The EU Digital Services Act: how are online platforms, search engines, social network providers and other online service providers affected?

Online providers of intermediary services such as marketplaces, internet services, cloud services, messaging, and social networking will soon be subject to new rules under Regulation (EU) 2022/2065 on a single market for Digital Services, amending Directive 2000/31/EC, the so-called Digital Services Act (the “DSA”).

The DSA entered into force on 16 November 2022 with the majority of obligations becoming applicable on 17 February 2024. The new rules supplement the E-commerce Directive (2000/31/EC) and apply to providers of intermediary services irrespective of their place of establishment or their location, in so far as they offer services in the European Union. 

The DSA establishes harmonised rules in the European Union for the creation of a secure, consistent and reliable digital space that promotes progress and upholds the fundamental rights protected under the EU Charter of Fundamental Rights, such as consumer protection rights. The DSA also introduces new mechanisms for the removal of illegal content. Although the DSA does not specify what constitutes illegal content, the approach “what is illegal offline should be illegal online” is being followed. Each EU Member State must designate a Digital Services Coordinator by 17 February 2024.

Which providers are caught under the DSA?

The DSA defines intermediary services by classifying information society services into three types: the mere conduit service, the caching service and the hosting service.

What requirements apply to each provider under the DSA depends on the nature and size of the services offered. Assessing whether the DSA applies to a provider's range of services can be a challenging undertaking, especially if some of those services fall outside the DSA's scope or belong to different types of intermediary services. Therefore, it is crucial to analyse each service offered by the provider individually to determine its level of DSA applicability.  

The DSA distinguishes between the following three types of intermediary services:

  • mere conduit services:

    consist of the transmission of information provided by a recipient of the service in a communication network, or the provision of access to a communication network (e.g. internet exchange points, wireless access points, virtual private networks, DNS services and resolvers, top-level domain name registries, registrars, certificate authorities that issue digital certificates, voice over IP and other interpersonal communication services);

  • caching services:

    consist of the transmission of information provided by a recipient of the service in a communication network, involving the automatic, intermediate and temporary storage of that information, for the sole purpose of making the information’s onward transmission to other recipients more efficient upon their request (e.g. content delivery networks, reverse proxies or content adaptation proxies); and

  • hosting services:

    consist of the storage of information provided by, and at the request of, a recipient of the service (e.g. cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing).

Rules for different tiers of intermediary service providers

The obligations applicable to different intermediary service providers are divided into different tiers, with different levels of obligations applicable to network infrastructure providers and hosting services compared to online platforms, such as marketplaces and app stores, which are subject to more demanding requirements.

The most stringent rules apply to 'Very Large Online Platforms' (VLOPs) and 'Very Large Online Search Engines' (VLOSEs), which serve more than 45 million EU service recipients on average each month and are designated as such under the DSA.

The breakdown of the different tiers is illustrated below:

Key obligations for providers of intermediary services:

Providers of intermediary services shall:

  • Establish two separate points of contact for direct communication with: (a) relevant authorities and (b) the recipients of the services. ‘Recipients of the service’ are natural or legal persons who use an intermediary service, in particular for the purposes of seeking information or making it accessible. Providers not established in the EU but offering services within the EU will need to designate a legal representative in the EU;

  • Include in their terms and conditions (T&Cs) clear information about the imposition of restrictions on the use of their services (i.e. content moderation policies) and their complaint handling procedure, inform recipients of any significant changes to their T&Cs, and providers offering services primarily to minors shall explain the conditions and any restrictions of use in a way that is understandable to minors;

  • Publish an annual report on content moderation, which shall include information on the number of orders and notices received from relevant authorities and complaints received from recipients and how they handled them.

Key obligations for hosting services:

In addition to the obligations applicable to all providers of intermediary services, the providers of hosting services must:

  • Put in place a mechanism that allows individuals or entities to notify them when they come across illegal content within their services. Upon examination of the matter, the provider shall inform the individual or entity who filed the notice of the decision taken and the available redress mechanisms.

  • Provide a statement of reasons to any affected recipient on any restrictions on visibility of the content, restrictions of monetary payments, suspension or termination of the service in whole or in part or suspension or termination of recipient’s accounts on the ground that they provided illegal content.

  • Inform the national law enforcement or judicial authorities of any information giving rise to suspicions of serious criminal offences involving a threat to the life or safety of persons.

Key obligations of online platforms:

Online platforms are considered a subcategory of hosting services. The difference between the two is that online platforms not only store information, they disseminate it too. More specifically, ‘online platforms’ are hosting services that, at the request of a recipient of the service, store and disseminate information to the public. Examples include social networks, content-sharing platforms, app stores, online marketplaces, and online travel and accommodation platforms.

The concept of ‘dissemination to the public’ entails the making available of information to a potentially unlimited number of persons without further action by the recipient of the service providing the information being required, irrespective of whether those persons actually access the information in question.

In addition to the obligations applicable to providers of hosting services, the providers of online platforms (excluding micro or small enterprises) must:

  • Provide an internal complaint-handling system for decisions taken by the provider regarding content moderation;

  • Provide the option of using a certified out-of-court dispute settlement mechanism to resolve disputes that have not been resolved by means of the internal complaint-handling system;

  • Handle notices filed by trusted flaggers (independent entities appointed by relevant authorities) with priority;

  • Publish the average monthly active recipients in the last six months on their online interface;

  • Design their online interfaces in a way that allows recipients to make free and informed decisions and shall not in any way deceive or manipulate them;

  • Ensure that advertisements are transparent in a way that allows recipients to understand that the information is an advertisement, identify the individual or entity on whose behalf the advertisement is presented, who paid for it and the parameters used to determine the targeted audience;

  • Set out in their terms and conditions the main parameters used in their recommender systems, as well as options to modify or influence those parameters;

  • Provide a high level of privacy, safety, and security for minors.

In addition to the above obligations applicable to online platforms, online marketplaces (excluding micro or small enterprises) are also subject to the following obligations:

  • Online marketplaces which allow consumers to enter into online contracts with traders (i.e. natural or legal persons acting for the purposes relating to their trade) shall ensure that such traders have provided certain information necessary to ensure their traceability (e.g. contact, payment and identification details) and must assess the information provided to the best of their ability.

  • In the event that consumers have purchased illegal products or services through the provider’s services, the provider shall inform them of such illegality.

Key obligations for very large online platforms or very large online search engines:

Very large online platforms (VLOPs) and very large online search engines (VLOSEs) are subject to more stringent rules. Online platforms and online search engines which have a number of average monthly active recipients of the service in the EU equal to or higher than 45 million shall qualify as VLOPs or VLOSEs.

Some of the key obligations applicable to VLOPs and VLOSEs include:

  • diligently identifying, analysing and assessing any systemic risks stemming from the use of their services and putting in place effective mitigation measures for those risks;

  • being subject to independent audits to assess compliance with their obligations, and implementing any recommendations or providing reasons for not doing so;

  • introducing a crisis response mechanism and providing a summary of their terms and conditions, which shall be in one of the official EU languages.

Important deadlines to keep in mind:

Even though most obligations of providers shall take effect in early 2024, online platforms shall as of 17 February 2023 and every six months thereafter publish the average number of the recipients of their service in the European Union. Providers must count all recipients interacting with their services and include them when calculating the average monthly active recipients of their service. This information must be easily accessible on their online interface to facilitate automated identification and updates.

If online platforms exceed 45 million recipients of the service, the European Commission will “designate” them as VLOPs or VLOSEs. Four months after such designation, the DSA will be applicable to the designated entities.

Given that the new regulations carry the potential for significant penalties, it is critical for providers to begin preparing for the DSA's requirements as soon as possible.

More Information:

The above article provides a general outline of the DSA. If you offer intermediary services and would like to obtain more information, please do not hesitate to get in touch with us here.

 
