Enacted in 2022 and already partially in effect, the European Union’s (EU) Digital Services Act (“DSA”) will come fully into force on February 17, expanding the obligations of a broad range of online service providers doing business in the EU. Companies offering online services in the EU—including those providing SaaS and hosting services that do not present user content to the public—should promptly determine whether, and to what extent, the DSA applies to them and take the steps necessary to ensure their compliance.
What is the DSA?
The DSA updates and expands portions of the eCommerce Directive that address liability for third-party content. It is intended to promote online safety through a more uniform set of rules that accounts for recent developments, services, and participants in the digital marketplace. As discussed below, businesses subject to the DSA generally are required to:
- Provide greater transparency about their services;
- Adopt procedures for handling takedown notices, informing users in certain circumstances and addressing complaints;
- Refrain from certain practices, such as using “dark patterns”; and
- Improve control for users of their service.
Who Is Subject to the DSA?
The DSA applies to entities that offer digital services to users—including individuals, businesses, and other organizations—in the EU, regardless of where they are located. DSA obligations are layered according to the size of the company and the nature of services offered. The most regulated companies under the DSA are those that present user-provided information to the public, such as social media networks. But other companies also have obligations under the DSA, which applies to several kinds of online services that are subcategories of each other:
- Conduits and caching services provide network infrastructure and include domain name registrars, internet service providers, and content delivery networks.
- Hosting services “stor[e] information provided by, and at the request of, a recipient of the service.” The prototypical examples are cloud hosting and file storage services, but the definition is broad and could encompass any number of SaaS services (both consumer and enterprise). This puts enterprise SaaS companies in a difficult position—unlike the General Data Protection Regulation (“GDPR”), the DSA includes no concept of controller or processor, so a company may have DSA obligations related to customer data that it does not control (and in some cases, where the customer is not subject to the Act).
- Online platforms include “a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public,” unless that activity is ancillary to the main service. “Public dissemination” means providing information to a potentially unlimited number of people – X and Amazon are good examples, but again, some SaaS services could qualify.
- Very large online platforms (VLOPs) and very large online search engines (VLOSEs) are online platforms having 45 million or more active monthly EU users, or which reach at least 10% of the EU’s population. VLOPs and VLOSEs are generally limited to very large companies like Google, Meta, X, etc.
DSA Obligations
The obligations for different types of entities are cumulative; for example, an online platform needs to comply with obligations for conduits and caching services, hosting services, and online platforms.
All types of services must:
- Have a designated point of contact for communications with government authorities and users.
- If not based in the EU, have a legal representative.
- Have terms of service that explain the restrictions on use of the service, algorithmic decision-making and human review, and the rules for use of the service’s internal complaint handling system.
- Provide a transparency report regarding content moderation (the contents of which depend on the type of service).
Hosting services must also:
- Have a notification mechanism for users to notify the platform of content that the user considers illegal.
- Provide a clear statement of reasons to users subject to certain actions of the platform, e.g., restrictions on visibility of content that the user provided, or suspension/termination of payments, provision of services, or the user’s account. The DSA requires the statement to include certain facts/content.
- Notify appropriate authorities of suspected criminal activity on the platform.
Online platforms must also:
- Provide a complaint mechanism related to removal, restriction, or suspension of content; suspending/disabling parts of the service, the user’s account, or the ability to monetize information, with the option to settle disputes out of court.
- Engage in out-of-court dispute settlement with approved providers if the user chooses.
- Ensure that they treat “trusted flagger” notifications about illegal activity with higher priority.
- Suspend users that meet certain criteria, like “frequently provid[ing] manifestly illegal content.”
- Make transparency reports related to complaints and suspensions.
- Not use dark patterns.
- Provide transparency regarding the ads shown on the platform and not use profiling for sensitive categories of data or children.
- Comply with transparency requirements about recommendation systems.
- Have appropriate protections for minors.
Where an online platform allows for purchases from third parties, it must also:
- Implement “know your customer” measures for third-party sellers.
- Design the platform in such a way that sellers can comply with their legal obligations (e.g., disclosure and product safety requirements).
- Inform purchasers if the platform becomes aware that a product sold by a third-party seller is illegal.
VLOPs and VLOSEs have numerous additional obligations, but an entity must be designated as such by the European Commission based on user numbers the online platform provides.
DSA Enforcement
Violations of the DSA are punishable by penalties of up to 6% of annual turnover. For all entities other than VLOPs or VLOSEs, enforcement will be handled by the member state where the entity has an establishment or where the entity has appointed a legal representative, and member states are required to pass legislation to implement the enforcement provisions of the DSA.