Requirements for online marketplaces under the EU Digital Services Act (DSA)

According to the European legislator’s understanding, providers of online marketplaces belong to the stereotypical categories of addressees of the Digital Services Act (DSA). They enable one group of their recipients (mostly businesses) to store offers or other information on their behalf and make them available to another group of their recipients (mostly consumers). This takes place with the overall aim to mediate distance (purchase or service) contracts directly between those recipient groups via the framework of the online marketplace. In such cases, the respective service providers qualify as providers of online platforms (Art. 3 lit. i DSA), which includes the upstream qualification as providers of hosting services (Art. 3 lit. g sublit. iii DSA).

Since 25 August 2023, the DSA’s comprehensive obligations applicable to providers of online platforms already apply to those online marketplaces that the European Commission has designated as very large online platforms (VLOPs) on 25 April 2023. Outside of these designated VLOPs, only few obligations (for example, the obligation to publish the number of the average monthly active recipients in the EU) already apply, while the remaining majority of relevant obligations will only become applicable by 17 February 2024. Despite such “grace period”, providers of online marketplaces are advised not to waste time and start taking a diligent look at the DSA’s extensive and multi-faceted bundle of obligations. In particular, because the implementation of the DSA’s new requirements is likely to involve considerable efforts, which cannot be realized overnight. The remaining time is therefore precious and should be used efficiently. Apart from that, there is at least sometimes the impression that the DSA is still flying under the radar of many affected service providers, especially in the international domain.

In the following, a closer look is taken at the essential aspects of the DSA’s regulatory regime for providers of online marketplaces outside of VLOPs. In principle, this is based on the European legislator’s motif to make the services on online marketplaces subject to improved regulation and address respective challenges and risks more appropriately. To this end, it particularly had to find an ambitious balance between (a) the interests of service providers in a functioning European Single Market (Rec. 4 DSA) and (b) the interests of recipients (especially, consumers) in a safe, predictable and trustworthy online environment (Rec. 3 DSA). If and to what extent the DSA has in fact accomplished this, remains questionable and is subject to controversy. Only practical experience will show if the DSA will live up to its high expectations.

The safe harbor principles for host providers remain largely unchanged (Art. 6 to 8 DSA)

To avoid overburdening host providers (inter alia, providers of online marketplaces) with monitoring obligations and to not counter-act existing case law laboriously developed over the years, the safe harbor principles for host providers originally anchored in the EU e-Commerce Directive (2000/31/EC) were incorporated into the DSA with essentially the same contents (Art. 6 DSA). This also includes the retention that host providers are not required to conduct pro-active and general monitoring measures with respect to third-party content (Art. 8 DSA).

Still, the DSA provides for some amendments and clarifications:

• There is a new safe harbor exception with respect to consumer protection law solely concerning providers of online platforms that enable consumers to conclude distance contracts with businesses (B2C). Within this scope, the safe harbor principles for host providers do not apply, where the service provider presents the specific information or otherwise enables the specific transaction in such a way that leads the average consumer to believe that the information, product or service that is object of the transaction is provided by the service provider itself or by a respective business recipient (trader) that is acting under its authority or control (Art. 6 para. 3 and Rec. 23 DSA).

  For example, this is supposed to apply, where the service provider does not disclose the trader’s identity or withholds it until after conclusion of the mediated distance contract or where the service provider markets the products or services in its own name (instead of the trader’s name). In general, such determination is supposed to take place based on an overall view of the circumstances of the individual case.

  It cannot be dismissed that the essential characteristics of such attribution mechanism have somewhat systematic commonalities with the principle of adopting third-party content developed by German case law (FCJ, judgment dated 12 November 2009, case no. I ZR 166/07 – marions-kochbuch.de; FCJ, judgment dated 04 April 2017, case no. VI ZR 123/16 – klinikbewertungen.de).

  In sum, providers of B2C online marketplaces should generally take diligent care that the design and the processes on their online marketplaces do not provide a basis for the impression that they assume responsibility for the contents of their traders.

• Apart from that, the safe harbor principles for host providers do also not apply, where the host provider leaves its neutral role of purely technical, automated and passive services and plays an “active role” in the processing of information provided by a recipient (Rec. 18 DSA). Hereby, the European legislator has explicitly incorporated the figure of the “active role” developed by European case law (CJEU, judgment dated 12 July 2011, case no. C-324/09 – L’Oréal/eBay) into the DSA, albeit only within the recitals, so that this must be considered under the DSA as well.
• Further, a positive clarification in form of a good-Samaritan clause was added, stipulating that service providers’ voluntary own-initiative investigations or other measures aiming to achieve legal compliance do not exclude the safe harbor principles (Art. 7 DSA). This creates more legal certainty for providers of online marketplaces, especially since it was somewhat controversial in the past if and to what extent such measures constituted an exclusion of the safe harbor principles.

Overall, the implementation of the safe harbor principles for host providers made within the DSA is predominantly positive news for providers of online marketplaces, as it not only secures legal consistency and an associated legal certainty to the extent possible, but also continues to make liability risks associated with the storage of third-party content appropriately manageable.

Dealing with illegal content (Art. 14 to 16 DSA)

The DSA contains a large number of rules and obligations for providers of online marketplaces that specifically intend to protect recipients’ interests. In particular, service providers must provide meaningful information in their terms and conditions (T&C) about all policies, procedures, measures and tools used for the purpose of content moderation (Art. 14 para. 1 DSA). This also includes disclosures on content moderation related algorithmic decision-making and human review. Further, they must publish annual reports on the content moderation they perform (Art. 15 para. 1 DSA).

Compliance with such obligations is not only essential for providers of online marketplaces to govern and secure the quality standards of offers posted on the online marketplace in a transparent manner. Rather, this is also important for recipients to be able to comply with the respective online marketplace’s requirements and at the same time to be protected from arbitrary content moderation.

Further, recipients are entitled to act against what they consider to be illegal content through notice-and-action mechanisms that must be set up by the service providers (Art. 16 DSA). In view of the current procedure pertaining to notices and their subsequent redress developed by German case law (so-called notice and takedown), this does not really illustrate an innovation in principle from a German point of view. However, what is new is the first legal codification of corresponding formal and procedural requirements, with such formal requirements being essentially similar to the ones set by the U.S. Digital Millennium Copyright Act (DMCA). Apart from this, new obligations for service providers have been added for the benefit of recipients. For example, to make the notice-and-action mechanisms easily accessible and user-friendly (Art. 16 para. 1 DSA) or to decide on corresponding notices timely, diligently, non-arbitrarily and objectively (Art. 16 para. 6 DSA).

An advantage of the DSA’s notice-and-action mechanisms for service providers is above all that EU Member States are deprived of the possibility to establish their own individual procedures for removing content or blocking access thereto (Art. 14 para. 3 EU e-Commerce Directive). Overall, this should simplify such procedures in the event of alleged cross-border infringements and create efficiency gains to a uniform European Single Market.

Additional obligations for online marketplaces (Art. 20 to 28 DSA)

Of particular relevance to providers of online marketplaces are also the DSA’s rules specifically tailored to online platforms (Art. 3 lit. i DSA). These include:

Access to an internal complaint-handling system (Art. 20 DSA)

In addition to the notice-and-action mechanisms, providers of online marketplaces must provide recipients with access to an internal complaint-handling system (Art. 20 para. 1 DSA). This has the aim to enable the submission, processing and remedy of complaints about decisions made by service providers in connection with illegal content or content incompatible with their T&C. According to the European legislator’s motif, the internal complaint-handling system in particular serves the purpose of clarifying misunderstandings concerning content swiftly and simply as well as correcting errors.

Providers of B2C online marketplaces are likely familiar with this obligation, as they are already subject to the EU Platform-to-Business Regulation (P2B Regulation), which stipulates that business recipients must be provided with an internal complaint-handing system (Art. 11 para. 1 P2B Regulation). The DSA extends this obligation by stipulating that the internal complaint-handling system under the DSA must be accessible to all recipients, i.e. any natural or legal person that uses the service (Art. 3 lit. b DSA), including individuals or entities that submit notices. 

At the same time, the DSA’s wording and its recitals make it clear that the internal complaint-handling system should enable a timely redress. Therefore, the key challenge for providers of online marketplaces will be to create a resilient internal complaint-handling system that is capable of efficiently resolving a large number of complaints. To master such challenge, it is conceivable to use artificial intelligence (AI). However, such approach is not without restrictions, as the DSA explicitly requires that decisions made by service providers in conjunction with an internal complaint-handling system must not occur solely based on automated means (Art. 20 para. 6 DSA). Rather, a manual review of such decisions is required (Rec. 58 DSA).

Out-of-court dispute settlement (Art. 21 DSA)

Providers of online marketplaces should anticipate that they will likely be confronted with proceedings before out-of-court dispute settlement bodies. The DSA establishes the right for recipients (including individuals or entities that submit notices) to consult an out-of-court dispute settlement body in the event of disputes regarding illegal content or content incompatible with the online marketplace’s T&C (Art. 21 para. 1 DSA).

Such right requires that the underlying dispute concerns a decision by the service provider, which (a) could not be resolved via the internal complaint-handling system or (b) relates to restrictive, suspending or terminating measures (such as the suspension or blocking of user accounts).

In light of this, providers of online marketplaces must not only inform about this right in a transparent manner, but also cooperate with the respective out-of-court dispute settlement body (Art. 21 para. 2 DSA). Such understanding results not only from the aspect that the recipient’s right to consult an out-of-court dispute settlement body corresponds, under normal circumstances, with an obligation of the service provider to cooperate. Rather, this is also indicated by the DSA’s wording pertaining to the right to refuse cooperation with out-of-court dispute settlement bodies under certain exceptional circumstances (Art. 21 para. 2 subpara. 2 DSA). This is further supported by the aspect that the comparable provision of the P2B Regulation (Art. 12 para. 3 P2B Regulation) contains an explicit reference that participating in mediation is voluntary. The inverse suggests that the European legislator deliberately refrained from such clarification in the DSA and – in deviation to the P2B Regulation – intended an obligation to cooperate with out-of-court dispute settlement bodies.

This obligation has considerable commercial implications for providers of online marketplaces, as they ultimately have to bear the fees of the out-of-court dispute settlement body and the recipient’s costs in the event of a decision in the recipient’s favor, but do not receive any reimbursement of costs in the opposite case (Art. 21 para. 5 DSA). This logic seems questionable in view of the fact that the decision of the out-of-court dispute settlement body has no binding effect (Art. 21 para. 2 and 3 DSA).

Cooperation with trusted flaggers (Art. 22 DSA)

Additional new obligations are to give priority to notices submitted by trusted flaggers (such as Europol or NGOs) within the framework of notice-and-action mechanisms and to process and decide them without undue delay (Art. 22 para. 1 DSA). According to the European legislator’s intention, these obligations primarily have the aim to contribute to resolving illegal content faster and more reliable (Rec. 61 DSA). To this end, appropriately qualified and trustworthy individuals or entities are appointed exclusively by the competent Digital Services Coordinator (DSC) and only if certain requirements are met, such as particular expertise and competence in dealing with illegal content (Art. 22 para. 2 DSA). From the perspective of affected service providers, it makes sense to create additional functionalities within the notice-and-action mechanisms to secure the required priority treatment of trusted flaggers.

Measures and protection against misuse (Art. 23 DSA)

If recipients misuse the services, providers of online marketplaces are entitled to suspend their services vis-à-vis such recipients for a reasonable period of time after issuing a prior warning. This is particularly the case if they (a) frequently provide manifestly illegal content (Art. 23 para. 1 DSA) or (b) frequently submit manifestly unfounded notices via the notice-and-action mechanisms or the internal complaint-handling system (Art. 23 para. 2 DSA).

Overall, this pursues a multi-layered purpose. On the one side, the granting of such right to providers of online marketplaces aims to prevent recipients from committing serious infringements as repeat offenders. On the other side, it also aims to protect providers of online marketplaces from a potential abuse of the DSA’s procedural rights granted to recipients.

In this context, it should be stressed that providers of online marketplaces must include clear and meaningful information in their T&C for dealing with recipients’ misuse of the services and must also provide examples of aspects that they consider when assessing whether certain behavior constitutes misuse (Art. 23 para. 4 DSA). The core approach of this requirement should be familiar to providers of B2C online marketplaces, as the P2B Regulation already requires (solely towards business recipients) that the reasons for any restrictive measures (such as suspension or termination) must be explained in the B2C online marketplace’s T&C (Art. 3 para. 1 lit. c P2B Regulation).

In light of this, providers of B2C online marketplaces, who do not have not yet implemented sufficient standards for restrictive measures to their services, should at least implement a corresponding concept for their business recipients in due course and include respective explanations in their T&C. To the extent necessary, this can then later be used as a basis in order to achieve compliance with Art. 23 DSA, once it becomes applicable.

Transparency reporting obligations (Art. 24 DSA)

Since the DSA entered into force, its transparency reporting obligations, some of which have been applicable since 17 February 2023 (for example, the obligation to publish the number of the average monthly active recipients in the EU pursuant to Art. 24 para. 2 DSA), have been subject to controversy. Such discussions were caused, among other things, by the fact that the DSA defines the term “active recipient” quite broadly (Art. 3 lit. p DSA). This resulted in considerable uncertainty as to how and in what specific way active recipients are to be calculated and determined by affected service providers. Further information on such transparency reporting requirements can be found in the separate article here.

Online interface design and organization as well as the prohibition of so-called dark patterns (Art. 25 DSA)

At the latest with the rise of cookie banners and consent management platforms, the issue of dark patterns has become omnipresent. The DSA is the first European regulation in force that explicitly mentions the term “dark patterns” (Rec. 67 DSA) and prohibits relating practices in online interfaces (such as websites) that aim to significantly distort or impair the recipients’ ability to make autonomous and informed decisions (Art. 25 para. 1 DSA). According to the European legislator’s intention, such practices inter alia include to (a) repeatedly request recipients to make a choice where such choice has already been made, (b) make the procedure of cancelling a service significantly more cumbersome than signing up to it, (c) make certain choices more difficult and time-consuming than others or (d) deceive recipients by default settings that are very difficult to change.

The prohibition of dark patterns in principle does not come as a big surprise. Rather, this was solely a question of time, when considering (a) their current scale and sophistication in practice, (b) their evolvement to a mass phenomenon that has created more and more public attention, (c) the multi-faceted case law (mostly in connection to unfair competition and data protection law) that has been rendered in the meantime and (d) the numerous recommendations and actions (including fines) taken by governmental and non-governmental entities.

This is certainly not the last word on the issue of dark patterns, as the topic is far too volatile and dynamic for that. Especially, the blurry lines between dark patterns and still legitimate business practices require much more detailed and stronger contours. In light of this, it can be assumed that the publication of further guidelines by the European Commission (Art. 25 para. 3 DSA) on dark patterns under the DSA is just a matter of time. It certainly makes sense to keep an eye on further developments here.

Advertising on online platforms (Art. 26 DSA)

To increase the protection of recipients, the DSA has incorporated online advertisement labelling obligations for online platforms (inter alia, online marketplaces) that are essentially comparable to the ones concerning advertisers established under unfair competition law. In this context, the European legislator has further supplemented and specified them with a view to the business models of online platforms. In particular, providers of online marketplaces must secure that advertisements on their online interfaces (such as websites) provide for the following information (Art. 26 para. 1 DSA):

• The fact that the information constitutes advertisement.
• The identification of the natural or legal person on whose behalf the online advertisement is presented.
• The identification of the natural or legal person, who paid for the online advertisement, provided that this person is different from the principal of the presented online advertisement.
• Explanations on the main parameters to determine the target group of the online advertisement and (where available) how to change such parameters.

Further, providers of online marketplaces must create a functionality within their services with which business recipients can declare whether the information they provide constitutes or contains advertising (Art. 26 para. 2 DSA).

Apart from that, affected service providers are prohibited from profiling-based online advertisement (a) where sensitive data is processed, such as health data (Art. 26 para. 3 DSA), or (b) which is aimed at minors (Art. 28 para. 2 DSA). In the latter case, it unfortunately remains unclear how providers of online marketplaces are supposed to implement such prohibition. The reason is that in view of the motif of the European legislator to improve the protection of minors, this cannot be realized with additional age verification measures and the collection of more personal data.

Recommender system transparency (Art. 27 DSA)

Recommender systems on online platforms (inter alia, online marketplaces) are of particular commercial importance for service providers to be able to show recipients (especially, consumers) offers tailored to their interests. Insofar, they make a significant contribution to increasing the service providers’ own promotion as well as the sales of its recipients. However, according to the European legislator’s understanding, it should not be overlooked that recommender systems can have a significant impact on the recipients’ ability to retrieve and interact with information.

In order to safeguard the interests of recipients (businesses and consumers) and enable them to make informed decisions, providers of online marketplaces must in principle describe in their T&C the most important parameters underlying their recommender systems as well as the recipients’ options to change or influence those main parameters (Art. 25 para. 1 DSA). In this context, the DSA qualifies those main parameters as criteria that are most significant in determining the information suggested to the recipient and the reasons for their relative importance.

What this is supposed to mean specifically is unfortunately largely left unanswered. In this context, it also has to be considered that due to the vague legal term “most significant” similar requirements pertaining to ranking functionalities in the P2B Regulation and the EU Omnibus Directive (2019/2161/EU) have already been subject to controversy in the past. It is therefore all the more surprising that the European legislator – although aware of this issue – did not seize the opportunity by including further clarifications within the DSA to give such requirement more substance. After all, the European Commission has issued guidelines on the transparency of ranking functionalities comparable to recommender systems on the basis of a corresponding authorization in the P2B Regulation. In contrast, the DSA does not provide for such authorization, so that the given vagueness and ambiguity will likely be carried out on the backs of affected service providers.

Online protection of minors (Art. 28 DSA)

The DSA establishes safeguards for the online protection of minors (such as the requirement to put in place appropriate measures to secure a respective high level of privacy, safety and security), which should usually have manageable relevance to providers of online marketplaces. The reason is that online marketplaces regularly require recipients to be of legal age. In any case, such safeguards do not apply if the use for minors is not permitted within the T&C, the offer is not directed at minors or is not predominantly used by minors and if the service provider is not otherwise aware that some of its recipients are minors (Rec. 71 DSA).

Consumer protection provisions for distance contracts (Art. 30 to 32 DSA)

Providers of B2C online marketplaces should pay particular attention to the DSA’s consumer protection requirements pertaining to the mediation of distance contracts (Art. 30 to 32 DSA). After all, the core business purpose of B2C online marketplaces lies in the mediation of distance (purchase or service) contracts between businesses (traders) and consumers. Such consumer safeguards stipulated by the DSA essentially aim to secure reasonable transparency for the recipients’ benefit to protect them against the dissemination of offers that contain illegal content. At the same time, they intend to secure the enforcement of any rights of recourse recipients may have against traders in the event of infringements. To this end, providers of online marketplaces must fulfill certain requirements to facilitate the traceability of those businesses that use the online marketplace (so-called KYBC principle).

Traceability of traders (Art. 30 DSA)

Providers of online marketplaces must obtain basic information from their traders (Art. 30 para. 1 DSA), which includes the following:

• Name, address, phone number and email address (contact details).
• Copy of identity document or other electronic identification.
• Payment account details.
• Extract and number from the commercial register (if applicable) or details from a similar public register.
• Self-certification of the trader in which it undertakes to offer only products or services that comply with EU law.

Further, providers of online marketplaces must use best efforts to verify the reliability and completeness of such trader information (Art. 30 para. 2 DSA), whereby this is restricted to sources of (a) freely accessible official online databases and online interfaces (such as national trade registers and VAT information exchange systems) or (b) requests to the trader to provide trustworthy supporting documents (such as copies of identity documents, certified payment accounts’ statements, company and trade register certificates). This source restriction aims to preclude a disproportionate burden for affected service providers, which is reached in any case if service providers engage in excessive or costly online fact-finding or carry out disproportionate on-site verifications (Rec. 73 DSA).

However, even with such source restriction, the efforts required for such verification of traders will in all likelihood be significant. At least, the DSA positively clarifies at the same time that service providers, who have used best efforts in verifying such trader information, are not guaranteeing its reliability (Rec. 73 DSA). The traders are liable for the accuracy of the trader information (Art. 30 para. 2 DSA).

Subsequent to its verification, providers of online marketplaces must also make available part of such trader information (Art. 30 para. 7 DSA). This specifically concerns the contact details, the extract from the commercial register or a similar public register and the self-certification of the trader. With regard to the contact details, it is worth noting that the DSA goes beyond previous European case law on imprint obligations (CJEU, judgment dated 16 October 2008, case no. C-298/07). In addition to the designation of an email address, the DSA does not require another electronic contact option (such as a contact form), but explicitly requires the designation of a phone number. However, since the DSA only addresses providers of online platforms (inter alia, online marketplaces), it is questionable on what legal basis the trader as recipient is bound to provide a phone number. In any case, it is certain that online marketplaces, if they have indications or reason to believe that the phone number has not been provided at all or has been provided incorrectly, must immediately request the trader to supplement or correct it and (if necessary) suspend the services for such trader (Art. 30 para. 3 DSA).

Compliance by design (Art. 31 DSA)

From a technical point of view, the obligation to publish the traders’ information is complemented by the requirement that online marketplaces must design and organize their online interfaces in such a way that traders can provide their trader information (Art. 31 para. 1 DSA). To this end, the necessary functionalities must be created within the online interfaces of online marketplaces.

Right to information (Art. 32 DSA)

The DSA establishes a right to information for recipients, where they have acquired an illegal product or service on the online marketplace (Art. 32 DSA). In this context, providers of online marketplaces must secure such right by contacting the recipient directly (if contact details are available), informing it of the illegal product or service, the identity of the trader and any relevant means of redress. If it is not possible to contact all affected recipients, this information must be made public and easily accessible on online interfaces of the online marketplace.

Conclusion

Overall, it seems questionable if the European legislator has been able to create an appropriate balance between the interests of consumer protection and online marketplaces in a functioning European Single Market. The reason is basically that the DSA’s new rules and obligations are often too broad and ambiguous, leading to considerable legal uncertainties. Respective clarification or guidance by the European legislator or competent authorities is currently almost non-existent. Moreover, it is unlikely that this is going to change in the short term. Rather, it seems that the European legislator intends to wait and observe the developments in practice and only then take corrective measures where necessary.

As a consequence, providers of online marketplaces are currently confronted with the dilemma of (a) interpreting the DSA’s obligations too broadly when taking a cautious approach and thereby possibly incurring unnecessary organizational and commercial efforts to implement such obligations or (b) interpreting them too narrowly when taking a risk-oriented approach and thereby failing to comply with such obligations, when a competent authority comes to a deviating conclusion at a later point in time. In this context, it also needs to be considered that failure to comply with the DSA’s requirements can potentially trigger considerable fines of up to 6% of the annual global turnover of the preceding financial year (Art. 52 para. 3 and Art. 74 para. 1 DSA) and damage compensation claims by recipients (Art. 54 DSA).

In any case, it will be very interesting to see how things will further develop.