July 2022 – An intense effort to agree on unified directly applicable European rules for digital services is finally yielding results. On 5 July 2022, almost two years after their introduction by the European Commission, the European Parliament adopted in the first reading the Digital Services Act (DSA) and Digital Markets Act (DMA), following an earlier deal reached between the Parliament and the Council of the European Union on 23 April and 24 March 2022, respectively.
Both the DSA and DMA are landmark rules with the potential to fundamentally change the way digital services are provided within the European Union (EU). In this installment, we look at the DSA, which updates the rules for online intermediary liability 20 years on from the adoption of the e-Commerce Directive, and which introduces new compliance requirements for many market players.
What are the current rules and why the need for an update?
The e-Commerce Directive, adopted in 2000, has been the main legal cornerstone for the provision of digital services across the EU. Due to significant technological developments over the past 20 years the rules were deemed to require upgrading.
Directly applicable rules and tiered obligations
One set of directly applicable rules will now apply to digital services across the EU. All intermediary service providers across the EU single market (whether based within or outside the EU) will be bound by these rules. The DSA sets forth “tiered obligations” so that the more complex and larger the service, the greater the applicable obligations.
To whom does the DSA apply?
The regulation applies to intermediary services providers in general. This represents a broad category of players, including:
- “mere conduit” services (e.g. internet service providers);
- “caching” services (e.g. content distribution networks that store data for only a limited period of time);
- hosting services (e.g. cloud or web-hosting);
- online platforms (such as social networks, online marketplaces, app stores and online travel and accommodation websites.);
- very large online platforms (those with over 45 million active monthly users in the EU and are which designated as such by the Commission) (“VLOPs”); and
- very large online search engines (those with over 45 million monthly active users in the EU and which are designated as such by the Commission) (“VLOSEs”).
Status quo: no general monitoring or active fact-finding obligations; notice and takedown preserved
Intermediary service providers (ISPs) are not obliged to actively monitor transmitted or stored information and the current “notice and takedown” principle is preserved (this means that a hosting service provider must expeditiously remove or disable access to hosted content when notified of any alleged illegality; if a hosting service provider fails to remove or disable access to the content expeditiously, the provider becomes liable for the respective allegedly illegal content).
New “Good Samaritan” provision
A notable addition to the EU intermediary liability regime is a so-called “Good Samaritan” clause. Under this clause ISPs are not held liable if they, in good faith and with diligence, have carried out their own voluntary investigations or taken other measures aimed at detecting, identifying and removing, or disabling access to illegal content.
Obligations applicable to all ISPs
All ISPs are obliged to comply with the following new requirements:
Single point of contact: ISPs must designate a public single point of contact enabling them to communicate directly, by electronic means, with both the respective authorities and the recipients of their services. This information must be easily accessible and up to date.
EU legal representative for ISPs based outside the EU: If the ISP is based outside the EU, but offers its services in the EU, it must appoint a natural or legal person as its legal representative in the EU (this is to some extent similar to the EU representative concept under the GDPR). However, under the DSA, such a representative can be held directly liable for non-compliance with the obligations under the DSA.
Terms and conditions: ISPs must include in their T&Cs any restrictions on their services, details on procedures and on the tools used for content moderation, including algorithmic decision-making and human review, and the rules of procedure for the respective internal complaint handling systems.
Annual transparency reporting: At least once per year ISPs must issue a transparency report on any content moderation conducted. The report must contain, inter alia, the number of orders to provide information about one or more specific individual recipients of the service received by Member State authorities and the number of complaints received through the respective internal complaint-handling systems. Online platform providers must also inform, on the basis those complaints, of any decisions taken in response, the time required for taking the decisions and the number of instances where those decisions were reversed.
Takedown and disclosure orders: ISPs that receive takedown and disclosure orders from the competent judicial or administrative authorities are obliged to notify these authorities of any actions taken with regard to the order. If the ISP takes down content or discloses information about the service recipient, the ISP must then notify the service recipient of such an action.
Additional hosting provider obligations
Notice and action mechanisms: Hosting providers are obliged to put mechanisms in place to allow any person to notify potential illegal content. Those mechanisms must be easy to access, user-friendly, and allow for the submission of notices by electronic means.
Notification of takedowns and reasoning: If a hosting provider decides to impose restrictions on particular content – such as removal, disabling access, or demoting or restricting visibility (e.g. “shadow bans”) – it must provide a clear and specific statement on the grounds for such actions to the affected service recipients.
Reporting criminal offence suspicions: Hosting providers must notify the law enforcement or judicial authorities if any hosted content creates a reasonable suspicion of a criminal offence involving a threat to the life or safety of persons.
Significant changes for online platforms
Key changes in the DSA apply to “online platform” providers that include, for instance, social media services and online marketplaces. As regards interpersonal communication services, such as e-mails or private messaging services, these do not fall under the online platform definition, as they are used for interpersonal communications between a finite number of persons determined by the respective sender. On the other hand, DSA rules may apply to services that allow making available information to a potentially unlimited number of recipients, not determined by the sender of the given communication, such as through public groups or open channels. The new rules on online platforms will also not apply to micro or small enterprise platforms.
Internal complaint-handling system: Online platform providers must have an internal complaint-handling system in place that will allow service recipients to exercise the right to file an objection against a decision by a content provider. The internal complaint-handling system must be easy to access and user-friendly. Moreover, online platform providers must handle such complaints in a timely, non-discriminatory, diligent and non-arbitrary manner. Online platform providers must also inform complainants without undue delay of any reasoned decision taken in respect of a complaint and of the possibility of an out-of-court dispute settlement. The above is undoubtedly a significant “compliance” change for many platforms who will, as a result, have to be much more transparent about their content moderation processes and may have to allocate additional resources to upgrade these processes in order to address any potential objections and appeals in accordance with the DSA.
Other significant new obligations for online platforms include, inter alia, the following:
Suspension of frequent offenders: Where a service recipient, after a prior warning, continues to “frequently” provide manifestly illegal content, the online platform provider is obliged to suspend such an offender for a reasonable period of time. Each case of a suspension must be dealt with individually, in a timely, diligent and objective manner, while taking in to account all the relevant facts and circumstances of the case.
Prohibition of dark patterns: Online platform providers cannot design, organise or operate their online interfaces in a way that manipulates, deceives or materially distorts the choices taken by the recipients of the service.
Additional transparency reporting obligations: Apart from the transparency reporting obligations outlined above, the online platform providers are also obliged to disclose the number of average monthly active recipients in the EU, the number of disputes submitted to out-of-court dispute settlement bodies, and the number of suspensions imposed on frequent offenders.
Ads and recommender system transparency: Online platform providers are obliged to provide recipients with information on displayed advertising, including the reasons why a particular ad was targeted at them. Similarly, the online platform provider must be transparent in its terms and conditions about the operation of any recommender system – i.e. the system used to automatically select content for the particular recipient to view – and must explain why certain information is suggested to the recipient on the platform.
Protection of minors: Online platforms accessible to minors must put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security for minors.
Strengthened rules for identifying and tracking traders on online platforms: If a trader wishes to conclude distance contracts with consumers through an online platform, the trader is now obliged to provide the online platform with the information and documents specified by the DSA. The online platform must then make a best effort to verify whether this information is reliable and complete. A trader will also have to make a self-certification to an online platform committing to offer only products and services that do not contravene applicable EU laws. This information must then be kept securely by the online platform for a duration of six months after the end of the contractual relationship – and is then deleted.
Additional obligations for VLOPs and VLOSEs
The strongest obligations laid down by the DSA concern VLOPs and VLOSEs. These are obliged, inter alia:
- to conduct a robust risk assessment of their services and to take steps to mitigate any systemic risks identified in the assessment;
- to appoint an independent compliance officer (a function similar to a DPO under the GDPR);
- to commission an annual independent audit, which will yield an audit report; and
- to follow other stringent transparency requirements.
High penalties for non-compliance with DSA obligations
Each Member State must specify the penalties in their national laws in line with the requirements set out in the DSA. Sanctions are gradual and unprecedented in their scope. Penalties will amount to up to 6 percent of the global turnover of a given intermediary service provider in the preceding financial year for DSA violations. In addition, daily penalties for continuous breaches of DSA total up to 5 percent of the average daily provider’s worldwide turnover. In addition, service recipients also have a right to compensation for any damage or losses suffered as a result of the given breach.
What’s next?
The DSA now has to be formally adopted by the Council. After its signature, the DSA will be published in the Official Journal of the European Union.
For most entities, the DSA will be directly applicable across the EU 15 months after its entry into force, or from 1 January 2024, whichever is later. For VLOPs and VLOSEs the DSA will apply from an earlier date, namely four months after being designated as such by the Commission.
The exact text adopted by the Parliament is available here.
The Kinstellar TMT team is available to answer any questions with respect to the above.
For more information please contact Petr Bratský, Managing Associate and Head of the local TMT sector, at , and Vít Kopečný, Junior Associate, at .