Search for:
Corporate Compliance

European Union: The Digital Services Act – What is changing in the world of tech?

By 6 Mins Read

In brief

The Digital Services Act (DSA) imposes wide-ranging and transformative obligations on online intermediaries and platforms.

As has been well-publicized over the last few months, the most onerous obligations and tighter deadlines for compliance fall on services designated by the Commission as very large online platforms (VLOPs) or very large online search engines (VLOSEs).

However, all online platforms and online search engines were required to publish information on their user figures earlier this year, and all online intermediaries in scope should be preparing for full compliance in February 2024.

The European Commission’s Digital Services package also includes the Digital Markets Act (DMA), which is targeted at a more limited number of “gatekeepers” and imposes additional obligations on these “core platform services,” which have until early 2024 to comply. Please contact us for more information on the DMA.

Key takeaways

The steps in-scope organizations should be thinking about now are:

  • Determine your role: Even if you are not considered a VLOP or VLOSE if you are providing intermediary services, hosting services, or operating an online platform, you will fall within the scope of the DSA. Different categories of service providers will have different obligations under the DSA, so it is crucial to identify which type of service provider you are.
  • Prepare for implementation: The DSA will apply to all service providers on 17 February 2024. Once you have determined which obligations apply to you as a service provider, you must start taking steps to ensure you are DSA-compliant by the applicable deadline.
  • Future planning and future proofing: It’s never too soon to start thinking about how your current obligations may change going forwards. Consider now how your plans for future products/services may tip you into a different category of service provider (with its own new obligations) or whether the growth of your business will trigger a future designation as a VLOP/VLOSE.
  • Understand the practical burden of compliance: for example,
    • For online platforms, including prominent ad disclosures identifying the advertiser and main parameters of the ad targeting and updating T&Cs with the main parameters used in recommender systems.
    • Additionally, for marketplaces, complying with obligations relating to trader traceability (to obtain, verify, and publish information on all traders offering goods/services on the platform).

These new requirements will have a significant impact on online platforms and marketplaces, involving new processes and disclosures (both proactive and reactive).

In more detail

Timeline

What’s happened already?

  • 17 February 2023 – all online platforms and online search engines were required to publish information on the “average monthly active recipients of the service” (MARs) in the EU (and continue to publish these figures every six months thereafter).
  • Online platforms and search engines with 45 million or more average MARs in the EU will be designated as VLOPs/VLOSEs. The European Commission designated the first set of 17 VLOPs and two VLOSEs in April 2023.
  • The DSA applied to designated VLOPs/VLOSEs from August 2023.

What’s next?

  • 17 February 2024 – the DSA will apply to all other in-scope service providers.
  • Further designations of VLOPs/VLOSEs based on MAR calculations will likely follow in the coming months.

Who will enforce the DSA?

  • The Commission is responsible for the supervision and enforcement of the DSA against VLOPs and VLOSEs.
  • Enforcement against other service providers will be via Digital Services Coordinators designated by each Member State.
  • Intermediaries based outside the EU will be in scope if they have significant numbers of EU recipients, target their activities towards the EU, or if other facts result in a “substantial connection” with the EU.

Who is in scope?

The DSA applies to “intermediary services” including:

  • Services offering network infrastructure, such as internet access providers or domain name registrars.
  • Hosting services, such as cloud and web hosting services.
  • Online platforms, such as online marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms.
  • Online search engines.

One point worth flagging is that “online platform” is defined broadly; if a service hosts content provided by users and disseminates it as its main purpose, it will be caught.

Key issues

  • Product/service categorization.
    • The first step is for service providers to determine whether they provide “intermediary services” and, if so, what category their services fall into. Categorization is often difficult, particularly for services that have a range of functionalities / intermediary functionalities and content sources, but it is important: for Online Platforms, it will impact how to calculate MARs and, therefore, the likelihood of designation as a VLOP/VLOSE, and determine which substantive obligations under the DSA apply. Service providers also in the scope of the DMA will need to consider how their services are categorized under both the DSA and DMA in parallel. We expect the Commission to take a close interest in service categorization and to apply the definitions strictly.
  • Reporting monthly active recipients.
    • All online platforms and online search engines were required to publish information on MARs of their service in February 2023 and every six months thereafter. The Commission has published guidance on this requirement; as the DSA beds in, we expect to see enforcement action for failure to publish and further development of the Commission’s methodology for determining MARs.
  • Actions required for compliance – these may include:
    • Making proactive changes to products or building new functionality.
    • Building new internal processes, for example, to assess DSA compliance, respond to takedown requests, or manage account suspensions.
    • Preparing for proactive and reactive disclosures to the relevant regulatory authority, law enforcement, users, and the public.
    • Building a compliance function and putting in place dedicated personnel.
    • Embedding new design principles driven by DSA compliance.
  • Horizon scanning.
    • Platforms and search engines close to hitting 45m MARs in the EU will need to future-proof their products and compliance efforts against the likelihood of future designation as a VLOP or VLOSE, with the more onerous obligations that entails. Service providers will need to assess not just their existing user base, product categorisation, and functionality but where they plan to be in the future.
    • All service providers will need to consider how future product design and development will affect service categorisation under the DSA and understand what additional compliance obligations may kick in as products evolve and new products are launched.
    • All service providers will also need to consider how the enforcement landscape will likely evolve. Who is likely to be designated as the local regulator? How active is that local regulator likely to be, and what are its own priorities? How quick have local regulators been to enforce other emerging laws, for example, in the data privacy or consumer space? Will regulators become more sophisticated as more information is made available to them, and how will that shape the regulators’ view of your products?
Categories:
Author

John is a media and technology lawyer in Baker McKenzie's IP and Technology team. He is ranked as a ā€œrising starā€ for TMT, and recognised as a key lawyer for Media and Entertainment in the UK by Legal 500. In 2020 John was elected to TechUKā€™s Data Analytics and AI Leadership Committee.
His practice encompasses a broad range of both contentious and non-contentious aspects of IP, Technology and Commercial law, with a particular focus on copyright, digital media, and new technologies. John writes regularly on these topics and his chapter (with Ben Allgrove), ā€œEnforcement in a digital context: intermediary liability,ā€ was published in Tanya Aplin (Ed.) Research Handbook on Intellectual Property and Digital Technologies in January 2020. John qualified in 2013 and is based in the London office, having spent 2018 in the San Francisco office. John is heavily involved in the Firmā€™s tech-focused pro bono work, as well as its social mobility initiatives.

Author

Natasha Denton is an Associate in Baker McKenzie, London office.

Author

Kathy Harford is a Lead Knowledge Lawyer in Baker McKenzie, London office.

Related Posts