Today, the Digital Services Act (the “DSA”) has been formally signed into law by the presidents of the European Parliament and Council (see here). While the law has been long in the making, the deadline to comply with the DSA’s various obligations is now approaching rapidly: most affected businesses will have approximately another year to implement it, while very large platforms with at least 45m monthly active users will have to comply with the DSA as early as summer 2023.
A quick recap
The DSA will be directly applicable in the EU. It introduces a new horizontal and technology-neutral framework that is based on the principle ‘what is illegal offline, must also be illegal online’ and aims to protect digital spaces against the spread of illegal content and to ensure the protection of users’ fundamental rights. It addresses all digital services providers that act as intermediaries, but defines a set of layered responsibilities, with stricter regulation applying to more complex and larger businesses – with the most stringent obligations for providers of very large online platforms (VLOP) and very large online search engines (VLOSE) with at least 45 million monthly active recipients within the EU.
The new rules also include a comprehensive enforcement regime, featuring an interplay between the European Commission and national authorities – and fines of up to 6% of a company’s global annual turnover.
The DSA will send service providers on a challenging journey – the new set of rules will need to be adapted and interpreted for each individual business model, and will require compliance processes to be adjusted, resources to be allocated to handling complaint systems and disputes, changes to the design of the interface, T&Cs and other contractual documents, and, last but not least, a sound strategy for how to deal with data access requests as well as transparency and compliance queries by national authorities and the European Commission.
For everyone concerned with DSA compliance of their business, here are three key areas to focus on:
Strategic challenge n°1 – Know your services in scope
In view of the DSA's broad scope, it is important to identify and define the services offered on your platform to ringfence the breadth of your future compliance efforts. Delineation of the various services (even on the same “platform”) is crucial and tricky – especially if one or multiple relevant services might be considered a VLOP/VLOSE, with others falling out of scope. In such cases, providers will need to identify the right methodology to calculate their monthly active recipients (MAR) for each service, which need to be disclosed to the Commission and publicly. Once the service in scope is clearly defined, it is also important to understand how the DSA applies to such service in practice (for example, it might often make a difference whether the service is a marketplace, a cloud service or a social-media offering).
Strategic challenge n°2 – Rethink your internal compliance and organizational design
The different compliance obligations that come with the DSA will touch on different units in any organisation. It will be key to bring them together in a practicable way. This entails the design of internal responsibilities and processes on how to deal with requests for information, advertising restrictions, KYC obligations, take-down requests and content moderation more generally, drafting transparency reports, requests for alternative dispute resolution – and for VLOP/VLOSE, dealing with the mandatory risk assessment, mitigation and crisis response obligations, data requests, and a new supervision and enforcement regime led by the European Commission.
Strategic challenge n°3 – Plan operationally relevant changes to your T&Cs, interface design and onboarding process of business users
The DSA may require significant tweaks impacting the operationally relevant side of the business – for example:
- adjustments to the consumer facing T&Cs (due to various minimum information requirements set out in the DSA),
- design changes to the online interface (to accommodate transparency requirements), and
- changes to contracts with business users and their onboarding process (e.g. requiring more checks).
Implementing such changes needs time and careful alignment with other potentially relevant laws and regulations (including the Digital Markets Act and EU consumer protection legislation) as well as with (global) internal policies.
Some of the above obligations allow for significant interpretative margin – both for the European Commission and providers. Preparations for DSA compliance will need to be well underway in any case before the European Commission issues more granular guidance, as enabled by the DSA. Delegated acts to specify the methodology of MAR calculations and the conditions for sharing and use of data as well as implementing acts on a number of provisions (e.g. the format for reporting and the procedure for the European Commission to exercise its interventional powers) are expected to provide more clarity on the interpretation and practical application of the DSA. It will be interesting to see to what extent the European Commission will take up this opportunity and issue practical guidance for businesses.
In the long run, providers will also need to brace themselves for legal action as a result of the DSA, be it intervention by the European Commission, administrative proceedings by national regulatory authorities or private enforcement by competitors or users, also in the form of collective redress under the new Collective Redress Directive.
For more information about the DSA have a look at our blogpost series or reach out to the team:
- EU agrees on Digital Services Act, Julia Utzerath, Eugene McQuaid (freshfields.com)
- The DSA – it is coming soon!, Theresa Ehlen, Christina Moellnitz, Eugene McQuaid (freshfields.com)
- The DSA - Implications for contracts, Christina Moellnitz, Theresa Ehlen (freshfields.com)
- The Digital Services Act and its Impact on the IP and Trade Secrets Landscape, Lutz Riede, Tobias Timmann, Philipp Sebulke (freshfields.com)