The European Commission has published a package of measures relating to regulation of internet intermediaries – the Digital Services Act (DSA) – aimed at ensuring a 'safe and accountable online environment' through improved mechanisms for the removal of illegal content, and also effective protection for users' fundamental rights online, such as freedom of expression. The proposed DSA was published at the same time as the Commission's draft Digital Markets Act (DMA) which is intended to impose specific obligations on online 'gatekeepers' to avoid certain unfair practices. These include prohibition against discrimination in favour of their own services, interoperability obligations, and data sharing obligations.
Taking the form of an EU Regulation, the DSA will apply directly across the EU once it is in effect. However, it will not, of course, apply in the UK (though its extra-territoriality provisions do mean that UK-based providers may be in its scope, as explained below). It will be particularly interesting to track developments relating to the DSA alongside the UK's own recently proposed Online Harms Bill (discussed here). For example, the DSA does not – unlike the proposed Online Harms Bill – cover 'harmful', as opposed to 'illegal', content (illegal content is defined in the DSA as any information which, in itself or by its reference to an activity including the sale of products or provision of services, breaches EU law or the law of a Member State). Harmful content is instead noted by the Commission as 'a delicate area with severe implications for the protection of freedom of expression'.
The DSA updates and incorporates aspects of the EU E-Commerce Directive relating to exemption from liability for online intermediaries. Whilst described by the Commission as a 'cornerstone' of Internet regulation, the E-Commerce Directive is now 20 years old, and much has changed since it was first adopted. As a Directive, it has also been implemented with some significant divergence across the EU, unlike the proposed DSA, which is in the form of a directly applicable Regulation. In relation to the post-Brexit scenario, the UK implemented the provisions of the E-Commerce Directive into its laws and has said that it has 'no current plans to change the UK's intermediary liability regime or its approach to prohibition on general monitoring requirements'.
Scope of the DSA
Type of online intermediary services
The DSA governs a broad range of online intermediary services with the levels of obligation varying depending upon the role, size and impact of those services in the online ecosystem. Services in its scope include intermediary services offering network infrastructure (internet access providers, domain name registrars), hosting services (such as cloud and webhosting services) and online platforms that bring sellers and consumers together (such as online marketplaces, app stores, collaborative economy platforms and social media platforms).
A particular category in the DSA is 'very large online platforms' – those platforms that reach on average 45 million or more active EU recipients (i.e., more than 10% of 450 million European consumers) – which are recognised as posing particular risks in the dissemination of illegal content and societal harms. At the other end of the scale, micro and small entities are not required to comply with certain of the obligations imposed on online platforms.
The DSA will govern online intermediaries providing services to recipients (businesses or individuals) in the EU, regardless of the place of establishment of the service provider. Accordingly, the DSA will apply to non-EU online intermediaries, such as those in the UK. By way of comparison, the General Data Protection Regulation (GDPR) also contains extra-territoriality provisions, albeit with an element of targeting to individuals in the EU. Under the DSA, the assessment will be whether there is a 'substantial connection to the EU', which will depend on a significant number of users in one or more Member States, or the targeting of activities towards one or more Member States.
Providers established outside the EU offering services into the EU will need to appoint a legal representative in one of the EU Member States where they offer services in order to ensure effective oversight and, where necessary, enforcement.
Member States will lay down the rules relating to penalties for breach of the DSA by providers under their jurisdiction, with penalties of up to 6% of the annual income or turnover of the provider. Member States will also appoint a Digital Services Coordinator to apply and enforce the DSA.
The new obligations imposed on the various online intermediaries in scope of the DSA include:
All intermediary services
- All providers of intermediary services must establish a single point of contact allowing for direct electronic communication with relevant authorities.
- Terms and conditions should include information on any restrictions relating to use of the service.
- Transparency reporting obligations require providers to publish, at least annually, content moderation reports.
Hosting services providers must:
- Put in place notice and action mechanisms to allow individuals/entities to notify them of the presence of illegal content.
- Provide any affected recipient of its service with a statement of reasons if it removes or disables information provided by that recipient.
Online platforms, other than micro or small enterprises, must:
- Set up an internal complaint-handling system for decisions to remove/disable access to information; to suspend or terminate provision of their service; or to suspend or terminate an account. They must engage with certified out-of-court dispute settlement bodies where the complaint is unresolved.
- Introduce a 'trusted flagger' mechanism ensuring that notices submitted by such entities are treated with priority and without delay. Trusted flaggers will be approved entities with particular expertise in detecting illegal content, and which represent collective interests. This mechanism will be useful for IP right-holders who face significant amounts of pirated content and counterfeit products online, as it is recognised that organisations of industry and of right-holders may be awarded trusted flagger status.
- Suspend the provision of services to those that frequently provide manifestly illegal content, but also suspend processing of notices and complaints where manifestly unfounded complaints are frequently submitted.
- Notify any suspicions of criminal offences to law enforcement or judicial authorities.
- Publish reports on their activities relating to removing and disabling illegal content or information that is contrary to their terms and conditions.
- Comply with transparency obligations in respect of online advertising.
Online platforms that allow traders to use their platforms to offer products or services to consumers must:
- Vet the credentials of those traders (KYBC – Know Your Business Customer) by obtaining traceability information, and making reasonable efforts to assess the reliability of and publish information on those traders. They must also organise their interface in a way that enables those traders to respect EU consumer and product safety law.
For very large online platforms, there are a series of additional obligations designed to manage systemic risks:
- Risk assessment to identify significant systemic risks stemming from the functioning and use of their services relating to the dissemination of illegal content, negative effects on fundamental rights and intentional manipulation of their service. Very large platforms should take into account, in particular, how their content moderation systems, recommender systems and systems for displaying online advertising influence any of these systemic risks.
- Mitigation of risks including adapting content moderation or recommender systems, and specific targeted measures.
- Independent external audits of their risk management systems.
- Clear and accessible information about the use of recommender systems in their terms and conditions.
- Additional transparency in relation to online advertising.
- Access to data and scrutiny by Digital Services Coordinators in the relevant Member State or by the Commission.
- Appointment of compliance officers.
Exemption of liability of intermediary services
The DSA updates the E-Commerce Directive – maintaining the liability rules for providers of intermediary services and harmonising and clarifying the conditions under which providers of mere conduit, caching and hosting services are exempt from liability for the third-party information that they transmit and store. In particular, where they carry out voluntary own-initiative investigations, this will not prevent them relying upon the 'safe harbour' exemptions. Further, the DSA preserves the prohibition of general monitoring obligations and against 'active fact-finding', which would otherwise disproportionately limit users' freedom of expression and freedom to receive information. Finally, it sets out minimum common criteria for courts to make orders to act against illegal content and to provide information about users.
The DSA proposal will now make its way through the EU legislative process under the ordinary legislative procedure, where the European Parliament passes laws jointly with the EU Council.