As background, in December 2022, the EU Council adopted the policy programme ‘Path to the Digital Decade’, aiming to facilitate a seamless transition to digital transformation by 2030, aligning with EU values. This program sets specific digital targets for EU countries to achieve by 2030, including the development of national trajectories and strategic roadmaps to enhance digital infrastructure's security, accessibility, and sustainability. Notably, a key focus area of the EU digital strategy is digital services.
In this context, the digital services package was the EU’s response to the need to regulate the digital space. The two legislative acts the package contains, respectively the Digital Services Act (”DSA”) and the Digital Markets Act (”DMA”) aim to define measures to protect users while supporting innovation in the digital economy.
- What is the Digital Services Act?
The Digital Services Act is the world’s first digital regulation that makes digital companies across the EU accountable for the content posted on their platforms. It was adopted by the Council on 4 October 2022 and applies to most online intermediary companies as of 17 February 2024.
For ease of reference, DSA is setting rules regarding intermediaries’ obligations and accountability, which aims to counter online risks (such as harassment, bullying, false information, illegal content and/or people pretending to be someone else), by creating a harmonised legal framework to fight the spread of illegal and harmful content, thereby enhancing the protection of fundamental rights online and ensuring a proper implementation across the EU by coordinating the Commission and Member States actions.
The DSA builds on the rules of the Directive 2000/31/EC on certain legal aspects of the information society services, in particular electronic commerce, in the Internal Market ('Directive on electronic commerce'), which has been the main legal framework for the provision of digital services in the EU since 2000.
However, considering the massive development of the online platforms in the last 20 years, the DSA modernises and clarifies rules, aims to equally protect all users in the EU and aims to wide the European regulations already in force (i.e. EU Regulation 2019/1150 “P2B Regulation” applicable since July 12, 2020, which regulates the commercial relationship between online intermediaries and the business users that offer goods and services via the intermediary platforms.)
- Which companies are affected by the DSA?
All online intermediary companies whether they are established inside or outside the EU, that connect EU located users with content, products and services supplied in the EU single market, must follow the DSA, in their capacity as providers of intermediary services. This concept includes services such as internet access services, cloud services, messaging, marketplaces or social networks.
However, specific due diligence obligations apply to hosting services such as cloud and web hosting services (also including online platforms), and in particular to online platforms, such as social networks, content-sharing platforms, app stores, online marketplaces and online travel and accommodation platforms.
The most far-reaching rules in the DSA focus on very large online platforms (VLOPs) and very large online search engines (VLOSEs), which have a significant social and economic impact, reaching at least 45 million users in the EU (representing 10% of the EU population). For them, the new rules kicked in earlier, starting with 17 February 2023.
To avoid disproportionate burdens, most obligations imposed under the DSA on providers of online platforms, including platforms allowing consumers to conclude distance contracts with suppliers, should not apply to providers that qualify as micro (i.e. an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million) or small enterprises (i.e. an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million). For the same reason, those additional obligations should also not apply to providers of online platforms that previously qualified as micro or small enterprises during a period of 12 months after they lost that status.
- What new measures do companies have to put in place?
Some of the obligations for intermediaries include:
- New obligations for the protection of minors on any platform providing goods or services in the EU;
- Wide range of transparency measures for online platforms, including better information on terms and conditions, as well as transparency on the algorithms used for recommending content or products to users;
- Significantly more drastic measures to counter illegal content online, including provision of illegal goods and services. The DSA imposes new mechanisms allowing users to flag illegal content online, and for platforms to cooperate with specialised ‘trusted flaggers' to identify and remove illegal content;
- New rules to trace sellers on online marketplaces, to help build trust and go after scammers more easily; a new obligation for online marketplaces to randomly check against existing databases whether products or services on their sites are compliant; sustained efforts to enhance the traceability of products through advanced technological solutions;
- Online marketplaces are also requested to trace their traders ("know your business customer"). This ensures a safe, transparent and trustworthy environment for consumers and discourage traders who abuse platforms from selling unsafe or counterfeit goods;
- Effective safeguards for users, including the possibility to challenge platforms' content moderation decisions based on the compulsory information platforms must now provide to users when their content gets removed or restricted;
- Obligations for very large online platforms and search engines to prevent abuse of their systems by taking risk-based action, including oversight through independent audits of their risk management measures. Platforms must mitigate against risks such as disinformation or election manipulation, cyber violence against women, or harms to minors online. These measures must be carefully balanced against restrictions of freedom of expression, and are subject to independent audits;
- Bans on targeted advertising via online platforms by profiling children or based on special categories of personal data such as ethnicity, political views or sexual orientation;
- Enhanced transparency for all advertising activity via online platforms and influencers' commercial communications. Users have to be clearly informed whether and why they are targeted by each ad and who paid for the ad; they should also see very clearly when content is sponsored or organically posted on a platform and should also see when influencers are promoting commercial messages;
- A ban on using so-called ‘dark patterns' on the interface of online platforms, referring to misleading tricks that manipulate users into choices they do not intend to make;
- New provisions to allow access to data for researchers of key platforms, in order to scrutinise how platforms work and how online risks evolve;
- Users have new rights, including a right to complain to the platform, seek out-of-court settlements, complain to their national authority in their own language, or seek compensation for breaches of the rules. Now, representative organisations are able to defend user rights for large scale breaches of the law;
- What happens if companies do not comply with the new rules?
Under the DSA, the supervision of the new rules is shared between the Commission – which is primarily responsible for platforms and search engines with more than 45 million users in the EU – and Member States, responsible for any smaller platforms and search engines according to the Member State of establishment.
Member States are required to designate by 17 February 2024 the competent supervisory authorities – referred to as Digital Services Coordinators, respectively an independent authority which will be responsible for supervising the compliance with the new rules of the intermediary services established in their Member State and/or for coordinating with specialist sectorial authorities for enhanced supervision.
To do so, the Digital Services Coordinators will have specific powers to control and impose penalties, including financial fines. Each Member State will clearly specify the penalties in their national laws in line with the requirements set out in the Regulation, ensuring they are proportionate to the nature and gravity of the infringement, yet dissuasive to ensure compliance.
For the case of very large online platforms and very large online search engines, the Commission has direct supervision and enforcement powers.
Starting from 17 February 2024, the Commission or the Digital Services Coordinators, can:
- apply fines up to 6% of the worldwide annual turnover in case of: (i) Breach of DSA obligations, (ii) Failure to comply with interim measures, (iii) Breach of commitments;
- apply fines up to 1% of the offender’s annual income or worldwide turnover in the preceding financial year for supplying incorrect, incomplete or misleading information, as well as for failing to reply or to rectify such information, and for the failure to submit to an inspection;
- apply periodic penalties up to 5% of the average daily worldwide turnover for each day of delay in complying with remedies, interim measures, commitments (following lack of compliance with decisions imposing remedies, interim measures or making binding commitments).
The enforcement mechanism is not only limited to fines since the Digital Services Coordinator and the Commission will have the power to require also immediate remedial actions where necessary to address very serious harms and platforms will have to offer express and clear commitments on how they will remedy them.
- Roll-out at national level
The Romanian Government, during its meeting on 14 December 2023 passed the draft bill on measures for the implementation of Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC as well as amending and supplementing Law no. 365/2002 on electronic commerce. The draft bill appoints the National Authority for Management and Regulation in Communications of Romania (ANCOM) as Digital Services Coordinator in Romania. ANCOM, in its capacity as DSC shall be responsible for all aspects for the implementation and enforcement of the DSA.
- Getting DSA ready
Since in less than two weeks the obligations under the DSA must be observed by all affected digital services providers, our team envisaged a list of key steps to follow in order to ensure compliance with the DSA rulebook:
- Understand the DSA requirements: Get acquainted with the ins and outs of the DSA regulations, in order to have an idea on the specific obligations and guidelines applicable to your platform. Reference 6 in chapter iv) provides a summary of the significant obligations imposed by the DSA for every targeted service provider.
- Conduct an internal due diligence process: Identify areas that need to be aligned with the impending DSA requirements inside your organisation, conduct a proper risk assessment, defining priorities based on the red flag reports.
- Implement necessary amendments: Act on your audit findings by implementing the needed adjustments. Update terms and conditions, strengthen content moderation procedures and enhance user protection measures to meet DSA standards.
- Establish a compliance monitoring system: Set up a robust system for ongoing compliance. Regularly monitor, audit and adapt to changes, ensuring your platform policies are in line with DSA regulations.
By Angela Cristea, Counsel, Act Legal