With less than a month to go, those providing digital services to EU users will need to comply with a set of new EU digital rules; the Digital Services Act (DSA) takes full effect on February 17, 2024.
As a reminder, the DSA is part of the Commission’s broader Digital Agenda for Europe plan, which includes the Digital Markets Act and the Digital Governance Act (both applicable as of last year), the recently adopted Data Act, the AI Act, and other EU digital legislation.
We highlight the novelties this new EU regulation brings to the table in this short overview.
1. Why is the DSA important?
The DSA is important because it updates outdated rules on the provision of digital services to EU recipients by introducing a set of novel obligations that service providers must abide by, with the aim of preventing illegal and harmful online activities and the spread of disinformation.
2. To whom does the DSA apply?
The DSA applies to all providers of “intermediary services” that offer such services to EU recipients, irrespective of whether the service providers’ place of establishment is within or outside of the EU.
Under the DSA, “intermediary services” include three types of services:
- mere conduit services – simple transmission of data between users in a communication network
(e.g., virtual private networks (VPN), domain name systems (DNS), etc.); - caching services – temporary storage of user information for the purpose of transmitting the information to other users more efficiently
(e.g., content delivery networks (CDN), etc.); - hosting services – storage of information provided by a user and on the request of users
(e.g., online marketplaces, web hosting, cloud services, etc.).
Whether or not a particular service falls within one of the three “intermediary services” categories should be assessed on a case-by-case basis.
3. How does the DSA work?
The core provisions of the DSA are the due diligence obligations for service providers and the exemption from liability framework.
A. Due diligence obligations
The obligations service providers must adhere to, as well as the types and quantity of these obligations, depend on the intermediary services they offer to EU users.
The main set of obligations all service providers have to comply with are:
- updating of terms and conditions by including information on any restrictions service providers impose, in relation to the use of their service, regarding the data provided by the recipients of the service (e.g., policies, procedures, measures, tools for content moderation, etc.);
- designation of a single point of contact for communication with official authorities and service recipients;
- making publicly available, machine-readable, and easily accessible, annual transparency reports on content moderation carried out (including, for example, information about the content moderation engaged in at the service providers’ own initiative, use of automated tools in content moderation, measures to provide training and assistance to persons in charge of content moderation, etc.)
- appointing an EU legal representative, if service provider does not have a place of establishment within the EU.
Furthermore, all hosting service providers have to comply with additional set of obligations. These include responsibilities such as:
- additional transparency reporting obligations (e.g., information on the number of suspensions imposed on the service users for the provision of illegal content, the number of disputes submitted by the service provider to the out-of-court dispute settlement bodies and their outcomes, etc.);
- establishing an internal complaint-handling system, which allows users to lodge complaints against decisions of service providers on the grounds that the information provided by users constitutes illegal content or is incompatible with its terms and conditions;
- designing and organizing online interface in a way so as to not deceive or manipulate users, or in any way impair the ability of users to make free and informed decisions while using the service (e.g., dark patterns);
- Introducing greater transparency in displayed advertisements by allowing users to quickly and clearly identify that the content they are viewing is an advertisement. This includes the obligation to display clear information about the individual or entity sponsoring and financing the advertisement, along with details regarding the targeted audience. Additionally, the DSA establishes enhanced transparency in recommender systems.
Lastly, it should be noted that the DSA establishes important novelties in the provision of digital services, such as:
- the prohibition for service providers to present advertisements to users based on profiling using special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, etc.), and
- rules on online protection of minors which prohibit service providers to present advertisements on their interface based on profiling using personal data when they are aware with a reasonable certainty that the service recipient is a minor, as well as obligate service providers to articulate their terms and conditions in a manner comprehensible to minors if their service is primarily intended for or used by minors.
B. Exemption from liability
If service providers meet certain pre-established criteria, they may take advantage of the exemption from liability framework the DSA establishes.
To set an example, hosting service providers will not be liable for the information they store if they have no actual knowledge of illegal content and have no awareness of facts from which such illegal content is apparent. However, should the hosting service provider become aware of the illegal activity, they must act expeditiously to remove or disable access to such illegal content.
Similar requirements for exemption from liability also apply to mere conduit and caching service providers. For instance, for mere-conduit service providers, one requirement is not to modify the information transmitted, while for caching service providers, they are required to comply with conditions on access to the information.
It is important to note that under the DSA there is no general monitoring or active fact-finding obligation for service providers. Service providers do not have to hunt for illegal content, but should act swiftly once they become aware of such content.
4. Sanctions for non-compliance, enforcement, and the Croatian Implementation Act
Alike other novel EU acts regulating the digital sector, the DSA establishes very high sanctions for addressees that do not comply with its obligations.
Sanctions for service providers include:
- penalties of up to 6% of total worldwide annual turnover;
- periodic penalty payments of up to 5% of average daily worldwide turnover for each day of delay in complying with remedies, interim measures, and commitments; as well as,
- temporary ban on the provision of services to EU recipients.
Exact penalty amounts are determined by each member state in their implementation acts.
Regarding the oversight of the service providers, the DSA establishes a collaborative framework between the Digital Service Coordinators, designated by member states in their implementation acts, and the Commission, serving as the central regulator.
In accordance with DSA requirements, Croatia has introduced its DSA Implementation Act (Cro. Zakon o provedbi Uredbe 2022/2065) in early January. The Implementation Act is currently undergoing a public consultation process scheduled to conclude by February 8, 2024. The final report on the public consultation process is anticipated to be released by February 12, 2024.
The Croatian Implementation Act, among other provisions, designates the Croatian Regulatory Authority for Network Industries (HAKOM) as the Digital Services Coordinator. Furthermore, the Implementation Act outlines the coordination among Croatian regulatory bodies for the enforcement and supervision of the DSA.
Regarding the misdemeanor penalties, the Croatian Implementation Act establishes fines reaching up to EUR 66,360.00 for the violations of the DSA provisions.
Lastly, the Croatian Implementation Act mandates that service providers established in Croatia must notify HAKOM of their intermediary service provider status within three months of HAKOM’s publication of the notification format.
5. What should you do to prepare?
Due to the substantial penalties associated with DSA infringements, it is best that those providing digital services to EU users familiarize themselves with the range of obligations they may need to comply with.
We suggest providers of digital services:
- determine whether their provision of digital services to EU recipients falls into one of the three DSA “intermediary services” categories;
- familiarize themselves with specific obligations corresponding to the type of services they provide;
- approach the DSA holistically, understanding that the DSA is interconnected with other EU digital legislation, such as the Data Act, the Digital Markets Act, the Data Governance Act.
Should your business require assistance with the Digital Services Act or other emerging EU digital legislations, feel free to reach out via: vukmir@vukmir.net.