Gentle Reminder: DSA Obligations Will Apply to Online Intermediary Services Starting 17 February 2024
It has been some time already since the EU Digital Services Act (Regulation 2022/2065, DSA) was published, and since then, the discussions about Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) have dominated the media coverage (see initial press release of European Commission here and coverage about VLOPs/VLOSEs petitions against categorization as VLOPs/VLOSEs here and here).
Smaller online service providers tend to forget that they may also face some new obligations under the DSA from 17 February 2024 onwards, but would be well advised to comply to avoid significant sanctions (e.g., fines of up to 6% of the global annual turnover or periodic penalty payments up to 5% of the global average daily turnover).
The following paragraphs provide a brief summary of the most relevant content of the DSA and will help online service providers to understand:
- If and to what extent the DSA applies to them;
- What specific obligations exist; and
- What sanctions may be applied in case of breach.
Preface: The DSA—What was that Again?
The DSA replaces or takes over parts of the EU Directive 2000/31/EC (eCommerce Directive), namely its provisions for liability for third-party content. Due to massive developments in the digital field, evolving use of online services, and new players entering the market or gaining relevance for our societies and lives, the European Union decided it was time to put in place a more contemporary set of rules taking into account these new developments, services, and stakeholders. Some of the provisions under the eCommerce Directive will continue to apply. Others were more or less copy and pasted from the eCommerce Directive (liability for third-party content). However, the DSA also lays a profound focus on transparency, due diligence, and general fairness principles, which results in a broad set of additional respective obligations with which every covered online service provider needs to comply. As the need for transparency and fairness varies depending on the types of service providers, the DSA follows a tiered approach:
- All online intermediary services are subject to basic due diligence obligations;
- Hosting service providers and online search engines need to comply with additional obligations; and
- Online platforms are subject to another set of additional rules.
For a more detailed analysis of the respective undertakings for each tier, please refer to our comprehensive publication on the DSA available here.
While certain provisions for VLOPs and VLOSEs already apply since November 2023, the broad set of obligations for the basis of online intermediary services will apply from 17 February 2024—about time to check again if you are well prepared.
Sounds a bit chaotic? Agreed, but we will try shed some light on the new obligations and who needs to do what.
Does the DSA Apply to My Company?
The DSA applies to all providers of online intermediary services, which are defined as basically all of the below service categories offered to users (and not merely “consumers”) with a habitual residence in the EU.1 A seat or establishment of the service provider in the European Union is expressly not required.
Mere Conduit
(i.e., the transmission of information provided by a user to a communication network or granting a user access to such a communication network, e.g., the internet);
Caching
(i.e., the automated temporary storage of user information for the purpose of transmitting the information to other users faster on their request);
Hosting
(i.e., the storage of information provided by a user and on user’s request):
Online Platforms
(i.e., a hosting service storing information and disseminating the information to the public on request by a user);
Very Large Online Platforms
(i.e., Online Platforms with an average of at least 45 million monthly active users);
Online Search Engine
(i.e., the intermediary service enabling users to enter a search request and to run searches on the entire internet for a random topic and receive a result list in any format)2:
Very Large Online Search Engines
(i.e., Online Search Engines with an average of at least 45 million monthly active users).
Okay, got it—But what do I Need to Do?
As already pointed out, the specific obligations for online intermediary services depend on which of the above mentioned services your company provides. Here are the most relevant (albeit nonexhaustive) obligations for each service provider category applying from 17 February 2024 in a nutshell:
General Due Diligence and Transparency Obligations Applying to All Intermediary Services (Including Online Platforms, Hosting, Caching and Mere Conduit Services, Online Search Engines)
Point of Contact (Art 11, 12)
Make single points of contact for authorities and users available to the public, enabling users to communicate easily in electronic form (excluding solely automated tools like chat bots) and to choose the means of communication.
Legal Representative (Art. 13)
Appoint a legal representative who is authorized to respond to enquiries on behalf of service provider in one EU member state where services are offered (only if service provider has no EU establishment).
Terms and Conditions (Art. 14)
The restrictions for use of service in respect of illegal content provided by users must be mentioned in publicly available terms and conditions, including information regarding measures applied to block illegal content and procedural rules for complaint handling.
Transparency Report (Art. 15)
Publication of publicly accessible, easily comprehensible, and machine-readable reports on measures taken to respond to illegal content at least once a year.
Additional Obligations for Hosting Service Providers (Including Online Platforms, but Apparently Not for Online Search Engines)
Notice and Action Mechanism (Art. 16)
Put in place easily accessible and user friendly mechanisms to allow persons to notify hosting provider of illegal content and duly handle such notices (where receipt of such justified notice may give rise to liability for such illegal content pursuant to Art. 6).
Statement of Reasons (Art. 17)
Provide specific statement of reasons to users that are subject to service restrictions such as blocking content, suspension or termination of services, or similar measures in context of provision of illegal content, including information about applicable redress mechanisms.
Notification of Criminal Offenses (Art. 18)
Upon suspicion of a criminal offense against the life or safety of persons, report to competent law enforcement authorities.
Additional Obligations Only for Online Platforms (Not Applicable to Micro and Small Enterprises3)
Complaint Handling System (Art. 20)
Inform persons submitting take-down notices through the notice and action mechanism about the results of their notice by way of an effective internal complaint-handling mechanism and handle any incoming complaints in timely, nondiscriminatory manner by qualified personnel.
Out-of-Court Dispute Settlement (Art. 21)
Offer persons submitting take-down notices through the notice and action mechanism subject to a decision under Art. 20 an out-of-court settlement body certified by an EU member state to resolve any dispute related to the decision and engage in a dispute resolution process in front of such body.
Trusted Flaggers (Art. 22)
Notices by trusted flaggers (status to be awarded by EU member states) in their respective field of expertise must be handled with priority.
Suspension of Services in Cases of Misuse (Art. 23)
Upon prior warning, temporarily suspend access to services for users who have frequently and manifestly provided illegal content or have issued frequently and manifestly unfounded notifications under Art. 16 and 20.
Transparency Reporting (Art. 24)
In addition to Art. 15. Online Platform providers need to include in their annual reports information regarding out-of-court dispute settlement proceedings (Art. 21) and service suspensions (Art. 23) every six months. Starting 17 February 2023, Online Platform providers must publish and submit to the competent member state authority information about the number of average monthly active users in the European Union to assess whether they qualify as VLOP.
Online Interface Design (Art. 25)
Websites and other online interfaces must be designed in a non-manipulative and non-deceiving manner.
Advertising (Art. 26)
When presenting ads to users of an Online Platform, the provider must, in real time, inform the user that the content is advertising, the person on whose behalf the ad is presented or who has paid for it, and based on which main criteria the presented ad was selected.
Recommender Systems (Art. 27)
Online Platforms using tools to recommend specific content to users need to inform users about the main parameters for the content selection and how these can be changed or influenced.
Protection of Minors (Art. 28)
Online Platforms accessible to minors must put in place proportionate measures to ensure a high level of privacy, safety, and security of minors when using the service; advertising based on profiling (as defined by the General Data Protection Regulation) may not be presented where the data to build the profile does, with reasonable certainty, relate to a minor.
Additional Obligations for Online Platforms Enabling Consumers to Enter Into Distance Sales Contracts with Traders (Not Applicable to Micro and Small Enterprises)
Traceability of Traders (Art. 30)
Prior to allowing the use of the services, providers need to collect certain information from traders communicating with or offering goods or services to EU users on the Online Platform (the legal names, contact details, copy of an identification document, payment account details, trade register data, and self-certification to offer only products compliant with applicable EU laws) and confirm such information by accessible sources.
Compliance by Design (Art. 31)
The Online Platform needs to be designed in a manner that enables traders to comply with their statutory information, compliance, and product safety information duties and to assess by applying best efforts whether traders have complied with their respective obligations prior to permitting the trader to offer goods on the Online Platform (including random checks in official, freely accessible, and machine-readable online databases or online interfaces whether the products or services offered by traders have been identified as illegal).
Notification Obligation (Art. 32)
If an Online Platform provider becomes aware that a certain product sold via its Online Platform is illegal, the identified purchasers of this product must be notified that they purchased an illegal product, the identity of the trader, and any available means of redress.
As regards the transparency reporting obligations on content moderation applicable to intermediary service providers, the European Commission has published a draft act setting out the mandatory templates for these transparency reports here, on which feedback and comments can be submitted until 24 January 2024.
VLOPs and VLOSEs (Art 33–43)
As to this date, only very few Online Platforms and search engines have been identified by the European Commission as VLOPs and VLOSEs, and we thus refrain from providing further information in this regard here.
Ouch—But what if I Do Not Comply?
The competent supervisory authorities to be designated by each of the EU member states respectively until 17 February 2024 (Digital Services Coordinators) have investigative and corrective powers, including the power to impose administrative fines in case of breach of the obligations under the DSA of up to 6% of the annual worldwide turnover of the provider of the intermediary service, as well as up to 5% of the average daily worldwide turnover for periodic penalty payment. The experience with fines under the EU General Data Protection Regulation, which has established a similar legal regime, indicates that, after an initial period of uncertainty, fines in the five- to seven-digit area may be realistic for smaller and medium-sized enterprises. However, if fines under the DSA will develop similarly remains, of course, to be seen.
Our EU Data Protection and IT team is available to assist you in preparing your compliance with the DSA. We are an international law firm with European offices in Brussels, France, Luxemburg, Germany, Italy, and the United Kingdom. Our lawyers regularly advise on technology and media law, privacy law, consumer protection and product safety laws, and antitrust law.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.