European Union (EU) regulators reached agreement on the 23 April 2022 on the new Digital Services Act (DSA). It follows their recent agreement on its sister proposal, the Digital Markets Act, which addresses digital market imbalances in the EU. The aim of the DSA is to create an EU-wide uniform framework dealing with four issues - the handling of illegal or potentiality harmful online content, the liability of online intermediaries for third-party content, the protection of users' fundamental rights online and the bridging of information asymmetries between the online intermediaries and their users. Transparency and accountability sit at the heart of the EU's approach to handling these issues.

The DSA will have very wide application as it will catch any intermediary provider with significant numbers of EU users or targeting EU users, even if the provider is not established in the EU.

The DSA is due to be put before the European Parliament in July for the final vote. In this alert, we summarise some of the main provisions.

The DSA is due to be put before the European Parliament in July for the final vote. In this alert, we summarise some of the main provisions.

Scope

The DSA's reach is very broad. It applies to all "digital intermediary service providers", which covers mere conduits, caching providers and hosting providers. The DSA's regulations will apply in a proportionate way according to the nature of the service provider and type of risks:

  1. Intermediary services – this is the collective term for mere conduit services, caching services and hosting services i.e. organisations that transmit information in a communication network or give access to a communication network, such as an ISP or a hosting service, storing information inputted by a user;
  2. Online platforms – a sub-set of hosting services that, in addition to hosting information, disseminates that information to the public. Social networks, online marketplaces, app stores, online travel and accommodation websites, content-sharing websites and collaborative economy platforms are explicitly included as online platforms. In contrast, if the dissemination of information to the public is a "minor and purely ancillary feature" of another service, this is insufficient to establish an online platform. Additional obligations apply to online platforms; and
  3. Very large online platforms (VLOPs) –online platforms with more than 45 million active users in the EU. This is the highest tier of hosting services and has the heaviest compliance obligations.

Main provisions

This is a summary of the key obligations imposed on different levels of digital intermediary service providers by the DSA:

  1. Governance – all providers at all levels must establish a single point of contact for direct communication with supervisory authorities and have designated EU representatives (if established outside of the EU). Online platforms will need to have an out-of-court alternative dispute resolution mechanism, publish reports on the removal and disabling of illegal content or content contrary to their terms and conditions. VLOPs must perform systematic risk assessments, share data with regulators and appoint a compliance officer.
  2. Responsible online marketplaces – online platforms and VLOPs will have to strengthen checks on the information provided by traders and make efforts to prevent illegal content so that consumers can purchase safe products and services.
  3. 'Dark patterns' – providers must not manipulate users (commonly known as 'nudging') into using their service, for example by making one choice more prominent than the other. Cancelling a subscription to a service should also be as easy as subscribing.
  4. Targeted advertising – targeted advertising to minors and targeted advertising based on special category data will be prohibited for online platforms and VLOPs.
  5. Recommender systems VLOPs will be required to offer users a system for recommending content not based on profiling. Transparency requirements for the parameters of recommender systems will be included.
  6. "Notice and action" procedure - users will be empowered to give notice of illegal online content. Online platforms and VLOPs will have to be reactive through a clearer "notice and action" procedure. Victims of cyber crime will see the content that they report removed "immediately".
  7. Protection of fundamental rights – stronger safeguards must be put in place to ensure user notices are processed in a non-arbitrary and non-discriminatory way, and safeguards must protect fundamental rights such as data protection and freedom of expression.
  8. Accountability - Member States and the European Commission will be able to access the algorithms of VLOPs.

Enforcement and liability

Digital intermediary service providers can be fined up to 6% of annual worldwide turnover for breaching the DSA and up to 1% of worldwide turnover for providing incorrect or misleading information.

The 'mere conduit' exemption and 'caching' exemption from the E-Commerce Directive are available for service providers of intermediary services and remain unchanged. The 'mere conduit' exemption applies where the service provided only consists of the "transmission … of information provided by a recipient of the service, or the provision of access to a communication network". The 'caching' exemption applies where the service provided only consists of the "transmission … of information provided by a recipient of the service". The 'hosting' exemption within the DSA applies as long as the provider is unaware of the content - and there is no obligation on providers to pro-actively monitor content.

Should the service provider decide to conduct their own-initiative investigations and legal compliance initiatives, they will not lose the ability to use the exemptions above. However, they must act quickly to remove the illegal content once identified.

There will be national regulators for all intermediary services, bar VLOPs. Enforcement against VLOPs will be overseen directly by the European Commission.

Extra-territorial provision

The DSA will apply to providers of intermediary services regardless of their place of establishment/residence if they offer goods/services in the EU, or if their services have a "substantial connection" to the EU, which includes significant numbers of, or the targeting of, EU users.

It remains to be seen whether the UK Government will legislate in a similar manner. It is also worth noting that the DSA explicitly prohibits additional national laws dealing with the areas in scope of the DSA, making harmonisation absolute within the EU.

Timing

Other than for VLOPs, the DSA is to apply from the later of 15 months after entry into force or from 1 January 2024. For VLOPs the obligations will apply from four months after publication of the list designating the VLOPs.

If you would like to discuss any of the points raised in this article or would like more information, please contact Jocelyn Paulley.