Proposed New EU Regulation for Intermediary Service Providers - The Digital Services Act
The European Commission (the “Commission”) unveiled the highly anticipated Digital Services Act (“DSA”) (here) on 15 December, which seeks to tackle illegal content online and foster greater competition in the digital marketplace by harmonising the responsibilities and liabilities of online intermediary service providers (“OIPs”) with heightened obligations for platforms with more than 45 million users. Similar to the P2B Regulation, all online intermediaries offering their services in the EU, irrespective of where they are established, will be subject to the DSA. The Digital Markets Act (“DMA”) (here) which seeks to ensure fair and open digital markets was also published by the Commission on 15 December.
The New Digital Landscape
The DSA has been introduced to bridge the gap between a rapidly evolving European digital services market and an antiquated legal framework which has remained largely unchanged since the introduction of the e-Commerce Directive twenty years ago. The rapid growth of online shopping, social media and other online services has highlighted many shortcomings with the e-Commerce Directive, both in terms of its ability to regulate OIPs and to protect consumers from emerging online risks including illegal content, counterfeit goods and the misuse of personal data. It is hoped that by clarifying and increasing the obligations placed on OIPs and their liability for non-compliance, the DSA will shield consumers from many of these risks. While introduced to address shortcomings associated with the e-Commerce Directive, the DSA specifically states that it is without prejudice to this Directive.
Who does the DSA apply to?
The DSA applies to all OIPs offering services within the EU (including internet access providers, domain name registrars, cloud and webhosting services, online marketplaces, app stores, collaborative economy platforms and social media platforms), irrespective of their establishment or residence. As a result, US tech giants who provide digital services to European consumers will be subject to the same onerous responsibilities as their European counterparts. While the DSA applies to OIPs generally, it outlines enhanced obligations for both online platforms and ‘very large online platforms’, defined as platforms with 45 million users or more (“Big Techs”). This is a separate definition to that of “gatekeeper” under the DMA.
The DSA lays down certain conditions under which providers of mere conduit, caching and hosting services are exempt from liability for third-party information they transmit and store. For example, a hosting service provider shall not be liable provided that it does not have actual knowledge of illegal activity or content and is not aware of the facts/circumstances from which the illegal activity/content is apparent or, on obtaining knowledge or awareness of those facts/circumstances, acts expeditiously (emphasis added) to remove or disable access to it. However, a court or administrative authority may still require the hosting service provider to terminate or disable access to the illegal content. Echoing Article 15 of the e-Commerce Directive, the DSA confirms that there is no general obligation on OIPs to monitor information they transmit or store, nor does it require OIPs to actively seek facts or circumstances indicating illegal activity. The definition of illegal content in the DSA is information in itself or by reference to an activity, which is not in compliance with EU law or the law of a Member State, irrespective of the precise subject matter or nature of that law.
Online platforms and other providers of hosting services must put mechanisms in place to allow any individual or entity to notify them of the presence on their service of information which the individual or entity considers to be illegal content. These mechanisms must be easy to access, user-friendly, and allow for the submission of notices exclusively by electronic means.
The DSA obliges Big Techs to treat notices submitted by “trusted flaggers” with priority and they are required under the DSA to provide an internal complaint-handling system in respect of decisions on alleged illegal content or information incompatible with their T&Cs. Big Techs must also inform competent enforcement authorities in the event the platform becomes aware of any information giving rise to a suspicion of serious criminal offences involving a threat to life or the safety of persons.
The DSA requires online platforms to give users immediate information on the sources of the advertisements they see online, including information on why an individual has been targeted with a specific advertisement.
In addition, Big Techs are required to compile and make publicly available a repository containing information including (i) the content of the advertisement, (ii) the natural or legal person on whose behalf the advertisement is displayed, and (iii) the period during which the advertisement was displayed. This repository must be maintained for 1 year after the advertisement was displayed for the last time on the OIP’s interface. This repository must not contain any personal data of the recipients of the service to whom the advertisement was or could have been displayed.
The DSA also provides that Big Techs that use recommender systems (which seek to predict the rating or preference a user would give to an item) must set out, in a clear, accessible and easily comprehensible manner, the main parameters used in the recommender systems, as well as any options they may have made available for the recipients of the services to modify or influence those main parameters, including at least one option which is not based on profiling (as defined in the GDPR).
Terms and Conditions and Single Point of Contact in the OIP
All OIPs must include in their T&Cs information on any restrictions that they impose in relation to the use of their services and they must act responsibly in applying and enforcing those restrictions. The information in the T&Cs shall include information on any policies, procedures, measures and tools used for the purpose of content moderation, including algorithmic decision-making and human review. It shall be set out in clear and unambiguous language and shall be publicly available in an easily accessible format. The DSA requires all OIPs to establish a single point of contact to facilitate direct communication with Member States’ authorities, the Commission and the Board. OIPs not established within the EU but offering services here must designate a legal representative within the EU for this purpose.
Obligations vis à vis Traders
The DSA obliges Big Techs to receive, store, make reasonable efforts to assess the reliability of, and publish, specific information on the traders using their services, where those online platforms allow consumers to conclude distance contracts. Big Techs must also organise their interface to enable traders to respect EU consumer and product safety law.
Annual risk assessments
Big Techs are required in the DSA to conduct annual risk assessments, at their own expense, probing how they have dealt with various systemic risks, including the dissemination of illegal content online. Such risk assessments should inform ‘risk mitigating measures’ that they may need to take in order to discourage and limit the dissemination of illegal content. The DSA also requires platforms of this nature to appoint one or more compliance officers to ensure compliance with the obligations in the DSA.
Enforcement and Penalties
Every Member State will be required to designate a Digital Services Coordinator (“DSC”) within two months of the entry into force of the DSA to oversee its compliance and enforcement. The DSC will be responsible for monitoring the number of users of online platforms every six months to see whether an OIP falls within the 45 million user threshold. Member States where the main establishment of the provider is located have jurisdiction to enforce the DSA and Member States are to set down their own rules on the penalties applicable for a breach. If an OIP does not have an establishment in the EU but offers services here, the relevant DSC for that OIP will be where the OIP’s legal representative resides or is established. DSCs are required to publish annual reports on their activities.
DSCs can receive complaints against OIPs on foot of an alleged breach and have investigative powers. In respect of Big Techs, these include the power to compel the supply of information or compel the supply of information to “vetted researchers” who will examine the activities of those OIPs for the sole purpose of conducting research that contributes to the identification and understanding of systemic risks within the platform.
In addition, the DSA makes provision for the establishment of the ‘European Board for Digital Services’, an independent advisory group of Digital Services Coordinators responsible for the supervision of OIPs and harmonising the application of the DSA across Member States.
The DSA provides for heightened supervision, enforcement and monitoring of very large platforms, with the Commission able to carry out an investigation into an OIP of this nature, including through requests for information, interviews and on-site inspections, as well as interim measures and binding commitments by very large platforms.
In circumstances where a Big Tech breaches a relevant provision of the DSA, does not comply with an interim measure mandated by the Commission, or violates a binding commitment it made, it can face fines of up to 6% of annual revenue. In addition, further sanctions of up to 1% of annual revenue may be imposed where a Big Tech provides “incorrect, incomplete or misleading information” to the Commission in reporting obligations or fails to submit to an on-site inspection.
The European Parliament and the Member States will discuss the Commission's proposals according to the ordinary legislative procedure and if adopted, the DSA will be directly applicable across the European Union. In the meantime, all OIPs but in particular those with over 45 million users, or growing numbers of users, should consider the obligations and enforcement mechanisms in the DSA carefully. Subject to the DSA entering into force, OIPs will need to seek guidance and advice from their legal advisors where appropriate on how to best update their T&Cs and internal procedures to be DSA compliant.
The press release issued by the European Commission in relation to the DSA can be found (here).
Also contributed by Sean Kehoe.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.