No 2 of our blog post series on the Digital Services Act: General obligations for all intermediary services
This blog post takes a closer look at the baseline obligations that all intermediary services covered by the DSA have to follow (for further information on the stringent set of rules for VLOP and VLOSE see our blog post on VLOP designation and their obligations).
After a brief overview, we will first scrutinize the term “intermediary services” which is relevant for determining the DSA’s scope of application before delving deeper into the specific obligations imposed on the providers of these services.
I. At a glance
The Digital Services Act (DSA) covers a wide range of intermediary service providers and its obligations matter to far more companies than those on the list of VLOP and VLOSE.
Following a “tiered approach” – or, as the European Commission calls it: asymmetric due diligence obligations –, different sets of obligations apply to intermediary service providers depending on the functioning and size of their services offered in the Union. Some baseline obligations will have to be followed by all intermediaries covered by the DSA, such as establishing a point of contact, appointing a legal representative, adjusting their terms and services and publishing transparency reports.
To prepare for compliance with the DSA, providers will need to assess whether and which of their services fall within one of the definitions set out in the DSA and if so, whether their internal compliance system matches the applicable baseline obligations. Implementing acts to be issued by the Commission providing templates on the form, content and other details of transparency reports will assist providers in meeting their reporting requirements and will play a key role.
II. Intermediary services covered by the DSA
The DSA applies to providers of “intermediary services” which are to be understood as a subset of “information society services” as defined in Article 1(1), point (b) of Directive (EU) 2015/1535. Information society services are services that are normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. The latter requirement excludes services provided without individual demand for the simultaneous reception by an unlimited number of individual receivers, such as television or radio broadcasting services (Annex I of Directive (EU) 2015/1535).
This definition prima facie covers a wide range of online services. The DSA takes up the categorization already included in the e-Commerce-Directive and covers three specific types of intermediary services:
- mere conduit services, which transmit information provided by a recipient (eg wireless access points, domain name system (DNS) services and resolvers, virtual private networks (VPN), top-level domain name registries, certificate authorities that issue digital certificates and voice over IP and other interpersonal communication services),
- caching services, which temporarily store information for more efficient transmission (eg the sole provision of content delivery networks or reverse proxies or content adaptation proxies), and
- hosting services, which store information provided by a service recipient (eg cloud computing, web hosting, paid referencing services or file storage and sharing). A sub-set of hosting services are online marketplaces and online platforms, to which – in addition to the baseline obligations – further obligations apply under the DSA.
In addition, the DSA also covers online search engines. In contrast to the other services, the final text of the DSA does not explicitly define the category of online search engines which leaves its exact scope and the applicable obligations unclear.
In terms of territorial scope, the DSA applies to providers of intermediary services regardless of their place of establishment as long as their services are offered to recipients that have their place of establishment or are located in the Union (Art. 2(1) DSA). Whether services are indeed offered in the Union is evidenced by a substantial connection to the Union (Recital 7).
While the mere technical accessibility of an online service in the Union should not be sufficient to create a substantial connection to the Union, Recital 8 provides some insight into when this might be the case in the view of the European legislator: A substantial connection should be considered where the service provider (i) has an establishment in the Union, (ii) has a significant number of recipients in one or more Member States in relation to its or their population or (iii) targets its activities towards one or more Member States. Activities might be considered as targeted towards one or more Member States, in line with existing national rules, if the online service uses a Member State’s language or a currency, offers the possibility to order products or services in that Member State, or uses a national top-level domain. The assessment will eventually rely on a case-by-case analysis.
III. Obligations for intermediary services covered by the DSA
The DSA introduces four key obligations for providers of intermediary services that primarily aim at improving transparency and streamlining communication between service providers and the relevant authorities.
1) Establishment of a point of contact (Article 11, 12 DSA)
Providers of intermediary services must designate a single point of contact to enable recipients of the service to communicate with them directly and rapidly in a user-friendly manner. The DSA further requires providers of intermediary services to publish the contact details and other necessary information of their single point of contact on their website and to keep them up to date.
In contrast to the legal representative (see below), the electronic point of contact serves operational purposes and is not required to have a physical presence.
2) Appointment of legal representatives (Article 13 DSA)
Providers of intermediary services without a presence in the EU must appoint a legal representative in one of the Member States where they offer their services. The legal representative may be held liable for non-compliance but this does not affect the service provider’s own liability. Providers of intermediary services must further inform the national Digital Services Coordinators – the competent authority for all matters relating to application and enforcement of the DSA in that Member State – of their legal representative’s name, address, email, and phone number and keep the information up to date.
The legal representative may be a subsidiary undertaking of the same group as the provider or its parent undertaking, if they are established in the Union. But service providers can also choose external entities as their representative, who might serve in this function for more than one provider and can also function as the single point of contact for that provider.
3) More transparent terms and conditions (Article 14 DSA)
To increase transparency for users, providers of intermediary services must inform users about any restrictions they may impose on the use of their service in their terms and conditions. This information must be in a clear and easily accessible language and should include details about content moderation policies, complaint handling procedures, and changes to the terms and conditions. Additionally, when providers of intermediary services are imposing restrictions on their service, they must do so in a diligent, objective, and proportionate manner and take into account the fundamental rights of users, such as freedom of expression and information.
If the service is directed at minors, the service provider must be particular cautious and also explain any restrictions in a comprehensive way for a young audience. Interestingly, the DSA encourages providers to be creative when drafting their terms of service, such as using icons or images to illustrate the main elements of the information (Recital 45).
4) Reporting obligations (Article 15 DSA)
In order to ensure transparency and accountability, providers of intermediary services must publish annual reports on their content moderation activities in a clear and easily comprehensible manner. These reports should be publicly available in a machine-readable format and must include information such as the number of orders or notices received from authorities, actions taken, and complaints received.
Furthermore, the transparency reporting also has to include information on the use of automated means in a provider’s content moderation systems.
The obligation to publish transparency reports is increased for certain providers according to the layered approach of the DSA, for example for providers of online platforms which also need to provide information on out-of-court settlement bodies. To ensure a coherent approach among providers of intermediary services, the Commission may issue implementing acts to define the form, content, and other details of these reports.