For most companies, planning for 2024 is now well underway, including consideration of new compliance obligations expected to have an impact in the new year. On the privacy front, the new EU Digital Services Act (DSA), which becomes fully operational on February 17, 2024, will impose a host of new requirements on all companies offering digital services to customers in the EU, regardless of where those companies are located.

Given the scope and complexity of the DSA, we have prepared a list of FAQs to help support your compliance preparation efforts.

1. What is the purpose of the DSA?
According to the European Commission, the governing body in the EU responsible for privacy regulation, the DSA was introduced with the following goals in mind:

  • For individuals, better protection of fundamental rights, more choice and control, more online protection for children, and less exposure to illegal content (such as hate speech, terrorist content, child sexual abuse material)
  • For digital services providers, more legal certainty and harmonization across the EU, making it easier for providers to operate
  • For businesses who use digital services, access to EU-wide markets
  • For society, greater democratic control, platform oversight, and mitigation of systemic risks, such as manipulation and disinformation

2. What does the DSA change?
The DSA is designed to accomplish the above goals by effecting change in the following areas:

  • Harmonizes rules across the 27 member countries to ensure all EU citizens are afforded the same protections
  • Enables users to be informed about, and to contest, content moderation
  • Provides access to dispute resolution mechanisms for users in their own countries
  • Requires transparent terms and conditions
  • Increases safety and awareness by revealing the true sellers of products
  • Establishes expedited crisis response mechanisms, along with additional risk management mechanisms applicable to public health and security crises
  • Implements new protections for minors
  • Bans targeted advertisements directed to minors or using sensitive personal data
  • Enables access to data to research platforms' risks on society and fundamental rights

3. What is the scope of the DSA?
The DSA applies to all online intermediaries offering digital services in the EU, whether they are established in the EU or elsewhere, including the following types of entities:

  • Intermediaries, such as Internet access providers and domain name registrars
  • Hosting services providers, such as cloud and webhosting service providers
  • Online platforms, such as online marketplaces, app stores, and social networks
  • Very large online platforms (VLOPs) and very large online search engines (VLOSEs); specific rules will apply to VLOPs and VLOSEs

4. Who are the EU-Designated VLOPs and VLOSEs?
Online platforms or search engines that reach more than 10% of consumers in the EU (approximately 45 million consumers) have been designated VLOPs or VLOSEs by the European Commission. Currently, the EU Commission has identified 19 VLOPs, including:

  • Amazon Store
  • Facebook
  • Google Maps, Google Play, and Google Shopping
  • Instagram
  • LinkedIn
  • Pinterest
  • Snapchat
  • TikTok
  • Twitter
  • Wikipedia
  • YouTube

Currently, there are 2 VLOSEs: Bing and Google Search.

5. What are the special requirements applicable to VLOPs and VLOSEs?
Under the DSA, entities designated as a VLOP or VLOSE were given four months from the date of such designation to begin complying with the law. Additionally, VLOPs and VLOSEs are considered regulated entities under the DSA, and are expected to comply with a set of additional requirements applicable only to those larger entities.

6. What are the basic requirements of the DSA?
The DSA creates a common set of rules that apply to all online intermediaries providing digital services to customers throughout the EU. These requirements are intended to match a provider's size, role (intermediary service, hosting service, online platforms, or VLOPs/VLOSEs), and impact in the online ecosystem. These requirements include:

  • Wide-ranging transparency measures, including use of algorithms
  • Terms of service requirements
  • Cooperation with national authorities
  • Designation of points of contact

Additional requirements for VLOPs and VLOSEs include:

  • Conducting independent audits
  • Measures for users to report illegal goods, services, and content online
  • Establishing a consumer complaint and redress mechanism
  • Cooperation with "trusted flaggers"
  • Measures against abusive notices
  • Know your business customer (KYBC) obligations
  • Bans on advertisements that target children and those based on a user's special characteristics
  • Transparency of online advertising
  • Risk management obligations
  • Internal and external auditing and public accountability
  • User choice to opt out of recommendations based on profiling
  • Data sharing with authorities
  • Codes of conduct for compliance and accessibility for people with disabilities
  • Crisis response cooperation

7. What are the penalties for noncompliance?
The European Commission, the Member States, and the Member States' Digital Services Coordinators will work together to enforce the DSA. Penalties for non-compliance include:

  • Fines of up to 6% of annual global revenue
  • Increased oversight
  • Temporary ban on operating in the EU in the event of repeated serious breaches that threaten people's lives or safety

In addition, the European Commission launched the European Centre for Algorithmic Transparency (ECAT), a scientific center, to conduct technical tests on algorithmic systems, support investigations, identify emerging risks related to the use of VLOPs/VLOSEs, and analyze transparency reports, risk assessments, and independent audits.

If you have questions about the DSA or other privacy compliance issues, please contact Virginia Fournier at vfournier@outsidegc.com.

A member of our California team, Virginia Fournier is a seasoned technology and privacy attorney with over 25 years of legal and business experience in the industry. She regularly handles a wide range of technology-related matters, including negotiating and drafting complex licensing agreements, compliance, data security and privacy, and intellectual property issues. Virginia is also a Certified Information Privacy Manager (CIPM) and Certified Information Privacy Professional (CIPP/US and CIPP/E certifications).
