Home / Legal Publications / Digital Services Act (DSA): A new legal framework...

Digital Services Act (DSA): A new legal framework for the platform economy

The European Commission has issued the draft proposal for the Regulation on a Single Market for Digital Services (Digital Services Act, the “DSA”), which creates a new legal framework for digital services, amends the e-Commerce Directive, and prepares the EU law for new and innovative information society digital services.

The DSA sets out uniform, harmonised rules for intermediary service providers (the “ISPs”) to foster innovation, growth and competitiveness, to better protect consumers and their fundamental rights online, to ensure a safe, predictable and trusted online environment, to offer more choices for users and less exposure to illegal content, to provide access to business users to EU-wide markets through platforms, and to facilitate the scaling up of smaller platforms, SMEs and start-ups. The new draft rules establish:

  • a framework for the conditional exemption from liability of ISPs;
  • rules on specific due diligence and other obligations tailored to different categories of ISPs;
  • law enforcement rules and a new regime for cooperation of and coordination between the competent authorities.

1. Which digital service providers are covered?

The DSA covers those ISPs, whether established in or outside the EU, that provide intermediary services such as conduit services, caching services, hosting services to recipients (users, business users, consumers, individuals and legal entities using the intermediary services) having an establishment or residence in the EU.

The definitions of conduit, caching and hosting service providers remained the same as in the e-Commerce Directive; the DSA only repeats those e-Commerce Directive definitions word-for-word.

The draft regulation contains special obligations for online platform hosting providers and very large platforms as a special category of online platforms, and defines those hosting services as follows:

  • Online platforms are providers of hosting services which store and make available information to the public at the request of a recipient of the service, e.g. online marketplaces, app stores, collaborative economy platforms and social media platforms. However, if storing or making information available to the public is a minor and ancillary feature of another service, and cannot be used without that other service for objective and technical reasons, the service does not qualify as an online platform. This is the situation with the comment section in an online newspaper or email and private messaging services.
  • Very large online platforms are online platforms which provide their services to a number of average monthly active recipients of the service in the EU equal to or higher than 45 million. The list of very large online platforms is published in the Official Journal of the EU.

2. No change in the liability of ISPs for information stored or transmitted in their services

The DSA does not change the liability regime of ISPs for illegal content. It only repeats the liability provisions of the e-Commerce Directive word-for-word and also maintains the e-commerce rule that ISPs do not have a general obligation to monitor the information they transmit or store, or to actively seek facts or circumstances indicating illegal activity.

As an addition, the draft regulation stipulates that ISPs can still refer to the exemption of liability even if they conduct voluntary self-initiated investigations or other activities aimed at detecting, identifying and removing, or disabling access to, illegal content, or take the necessary measures to comply with the requirements of EU law.

3. What are the new obligations?

The DSA stipulates new obligations on ISPs at different levels. Common obligations apply to all kind of ISPs, including online platforms and very large online platforms. Hosting providers have additional obligations, and the DSA contains special obligations for online platforms compared to other hosting services. In addition, very large online platforms have further obligations to manage systemic risks.

3.1 Common obligations applicable to all ISPs

  • Providing information to authorities based on orders: if an ISP receives an order from an authority to act against illegal content, the ISP must inform the authority without undue delay about the actions it takes and the time of those actions. Furthermore, if the ISP receives an order to provide information about a specific individual recipient of a service, the ISP must confirm the receipt of the order to the authority without undue delay and must provide the requested information with certain limitations.
  • Designating points of contact and legal representatives: ISPs must establish a single point of contact for direct electronic communication with the authorities and publish it. Furthermore, ISPs not established in the EU but offering services in the EU must designate in writing a legal representative (together with its name and contact details) in one of the EU countries where the ISP offers services for receipt, execution and enforcement of authority decisions and for cooperation with the authorities. This designated legal representative can be held liable for non-compliance with obligations under the DSA.
  • Indicating restrictions in terms: all restrictions (including content moderation, algorithmic decision-making, and human review rules) related to the use of ISPs’ services regarding information provided by the recipients must be included in the terms and conditions of the services.
  • Publishing annual transparency reports: ISPs must publish detailed annual reports of any content moderation they engaged in during the relevant period. These reports must include, among others, certain information on the orders from authorities, notices on illegal content and complaints received by the ISP, as well as on content moderation by the ISP.

3.2 Additional obligations on all hosting providers

  • Managing notices on illegal contents: the hosting provider must introduce easily accessible, user-friendly electronic processes for managing notices on illegal contents. The DSA lists the mandatory elements of such a notice. The hosting provider must confirm the receipt of such notice in a responding email and notify the claimant of its decision without undue delay.
  • Providing reasoning for decisions: if the hosting provider decides to remove or make unavailable any illegal content provided by the recipient, it must inform the recipient of the decision and give clear reasoning for that decision. This reasoning must contain all mandatory elements listed in the DSA. The decision must be published in an anonymised way in the Commission’s public database.

3.4 Special obligations of online platforms

The provisions applicable to online platforms cannot be applied to SME online platforms. The following additional obligations apply to online platforms, including very large online platforms:

  • Complaint management system: online platforms must maintain an internal, user-friendly, easily accessible electronic complaint management system and must grant access to it to the recipients. The recipients can submit complaints electronically here against the online platform’s decisions on their illegal content.
  • Out of court dispute settlement: recipients affected by an online platform’s decision on illegal content are entitled to turn to an out-of-court body certified by the digital service coordinator. The online platforms are bound by the decision of this body. The DSA contains the detailed rules for the proceedings and the decisions of this certified body.
  • Priority for trusted flaggers: online platforms must process the notices on illegal content submitted by trusted flaggers with priority. The digital service coordinators are entitled to qualify an entity as a trusted flagger if all conditions listed in the DSA are met. The list of trusted flaggers is published in the Commission’s publicly available database.
  • Measures against abusive notices and counter-notices: online platforms must suspend their services to recipients that frequently provide manifestly illegal content. Furthermore, online platforms must also suspend the processing of notices and complaints submitted by persons that frequently submit notices or complaints that are manifestly unfounded. The DSA contains detailed rules for the circumstances to be assessed in the case of such suspension.
  • Reporting suspicions of criminal offences: online platforms must promptly inform the member states’ competent law enforcement authorities, or in certain cases Europol, if they become aware of any suspicion of a criminal offence involving a threat to the life or safety of persons has taken place, is taking place or is likely to take place.
  • Know Your Business Customer: online platforms must identify their traders promoting messages or offering products or services to EU consumers, and must obtain information about them listed in the DSA, among others the name, contact details, registration number, copy of the ID card of the trader. 
  • More detailed transparency reports: online platforms must include additional information in their annual transparency report, such as information about out-of-court disputes, suspensions, and automated content moderation. Furthermore, online platforms must publish information at least once every six months on the average monthly active recipients of the service in each EU country.
  • User-facing transparency of online advertising: online platforms must ensure that advertisements displayed in their services contain information that this is an advertisement, who is the advertiser, and the target audience of the advertisements.

3.5 Very large online platforms’ special obligations for managing systemic risks

The draft regulation contains the following special obligations for very large online platforms for managing systemic risks:

  • Risk management obligations: very large online platforms must conduct annual risk assessments on the significant systemic risks stemming from the functioning and use of their services in the EU. Furthermore, based on these risk assessments, they must put in place reasonable, proportionate and effective risk mitigation measures for the systemic risks they identify. The DSA contains a detailed list of those risk-mitigation measures.
  • External risk auditing and public accountability: very large online platforms must conduct annual audits on compliance with the DSA and the code of conduct via an independent, external professional auditor. The auditor must issue a written audit report including the mandatory elements listed in the DSA in writing.
  • Transparency of recommender systems: if a very large online platform uses a recommender system, it must include the main parameters of and certain information about this system in its terms and conditions, and must ensure options for users not involving profiling.
  • More transparency in online advertising: very large online platforms must make publicly available, through APIs, an anonymised repository about the online advertisements displayed on the platform. The repository must contain the content of the advertisements, each advertiser’s name, the period when each advertisement was displayed, and certain information about the target audience of each advertisement.
  • Data sharing with authorities and researchers: very large online platforms must provide access to the data to the digital service coordinator or the Commission for monitoring and assessing compliance with the DSA, and must grant access to the data to vetted academic, independent researchers for conducting research that contributes to the identification and understanding of systemic risks. Data access must be ensured via APIs or online databases.
  • Compliance officer: very large online platforms must appoint at least one professional compliance officer to monitor compliance with the DSA. The compliance officer’s name and contact details must be provided to the digital service coordinator and the Commission.
  • Additional transparency reporting duties: very large online platforms must publish transparency reports every six months and must publish and submit additional reports listed in the DSA to the digital service coordinator and the Commission.

4. Competent authorities, forum shopping

All EU member states must designate a competent national enforcement authority for the DSA and the same or another authority as the digital service coordinator. Each digital service coordinator has the power of investigation and is entitled to demand information from the ISPs and any other person on suspected infringements of the DSA, to carry out on-site inspections, to ask staff of the ISPs to give explanations, to order the cessation of an infringement, to impose fines, and to adopt interim measures.

The EU member state in which the main establishment of the ISP is located will have jurisdiction over the ISP. If an ISP does not have an establishment in the EU but offers services in the EU, it will be deemed to be under the jurisdiction of the EU member state where its legal representative resides or is established, which enables foreign ISPs to choose the EU jurisdiction by designating its legal representative. If the ISP fails to appoint a legal representative, all EU member states will have jurisdiction over that ISP.

The DSA establishes the European Board for Digital Services, an independent advisory group of digital service coordinators on the supervision of ISPs with advisory tasks for digital service coordinators and the Commission.

The DSA introduces enhanced supervision for very large platforms. In this case, the digital services coordinator will consider all opinions and recommendations of the European Board for Digital Services and the Commission. The Commission and the Board is entitled to recommend that the digital service coordinator investigates the infringing activity. The Commission is entitled to initiate its own proceedings against a very large online platform in cases defined in the DSA. The DSA contains special rules for proceedings initiated by the Commission against a very large platform, with special procedural rights and obligations.

5. Sanctions

The DSA does not contain an exhaustive list of sanctions for an infringement of the regulation; the Member States will set out the rules on sanctions. The draft regulation defines the following maximum amount of penalties:

  • 6% of the annual income or turnover of the ISP for infringing the obligations in the DSA;
  • 1% of the annual income or turnover of the ISP for supplying incorrect, incomplete or misleading information, failing to reply or rectify incorrect, incomplete or misleading information, and failing to submit to an on-site inspection;
  • 5% of the average daily turnover in the preceding financial year per day, calculated from the date appointed by the decision in the case of daily, periodic penalty payments.

6. Next steps

The European Parliament and Member States will discuss the Commission’s proposal according to the ordinary legislative procedure, which will take at least 18 months. Once adopted, the DSA will directly apply across the EU and ISPs will have three months to prepare for the new legal regime.

We will continuously monitor the status of the legislative process and keep you updated on any changes to the draft text of the DSA.

Authors

Dóra Petrányi
Dóra Petrányi
Partner
CEE Managing Director, Co-Head of the Technology, Media and Communications Group
Budapest
Katalin Horváth
Katalin Horváth
Senior Counsel
Budapest
Márton Domokos
Márton Domokos
Co-ordinator of the CEE Data Protection Practice, CMNO
Budapest

Read other related content

01/04/2021
Digital Markets Act: a new and fair business framework for large platforms
The European Commission has published the draft proposal for a new competition law framework for large online platforms, called the Digital Markets Act (the “DMA”). The reason the Commission proposed the DMA is that a small number of large online platforms capture the biggest share of overall value generated in Europe’s digital economy, and these platforms have emerged by benefitting from sector characteristics such as strong network effects, often embedded in their own platform ecosystems. These platforms represent the key structuring elements in today’s digital economy, intermediating the majority of transactions between end users and business users. A few large platforms increasingly act as gateways or gatekeepers between business users and end users, and enjoy a long-term, entrenched position, often as a result of the creation of conglomerate ecosystems around their core platform services, which reinforces existing entry barriers. The DMA deals with those large online platforms acting as gatekeepers in digital markets. The DMA aims to ensure that:these platforms behave fairly on­line;in­nov­at­ors and technology start-ups will have new opportunities to compete and innovate in the online platform environment without having to comply with unfair terms and conditions that limit their de­vel­op­ment;con­sumers will have more and better services to choose from, more opportunities to switch their provider if they so wish, direct access to services, and fairer prices. Who are the gatekeepers? Gatekeepers are core platform services which meet the qualitative and quantitative criteria set out in the DMA. Core platform services include online intermediation services, search engines, social networking services, video-sharing platform services, num­ber-in­de­pend­ent interpersonal communication services, operating systems, cloud computing services, advertising services including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by a provider of any of the core platform services listed above.A core platform service qualifies as a gatekeeper, if:it has a significant impact on the internal market, which is presumed if it achieves an annual EEA turnover equal to or above EUR 6.5 billion in the three preceding financial years, or where the average market capitalisation or the equivalent fair market value of the undertaking to which it belongs amounted to at least EUR 65 billion in the preceding financial year, and it provides a core platform service in at least three Member States;it operates a core platform service which serves as an important gateway for business users to reach end users, which is presumed if it has more than 45 million monthly active end users established or located in the Union and more than 10,000 yearly active business users established in the EU in the preceding financial year;it enjoys a long-term, entrenched position in its operations or it is foreseeable that it will enjoy such position in the near future, which is presumed if the thresholds in point b) were met in each of the three preceding financial years.   What are the gatekeepers’ main obligations? Do’s and Don’ts     What kind of tools and powers do the Commission and other bodies have? The DMA grants powers and different procedural rights to the European Commission and establishes the Digital Markets Advisory Committee for issuing opinions in issues related to the DMA. The DMA gives the Commission the following powers:to designate core platform services that meet the DMA criteria as gatekeepers;to review ad-hoc the status of gatekeepers on request or on its own;to review at two-year intervals the status of gatekeepers;to specify measures to be taken by gatekeeper to comply with the DMA;to suspend certain gatekeeper obligations under the DMA at a gatekeeper’s request, if the gatekeeper demonstrates that compliance with that specific obligation would endanger its economic viability;to exempt a gatekeeper from certain obligations under the DMA on the grounds of public morality, public health or public security;to initiate market in­vest­ig­a­tions:lower-ro­manto examine whether a provider of core platform services should be designated as a gatekeeper;into systematic non-compliance by a gatekeeper;to examine whether certain services in the digital sector should be added to the list of core platform services and identify practices that might limit the contestability of core platform services or might be unfair. The DMA grants investigative, enforcement and monitoring powers to the Commission during its proceedings, based on which the Commission is entitled to:request information from any undertakings and from the governments and authorities of EU member states;access data bases and al­gorithms;in­ter­view any private person or legal entity to collect information relating to the subject-matter of an in­vest­ig­a­tion;con­duct on-site inspections at the premises of any undertakings, including together with auditors and experts;order interim measures against a gatekeeper on the basis of a prima facie finding of an infringement of obligations under the DMA;monitor the effective implementation and compliance with the obligations under the DMA.   What will the sanctions for non-compliance be? If the Commission adopts a non-compliance decision in which it finds that a gatekeeper does not comply with one or more obligations under the DMA, the Commission may fine a gatekeeper. The maximum amount of a fine is 10% of the total worldwide annual turnover of the gatekeeper in the case of a material breach of the obligations under the DMA, and a maximum 1% in the case of a less serious breach of obligations under the DMA. The Commission is also entitled to order periodic penalty payments of up to 5% of the average daily turnover in certain cases defined in the DMA. In the case of systematic breaches of the DMA obligations by gate­keep­ers, ad­di­tion­al remedies may be imposed after a market investigation. Such remedies will need to be proportionate to the offence committed. If necessary and as a last resort, non-financial remedies can be imposed. These can include behavioural and structural remedies, e.g. the divestiture of (parts of) a business.   What are the next steps? The European Parliament and Member States will discuss the Commission’s proposal according to the ordinary legislative procedure, which will take at least 18 months. Once adopted, the Act will directly apply across the EU and the core platform service providers will have six months to prepare for the new legal regime. We will continuously monitor the status of the legislative process and keep you updated on any changes to the draft text of the DMA.