No doubt spurred on by events in Ukraine and growing concerns about the societal impact of the spread of misinformation, on 22 April 2022 the European Parliament and EU Member States reached a political agreement on the European Commission's proposals on the Digital Services Act (DSA) in record time.
The explosion of digital services in the past few decades has highlighted the need for a more modern and harmonised EU-wide regulatory framework. The current rules on digital services flow from the e-Commerce Directive (ECD) which is over 20 years old (as a junior lawyer, I was seconded to the DTI in 2002 to assist with the UK implementation of the ECD and I feel equally in need of an update). As a Directive, the ECD was implemented in slightly different ways in Member States which has created a patchwork of rules across the EU. The DSA will be implemented as Regulations to ensure a harmonised approach which will be easier for businesses to navigate through.
The DSA will create a modern uniform framework for digital services across the EU. It ensures more transparency and sets out an unprecedented new standard for greater accountability of online platforms regarding illegal or potentially harmful online content. It also seeks to provide better protection for internet users and a modernised liability regime for online intermediaries.
The DSA will not replace the ECD - it will apply alongside the national versions, with the exception of ECD provisions excluding the liability of online intermediaries. The DSA is aligned with the EU GDPR and will complement the e-Platform-to-Business Regulation (EU) 2019/1150 (the P2B Regulation) and the New Deal for Consumers Directives.
The DSA applies to "online intermediary services providers". In scope are a wide range of digital service providers including internet access providers, cloud and hosting services, online marketplaces, app stores and social media platforms. Like the EU GDPR, the DSA has extra-territorial scope and will apply to UK based online intermediary services providers who target EU users.
The obligations imposed are proportionate to the nature of the services concerned and tailored to the number of users and very large online platforms (VLOPs) and very large online search engines (VLOSEs) will be subject to more stringent requirements. Services with more than 45 million monthly active users in the EU will fall into these categories.
The new framework includes:
- Wide-ranging transparency obligations regarding the steps taken by platforms to combat illegal information. Platforms must publish detailed reports on their activities relating to the removal and the disabling of illegal content or content contrary to their terms and conditions.
- Stringent requirements to ensure that online platforms that allow consumers to purchase goods/services from online traders via their platforms engage in strict Know Your Customer procedures for such traders and retain information to help track down sellers of illegal goods/services.
- Transparency obligations concerning online advertisements. For each advertisement, online platforms must provide (in real time) clear and unambiguous information to each user that (a) they are seeing an ad; (b) on whose behalf the ad is displayed and (c) provide meaningful information about the main parameters used to determine why a user is targeted by the ad.
- Updated liability regime for online intermediaries. The core principles of the ECD remain broadly the same but the DSA imposes obligations to address notifications of content considered to be illegal. Hosting providers and online platforms must implement user-friendly notice and takedown mechanisms that allow the notification of illegal content, internal complaint-handling processes, engage with out-of-court dispute settlement bodies to resolve disputes with their users, give priority to notifications from "trusted flaggers" and suspend repeat offenders.
- A new crisis response mechanism which will be activated by the Commission on the recommendation of a new European Board for Digital Services (EBDS) which will make it possible to analyse the impact of the activities of VLOPs and VLOSEs on the crisis and decide onproportionate and effective measures to be put in place for the respect of fundamental rights. The mechanism proposed has already been the subject of heavy criticism from civil society groups.
- Platforms accessible to minors must implement special protection measures to ensure their safety online in particular when they are aware that a user is a minor. Platforms will be prohibited from presenting targeted advertising based on the use of minors' personal data.
- Hefty fines for non-compliance of up to 6% of the annual income/turnover of and periodic penalty payments for continuous infringements of up to 5% of the average daily turnover in the preceding financial year per day.
- Online intermediaries who are not established in the EU that provide services in the EU must designate a legal representative in the EU who will be required to cooperate with supervisory authorities, the Commission and the EBDS and can be held liable for non-compliance with the DSA.
VLOPs and VLOSEs must also:
- Analyse systemic risks stemming from the use of their platforms and implement effective content moderation mechanisms to address them.
- Provide transparency on the key parameters of decision-making algorithms used to provide content on their platforms and offer users options to modify those parameters (including an option which is not based on profiling).
- Establish and maintain a public repository with detailed information on the online advertisements served on their platforms in the previous year.
- Appoint a DSA compliance officer and undergo an annual independent audit.
- On request, provide access to the data necessary to monitor their compliance to the competent authority and vetted academic researchers who perform research into the systemic risks.
VLOPs and VLOSEs will be subject to enhanced supervision and direct enforcement by the Commission.
Brexit has led to parallel but contrasting key domestic proposals in the form of the UK's Online Safety Bill (OSB) which also seeks to regulate certain internet services with the primary aim of tackling illegal and harmful online content. The OSB touches on some aspects of the DSA. It will be interesting to see whether the UK will seek to address the other aspects.
Watch this space for further LS articles on the DSA and the OSB(as well as related commentary on the UK's recent proposals for data reform)as they progress through their respective legislative processes.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.