What does this new landmark law mean for service providers?
The Digital Services Act (DSA) establishes a framework for an unprecedented level of transparency, accountability and fairness for digital services in the EU. It imposes obligations in a cascading fashion, with a base level of universal obligations and more onerous obligations applying to three specific categories of service provider. The DSA applies where recipients of a service are based in the EU, regardless of the service provider’s place of establishment. It provides for significant fines of up to 6% of global turnover for non-compliance.
Who is covered?
The DSA applies to ‘intermediary services’, the definition for which includes a wide range of online services. In terms of the obligations which apply, the DSA distinguishes between the following types of intermediary service:
- ‘Caching’ and ‘mere conduit’ services, such as internet access providers
- ‘Hosting services’ being services consisting of the storage of information provided by, and at the request of, a recipient of the service
- ‘Online platforms’, being a subset of hosting services that also disseminate information to the public, such as social media and online marketplaces
- Very large online platforms and search engines (VLOPs and VLOSEs), being online platforms which have an average monthly user base in the EU of at least 45 million
The DSA contains a wide array of obligations. The obligations applying to different online services match their role, size and impact in the online ecosystem. Examples of some of the more significant obligations include that:
- All services will be required to respond to orders to act against illegal content on their services and inform users of their actions. Terms and conditions will also need to be updated to reflect content moderation practices
- All hosting services must put in place ‘notice and action’ mechanisms to enable anyone to flag illegal content and to ensure that they act upon same in a timely manner
- All online platforms must have an effective internal complaints-handling system and must put in place “appropriate and proportionate measures” to ensure a high level of privacy, safety and security of minors. We expect European Commission guidance to assist service providers with this, and other, unclear obligations
- Online marketplaces must also carry out ‘Know Your Business Customer’ checks. Marketplaces which allow consumers, i.e. natural persons, to conclude contracts with traders must verify basic identity information about the traders conducting business on their platform, and must enable traders to comply with pre-contractual requirements on-platform easily. They must take steps to inform consumers if illegal products or services were sold on the marketplace
- In addition to all of the above obligations, VLOPS and VLOSEs have auditing and accountability obligations and must carry out wide ranging periodic risk assessments on, for example, the dissemination of illegal content on their platforms, and any actual or foreseeable negative consequences their services might have for minors, gender violence and civic discourse
Ireland now has pan-EU regulatory responsibility for service providers having their main EU establishment here, except for VLOPs and VLOSEs in relation to which the European Commission takes primary responsibility. National regulators known as Digital Services Coordinators (DSCs) have general responsibility for ensuring implementation and enforcement of the DSA. A new Media Commission, to be established under the recently enacted Online Safety and Media Regulation Act 2022, will be Ireland’s DSC under the DSA.
Timelines and next steps
The DSA entered into force on 16 November 2022 and will apply to most services from 17 February 2024. However, the DSA will apply to VLOPs and VLOSEs sooner than this. One of the first challenges for online platforms and search engines is how to calculate the number of average monthly active recipients (AMAR).
Online platforms and search engines have until 17 February 2023 to publish information on their AMAR. We discuss the legal, technical and practical challenges here. The European Commission also has the power to request this information and adopt decisions designating an online platform as a VLOP or VLOSE at any time. The DSA will apply to these services four months from designation.
Next steps for service providers:
- Are your services within scope? Providers should consider the services they offer. Services may be entwined, requiring providers to establish a process to decide where to draw the line, particularly for calculating monthly active users, complying with different sets of obligations or where an online marketplace might be integrated into a product
- Internally, consider whether and to what extent you need to change systems and practices in order to facilitate compliance with the various requirements under the DSA. This will of course depend on the nature of the service and scope of obligations which apply
- Externally, consider whether and to what extent you need to adjust your user interface and terms and conditions to comply with the DSA
- If you operate an online marketplace, consider whether you have processes for gathering and verifying identity information on traders. Does your marketplace provide the transparency for consumers, and allow you to suspend traders and products for non-compliance?
Ensuring compliance with the DSA will involve careful consideration of the various obligations, a gap analysis as against the service provider’s current practices and, in most cases, fairly extensive changes to a service provider’s terms, practices and policies, as well as implementing new reporting processes. We recommend that all relevant businesses/organisations take steps now to familiarise themselves with the scope of the Act and start a compliance project without delay.
For more information, please contact a member of our Technology team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.