DSA decoded #2: The art of scoping – which intermediary are you?

In this week’s edition of our ‘DSA decoded’ blog series, we take a look at the scope of the DSA and what services it applies to – the first question that providers need to ask to ensure compliance with the DSA. By mastering ‘the art of scoping’, businesses can explore strategic approaches to framing which intermediary-category a service falls into and which of the DSAs tiered obligations apply as a consequence. 

While the most stringent set of rules applies to the largest online platforms and search engines, any business providing digital services may potentially be required to take steps to ensure compliance with the DSA. Scoping is also critical to determine whether your business can benefit from the ‘safe harbour’ defence to intermediary liability, a concept that the DSA carries over from the 20-year-old e-Commerce Directive.

Services in scope of the DSA 

The DSA applies to intermediary services offered to recipients located in the EU. Intermediaries deal with third party generated content rather than their own (eg on social media platforms), or allow users to conclude contracts with third parties rather than with themselves (eg on marketplaces). This covers services that are provided by electronic means at the individual request of a recipient (as opposed to classic broadcasting), normally for remuneration, and that store or transmit information provided by recipients of the service (so-called ‘hosting’, ‘caching’ or ‘mere conduit’ services).  This may extend to user information shared in chat rooms or forums, comment sections, online marketplaces and file storage services. 

Under its tiered approach, the DSA sets up different categories of intermediary services: 

• Hosting services consist of storing information provided by and at the request of a recipient of the service. This includes cloud computing, web hosting, paid referencing services as well as any services enabling sharing information and content online, like file storage and sharing (Recital 29). 
• Online platforms are an important sub-set of hosting services that not only store, but also disseminate information to the public at the request of a recipient, thus to a potentially unlimited number of people. This includes social networks for example (Recital 13). Online platforms are subject to additional obligations, with the most stringent set of rules implemented for very large online platforms (VLOPs). 
• Online marketplaces are subject to specific obligations under the DSA as online platforms allowing consumers to conclude distance contracts with traders. 
• VLOPs are online platforms that are designated as such by the Commission based on an average number of monthly active users of 45 million in the EU, along with so-called very large online search engines (VLOSE). 
• Mere conduit services transmit information provided by a recipient in a communication network or provide access to a communications network, such as VPNs, DNS services top level domain name registries and voice over IP (Recital 29). Those services are characterized by the fact that they do not involve storing of information although the DSA also includes edge-cases like buffering in this category which include intermediate automatic and transient storage only for the purpose of carrying out the transmission.
• Caching services temporarily store information provided by a recipient to make transmission of this information to other recipients more efficient. This includes web and database caching, content delivery networks and  content adaptation proxies (Recital 29). 

The territorial scope of the DSA may extend beyond the EU 

In terms of its territorial scope, the DSA applies to providers of intermediary services regardless of their place of establishment as long as its services are offered to recipients that are located or established in the European Union. Providers from outside the EU fall within the scope of the DSA only if there is a substantial connection to the EU, for example because of a significant number of recipients in the EU, or because the provider targets its activities to EU member states. This may include where the services uses EU languages, offers the Euro as currency, advertises in EU countries or uses a top-level domain relating to an EU country (Art. 3(d), (e), Recital 8). 

Delineating a service and why it matters 

• In short, all intermediary services are subject to a set of baseline obligations that include the designation of single points of contacts for authorities and users, designation of a legal representative, transparent terms and conditions as well as annual transparency reporting. All intermediary services must also meet certain standards in their content moderation (Art. 14(4) DSA).
• Host providers must take additional steps, including setting up notice and takedown mechanism and giving reasons for content moderation actions.
• Online platforms are further required to adopt measures to combat the dissemination of illegal content online and protect minors, increase the transparency of their platforms for users and avoid dark patterns, and establish internal complaint handling and dispute settlement mechanisms, among others. 
• B2C online marketplaces are subject to further specific obligations, requiring them in particular to obtain some basic information from traders to ensure their traceability. 
• The most stringent set of rules apply to VLOPs and VLOSE. Providers are required to identify and mitigate systemic risks stemming from their services including risks related to illegal content, fundamental rights and public security, provide further transparency reporting, conduct independent audits, and introduce an independent compliance function. They also have to pay a supervisory fee to the Commission. To this date, the Commission has designated 20 providers of VLOP/VLOSE.

Strategic approaches to scoping

It is important for businesses to delineate digital services accurately. Notably, different services offered by the same provider may fall into different categories and be subject to divergent rules depending on technical functionalities and a service that a business thinks about conceptually as a single service might technically comprise multiple services (Recital 29).

In addition to considering the definition of each intermediary service outlined above, businesses should take account of the following additional considerations:

1. As a starting point, providers should determine what information they store and distribute to the public and to what extent this includes information that is provided by recipients of the service (including not only consumers, but also business users). In our experience, many businesses may be offering intermediary services without realising it. 
    
2. Where a provider offers multiple services or a service that constitutes multiple kinds of services under the DSA, different obligations may attach to each of those services. For example, a business that runs an online marketplace may have different duties associated with its marketplace (likely an online platform) and an account feature that enables sellers to upload and analyse sales data (likely a hosting service but not an online platform). Online marketplaces are also an example of a service type to which specific additional obligations attach, which we will discuss in a future blog. 
    
3. In thinking about whether your service might be a hosting service, bear in mind that the concept of hosting is often interpreted broadly by European regulators and courts, and may include services that merely store data connected to a user account or a user’s search history. Besides, it is important to note that a service will not benefit from the safe harbour shields from liability if a provider takes an active role with respect to third-party content, e.g. by way of organising and promoting such content. A similar rule is set out explicitly for online marketplaces in the DSA when a marketplace presents items in a way which suggests that they are provided by the platform or under its authority or control. Some providers are seeking to argue insofar that the DSA does not apply altogether absent a systemic risk if third-party content is curated and checked before being uploaded. 
    
4. Intermediary services must also be distinguished from tangible services like transport, accommodation or delivery services (which are not an intermediary service) even if those services are provided through the use of an intermediary service. The DSA does not apply to such services and does not affect the substantial requirements relating to those even if they are offered using intermediary services – including in situations where the intermediary service constitutes an integral part of such a tangible service (Recital 6). In practice, drawing this line is particularly complex. 
    
5. Similarly, certain obligations do not apply to small and medium-sized enterprises (under EU recommendation 2003/361) depending on staff headcount, turnover or balance sheet total.

Becoming a VLOP and calculating user numbers 

For large platforms, it is crucial to determine whether user numbers in the EU exceed 45 million. The DSA contains little guidance on how to count users in detail and it is critical for providers to arrive at an accurate figure that is defensible to the Commission. The relevant users are not limited to registered users but include all users that have engaged with a platform (Recital 77). As reported in an earlier blog post, the Commission has indicated in a Q&A doc that this figure may be determined based on an average over a period of the past six months and that this information must be easily available and accessible on their online interfaces as well as identifiable in an automated way.