Thierry Breton, EU Commissioner for Internal Market, announced the Digital Services Act ("DSA"), which is intended to harmonise regulations on the internet at EU level, with the pictorial comparison of "a new sheriff in town".
It has been 20 years since the EU first laid down a basic legal framework for the regulation of the internet – namely the eCommerce Directive of 2000. Since then, it has been the Member States who took the lead on making the internet a safer or at least better place – however, on national level (e.g. in Germany with the Network Enforcement Act). This led to regulations regarding the internet being very inconsistent across the EU. From a business perspective, at times there was the impression of a fragmentation of the "European Internet".
Therefore, the EU Parliament and eventually the EU Council on October 4, 2022 approved the DSA. Other than hoped by some and feared by others, the DSA is not a "constitutional law for platforms". Rather it contains basic rules for the so-called intermediary services providers.
The underlying idea of the DSA is: "What is illegal offline, should be illegal online". At first glance, this sounds like an obvious truism, and in fact the regulations of the DSA are more of a tightening up or standardisation of regulations that already exist in many member states. However, many new obligations have been added with the real novelty being the possibility of initiating sanctions against companies along with a system of fines modelled on the GDPR).
The DSA is aimed at "intermediary services providers" who offer their services in the EU. This includes, for example, internet providers, cloud services and content sharing platforms, but also social networks, app stores and online marketplaces.
The extent of regulation depends on the respective type of intermediary service. A distinction is made between the pure transmission of data ("mere conduit"), transmission with short-term intermediate storage ("caching") and "hosting", with the special case of online platforms. The strictest regulations apply to "very large online platforms" and "very large online search engines".
At first, the DSA establishes a standardised legal framework for the conditional exemption from liability of intermediary service providers for the data or content they transmit. The exemption is mainly based on the knowledge of the intermediary services providers of the illegality of the content.
The DSA furthermore lists obligations of the intermediary services providers, some of which are very detailed.
Providers of hosting services must implement notice and action mechanisms. These must include a report function for illegal content which is easily accessible for users. If restrictions are imposed on user content or behaviour, the services provider must give a clear and specific statement of reasons for the restrictions to any affected recipient of the service. If a hosting provider becomes aware of any information that gives rise to the suspicion of a criminal offence involving a threat to the life or safety of a person, the provider must inform the relevant authorities.
Online platforms, such as social networks or online marketplaces, are defined as providers of hosting services that not only store information provided by the recipients of the service but also disseminate such information to the public at the recipient's request. Such online platforms will have further obligations.
For very large online platforms having in average at least 45 million EU users per month, even more comprehensive transparency obligations apply. They must give their users the possibility to refuse recommendations based on profiling. They must establish risk management systems and meet specific compliance requirements. And they must be publicly accountable for meeting these requirements and will be subject to annual independent audits. In a crisis (such as war), very large online platforms may be subject to further obligations. These requirements also apply to very large search engines.
Non-compliance with the DSA can be punished with heavy fines of up to six percent of the group's annual turnover. The competent national authority of the member state in whose territorial jurisdiction the intermediary services provider falls is responsible for enforcing the regulations of the DSA and imposing the respective fines. In the case of very large online platforms/very large search engines, the responsibility here lies with the Commission.
Companies will not only be subject to obligations if they are providers of any kind of intermediary services; they will now have the possibility to take better action against illegal content or illegal products (for example, counterfeit products, etc.).
The new regulations will probably apply from February 2024 and even earlier for very large online platforms. It remains to be seen whether and how the "new sheriff" will ensure better control and security online.
Dr Andreas Lober and Cathleen Laitenberger