Legal development

The EU Digital Services Act- What do you need to know?

pattern

    The Ashurst Emerging Tech Series is a collection of briefings compiled by our UK and European Digital Economy Transactions team, designed to help businesses understand and prepare for the impacts of new and incoming digital services and emerging tech legislation.

    In our second briefing, we consider the EU Digital Services Act (DSA).

    Introduction to the DSA

    The DSA sits alongside the EU Digital Markets Act (DMA) to form a single set of rules that apply across the EU. The DSA and the DMA have the dual goal of:

    • creating a safer digital space in which the fundamental rights of all users of digital services are protected (with measures being set out under the DSA); and
    • establishing a level playing field to foster innovation, growth, and competitiveness in the digital services market, both in the European Single Market and globally (with measures included under the DMA).

    We have published an article on the DMA which you can read more about here.

    What does the DSA do? When does the DSA take effect? Who does the DSA apply to?

    The DSA imposes rules on intermediary service providers i.e. companies that connect EU consumers with goods, services and content at a distance by electronic means. There are five sets of rules under the DSA:

    1. rules for all intermediary service providers;

    2. rules for hosting intermediary service providers;

    3. rules for online platforms;

    4. rules for online platforms that facilitate distance selling; and 

    5. rules for very large online platforms (VLOPs) and very large online search engines (VLOSEs).

    These rules are intended to increase transparency and help to prevent illegal or harmful online content, including online scamming activity.

    The DSA entered into force in November 2022 and becomes fully applicable in February 2024 (although some rules applicable to online platforms and online search engines have applied since February 2023).

    The DSA applies to intermediary service providers that provide services in the EU, regardless of where such companies are based - like the GDPR, the DSA has extra-territorial effect.

    While the DSA and UK Online Safety Act (OSA) broadly have the same core aim of making online activity safer for users, each of these Acts seeks to do this in materially different ways. This means that businesses providing digital services will have to consider their obligations under both the DSA and the OSA if they provide digital services in the EU and the UK. You can read our article on the OSA here.

    Key points and timeline

    What are intermediary services?

    Intermediary services are one of the following services when provided at a distance, by electronic means:

    • a mere conduit service – e.g. an internet service provider, virtual private networks or wireless access points;
    • a caching service – e.g. content delivery networks, content management or proxy providers;
    • a hosting service – e.g. cloud computing or web hosting service providers;
    • an online platform (being a hosting service which, at the request of the user, disseminates information to the public) – e.g. online marketplaces or social media sites; or
    • online search engines – e.g. Google or virtual assistants. 

    What rules apply?

    1. Provisions applicable to all intermediary service providers

    General obligations

    All providers of intermediary services have certain obligations under the DSA, regardless of the size of their operations in the EU. Such obligations include:

    • removing illegal content (and taking other appropriate actions) upon an order of a relevant national authority and advising the national authority what steps have been taken in respect of such illegal content;
    • making (at a minimum) a yearly report on any content moderation; 
    • ensuring their terms and conditions contain certain information about the restrictions that they impose in relation to the use of their intermediary service;  
    • designating a single point of contact to enable direct communication with relevant national authorities and, for providers established outside the EU, appointing a legal representative in the EU; and
    • designating a single point of contact to enable service users to communicate 'directly and rapidly' with them and allowing users to choose the means of communication.

    Liability safe harbours

    While providers of intermediary services are subject to the DSA generally, there are various safe harbours which protect them from liability for information they transmit, give access to or store, where certain conditions are met. 

    The conditions are broadly similar to those set out in the E-commerce Directive, such as whether the service provider has modified the information, has some other active role in terms of the transmission or conditions for access of the information or has actual knowledge of the illegal activity or illegal content.

    2. Due diligence obligations for hosting service providers

    While the DSA is clear that companies that provide intermediary services do not have general monitoring or active fact-find obligations, hosting service providers may have certain due diligence obligations, including:

    • putting mechanisms in place to enable illegal content to be reported to them. These mechanisms must be electronic, easy to access and user-friendly; and
    • notifying appropriate authorities where they become aware of information that raises suspicion of criminal activity involving a threat to life or safety. 

    The DSA also requires a hosting service provider that removes or restricts a user's access to content to give its reasons for doing so.  These content moderation decisions must be submitted to the DSA Transparency Database, which was launched in September 2023.

    3. Rules for providers of online platforms

    Online platform providers are subject to additional obligations which are centred around protecting against misuse of their services. Online platform providers must (amongst other obligations):

    • implement an effective complaints handling system;
    • escalate warnings made by 'trusted flaggers’ (independent companies which have been appointed by the relevant national authorities to monitor unlawful content);
    • suspend users for a reasonable period of time after having issued a prior warning where such users have undertaken illegal activity;
    • report on complaints and suspensions;
    • ensure that their platform does not attempt to influence user decision making or otherwise deceive or manipulate users; and
    • not use targeted advertising where they believe with reasonable certainty that the user is a minor. Platforms which are available to minors are also subject to appropriate and proportionate safety, security and privacy measures.

    These obligations broadly do not apply to 'micro' and 'small' business enterprises (as defined in the DSA).

    4. Provisions applicable to online platforms that offer distance selling

    Online platforms which operate as online consumer marketplaces have additional rules to comply with, including:

    • ensuring relevant traders on their platform are verified and can be traced by obtaining certain information before allowing such traders to trade; 
    • designing their platform so that it enables traders to comply with relevant EU consumer laws, including trader obligations to provide consumers with pre-contractual information; and
    • informing a consumer where they find that a trader has undertaken illegal activity in respect of goods or services the consumer purchased from the trader.

    'Micro' and 'small' business enterprises (as defined in the DSA) are excluded from the specific additional distance selling obligations in certain circumstances.

    5. Rules for Very Large Online Platforms and Very Large Online Search Engines

    VLOPs and VLOSEs are designated by the EU Commission. Currently 17 platforms have been designated as VLOPs and two search engines as VLOSEs (details of such designations are below).

    Where a designated VLOP or VLOSE has an average of 45 million or more active users in a month, it will be subject to certain additional obligations and separate rules on supervision, investigation or enforcement. 

    These additional obligations and restrictions, broadly fall within the following categories:

    Managing and auditing risk/compliance

    Advertising transparency and fairness

    Data use and access

    • Assessing the systemic risks that their platforms create and implementing proportionate and effective mitigation measures
    • Establishing an independent compliance function (reporting directly to management)
    • Ensuring enhanced transparency reporting on content moderation
    • Conducting independent annual audits
    • Making available an advert 'repository', which sets out prescribed details for all adverts displayed on their platform in previous 12 months
    • Providing at least one option not based on profiling in any recommender systems (i.e. a system that makes targeted recommendations for a user)
    • Giving regulators access to data necessary to facilitate regulatory compliance monitoring 

    Companies Designated  as VLOPs and VLOSEs by the EU Commission on 25 April 2023

    Very  Large Online Platforms (VLOPs)

    • Alibaba AliExpress
    • Amazon Store
    • Apple AppStore
    • Booking.com
    • Facebook
    • Google Play
    • Google Maps
    • Google Shopping
    • Instagram
    • LinkedIn
    • Pinterest 
    • Snapchat
    • TikTok
    • Twitter
    • Wikipedia
    • YouTube
    • Zalando

    Very Large Online Search Engines (VLOSEs)

    • Bing
    • Google Search

    VLOPs/VLOSEs: non-compliance

    01

    02 

    03 

    A VLOP or a VLOSE that intentionally or negligently infringes the DSA or fails to comply with a decision or commitment made under the DSA may be subject to fines of up to 6% of its total worldwide annual turnover in the preceding financial year.

    Periodic penalty payments of up to 5% of the average daily income or worldwide annual turnover in the preceding financial year per day may be levied on a VLOP or a VLOSE where it fails to comply with its obligations to supply information, allow for an inspection or otherwise comply with an obligation placed on it, or a commitment it has made under the DSA.

    The EU Commission may undertake enhanced supervision of VLOPs and VLOSEs, requiring them to draft an action plan to remedy any DSA infringements.

    Supervisory responsibilities 

    • Digital Services Coordinators

    Member States are required to designate one or more competent authorities (known as Digital Services Coordinators) to be responsible for the supervision of providers of intermediary services and enforcement of the DSA.

    • European Board for Digital Services

    The DSA establishes an independent advisory group of Digital Services Coordinators to supervise providers of intermediary services. This group advises the Digital Services Coordinators to assist with certain objectives, such as consistent application of the DSA.

    Considerations and consequences

    Companies which provide services over the internet to EU consumers should consider the following steps to help prepare for the DSA:

    • Service assessment: Consider the potential classification of their online service(s) against the DSA’s definitions for intermediary services;
    • Applicable points of contact: Consider whether they need to designate specific contact points, legal representatives or responsible persons (e.g. compliance officers) to meet the requirements applicable to their intermediary service classification;
    • Wider business review: Consider which processes, documents and/or systems they will need to review and/or modify to meet the DSA’s various obligations around the content, format and accessibility of their customer documentation and information, as well as the enhanced monitoring and reporting requirements; and
    • Applicability of other related legislation: Where they provide services to the UK market, consider whether they are subject to the OSA.

    Authors: David Futter, Partner; Aimi Gold, Senior Associate; Siân Deighan, Associate; Hana Byrne, Trainee Solicitor

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.