Against the backdrop of the explosion of digital services over the past few decades, an outdated legal framework for digital services dating back to 2000, an increasingly polluted information ecosystem and complex societal shifts which are making people more susceptible to misinformation and conspiracy, on 4 October 2022, the European Council approved the European Commission's (EC) proposals on the DSA.
The DSA is part of the European Commission's (EC) wider digital services package presented in 2020 which also includes the Digital Markets Act (DMA). The DSA fundamentally redesigns the rules for offering online content, services and products to consumers in the EU and whilst it will hit big tech the hardest, it will impact many businesses in the digital space (either directly or indirectly).
The current rules on digital services derive from the e-Commerce Directive (ECD) of 2000 which has created a patchwork of rules across the EU. The DSA will be implemented as Regulations to ensure a harmonised approach across the EU, which should make it easier for international businesses to navigate through.
The DSA ambitiously strives to create a modern uniform framework for digital services across the EU. Most notably, it sets an unprecedented new standard for greater accountability of online platforms regarding illegal or potentially harmful online content – a "world first" in the digital regulation space. It also seeks to provide greater transparency, better protection for internet users and creates a more modern liability regime for online intermediaries.
The DSA creates new obligations and accountability for providers of "intermediary services". The definition of intermediary services in the DSA is the same as in the ECD. A wide range of digital service providers are directly in scope, including internet access providers, cloud and hosting services, online marketplaces, app stores and social media platforms.
The DSA will apply to providers of intermediary services, regardless of their place of establishment, if they operate in the EU and there is a "substantial connection" to the EU (have an establishment or a significant number of users in the EU or target their activities towards one or more EU member states).
The obligations imposed by the DSA are layered and proportionate to the nature of the services provided and the number of users. Certain duties apply to all intermediary services but larger intermediary services with potentially greater societal impact ("very large online platforms (VLOPs) and "very large online search engines" (VLOSEs) which have at least 45 million or more active EU monthly users) are subject to more stringent requirements.
The framework includes:
- Wide-ranging transparency obligations regarding the steps taken by platforms to combat illegal information.
- Measures to counter the sale of illegal goods/services.
- Transparency obligations concerning online advertisements.
- Updated liability regime for online intermediaries. The core principles of the ECD remain but the DSA imposes obligations to address notifications of content considered to be illegal.
- A new crisis response mechanism (in the context of the ongoing situation in Ukraine and the potential impact of the manipulation of online information) which will facilitate the analysis of the impact of the activities of VLOPs/VLOSEs on the crisis and rapidly decide on proportionate and effective measures to implement to protect fundamental rights.
- Platforms accessible to minors must implement special protection measures to ensure their online safety and will be prohibited from using targeted advertising based on the use of minors' personal data.
- Restrictions on targeted advertising based on profiling using special categories of personal data such as sexual orientation or religious beliefs and the use of "dark patterns" on the interface of online platforms.
VLOPs/VLOSEs must also:
- Analyse the systemic risks their platforms create and implement effective content moderation mechanisms to address them.
- Provide transparency on the key parameters of decision-making algorithms used to provide content and offer users a system for recommending content which is not based on profiling.
There are heavy fines for non-compliance of up to 6% of annual global income/turnover.
Once the EU co-legislators formally adopt the DSA, it will be published in the Official Journal of the European Union and will enter into force twenty days after publication. The DSA will apply fifteen months after entry into force or from 1 January 2024, whichever the later. The majority of obligations in the DSA are expected to come into force in Q2 of 2024.
The rules applicable to VLOPs/VLOSEs may enter into force sooner, possibly as early as mid 2023. Such rules become applicable four months after the EC has designated a business as a VLOP/VLOSE. All online platforms must publish their average monthly users in early 2023 so that the EC can make this designation.
DSA v Online Safety Bill
Brexit has led to parallel but contrasting key domestic proposals in the form of the UK's Online Safety Bill (OSB) which seeks to regulate certain internet services with the key aim of tackling illegal and harmful online content. The OSB touches on aspects of the DSA. It remains to be seen whether the UK will seek to address the wider aspects, if and when the OSB makes it through Parliament. At the time of writing, the OSB has been postponed.
Key an eye out for further LS articles on the DSA, the EU AI Regulation and the OSB (as well as related commentary on the UK's recent proposals for data reform) as they progress through their respective legislative processes. A more detailed article on the DSA can be accessed here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.