1 février 2023
Digital Services Act (DSA) - an overview
Regulation of digital markets and in particular very large online platforms.
In effect since November 1, 2022. Will enter into force on Mai 2, 2023. Some provisions already apply.
In particular, operators of central platform services, which are to be classified as “gatekeepers”.
The classification as a gatekeeper is mainly based on the platform’s impact on the internal market, its intermediary character between commercial users and end users, and the (foreseeable) solidity and permanence of the platform’s activity. To facilitate the classification of central platform operators as gatekeepers, the DMA provides thresholds which, if exceeded, have a presumptive effect. The DMA lists what exactly a central platform service is in its definitions. The classification as a gatekeeper entails (new) prohibitions and requirements for them. An overview can be found here. The EU Commission also has the power to specify further measures that the gatekeeper must implement to comply with its obligations if it deems the existing measures insufficient.
General antitrust law remains applicable alongside the DMA. Consumers and entrepreneurs will be able to pursue violations of the DMA by way of collective action and under the UWG. The gatekeeper status is also referred to in other current (Commission) drafts, for example in the Data Act, which provides for (negative) exemptions for gatekeepers from some regulations. According to its explanatory memorandum, the draft builds on the existing P2B Regulation, is coherent with the DSA, and supplements existing EU competition regulations and data protection law.
The Commission is responsible for the application of the DMA. Notwithstanding this, the member states may authorize their competition authorities to investigate and forward the results to the Commission. Violations of the DMA’s rules of conduct can result in fines of up to 10 %, and in the case of repeated violations, even 20 % of annual worldwide turnover. In the case of systematic violations, gatekeepers may even be banned from mergers for a limited period of time. In addition, the Commission can impose behavioral and structural remedies. An overview can be found here.
Creating a safe digital space, free of illegal content and ensuring protection of users’ fundamental rights.
In effect since November 16, 2022. Will enter into force on February 16, 2024. Some provisions apply earlier, such as from February 17, 2023 the duty to disclose he numbers of recipients of a online platform or a search engine. Some minor provisions will apply later.
All providers of intermediation services (intermediaries), including in particular providers of online platforms. Tiered regulation for intermediary services, host providers, online platforms, and very large online platforms. Also all providers of search engines and very large search engines.
Comprehensive regulations, for example, concerning liability, the handling of illegal content, the provision of a notice-and-takedown procedure, and the regulation of (very large) online platforms. The liability rules in particular, however, do not really entail many innovations. The question of “whether” liability will continue to depend on the regulations of the member states. However, the DSA restricts some liability privileges. For example, a privilege for host providers does not apply if a consumer has the impression that the service offered originates from the host provider itself or that the host provider is responsible for it.
In principle, liability privileges should continue to apply to intermediaries, as is currently the case in Germany, for example, under §§ 7 ff. TMG. Liability provisions for Internet Service Providers (ISPs) regarding illegal content remain; the liability provisions of the E-Commerce Directive are reproduced verbatim. Furthermore, no general obligation for ISPs to actively monitor transmitted or stored information.
The member states appoint authorities, one of which acts as a “Digital Services Coordinator”. These have comprehensive rights of information, search, order and sanction. In the case of measures against very large online platforms, the Commission has a right of entry. Sanctions for infringements are possible in the amount of up to 6 % of annual revenues or annual turnover.
Tightening of copyright law on the Internet. New regulation of copyright responsibility. Establishment of uniform exceptions for the use of content for the purposes of quotation, criticism, review, caricature, parody and pastiche.
The directive was adopted in April 2019; the implementing act in Germany “Act on the Adaptation of Copyright Law to the Requirements of the Digital Single Market” came into force on June 7, 2021. The regulations on the copyright responsibility of upload platforms in the Copyright Service Providers Act (UrhDaG) followed on August 1, 2021. The status of implementation can be followed here.
In particular, online content sharing platforms (upload platforms).
Among other things, the directive contains a performance protection right for publishers based in a member state with regard to the reproduction and provision for online use of their press products by providers of information society services. In addition, there are regulations on so-called online content sharing platforms, according to which these are themselves liable for content uploaded by users that infringes the copyright of third parties. Last but not least, the directive also contains a number of provisions for the protection of authors and artists, in particular to ensure appropriate remuneration.
The directive brings together the eleven directives that together make up the EU copyright legislation. The directive was implemented in Germany with the “Act on the Adaptation of Copyright Law to the Requirements of the Digital Single Market”; the parliamentary process leading up to the final law can be accessed here.
Enforcement is the responsibility of the national authorities. There have been no changes with regard to powers.
Ensure equitable distribution of value created from IoT data among data economy stakeholders and promote data access and use.
The draft was presented on February 23, 2022. The current state of consultation can be viewed here.
The manufacturers, owners, holders and users of IoT devices. In addition, third parties who want to use data from IoT devices.
The DA regulates obligations of manufacturers and developers of products to facilitate the accessibility of data generated during the use of the products for the user (or a third party designated by the user). This is accompanied by certain transparency obligations. In addition, the DA contains general provisions for (fair and non-discriminatory) data provision obligations, specific controls on contractual clauses, and (compulsory) access by public bodies to data “held” by companies in exceptional cases. Finally, the DA also contains regulations on IT security requirements for providers of data processing services and on data interoperability requirements.
At European level, the Data Act will be supplemented by sector-specific special regulations such as the European Health Data Space or the Mobility Data Space. The Data Governance Act, which facilitates the voluntary exchange of data, will also be supplemented. Further, the DSA, the DMA and the GDPR provide for access rights. In addition, the Data Act supplements a large number of other legal acts.
The Commission is to lay the foundations for data exchange with the exchange fees and technical standards. The Data Act will be enforced by national authorities. Since the authorities concerned with data protection are to remain responsible in parallel, coordination issues are likely to arise. The member states must also determine the sanctions. Sanctions can amount to up to EUR 20 million or, in the case of a company, up to 4 % of its annual global sales in the previous fiscal year.
Promoting the availability of data.
Adopted on May 30, 2022. Effective as of September 24, 2023.
Specifically, public entities that “own” data, data brokering services, and organizations that seek to further certain public interest objectives using “data altruism.”
The DGA relies on four pillars to promote data availability: The re-use of protected data “owned” by public sector bodies, data intermediation services, data altruism, the creation of a European Data Innovation Council. In particular, conditions are set for the re-use of certain data; a registration and supervision framework for data intermediaries is established and the possibility to obtain privileges as a “recognized data altruistic organization” is created.
According to the explanatory memorandum, the DGA supplements the Open Data Directive. In addition, it is intended to leave competition law unaffected. Some friction could arise from the fact that, according to Art. 1(3), Union and Member State data protection provisions, in particular the GDPR, are to take precedence. The German Federation is currently preparing a federal law to execute the DGA on national level. Inter alia the law will designate the competent authorithies.
The new law establishes the Data Innovation Council, an advisory body to provide expert input on the development of guidelines for European data rooms. Monitoring and registration of data intermediaries will be left to member state authorities. The powers of data protection authorities coexist. The Commission may also adopt model contractual clauses and adequacy decisions to facilitate data transfers to affected third countries. Member States determine the sanctions autonomously; no maximum limit is set by the EU.
The creation of a European Data Space in the health sector for efficient exchange and direct access to different health data in health care itself (primary use), as well as in health research and health policy (secondary use).
The Commission presented its plan on May 3, 2022. The public consultation will last until July 20, 2022 and the status can be found here.
Basically, all patients, health care providers, researchers, manufacturers of health-related products, and others who have an interest in the use of health data.
Provisions regarding common standards and procedures, infrastructures, a governance framework for primary and secondary use of electronic health data. The data space should be based on three pillars: Strong governance system and rules for data exchange, (ensuring) data quality and (ensuring) strong infrastructure and interoperability.
The EHDS is based on legislation such as the General Data Protection Regulation, the Medical Devices Regulation, the In Vitro Diagnostics Regulation, the AI Act, the Data Governance Act, the proposed Data Act, the NIS Directive and its proposed successor NIS-2, and the Patient Rights Directive.
Member States set the penalties and enforce them with their authorities. The Commission, however, is to create the framework for data exchange through delegated acts.
Establish a single legal framework for regulating AI.
Negotiations between the EU institutions (trilogue) are expected to start at the end of the year and be completed in early 2023 and be completed by 2024.
Providers and users of AI systems.
There is agreement on risk-based regulation. AI systems whose use involves an unacceptable risk (manipulation, social scoring) will be banned altogether. High-risk AI systems will be heavily regulated. In particular, these must undergo a “conformity assessment” before being placed on the market, demonstrating that they meet the AI Act’s mandatory requirements for them. Limited-risk AI systems are subject only to transparency requirements, while low-risk AI systems remain unregulated.
Promoting innovation in AI is closely linked to the Data Governance Act, the Data Act, the Open Data Directive, and other initiatives under the European Data Strategy. Data-driven AI models benefit from the (intended) greater sharing and public availability of data. Moreover, according to its explanatory memorandum, the AI Act complements the GDPR.
The monitoring of AI applications is to be carried out by the competent national market surveillance authorities. They will also set the fines, the threshold values of which will be regulated in the regulation. The penalties can reach a maximum of EUR 30 million or 6 % of global annual turnover.
21 February 2024
par plusieurs auteurs
17 January 2024
par plusieurs auteurs
15 December 2023
16 November 2023
15 September 2023
par Philipp Koehler
Philipp Koehler and Thomas Walter look at the issues faced by many media companies when deciding whether or not they fall within scope of the EU’s Digital Services Act.
12 June 2023
23 February 2023
23 February 2023
23 February 2023
21 November 2022
par Debbie Heywood
Gregor Schmid and Philipp Koehler highlight the key elements of the incoming EU Digital Services Act.
19 September 2022
Adam Rendle looks at the differences and similarities in the approach of the EU and UK to online safety under incoming legislation.
19 September 2022
par Adam Rendle
Alexander Schmalenberger looks at the scope of the Digital Services Act, what it covers and who is caught.
19 September 2022
Johanna Götz looks at the DSA's approach to online intermediary responsibility for illegal content.
19 September 2022
par Dr. Johanna Götz
Alexander Schmalenberger looks at the main obligations on intermediaries (other than those relating to illegal content).
19 September 2022
Maarten Rijks and Annemijn Schipper look at the impact of the DSA on targeted advertising and the use of dark patterns and recommender systems.
19 September 2022
Sasun Sepoyan and Otto Sleeking look at the impact of Article 24c of the DSA.
19 September 2022
Elisa-Marlen Eschborn looks at the Member State enforcement provisions of the DSA.
19 September 2022
par plusieurs auteurs
par Nathalie Koch, LL.M. (UC Hastings) et Thanos Rammos, LL.M.