- Providers of intermediary services must respond and take the required measures when courts or authorities point out illegal content.
- Providers of hosting services must provide predefined notice-and-action mechanisms for reporting alleged illegal content and follow up on such notices, including taking the necessary measures.
- Whether or not content qualifies as illegal content is not determined by the DSA itself but by the applicable law of the affected EU Member State.
- Providers of online platforms must give special weight to and prioritise notices provided by trusted flaggers, which are certified by authorities due to their expertise.
Liability privileges (safe harbour principles)
The liability privileges of the EU eCommerce Directive have effectively been included in the DSA. Therefore, the notice-and-takedown concept originally introduced and developed under the EU eCommerce Directive remains largely intact. Service providers do not have to actively check the legality of content.
However, the DSA also provides new features. This includes a welcome clarification (sometimes somewhat misleadingly referred to as a “good-Samaritan” clause) that voluntarily self-initiated investigations or other measures aiming to achieve legal compliance do not exclude the safe harbour principles. Host providers that enable the conclusion of contracts between traders and consumers cannot, however, rely on the safe harbour principles under consumer protection law where the design of the online platform leads the consumer to believe that the information, product or service that is the subject of the transaction is provided either by the service provider itself or by a trader who is acting under its control. See our article for more.
Single point of contact
Providers of intermediary services must designate a single point of contact as the direct contact for authorities and recipients. Information and contact details of the single point of contact must be easily accessible.
Legal representative
Providers of intermediary services that do not have an establishment in the EU but address recipients in the EU must appoint a legal representative in one of the affected EU Member States, a principle familiar from the EU GDPR. The legal representative must be equipped with sufficient power of representation and resources and has to act, among other things, as a contact for authorities and recipients. The name and contact details of the legal representative must be easily accessible. Notably, the designated legal representative can be held liable for non-compliance with obligations under the DSA, without prejudice to the liability of the provider of the respective intermediary services.
Due diligence obligations for terms and conditions
Providers of intermediary services must provide transparent information on any restrictions in their terms and conditions affecting the provision of information. This includes policies, procedures, measures and tools used for content moderation, including algorithmic decision-making and human review, as well as the rules of procedure for their internal complaint handling system. Providers of intermediary services must apply and enforce such restrictions responsibly, considering the affected European fundamental rights.
Transparency reporting obligations
Based on the classification of the affected service provider, there are various tiered transparency obligations to provide regular reports on content moderation and other measures:
- Providers of intermediary services must, among other things, provide reports on: (a) the number of administrative or court orders received and respective actions taken, (b) the specifics of self-initiated content moderation, and (c) applied automated means for purposes of content moderation, including indicators of accuracy, possible error rates and applied safeguards.
- Providers of hosting services must also, among other things, provide reports on the number of notices submitted (via notice-and-action mechanisms) by recipients and trusted flaggers, as well as respective actions taken, and whether such actions were performed on the basis of automated means.
- Providers of online platforms must also, among other things, provide reports on: (a) the number of complaints received through the internal complaint handling system and respective decisions made, (b) the number of disputes submitted to out-of-court dispute settlement bodies and the outcomes of such disputes, (c) the number of suspensions of recipients and their grounds, and (d) the number of the average monthly active recipients within the EU.
The EU Commission may set out requirements as to the form, content and details of such reports.
Complaint handling system
Providers of online platforms must implement an internal complaint handling system, which enables recipients to complain, for instance, about the alleged unauthorised removal of content, the suspension of user accounts and other measures that have detrimental effect. This must be easily accessible. The decision made on a complaint must include a justification by the provider of the online platform, and the decision may not be made purely by automated means. Apart from that, providers of online platforms must provide the possibility of out-of-court dispute resolution.
Exemptions for small companies and micro enterprises
Small companies and micro enterprises (with fewer than 50 employees and less than €10 million in annual sales) are exempt from complying with some of the DSA’s obligations. These include obligations for providers of online platforms as well as transparency reporting obligations of providers of intermediary services. The exemption does not apply if companies – despite their small size – qualify as VLOPs or VLOSEs.
Enhanced protection of minors
Providers of online platforms must take appropriate measures to ensure a high level of data protection and safety for recipients that qualify as minors.
Dark patterns and compliance by design
The DSA stipulates vague requirements for the design of user interfaces on online platforms. Misleading user interfaces (the recitals mention nudging or dark patterns) are prohibited if they hamper the recipient from making a free and informed decision. The European Commission can provide further specifics within guidelines, including on repeatedly requesting a recipient to make a choice which has already been made, and making the procedure of terminating a service more difficult than subscribing to it.
Online advertising and transparency
Apart from the common requirement to clearly designate online advertising as such, providers of online platforms must provide information on the principal of the respective online advertisement. In addition, information has to be given as to the main parameters of how target groups are determined and, where applicable, how to change those parameters. In addition, VLOPs and VLOSEs must provide a repository where recipients can access information on online advertising that was displayed within the last year. Such information includes the content of the online advertisement, its principal, period and target groups. These rules may pose a significant challenge to the protection of trade secrets.
Partial ban on profiling-based online advertising
Providers of online platforms are prohibited from profiling-based online advertising based on sensitive data (such as health data) and aimed at minors. With the DSA aiming to increase the protection of minors, the European legislator did not want to encourage providers of online platforms to use age verification measures and collect more personal data. Accordingly, it is unclear how providers of online platforms should implement this ban.
Recommender systems
To the extent that providers of online platforms use recommender systems (eg for news feeds), they must provide transparent information on: (a) the main parameters of their recommender system, and (b) the possibility of modifying or influencing those parameters. In addition, VLOPs and VLOSEs must provide at least one option for their recommender system that is not based on profiling.
See our article for more on the advertising provisions of the DSA and here for more on duties and obligations under the DSA more generally.
Claims by recipients
Recipients are entitled to make claims against service providers for violations of the DSA, including claims for damages, under EU and EU Member State law.
B2C online marketplaces
Providers of B2C online marketplaces must collect data from traders based on the know-your-business-customer (KYBC) principle. To this end, providers of B2C online marketplaces must collect traders’ contact and payment data as well as proof of identity. If the trader provides inaccurate and/or incomplete information, the service provider must remove the trader from the service. Only businesses are considered traders under the DSA, so that affected service providers are required to differentiate between consumers and businesses to an even greater extent than is already the case under current applicable law. See our article for more on the KYBC requirements.
VLOPs and VLOSEs
The DSA requires mandatory regular assessments of systemic risks by providers of VLOPs and VLOSEs. Based on the results, risk mitigation measures must be taken. In addition, providers must conduct regular independent compliance audits and appoint a qualified compliance officer, who is independent from operational functions.
Crisis response mechanism
A newly introduced crisis response mechanism will apply to VLOPs and VLOSEs. In the event of an extraordinary crisis (ie a threat to public safety or health in the EU - the recitals expressly refer to armed conflicts and pandemics), the EU Commission can oblige providers to cooperate and take defensive measures, eg adapting content moderation measures.
How is DSA compliance regulated?
The DSA aims to enhance cross-border communication and coordination between authorities in order to adapt it to the innate cross-border characteristics of digital services. Each EU Member State must appoint a Digital Services Coordinator (DSC) as the competent authority to monitor and enforce compliance with the DSA. The competent authority for VLOPs and VLOSEs is primarily the European Commission itself. See our article for more about the role of the DSC.
The authorities have extensive rights of access, to obtain information, to inspect, to order and to sanction service providers.
Violations of the DSA can potentially be subject to fines of up to 6% of annual worldwide turnover of the preceding financial year. If an information obligation under the DSA is violated, the maximum fine is limited to 1% of the previous year’s income or worldwide turnover. See our article on enforcement for more.
What is the relationship between the DSA and other European laws?
The DSA aims to standardise and simplify the legal situation for digital companies. It is supposed to help provide a level playing field. At the same time, the DSA touches on and overlaps with a number of other and more specific EU laws. In principle these remain unaffected. In all likelihood, however, ambiguities will remain or arise, in particular, where such rules cover identical aspects to or are less specific than the DSA. How issues are resolved will need to be defined by future practice and case law as we explore in more detail here.
The DSA also has a substantial influence on other EU Member States’ laws that have similar objectives. In this context, the DSA is expected to render the German Network Enforcement Act (NetzDG) obsolete. Since the liability provisions of the EU eCommerce Directive will be repealed and merged into Articles 3-8 of the DSA, some Member State laws (such as Sections 7-10 of the German Telemedia Act) will be repealed accordingly. Apart from this, the EU eCommerce Directive will remain unaffected.
When will the DSA apply?
The DSA will enter into force 20 days after its publication in the EU’s Official Journal, which is expected to take place this autumn. Most of the DSA’s rules are therefore likely to be effective 15 months after entry into force, ie in the first quarter of 2024. The earliest possible date was originally set for 01 January 2024.
The DSA’s rules for VLOPs and VLOSEs will however apply earlier, namely four months after the respective service provider has been designated as such by the EU Commission. Certain transparency and reporting obligations for providers of online platforms will apply when the DSA enters into force.
How should providers of digital intermediary services prepare for the DSA?
The DSA introduces a whole range of new rules and obligations. Certain providers – namely VLOPs and VLOSEs – are more in the sightlines of the DSA than others, but virtually all digital businesses are potentially affected. Businesses in the EU/EEA, but also worldwide, should therefore assess as early as possible whether and to what extent the DSA will apply to their business. Individual compliance gaps should be identified by a gap analysis. As a number of the DSA’s obligations imply considerable organisational, technical and legal efforts, tasks and processes should be defined sufficiently in advance and implemented in due time. In addition, companies should assess the impact on the interplay with existing laws (including sector-specific European laws) that must be observed in addition to the DSA. Specific implementation requirements will, of course, vary greatly from company to company, particularly because of the DSA’s tiered regulatory system.