The EU Digital Services Act
What is the EU Digital Services Act (DSA)?
The Digital Services Act (DSA) establishes a framework for an unprecedented level of transparency, accountability and fairness for digital services in the EU. It imposes obligations in a cascading fashion, with a base level of universal obligations and more onerous obligations applying to three specific categories of service provider. The DSA applies where recipients of a service are based in the EU, regardless of the service provider’s place of establishment. It provides for significant fines of up to 6% of global turnover for non-compliance.
Who is covered under the EU Digital Services Act?
The DSA applies to ‘intermediary services’, the definition of which includes a wide range of online services. The DSA distinguishes between the following types of intermediary service:
- ‘Caching’ and ‘mere conduit’ services, such as internet access providers.
- ‘Hosting services’ being services consisting of the storage of information provided by, and at the request of, a recipient of the service.
- ‘Online platforms’, being a subset of hosting services that also disseminate information to the public, such as social media and online marketplaces.
- Very large online platforms and search engines (VLOPs and VLOSEs), being online platforms which have an average monthly user base in the EU of at least 45 million.
What are the significant obligations of the EU Digital Services Act?
The DSA contains a wide array of obligations, which apply to different online services in a cascading fashion matching their role, size and impact in the online ecosystem. Examples of some of the more significant obligations include that:
- All services are required to respond to orders to act against illegal content on their services. Terms and conditions will also need to be updated to clearly and comprehensively reflect content moderation practices and service providers must publish transparency reports in relation to content moderation.
- All hosting services must put in place ‘notice and action’ mechanisms to enable anyone to flag illegal content and to ensure that they act upon same in a timely manner.
- All online platforms must have an effective internal complaints handling system and must put in place "appropriate and proportionate measures" to ensure a high level of privacy, safety, and security of minors.
- Online marketplaces must carry out ‘Know Your Business Customer’ checks and take steps to inform consumers if illegal products or services were sold on the marketplace.
- In addition to all of the above obligations, VLOPs and VLOSEs must carry out wide ranging periodic risk assessments on, for example, the dissemination of illegal content on their platforms and any actual or foreseeable negative consequences their services might have for minors, civil discourse, gender violence and civic discourse. They must also put in place corresponding risk mitigation measures and are subject to auditing obligations.
What is Ireland's role?
Ireland has pan-EU regulatory responsibility for service providers having their main EU establishment here, except for VLOPs and VLOSEs in relation to which the European Commission has primary (but not exclusive) responsibility. National regulators known as Digital Services Coordinators (DSCs) have general responsibility for ensuring implementation and enforcement of the DSA. The new Irish Media Commission (Coimisiún na Meán), established in March 2023, is Ireland’s DSC under the DSA.
What are the timelines and next steps of the EU Digital Services Act?
Since 17 February 2023, all online platforms have been required to publish average monthly active recipients in the EU on their website. The DSA has also fully applied to many VLOPs and VLOSEs since August 2023 but will apply to all other service providers from 17 February 2024.
Next steps for service providers in advance of the impending 17 February 2024 deadline:
- Are your services within scope? Providers should carefully consider their services on offer. Services may be entwined, requiring providers to establish a process to decide where to draw the line, particularly for calculating monthly active users, complying with different sets of obligations or where an online marketplace might be integrated into a product.
- Internally, consider whether and to what extent you need to change systems and practices in order to facilitate compliance with the various requirements under the DSA. This will of course depend on the nature of the service and scope of obligations which apply.
- Externally, consider whether and to what extent you need to adjust your user interface and terms and conditions to comply with the DSA.
- If you operate an online marketplace, consider whether you have processes for gathering and verifying information on the identity of traders.
Ensuring compliance with the DSA will involve careful consideration of the various obligations. In advance of the impending 17 February 2024 deadline, we recommend that all relevant businesses / organisations take steps now to familiarise themselves with the scope of the DSA and its approach to regulation. For more information on the likely impact of the DSA on your business, contact a member of our Technology team.