17 February 2024: The Digital Services Act (DSA) is now fully applicable
Published on 21st Aug 2023
The EU Digital Services Act is now applicable to all digital services. Since 17 February 2024, intermediary services must have fulfilled the far-reaching obligations. This should not be underestimated, as a considerable implementation effort is sometimes required. In some cases, it is even necessary to assign or create certain new roles within the company.
But what is the Digital Services Act actually, to whom does it apply, and what can affected companies expect?
Through the Digital Services Act, the EU is setting a new European standard for the regulation of intermediary services. Public coverage has initially focused mainly on issues such as tackling the spread of hate speech and fake news on social networks. As a result, other far-reaching effects are often still neglected at present, so that many companies are not yet clear on the extent of the regulatory requirements: The DSA applies to all types of online services that deal with third-party content. The DSA also addresses much more than just the deletion of illegal content, but also, for example, advertising disclosure obligations.
This note provides an overview of the concrete business models affected, the associated requirements, and possible sanctions for non-compliance.
DSA in a nutshell:
Examples: ocial networks, online marketplaces and comparison portals, but also cloud services, content delivery networks, VPNs, DNS services, registries and certification authorities that issue digital certificates, as well as many online shops, even if they only make very little third-party content available. |
What is the DSA?
With the DSA, the EU has created a new instrument to regulate intermediary services, in the form of a regulation with direct legal effect in the Member States. The DSA also updates the E-Commerce-Directive, which is over 20 years old and deals with harmonised rules on transparency and information requirements for online service providers, commercial communications or electronic contracts and limitations of liability of intermediary service providers.
The EU assumes that these services pose particular risks to society, as they pass through, transmit, store or distribute content from third parties – and not just their own content. The EU is pursuing a graduated regulatory approach depending on the type and size of the service. The aim is to combat the dissemination of illegal content such as hate speech and fake news, but also the sale of unsafe or counterfeit products by unidentifiable sellers. The DSA also addresses some consumer protection issues, such as general terms and conditions, the moderation of the content provided (replacing the Network Enforcement Act, or NetzDG), "dark patterns" (see our microsite), or special regulations intended to protect minors.
The DSA broadly consists of three regulatory areas:
- A safe harbor regime with conditions for exemption from liability for illegal third party content (in essence, adoption of the existing regulations from the E-Commerce-Directive; not an independent self-contained or harmonized liability regime, because the question of whether content is illegal or who is liable for it under which circumstances is in general based on national laws of the Member States or other EU legal requirements),
- the establishment of due diligence obligations, and
- Implementation and enforcement powers for the EU Commission and national authorities ("Digital Services Coordinators" or "DSCs"); in Germany, this role is likely to be taken over by the Federal Network Agency, while the Federal Data Protection Commissioner and the Federal Agency for the Protection of Children and Young People in the Media are also currently in discussion to oversee specific requirements under the DSA.
The DSA implements a destination or market location principle: It applies whether the service provider is established inside or outside the EU, as long as it addresses recipients in the Union. Offering services in the EU means enabling natural or legal persons in at least one Member State to use the services where there is a “substantial connection” to the EU. Such a connection for Non-EU-companies depends on factual circumstances such as a significant number of recipients or if the service is targeted at users in at least one Member State.
Which business models are affected?
The DSA addresses "intermediary services" and thus has a broad scope of application that should not be underestimated. It covers "mere conduit” services, "caching" services and "hosting” services (including online platforms and online marketplaces) as well as online search engines. The DSA has adopted definitions from the E-Commerce-Directive.
- Services of mere conduit transmit information provided by recipients into a communication network or open access to such a network without being connected to the transmitted information. Internet exchange nodes (e.g. DE-CIX), wireless access points, virtual private networks (VPNs), DNS services and DNS resolvers, services of top-level domain name registries, registrars, certification authorities issuing digital certificates and, at least with regard to the exemption from liability, also Internet voice telephony (VoIP) and other interpersonal communication services are covered. This also includes WiFi and VPN providers.
- Caching services also transmit information provided by recipients in a communication network. In contrast to "mere conduit", in this category an automated, temporary intermediate storage of the transmitted information takes place. However, this is only because the intermediate storage is necessary due to efficiency considerations. Typical examples are the operation of networks for the provision of content ("content delivery networks"), reverse proxies or proxies for the adaptation of content.
- Hosting services provide recipients with an infrastructure for storing their data. Examples include cloud computing services, web hosting services, paid referencing services or services that enable the online exchange of information and content (including file storage and exchange).
- Online platforms are a sub-category of hosting services and, in addition to the storage of third-party information, require that the information is disseminated publicly, i.e. to a potentially unlimited number of people, on behalf of the recipient. It should be noted that 'public dissemination' can also occur when registration is required, but is automatic or without human verification (i.e. a corporate intranet is not included, but platforms where anyone can register are). This category covers social networks or online marketplaces. The latter are characterised by the fact that they allow traders to conclude distance contracts with consumers (i.e. only B2C marketplaces) and are subject to further obligations. Purely ancillary activities that include the storage and publication of third-party information (e.g. the operation of the comments section of an online newspaper) do not result in a service becoming an online platform. However, this exception is to be interpreted narrowly and must refer to the technical functionality as a "minor feature"; the commercial significance plays at most a subordinate role in that regard.
- Online search engines allow recipients to enter queries in the form of a keyword, a voice entry, a group of words or any other input, in order to carry out a search on any topic on all websites and to have results displayed (horizontal search engines). The format of the final product is irrelevant as long as the information is related to the requested content (vertical search results such as an online image search are also covered).
What are VLOPs?
The DSA lays down additional obligations that apply exclusively to so-called "very large online platforms" (VLOPs) or very large online search engines (VLOSEs). The decisive factor is reaching an average of at least 45 million active recipients per month in the EU. This classification is made by designation-decision of the EU Commission on the basis of figures that all online platforms and online search engines had to publish on their service by 17 February 2023. At the end of April 2023, the Commission published the first wave of designations, including social networks, online marketplaces, app stores and search engines.
In addition to an annual supervisory fee to cover the Commission's costs for enforcement, the very large services must in particular carry out a risk analysis and are subject to additional obligations, for example regarding T&Cs, protection of minors, transparency of online advertising and the establishment of a compliance department. The obligations of the DSA will affect the VLOPs and VLOSEs already four months after their designation, i.e. with regard to the first designation-wave from the end of August 2023 and with regard to the second designation-wave from the end of April 2024.
Why does the DSA have such a significant impact?
In addition to new transparency obligations (for example, regarding recommender systems, advertising, information on the third-party trader for online marketplaces, etc.), there are in particular requirements regarding moderation processes, i.e. how to deal with content that is illegal according to national law, but also content that is to be prohibited on the service according to the provider's own terms.
These moderation processes are precisely regulated and must be described in detail in the T&Cs. The effort involved in implementing the moderation process should not be underestimated, even for those platforms that were already subject to the German Network Enforcement Act or its French equivalent (these national laws will be superseded by the DSA, but the DSA requirements are slightly different).
Online platforms have even more extensive obligations and must, for example, introduce a complaints management system, but also meet special requirements for advertising and recommender systems and pay particular attention to the protection of minors. In this regard, early consideration of the rights and obligations is elementary, as the implementation effort is enormous. The DSA not only requires adjustments to the T&Cs, but also has far-reaching consequences for the user interface, which often keep the development teams busy for months. In addition, internal processes have to be reorganised and, if necessary, new internal company roles have to be created. Providers of intermediary services which do not have an establishment in the EU have to designate a legal or natural person to act as their legal representative regarding (the breach of) obligations under the DSA.
In addition, building on the E-Commerce-Directive, the DSA has harmonised the liability privileges for unlawful third-party content and, in particular, codified respective case law of the European Court of Justice. In essence, hosting services (including online platforms and online marketplaces) remain liable for unlawful third-party content only if they have actual knowledge or awareness of unlawful activity or content and do not act "expeditiously" to block access to or remove the unlawful content.
What are the consequences of violating the new provisions?
Member States are in principle responsible for monitoring, enforcement and sanctioning (through the respective "digital services coordinators"). VLOPs and VLOSEs are supervised by the EU Commission.
In particular, it should be noted that fines and periodic penalty payments are imposed on providers and recipients can claim damages under the applicable national or other Union law.
The maximum amount for fines is 6% of the total annual worldwide revenue achieved in the preceding financial year, which is even higher than under the GDPR. The sanctions applicable in Germany will be regulated in the "Digitale-Dienste-Gesetz" (DDG), which has yet to be enacted.