The DSA is the result of a 2020 initiative. This regulation is part of the broader context of the European Union’s digital strategy that aims at modernization and safety. The premise is that what is forbidden offline must also be forbidden online. The DSA adheres to this by imposing a series of obligations on digital services providers to protect the recipients of those services.
As the DSA is an EU regulation, the rules therein have direct effect and bind every EU Member State. Moreover, service providers have until 24 February 2024 to comply with the DSA obligations. From then on, every recipient of digital services can directly seek remedies from the authorized body to enforce its rights when breached by a digital service provider. Therefore, it is important that your company or organization check thoroughly whether you are subject to the new rules, and if you are, whether your company or organization complies with them.
What is important in this respect is that your company or organization must disclose how many recipients use your services. The European Commission will use these figures to determine which obligations apply to you, and if, for example, you qualify as a very large online platform. After the required information has been provided, every EU Member State has until February 2024 to designate a Digital Services Coordinator who will follow up on DSA compliance. Hence, you still have time until then to make the requisite adaptations.
2. Scope of application of the DSA
The DSA distinguishes three types of service providers:
- Providers of intermediary services: these provide services that consist of the transmission of information through a communication network and that can also involve storage of that information. Internet service providers belong in this category, for instance.
- Providers of hosting services: these provide services that consist of the storage of information. These are providers of cloud services or other services whereby the provider also stores clients’ information.
- Online platforms: this is a subcategory of hosting services that stores and disseminates information, e.g., online marketplaces and social media.
Furthermore, the DSA dedicates a separate section to very large online platforms and search engines because of their significant reach and the particular risks associated with them. Because of their nature, these service providers are often subjected to stricter obligations.
Regarding the DSA’s personal scope of application, we note that it is not the service provider’s registered office that is determinative, but rather the recipient’s place of establishment or residence. For example, the DSA shall apply whenever the recipient of the service is located within the EU, even if your company or organization, the service provider, is based outside of the EU.
This means that your company or organization will have to fulfill the obligations under the DSA if you offer any of the abovementioned types of services or if you make them available to your clients. An exception to this pertaining to online platforms is that the DSA will not apply if your company or organization mainly offers other services and merely provides an online platform as an additional or complementary service.
3. Main principles of the DSA
As mentioned in the beginning, the DSA is part of the EU’s harmonization strategy to create an environment that is innovative and competitive yet prioritizes the protection of the service recipients’ safety in a sustainable manner. Therefore, we distinguish four important pillars in the DSA that underlie these principles.
The service provider has an obligation to inform which cannot be taken lightly. First of all, this translates to the mandatory publication of an annual report that contains detailed information on the platform’s content. Depending on the nature of the service supplied, this report must, among other information, include information about the number of complaints a platform received and how they are handled. Moreover, the service provider must inform the recipient of the service about any restrictions that the service provider can impose on the recipient. The service provider is thereby obliged to include this information in his general conditions, which must be communicated to the recipient of the service.
Another relevant aspect of the transparency obligation is explaining how the service provider moderates content and what algorithms are used. In this respect, and particularly for hosting services, the DSA sets out specifically what a report of illegal content must look like and how this must be substantiated. User-friendliness is key for this, and the recipient of the service must be able to use this mechanism in a straightforward digital way. Furthermore, as part of this obligation, the recipient of the service must be informed about the various dispute resolution methods which are available to it and the effects thereof.
In addition, providers of intermediary services must designate two points of contact who are responsible for efficient communication. One point of contact for the recipient of the service, and the other one for the government or responsible authorities. Given the DSA’s scope of application, service providers outside the EU must also appoint a legal representative.
If the recipients of the service are minors or if the service provider is a very large online platform, the DSA provides for additional safeguards.
- Know your business and customer
This obligation is closely related to the transparency obligation and aims to compel service providers to conduct the necessary due diligence on the business partners with whom they engage and cooperate. More specifically, the service provider will have to verify the identity (e.g., name, bank information, ID) of every actor. Interestingly, this obligation is already being applied to influencers as of 2021. They too must disclose the identity of their business partners to social media users in light of the transparency obligation.
- Exclusion of Liability
Although the DSA mainly adheres to the idea that the recipients of a service must be protected, the law also establishes a protection mechanism for service providers. This protection is situated at different levels depending on the service provider’s conduct and the extent of its involvement or knowledge of certain information.
For intermediary service providers, we distinguish mainly two protection mechanisms:
- According to the DSA, intermediary service providers are protected, for example, when a recipient of the service requests that the service provider restrict the mere transmission of information without selecting or changing it. This type of service falls under the “mere conduit” category for which the intermediary cannot be held liable, even if the information were found to be illegal in nature afterwards.
- Whenever the intermediary stores the information temporarily upon the request of the recipient of the service, the intermediary shall also be excluded from liability. To enjoy this protection, the intermediary must meet the requisite conditions, such as using technical measures that are customary in the sector and regulating the access to information (offering so-called caching services).
Specifically pertaining to the limitation of liability for hosting services, this category of service providers can invoke the knowledge criterion. In particular, the hosting provider will not be liable if it can demonstrate that it was not aware of the illegal content of the information or data on its platform. If it gains knowledge of such content, it must act quickly and accurately to remove the illegal content. This obligation exists in addition to the abovementioned notification mechanism.
This limitation of liability goes hand in hand with Article 8 of the DSA, which stipulates that service providers have no obligation to actively conduct an investigation into illegal activities or information on their platforms. In this respect, Article 7 also confirms that service providers that do this (albeit only when they do so in good faith and diligently) continue to benefit from the limitations of liability. Therefore, service providers are considerably shielded from certain activities by their recipients.
- Targeted advertising
This practice is very common, and the DSA regulates this in light of the transparency obligation. Service providers must always clearly indicate that certain content is an advertisement, and the recipient of the service must be informed about why he or she is seeing a specific ad. Moreover, the recipient of the service must know who the advertiser is, who paid for the advertising, and what parameters were used in order to show him or her that particular ad.
To enforce the aforementioned obligations, the DSA implements a double enforcement mechanism. At national level, the interests of the recipients of the service are protected by the Digital Services Coordinator, who has specific investigative powers. At supranational level, this task is carried out by the European Committee for Digital Services.
The most important aspect of enforcement evidently consists of fines, which any service provider would run the risk of incurring if it fails to fulfill its obligations under the DSA. Fines can go up to 6% of the service provider’s global annual turnover, and they can even be backed by a penalty of a maximum of 5% of the average daily global turnover if the violation persists. Given the severity of the fines, it is essential that your company or organization assess your own services in due time.
The DSA introduces some new obligations pertaining to transparency and the provision of information to recipients. Your company or organization, as a service provider, will have to conduct a thorough review of your current policies to identify any non-conformities. As the implementation of the requisite adaptations to achieve compliance can take time, we recommend that you take the necessary actions proactively in response to these obligations.
If you have any questions about providing digital services, using online platforms, or other questions relating to privacy and data protection, please contact the privacy and data protection team at Monard Law.