On 17 February 2024, the Digital Services Act (the “DSA”) comes into full force, requiring all intermediary service providers to consider what action they need to take in order to comply with its terms.
In our previous Article, we set out details of those to whom the DSA applies. In this article we set out what core obligations apply to those within its scope.
What is the DSA?
The DSA forms part of the EU’s Digital Service Package which aims to apply harmonised rules in the EU to regulate the digital space. The DSA aims to protect the fundamental rights of users of digital services and establish a level playing field for businesses. Its main goal is to prevent illegal and harmful activities online and to tackle the spread of disinformation. It will do so by giving users of digital services more control over the content they engage with online and by imposing new obligations on those entities that come within the DSA’s scope.
What Obligations does the DSA Impose?
The DSA builds on the E-Commerce Directive, prescribing a range of new obligations for providers of services which transmit or store data on behalf of users (Intermediary Service Providers). These obligations increase if the Intermediary Service Provider also constitutes a hosting service, an online platform, an online marketplace or finally a very large online platform or search engine (VLOPs and VLOSEs respectively). The obligations set out in the DSA are tiered and cumulative so that VLOPs and VLOSEs have the most onerous obligations and must comply with all rules prescribed for the lower categories of Intermediary Service Provider.
Tier 1: Intermediary Service Providers
Intermediary Service Providers must comply with several new obligations aimed at protecting users’ fundamental rights and making their services more user-friendly and transparent. These include:
- Establishing a single point of contact for service recipients and regulators to communicate with the service provider;
- Updating terms and conditions to clarify any restrictions for users of the service in respect of illegal information provided by the service recipient;
- Appointing a legal representative in the EU if the service provider is not established there.
Tier 2: Hosting Services
Providers of Hosting Services have additional obligations to prevent hosting illegal content. These include:
- Implementing a ‘notice and action mechanism’ whereby users can flag illegal content for the service provider to remove;
- Providing a ‘statement of reasons’ to any user whose information is restricted by the service provider due to illegality;
- Notifying authorities where the service provider becomes aware of a crime affecting human safety.
Tier 3: Online Platforms
In addition to the above obligations, Intermediary Service Providers that also constitute Online Platforms must comply with further obligations to facilitate users in notifying them about illegal content on their platforms, promote transparency and freedom of choice for users, and safeguard users who are minors. These include:
- Introducing a ‘Complaint Handling System’ and ‘Out-of-Court Dispute Settlement’ option in respect of any decision taken by the Online Platform in relation to information provided by a user;
- Prioritising notifications of illegal content by ‘trusted flaggers’ and suspending service recipients who misuse the platform by providing illegal content or submitting manifestly unfounded complaints;
- Ensuring the platform’s online interface does not deceive service recipients;
- Ensuring transparency with regard to any advertising on the platform or any recommender systems used by the platform;
- Putting in place measures to ensure a high level of privacy, safety and security of service recipients who are minors.
Tier 4: Online Platforms that Allow Consumers to Conclude Distance Contracts with Traders (Online Marketplaces)
Additional rules apply to Online Platforms that act as Online Marketplaces to provide further protection to users who are facilitated to enter into contracts with third parties by the service provider’s platform. These include:
- Obtaining and displaying to consumers details of the traders who use their services to market their goods/services;
- Designing their online interfaces in a way that enables traders to comply with their obligations regarding pre-contractual information, compliance and product safety information under EU law;
- Informing consumers who have been offered an illegal product/service of the illegality and possible means of redress.
Tier 5: VLOPs and VLOSEs
VLOPs and VLOSEs, which are designated by the European Commission for having either an average of 45 million or more monthly active service recipients in the EU or 10% of the EU population, have the most obligations with which to comply under the DSA due to their size and influence. The additional obligations on VLOPs and VLOSEs include:
- Assessing, mitigating and responding to risks emerging from the use of their services;
- Ensuring compliance with the DSA by implementing independent audits, providing requested data to regulators and establishing a compliance officer;
- Paying a supervisory fee to the European Commission to cover their supervision costs.
Finally, Intermediary Service Providers at all levels must comply with varying degrees of transparency reporting obligations, which increase in onerousness in accordance with their classification under the DSA.
Enforcement and Sanctions for Non-Compliance
Failure to comply with the obligations under the DSA can attract hefty fines, tantamount to non-compliance with the GDPR (up to 6% of the Intermediary Service Provider’s annual turnover for the preceding year). The power to impose these fines will primarily rest with Coimisiún na Meán (CNM), Ireland’s Digital Services Coordinator. CNM has several other investigative and enforcement powers, including the power to request information, carry out on-site inspections, order cessation of infringements of the DSA, and impose fines of 1% of global turnover for non-cooperation with investigations or 5% of global turnover in periodic penalties. CNM is also responsible for the enforcement of several other laws, including the Online Safety and Media Regulation and the Terrorist Content Online Regulation.
How to Prepare
Businesses must firstly assess whether (and how) the DSA applies to them. Our questionnaire is designed to help businesses identify whether they fall into one of the categories of service provider caught by this legislation, and which tier of rules applies. Our questionnaire can be found here.
For more information on how to get DSA-ready, please contact Leo Moore, David Cullen or your usual William Fry contact, or email [email protected].