The EU Digital Services Act and how it may affect your business

Here's what you need to know about the EU Digital Services Act and how it may affect UK businesses

To meet the challenges posed by the digital revolution, the European Union Digital Services Act ("DSA") seeks to update the regulatory framework for digital services to tackle the abundance of illegal online content, the dominance of 'big tech' companies and the lack of transparency in online advertising. In a nutshell, what's illegal offline should also be illegal online.

Who does this apply to?

The DSA was proposed by the European Commission in December 2020 and was adopted in October 2022. The majority of DSA rules are set to take effect from 17th February 2024 but very large online platforms and search engines will be subject to the rules sooner than that.

Both EU and non-EU businesses will be affected by the DSA. All UK businesses who offer online services in the EU will have to comply with the DSA. Specifically, it applies to companies that offer 'intermediary services', like sending, storing, or hosting information online, or that are search engines. Regardless of the online provider's location, it is mandatory for these providers to comply with the DSA if they provide services to (or target their activity towards) a significant number of users located in the EU.

So let's look at the overview of the DSA and what it intends to impose on online providers:

  1. All online providers shall be responsible for any illegal content on their platforms and shall be required to take steps to prevent illegal content from being disseminated from their platform. Illegal content includes any content that incites violence, hatred, or discrimination, any content that violates intellectual property rights and data protection principles as well as consumer protection laws and regulations. The legality of the content shall be determined by the laws of each member state.
  2. All online providers shall be subject to a greater level of transparency about their commercial operations and must comply with more detailed public reporting requirements. They shall need to provide clear and transparent information regarding the advertisements displayed on their platforms such as who paid for the adverts, the targeting criteria used, as well as metrics relating to performance.
  3. Online providers that have more than 10% of Europeans as users of their services will be subject to additional requirements, including transparency obligations, data sharing obligations, and audit requirements.
  4. The DSA will grant national authorities the power to enforce the rules, including imposing fines and sanctions on non-compliant online platforms.

How does this impact UK businesses providing these online services?

There are several new provisions in the DSA relevant to UK online providers operating in the EU and these provisions are divided into four tiers, with the least onerous obligations being imposed on tier 1 and increasingly strict obligations applied to larger/better resourced online providers as you progress up the tiers.

How does the DSA categorise the tiers?

Tier 1: all Internet Service Providers ("ISPs"), including the cloud infrastructure services and virtual private networks commonly used in the workplace

Tier 2: ISPs which provide hosting services

Tier 3: ISPs which provide online platform services

Tier 4: very large online platforms ("VLOPs") and very large search engines ("VLOSEs") which have at least 45 million average monthly active recipients in the EU (roughly 10% of the total EU population)

Some of the DSA's obligations are not applicable to small companies and micro-enterprises (fewer than 50 employees and less than €10 million in annual sales).

All online providers are bound by the following obligations:

  1. When dealing with illegal content, providers need to act quickly and efficiently and without undue delay when national authorities request that the provider remove illegal content or provide information.
  2. There should be one electronic point of contact for direct communication with member state authorities, the European Commission, and the European Board for Digital Services. The same applies to users as they should have a single point of contact so they can talk to the provider "directly and efficiently." UK businesses must designate a legal representative in one of the EU member states where they offer their services if they don't have an establishment there. It is worth noting that this EU legal representative shall be liable for any violations of the DSA.
  3. Any restrictions imposed on the use of the services or the information provided by users must be explained in plain language whether these are contained in any policies, procedures, measures, and tools for moderation, including algorithms and humans, as well as internal complaints handling procedures. The restrictions must be applied "diligently, objectively, and proportionately" with due consideration for the fundamental rights of the users.
  4. At least once a year, providers must make public reports on their content moderation and takedown orders, along with illegal content reported.

Tier 3 and Tier 4 providers are subject to the following additional obligations:

  1. Hosting providers are required to provide a notice-and-action mechanism so that a person may notify any hosting service about the presence of illegal content, and the provider has an obligation to respond in a timely, diligent, and objective manner. In the event that the notice enables the provider to identify the illegality of the content without a detailed examination, this constitutes actual knowledge (under Article 6 DSA), which triggers the removal requirements. Furthermore, providers of online platforms must prioritize notices provided by trusted flaggers (experts who are certified by authorities), and VLOPs and VLOSEs are held to a higher standard for the speed and quality of their processing of notices and actions to remove online content.
  2. Higher up the tiers, there are increased requirements for reporting and complaint handling. These include:
    (a) Hosting providers are required to provide reports on the number of notices, the actions taken on them, and whether those actions were automated.
    (b) It is essential that providers offer a free and easily accessible internal complaint handling system (e.g. for challenging suspensions). Whenever a decision is made, justifications must be provided to the user. Automated decisions cannot be made solely based on computer algorithms. The provider must also explain the option for redress through an out-of-court dispute resolution body.
    (c) It is the responsibility of online providers to provide reports on complaints/disputes (including out-of-court disputes) and the decisions and outcomes they reached including tracking the number of suspensions of users and the grounds for suspension, as well as the average number of recipients within the EU who are currently active on a monthly basis.
  3. It is forbidden for providers to use layouts, methods of operation, structures etc. to deny or restrict a user's freedom of choice. For instance, making terminating a service more challenging than subscribing to it, or giving preference to certain choices. There is a limited application of this ban, however, since it does not apply to practices covered by the EU GDPR or the EU Unfair Commercial Practices Directive 2002.
  4. Users must be able to clearly identify where any information displayed is an advert, who is advertising and/or who financed it, and why they are being shown it. The providers should ensure that their online advertising is transparent and that it is easy for users to identify. A number of other advertising requirements apply, such as not targeting advertising based on special categories of personal data (as per EU GDPR) and not presenting advertisements to minors. All advertisements displayed by VLOPs and VLOSEs must be recorded and made publicly accessible.
  5. Providers of online platforms accessible to minors must implement appropriate measures to ensure enhanced data protection and safety for such minors.
  6. Whenever an online platform uses news feeds or other data sources, it must clearly specify the parameters used, explaining why particular information is suggested. Furthermore, VLOPs must provide recommender systems that do not use GDPR-compliant profiling to make recommendations to users of the online platform.
  7. VLOPs and VLOSEs shall be required to:
    (a) undertake regular risk assessments;
    (b) implement reasonable, proportionate and effective mitigation measures;
    (c) appoint a compliance officer, independent of operational functions to conduct regular independent compliance audits;
    (d) share data on request to relevant authorities in order to assess compliance; and
    (e) pay an annual supervisory fee.
  8. In a crisis situation (such as Russia's aggression in Ukraine), the EU Commission can use this mechanism to require VLOPs and VLOSEs to take specific action. There is a three-month time limit on the actions required, unless the crisis evolves and the timeline should be extended (by no more than three months).

How can your business prepare for the DSA?

UK online providers operating in the EU can take a range of steps to prepare for the DSA. They should:

  1. Review their existing policies and practices to ensure they comply with the new DSA rules such as their policies on illegal content distribution, transparency in online advertising, and data sharing.
  2. Implement technology solutions to support compliance with the DSA including but not limited to content filtering systems, data management systems, and advertising transparency systems.
  3. Develop compliance plans outlining how they will comply with the DSA to cover any changes in policies and practices, the implementation of technology solutions and the training of staff.
  4. Seek legal advice to ensure they understand their particular obligations under the DSA and that they are taking appropriate steps to comply with them.

UK businesses operating online platforms that also operate within the EU will be affected by the DSA, which is an important development in EU digital regulation. Take proactive measures to prepare for the DSA in order to keep your online business competitive in the EU digital market and comply with the new rules.