Digital Services Act enters into force: new obligations for digital intermediary services
The European Union will see fundamental changes to online regulation. On 16 November 2022, the Digital Services Act (“DSA”) comes into force as Regulation (EU) 2022/2065. It contains numerous new provisions and obligations for digital intermediary services. These include liability rules for illegal content, a far-reaching system of tightened and new due diligence obligations as well as an effective enforcement regime. Fines of up to 6% of worldwide annual turnover can be imposed by authorities in case of violations.
Providers of intermediary services must implement measures to comply with the obligations of the DSA by 17 February 2024 at the latest. Given the scope of the requirements, this is not much time. Companies are well advised to review whether and to what extent they are affected by the new obligations and reorganise compliance structures in good time, make the necessary changes to the services and adapt their terms and conditions.
The DSA applies to digital intermediary services. These include internet access services (e.g. Telekom and Vodafone), social networks (e.g. Facebook and Twitter), online marketplaces (e.g. eBay and Amazon) and search engines (e.g. Google and Bing) as well as all other access, caching and hosting providers. Both large tech companies and also small and very small providers down to the individual commercial provider of a Wi-Fi hotspot are covered by the DSA. Like the GDPR, the DSA only requires that the service is offered in the EU, regardless of where the provider is based.
Liability for illegal content
On a practical level, it is very important to note that the DSA retains the liability privileges for online services introduced by the e-Commerce Directive (and the German Telemedia Act – TMG) in the event that users disseminate illegal content. In principle, online services continue to not be liable if users distribute illegal content via their services. Only once they become aware of illegal content, providers have to take action. There is no general monitoring obligation. The DSA supplements the liability rules with uniform procedural requirements for orders by authorities to act against illegal content or to provide user information.
The key feature of the DSA is a number of due diligence obligations that digital intermediary services will have to follow. These obligations impose duties to act on the providers, regardless of the question of liability for illegal third-party content. In order to cover the specific risks of online services, the DSA relies on a system of obligations graduated according to the nature and size of the services:
The most important requirements include obligations to offer points of contact for users and authorities and to set up a notice and action procedure for illegal content. For online platforms, there are also specific procedural requirements for moderating content and compulsory complaint and dispute resolution mechanisms comparable to those required under the German Network Enforcement Act (NetzDG). Last but not least, the DSA lays down wide-ranging requirements for the design of services such as rules on labelling online advertising, a prohibition of manipulative design elements (dark patterns) and measures to protect minors. For trading platforms, additional monitoring obligations apply in order to curb online trade in illegal goods and services.
Particularly strict requirements apply to very large online platforms and search engines with at least 45 million monthly active users in the EU. These very large services must examine the systemic risks of their services, for example with regard to the spread of harmful content and impact on elections, human rights or the mental health of users, and take measures to mitigate identified risks. The risk assessment must be reviewed annually in an independent audit. Therefore, very large services will need a comprehensive ongoing risk and compliance management.
Enforcement and sanctions
The DSA will not be a paper tiger. The European legislator has given very strong importance to effective and uniform enforcement of the DSA. Some of the numerous provisions on enforcement read like a direct answer to enforcement deficits of the GDPR. Two of the most significant innovation are that the supervision of very large services is mostly centralized at the European Commission while authorities of the Member State are given extensive rights and obligations to cooperate with each other. The authorities are given a range of effective enforcement powers – including the blocking of services. Companies in breach of the DSA obligations also face fines of up to 6% of their annual global turnover.
Furthermore, the DSA clarifies that not only authorities but also private-sector individuals and entities are entitled to legal recourse. This continues the trend towards supplementary “private enforcement” of European legal acts, which significantly increases companies’ sanction and liability risks. Private individuals or entities can also be represented by specialized associations and organizations even before legal action is taken.
It will be a few years before we will know for sure how authorities and courts apply the provisions of the DSA in practice. However, it is already certain that digital intermediary services will be required to increase compliance efforts. This is especially true for very large services. Additionally, the very large services are not only required to fulfil far-reaching due diligence obligations, but also to do so as soon as four months after the European Commission designates them as a very large services by Commission decision – even if this date is before 17 February 2024. Companies should determine now how they will have to change their internal structures, terms and conditions as well as the way their services are offered and initiate the corresponding processes.
Companies should also keep an eye on the other laws and legislative proposals by which the EU attempts to regulate the digital world and which are part of the Commission’s digital strategy. These include the Data Governance Act and legislative proposals such as the Data Act and the AI Act. In close relation to the DSA is its “sister regulation”, the Digital Markets Act (DMA), which establishes specific competition rules for important platforms that act as gatekeepers in order to limit the market power of the large digital companies.
Detailed information on the DSA can be found in the book “Das neue Recht der digitalen Dienste” (The New Law of Digital Services), published by Torsten Kraul and edited by Marvin Bartels and Niklas Maamar, among others.