Digital Services Act – New Rules for Online Intermediaries

On 19 October 2022, twenty years after the adoption of Directive 2000/31/EC (“E-Commerce Directive”), the European Union (EU) has adopted Regulation (EU) 2022/2065 on a Single Market For Digital Services (“Digital Services Act” or “DSA” or “Act”) .

The DSA is part of the 2020 EC Digital Services Package and has been adopted in par with Regulation (EU) 2022/1925 on contestable and fair markets in the digital sector (“Digital Markets Act“ or “DMA”).

The aim of the Act is to set out harmonized rules for the internal market for online intermediary services towards a safe, predictable and trusted online environment that facilitates innovation, while also effectively protecting fundamental and consumer rights.

The DSA and the DMA are the centerpieces of the new EU legal framework for the regulation of digital services, which also includes, among others, the E-Commerce Directive, the Platform-to-Business Regulation (EU) 2019/1150 (“P2B Regulation”) and the Directive on Copyright in the Digital Single Market,

The DSA follows a tiered approach for the regulation of online intermediary services. Depending on the nature of the service, the Act establishes four tiers of due diligence obligations, with VLOPs and VLOSEs subject to the most comprehensive requirements.

1.Scope, Definitions & Subject Matter

The DSA applies to information society services that constitute an intermediary services offered to recipients of the service that have their place of establishment or are located in the Union, irrespective of where the providers of those intermediary services have their place of establishment.

Hence, the DSA develops a clear extra-territoriality effect by including in its scope any online intermediaries established outside of the EU that offer their services in the European single market. Similar to the EU representative institution of the GDPR, such entities are obliged under the Act to appoint a legal representative within the EU directly liable on their behalf.

Article 3 of the DSA establishes the following definitions:

  • Information society service means any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services;
  • Intermediary service means either a ‘mere conduit’ service (e.g. VoIP, VPN or WiFi) or a ‘caching’ service (e.g. web caching or proxy server) or a ‘hosting’ service (e.g. internet hosting, online platforms, online marketplaces and search engines);
  • Online platform means a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public as its core activity;
  • Online search engine means an intermediary service that allows users to input queries in order to perform searches of, in principle, all websites, or all websites in a particular language, on the basis of a query on any subject in the form of a keyword, voice request, phrase or other input, and returns results in any format in which information related to the requested content can be found.

According to the tiered regulatory approach of the Act online intermediary services are subject to the following tiers of due diligence obligations:

  • 1st Tier: Transparency rules for content moderation applicable to all intermediary services;
  • 2nd Tier: Notice and action requirements applicable to hosting providers and online platforms;
  • 3rd Tier: Extensive due diligence measures for online platforms and dedicated obligations for online platforms allowing consumers to conclude distance contracts with traders;
  • 4th Tier: Risk management, risk mitigation, independent audit, data scrutiny and enhanced transparency requirements for VLOPs and VLOSEs overseen by the European Commission;
  1. Liability of Intermediary Service Providers

Chapter II of the DSA replaces articles 12-15 ,of the E-Commerce Directive regarding the liability of online intermediaries.

As in the E-Commerce Directive, the relevant provisions of the Act provide that mere conduit, caching and hosting providers (i) are generally exempted from any liability regarding the information they transmit or store on the condition that they merely intermediate and lack actual knowledge of illegal activity; and (ii) have no general monitoring or active fact-finding obligations vis-à-vis such illegal activity.

In contrast to the E-Commerce Directive, however, the Act lays down specific rules for the execution by intermediary service providers without undue delay of orders and requests for information issued by national judicial or administrative authorities regarding illegal content.

  1. General Obligations for Intermediary Service Providers

The DSA lays down the following due diligence obligations applicable to all providers of intermediary services (Chapter III , Section 2):

  • The designation of a single point of contact with competent authorities and recipients of their services;
  • The inclusion in their terms and conditions of information about any restrictions in the use of their services, such as content moderation, algorithmic decision-making and rules of complaint handling;
  • The publication of annual content moderation transparency reports, with the exception of online intermediaries qualifying as SMEs;

Additional Obligations for Hosting Providers

In addition, the DSA sets outs due diligence obligations applicable to hosting providers and online platforms as follows (Chapter III, Section 2):

  • The establishment and implementation of notice and action mechanisms available to any third party for the removal of illegal content;
  • The submission of detailed statements of reasons to affected recipients of their services regarding the restriction or suspension of removal of content of additional restrictive measures against them;
  • The provision of respective notice to national law enforcement or judicial authorities in case of suspicion of criminal offences conducted through their services.

As lex specialis to the DSA, article 17 of the Directive on Copyright in the Digital Single Market provides for additional rules for the regulation of unlicensed user-generated copyright content in online content-sharing platforms.

  1. Additional Obligations for Online Platforms

Furthermore, the DSA provides for the following due diligence obligations applicable to online platforms (Chapter III, Section 3):

  • Establishment of effective, easy to access, user-friendly internal complaint-handling systems available to the recipients of their services, which ensure that complaints are handled in a timely, non-discriminatory, diligent and non-arbitrary manner;
  • Granting to the recipients of their services of the right to access out-of-court dispute settlement before certified bodies;
  • The prioritization of take down notices by trusted flaggers regarding illegal content;
  • The right to suspend their services to recipients that frequently provide manifestly illegal content;
  • The publication of enhanced annual content moderation transparency reports along with the publication per semester of information on the average monthly active recipients of their services in the Union;
  • The design and operation of their online interfaces in a way that does not deceive or manipulate the recipients of their services or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions;
  • The identification in a clear, concise and unambiguous manner and in real time of advertisements within their services and relevant data;
  • The prohibition of advertising based on profiling using special categories of data or data of minors;
  • The publication of the main parameters used in their recommender systems, as well as any options for the recipients of the service to modify or influence those main parameters;
  • The application of appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors.

Online platforms qualifying as SMEs shall be generally exempted from the foregoing obligations.

  1. Additional Obligations for Online Platforms Facilitating Trader / Consumer Contracts

The DSA also contains due diligence obligations targeted to online platform providers that facilitate the conclusion of contracts between consumers and traders as follows (Chapter III, Section 4):

  • The traceability of traders through the collection, verification and publication of their business data (“KYBC”);
  • The design of online interfaces in a way that nables traders to comply with their obligations regarding pre-contractual information, compliance and product safety information under applicable Union law;
  • The provision of information about illegal products or services to consumers who purchased them through their platforms.

Online platforms qualifying as SMEs shall be generally exempted from the foregoing obligations.

  1. Additional Obligations for VLOPs & VLOSEs

According to the DSA, online platforms and online search engines which have a number of average monthly active recipients of the service in the Union equal to or higher than 45 million shall be subject to additional obligations (Chapter III, Section 5).

Online platforms and online search engines shall acquire the status of Very Large Online Platforms (“VLOPs”) and  Very Large Online Search Engines (“VLOSEs”) upon their designation by virtue of a respective decision of the European Commission on the basis of data reported by the provider of the online platform or of the online search engine pursuant to Article 24(2-3) reporting obligations.

Providers of VLOPs and VLOSEs shall comply with the following obligations:

  • The carrying out of annual risk assessments about the dissemination of illegal content through their services, any actual or foreseeable negative effects for the exercise of fundamental rights, on civic discourse and electoral processes, in relation to gender-based violence, the protection of public health and minors and serious negative consequences to the person’s physical and mental well-being;
  • The implementation of reasonable, proportionate and effective mitigation measures, tailored to the specific systemic risks identified in risk assessments;
  • The execution, at their own expense, of annual independent audits by certified third parties to assess their compliance with the Act;
  • The application of enhanced obligations about recommender systems and advertising in their platforms;
  • The compliance with enhanced data scrutiny and transparency reporting obligations vis-à-vis competent authorities;
  • The establishment of independent functions to monitor compliance with the Act.
  1. Supervision & Enforcement

The DSA imposes the obligation on Member States to designate one or more competent authorities to be responsible for the supervision of providers of intermediary services and enforcement of the Act. One of those competent authorities shall be designated as Digital Services Coordinator responsible for all matters relating to supervision and enforcement of the Act.

Digital Services Coordinators shall have the power to impose fines to intermediary service providers violating the provisions of the DSA, the maximum amount of which shall be 6 % of their annual worldwide turnover in the preceding financial year.

Recipients of the services are also granted with the right:

  • to lodge a complaint against providers of intermediary services alleging an infringement of the Act with the Digital Services Coordinator of the Member State where the recipient of the service is located or established;
  • to seek, in accordance with Union and national law, compensation from providers of intermediary services, in respect of any damage or loss suffered due to an infringement by those providers of their obligations under the Act.

The Digital Service Coordinator of the Member State in which the main establishment of the provider of intermediary services is located or where its legal representative resides or is established shall have exclusive powers to supervise and enforce the Act.

In order to ensure its smooth and effective supervision and enforcement, the DSA also establishes a cross-border cooperation mechanism among Digital Services Coordinators and between them and the European Commission.

The DSA assigns the European Commission with the oversight of VLOPs and VLOSEs. Among others, the Commission has the power:

  • To require the provision of information about possible infringements;
  • To take interviews and statements from any natural or legal person;
  • To conduct on-site inspections and receive explanations on the organisation, functioning, IT system, algorithms, data-handling and business conducts of the entity under examination;
  • To order interim measures;
  • To render offered commitments binding;
  • To issue orders for the implementation of the necessary measures to ensure compliance;
  • To impose fines up to 6 % of the annual worldwide turnover of the entity under investigation in the preceding financial year.
  • To issue orders for the implementation of crisis response mechanisms towards specific VLOPs and VLOSEs.

Finally, the DSA establishes the European Board for Digital Services as an independent advisory group of Digital Services Coordinators on the supervision of providers of intermediary services.

In order to enforce the DSA through in-house and external multidisciplinary knowledge the Commission has also launched the European Centre for Algorithmic Transparency (“ECAT”).

  1. Timeline

The DSA has entered into force on 16 November 2022.

The Act shall generally become applicable from 17 February 2024. Nevertheless, VLOPs and VLOSEs will be required to comply within four months from their designation, where that date is earlier than 17 February 2024.

The Act empowers the European Commission to adopt delegated and implementing acts in order to supplement the provisions of this Regulation on the following issues:

(i)the form, content and other details of transparency reports by providers of online platforms;

(ii)the methodology for calculating the number of average monthly active recipients of VLOPs and VLOSEs;

(iii)the rules for the performance of independent third-party audits on VLOPs and VLOSEs;

(iv)the technical conditions for the access and sharing by VLOPs and VLOSEs to Digital Services Coordinators, the Commission or vetted researchers of data necessary to monitor and assess compliance with the Act;

(v)The calculation and determination of annual supervisory fees imposed on VLOPs and VLOSEs.

In April 2023, the Commission adopted the first designation decisions under the Act, designating 17 VLOPs and 2 VLOSEs.

The Commission may also issue guidelines on the obligations of VLOPs and VLOSEs related to online interface design and organization, especially in relation to the prohibition of “dark patterns”.

The Regulation (EU) 2022/2065 on a Single Market for Digital Services is available here.