The Digital Services Act (DSA) entered into full force on 17 February 2024. This is a monumental EU regulation, containing 93 articles and 156 recitals, which is intended to impose:
- A framework for the conditional exemption from liability of providers of online intermediary services (i.e. companies that are conduits for, cache or host third-party online content)
- Rules on specific due diligence obligations tailored to certain specific categories of providers of intermediary services
- Rules on implementation and enforcement, including as regards the cooperation between the competent authorities
It is applicable across the whole EU and EEA, and has extraterritorial reach.
Part of the DSA has already been in force since 2023 for some designated providers. However, since 17 February 2024, the remainder of the DSA now applies to all online intermediary services providers that offer their services in the EU/EEA, regardless of whether or not such providers have an establishment in the EU/EEA. A more detailed overview of the DSA is available on our Digital Markets Regulation page.
VLOPs and VLOSEs
The part of the DSA that was already in operation prior to 17 February applied only to designated “very large online platforms” (VLOPs) and “very large online search engines” (VLOSEs). The current VLOP and VLOSE list includes platforms and search engines such as Amazon Store, App Store, LinkedIn, Facebook, Instagram, Pinterest, Snapchat, X, and Google Search, Google Play, Google Maps, Google Shopping and YouTube. Alibaba, TikTok, and Booking.com are also among the listed platforms and search engines.
Intermediary Services
The remainder of the DSA, which entered into force on 17 February, contains broader rules that are applicable to all“online intermediary services providers” defined as providers of “mere conduit”, “caching” or “hosting services”, whether or not they are established in Europe.
While the DSA may, at first blush, seem to cover only Big Tech, many ordinary and smaller online services, including apps and websites that facilitate the sharing of user generated content, may come under the definition of intermediary services. The definition of “intermediary services” spans a wide range of economic activities that take place online and that develop continually to provide for transmission of information that is swift, safe and secure, and to ensure convenience of all participants of the online ecosystem. For example, “mere conduit” intermediary services include generic categories of services, such as internet exchange points; wireless access points; virtual private networks; domain name system (DNS) services and resolvers; top-level domain name registries and registrars; certificate authorities that issue digital certificates; and voice over IP and other interpersonal communication services, while generic examples of “caching” intermediary services include the sole provision of content delivery networks, reverse proxies or content adaptation proxies. Such services are crucial to ensuring the smooth and efficient transmission of information delivered on the internet. Examples of “hosting services” include categories of services such as cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing. Intermediary services may be provided in isolation, as a part of another type of intermediary service, or simultaneously with other intermediary services. Whether a specific service constitutes a “mere conduit”, “caching” or “hosting” service depends solely on its technical functionalities, which might evolve in time, and should be assessed on a case-by-case basis.
Conditional Exemption
The DSA exempts these intermediary services providers from content liability subject to the following conditions:
- For mere conduit services, the exemption conditions are that the provider “(a) does not initiate the transmission; (b) does not select the receiver of the transmission; and (c) does not select or modify the information contained in the transmission”.
- For caching services, the exemption conditions are that the provider “(a) does not modify the information; (b) complies with conditions on access to the information; (c) complies with rules regarding the updating of the information, specified in a manner widely recognised and used by industry; (d) does not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information; and (e) acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source of the transmission has been removed from the network, or access to it has been disabled, or that a judicial or an administrative authority has ordered such removal or disablement”.
- For hosting services, the exemption conditions are that the provider “(a) does not have actual knowledge of illegal activity or illegal content and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or illegal content is apparent; or (b) upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the illegal content”.
This is similar to, but materially different from, the immunity offered to intermediaries under Section 230 of the US Communications Decency Act, and companies familiar with that regime should note the differences. One of the most crucial differences is the obligation of hosting services to act upon knowledge, in order to qualify for the exception, which is not necessary under US law.
Due Diligence Obligations
The DSA imposes specific due diligence obligations (including positive information obligations vis-à-vis consumers and business partners) tailored to each specific category of providers of intermediary services. Concerns about insufficient transparency, the nontraceability of online traders, automated machine-based decision-making, content tailoring, and the excessive power of large intermediaries, permeate the DSA and have significantly shaped these obligations. For an overview of these obligations, check our DSA Compliance Tracker.
New Enforcers and Compliance Roles
The DSA also introduces new enforcers and new compliance roles. For example, each EU member state will designate a digital services coordinator and each intermediary service provider without an EU establishment will need to appoint a representative in an EU member state who will need to be able to liaise with the designated digital services coordinators. One of the sticky practical implementation aspects for this requirement, however, is that the appointed representative will have direct liability for DSA noncompliance, without prejudice to the liability and legal actions that could be initiated against the provider of intermediary services.
International Ramifications
The DSA’s “rights-driven” model of internet governance seeks to chart something of a middle way between the US “market-driven” model and China’s “state-driven” model. Some commentators have described the EU model as more proactive and risk averse than the US model but also more mindful of privacy and individual rights than the China’s model. As an analytical framework, this categorisation is compelling, though it has worrisome implications arising from the dangers of a splinternet.
Because it applies to all intermediary services providers that offer their services to recipients located in the EU/EEA, whether they are established inside or outside the EU/EEA, the DSA will affect US and UK intermediaries servicing the EU/EEA market, an application that suggests that, as has been the case with the EU General Data Protection Regulation (GDPR), some spillover from the EU legislation will be felt in the US and UK. As the GDPR has shown, such spillover can result in US and UK intermediaries being targeted by EU enforcement actions, and in US and UK intermediaries adjusting their operations pursuant to the EU legislation, including inside the US and UK. Spillover may also result in US legislators looking at the EU legislation for thoughts about their own legislative actions in the US; the California Consumer Privacy Act is a prime example of GDPR spillover. The UK has already passed its Online Safety Act on content liability for online intermediary services and its regulator, Ofcom, is said to be cooperating with the EU Commission towards a coherent application of the Online Safety Act and the DSA.
Conclusion
The novel framework introduced by the DSA and its international ramifications present both opportunities and risks for online intermediary services providers active in Europe.