The EU Digital Service Act (DSA), Regulation 2022/2065, entered into force on 16 November. It sets out rules for online intermediary services in the single market to ensure a safe, predictable and trustworthy online environment. The regulation also aims to counter the spread of illegal content online and the risks to society caused by the spread of disinformation. The goal is to facilitate expansion for smaller platforms, micro and small businesses and start-ups.
Scope of the Regulation
The Regulation is applicable to intermediary services offered in the EU, regardless of where the provider of the intermediary service is established (inside or outside the Union). "Intermediary services" is a collective term that includes intermediary services for mere conduit, caching services and hosting services.
Mere conduit intermediary services include generic categories of services, such as internet exchange points, wireless access points, virtual private networks, DNS services and resolvers and other interpersonal communication services.
Caching intermediary services include the sole provision of content delivery networks, reverse proxies or content adaptation proxies. Such services are crucial to ensure the smooth and efficient transmission of information delivered on the internet.
Hosting intermediary services include categories such as cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing. The Regulation categorises online platforms and very large online platforms and very large online search engines as subcategories to hosting services, since they are considered to have specific characteristics that require separate rules.
The threshold for what constitutes a very large online platform/online search engine has been set at an average of 45 million monthly active recipients in the Union. It can be noted that it is the same threshold as that for what constitutes a "gatekeeper" under the Regulation on Digital Markets (Digital Markets Act – DMA). However, the Digital Markets Act provides for additional thresholds which are not included in the Digital Service Act, with the result that operators qualifying as very large online platforms and online search engines cannot per se be assumed to be subject to the Digital Markets Act, but the opposite is in principle true (the periods for calculating the average are different - twelve and six months respectively).
In order to understand the Regulation, it is important to underline that service recipient refers to both the person who uses an intermediary service to search for information, and the person who uses the intermediary service to make information available.
The Digital Services Act is structured in such a way that the obligations imposed vary according to the role, size and importance of the intermediary service in the digital ecosystem. This inter alia implies that operators with very large online platforms and online search engines are subject to more extensive obligations than operators with smaller intermediary services.
Obligations for providers of intermediary services
The main obligations imposed on all intermediary service providers are:
- Providers who receive an order from a national authority to act against illegal content or to provide information must inform the authority "without undue delay" of the effect given to the order.
Illegal content is considered to be information that is in breach of (other) Union law and national law that is in conformity with Union law, including the EU Charter of Fundamental Rights and provisions of the Treaty on the Functioning of the European Union (the FEU Treaty, or the TFEU), including the freedom of establishment and the freedom to provide services, particularly with regard to online gambling services and betting services. The Regulation does not itself stipulate what is illegal content, but refers to the rule that what is illegal offline should be considered illegal online.
The Regulation explicitly stipulates that intermediary service providers are not under a general obligation to actively monitor, investigate or take proactive measures against illegal activity. However, they may (in good faith and with due diligence) carry out voluntary investigations or take other measures aimed at detecting, identifying and removing illegal content, or making it inaccessible.
- Providers shall include information in their terms and conditions about potential limitations that they apply to the use of their services with regard to the information that is provided by the recipients. The information shall include information on policies, procedures, measures and tools that are used for the purpose of content moderation.
- Providers shall also publish reports at least once a year on all content moderation activities undertaken during the relevant period.
In addition to the above obligations, providers of hosting services are also subject to the following main obligations:
- They shall put in place mechanisms to allow individuals and entities to notify the presence of specific items or information that they consider to be illegal content.
- They shall immediately inform law enforcement or judicial authorities if they become aware of information giving rise to a suspicion of a criminal offence involving a threat to the life or safety of a person or persons.
Online platform providers are subject to the following main obligations (in addition to those applicable to all intermediary services and hosting services):
- They shall design, organise and operate their online interfaces (websites and applications) in a way that does not mislead or manipulate service users, or otherwise distort or impair the service user's ability to make free and informed decisions. The Regulation aims, in this regard, to remove "dark patterns", which manipulate a user's ability to make autonomous and informed choices and decisions, such as hidden costs, disguised advertisements and rearrangement of buttons.
- They shall, during a reasonable period, and after having issued a cautionary warning, temporarily pause the provision of their services to recipients that often provide content that is manifestly illegal.
- Providers enabling consumers to conclude distance contracts with traders must, before using their services for these purposes, obtain information on, inter alia, the trader's name, address, payment account details, registration in commercial registers, or other similar public registers, as well as a self-certification undertaking to offer only products that comply with the applicable EU rules.
- Providers presenting advertisements on their online interfaces shall ensure that service recipients can clearly, specifically and unambiguously identify, inter alia, that the information constitutes an advertisement, on whose behalf it is presented and who has paid for it.
- In the case of so-called recommendation systems, i.e. a fully or partially automated system used by an online platform to suggest, rank or prioritise specific information to recipients, providers shall be transparent by indicating the main parameters used, as well as any possibility for the recipient to modify and influence these main parameters. Furthermore, the key parameters shall explain why certain information is proposed.
- Providers shall also safeguard the online environment for minors by implementing appropriate and proportionate measures to ensure a high level of privacy, security and safety on online platforms accessible to minors.
Providers of online platforms that are micro and small enterprises are not subject to these obligations, unless they are very large online platforms.
It should be noted that, as opposed to online platforms, online search engines are only covered to the extent that they are considered to be very large online search engines.
Very large online platforms and online search engines
Very large online platforms and very large online search engines are subject, in addition to the obligations imposed on all intermediary services, hosting services and online platforms, to the following main obligations:
- They shall identify, analyse and assess any systemic risk in the Union stemming from the service. They shall also carry out risk assessments, which shall be specific to their services and proportionate to the systemic risk, considering its severity and probability of occurrence. Systemic risks include, inter alia, the dissemination of illegal content and possible, actual and foreseeable negative effects on public debate, electoral processes and public security.
- They shall implement reasonable, proportionate and effective risk mitigation measures adapted to the specific systemic risks identified. Such measures may include, inter alia, adaptation of the design and functioning of their services, adaptation of their general conditions and testing of their algorithmic systems.
- They shall establish an independent compliance function which shall entail one or more compliance officers, including an independent senior manager with distinct responsibility for the compliance function and who reports directly to the management of the body – a function which is reminiscent of the data protection officer under the General Data Protection Regulation (GDPR).
Limitation of liability
The Regulation provides for exemptions from liability for intermediary service providers. The exemption vary according to the intermediary service in question:
- Providers of intermediary services for mere conduit shall not be liable for transmitted or accessible information if the service provider did not initiate the transmission, did not select the recipient of the information, did not select the information or changed the information that was transmitted.
- Caching service providers shall not be responsible for the automatic, intermediate and temporary storage of information carried out for the sole purpose of improving efficiency or making further transmission of the information more secure at the request of the recipient of the service. The exemption from liability shall be subject, inter alia, to the condition that the provider does not modify the information and that the provider complies with the conditions for access to the information.
- Hosting service providers shall not be liable for the information stored at the request of the recipient of the service, provided that, inter alia, the provider was not aware of the existence of illegal activities or illegal content.
Compliance and enforcement
Member States have the exclusive power to supervise and enforce compliance with the Regulation in respect of intermediary service providers with their principal place of business in the Member State concerned, with the exception of providers of very large online platforms and very large online search engines. The Commission has the exclusive power to supervise and monitor the specific obligations imposed on very large online platforms and online search engines. For the other obligations, the Member States and the Commission share competence.
Member States shall designate the competent authorities responsible for enforcement and compliance with the Regulation, one of which shall be designated as the Member State Digital Services Coordinator (by 17 February 2024). The coordinator will be responsible for ensuring effective and consistent enforcement of the Regulation and will also receive complaints about compliance.
To ensure that the Regulation is applied consistently across the Union, a European Digital Services Advisory Board will also be set up to support the Commission and contribute to the work of the coordinators.
The Commission and the Advisory Board shall promote the drafting of voluntary codes of conduct at Union level.
It is up to the Member States to lay down the rules on penalties applicable to infringements, but they must be effective, proportionate and dissuasive. The Regulation provides that the maximum fine that can be imposed for non-compliance is 6% of the supplier's global annual turnover for intermediary services in the preceding business year.
It should be noted that the Regulation also provides that service recipients shall have the right to claim compensation from intermediary service providers for damage or loss suffered as a result of the providers' breach of their obligations.
As regards providers of very large online platforms and online search engines, the Commission shall adopt non-compliance decisions if it considers that they do not comply with the provisions of the Regulation, interim measures ordered, or commitments made binding. The Commission may impose a fine not exceeding 6% of the total annual worldwide turnover of the provider in the non-compliance decision, where the provider has acted intentionally or negligently. Furthermore, where the Commission has exhausted its powers to bring an infringement to an end and the infringement still persists and causes serious damage which cannot be avoided by the exercise of other powers, the Commission may request, through the digital services coordinator of the Member State in which the provider is established, that the competent judicial authority decide on a temporary restriction of access by recipients to the service concerned or, if that is not possible, to the online interface itself.
The Digital Services Regulation has generally been well received. In particular, the regulation of "dark patterns" - manipulation of users to make decisions they would not otherwise make, such as hidden costs, disguised advertisements and button rearrangement - has been noted. Dark patterns have been a major problem in the digital marketplace as neither competition nor consumer law has been able to eliminate them. The regulation is also expected to improve predictability and provide a more level playing field, making it easier for the operators concerned to operate in the EU's digital market.
However, some concern has been expressed because, after much discussion, the Regulation did not include an exemption for media. Critics see risks that freedom of expression could be negatively affected as there could be a tendency to remove content that is not illegal in order to be on the safe side.
Entry into force and application
The Regulation shall apply from 17 February 2024, with the exception of certain parts of the Regulation which shall already apply from 16 November 2022. Some of the main provisions that will become applicable on 16 November 2022 include:
- An obligation for providers of online platforms and online search engines to publish, by 17 February 2023, information on the average number of monthly active service users of the platform in the Union.
- An obligation for the Commission to designate, without undue delay, which online platforms and online search engines are to be considered as very large platforms and search engines based on the average number of active service users that the platforms and search engines have in the Union.
- An obligation for the Commission to set up an information exchange system between the national coordinators for digital services, to be used for all communications required by the Regulation.
It should be noted that the Commission is already in the process of setting up a new European Centre for Algorithmic Transparency ("ECAT"), which aims to support the application of the Regulation with technical and scientific expertise. ECAT is expected to be fully operational in the first quarter of 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.