The EU Digital Services Act imposes new requirements on companies offering digital services in the EU. It aims to protect users' rights and reduce exposure to harmful content.
For most companies, planning for 2024 is now well underway across the organization, including consideration of new compliance obligations expected to impact the company in the new year. In terms of privacy regulations, the new EU Digital Services Act (DSA), which becomes fully operational on February 17, 2024, will impose a host of new requirements on all companies offering digital services to customers in the EU, regardless of where the companies are located.
Given the scope and complexity of the DSA, we have prepared a list of FAQs to help support your compliance preparation efforts.
What is the purpose of the DSA?
According to the European Commission, the governing body in the EU responsible for privacy regulation, the DSA was introduced with the following goals in mind:
- For individuals, better protection of fundamental rights, more choice and control, more online protection for children, and less exposure to illegal content (such as hate speech, terrorist content, child sexual abuse material)
- For digital services providers, more legal certainty and harmonization across the EU, making it easier for providers to operate
- For businesses who use digital services, access to EU-wide markets
- For society, greater democratic control, platform oversight, and mitigation of systemic risks, such as manipulation and disinformation
What does the DSA change?
The DSA is designed to accomplish the above goals by effecting change in the following areas:
- Harmonizes rules across the 27 member countries to ensure all EU citizens are afforded the same protections
- Enables users to be informed about, and to contest, content moderation
- Provides access to dispute resolution mechanisms for users in their own countries
- Requires transparent terms and conditions
- Increases safety and awareness by revealing the true sellers of products
- Establishes expedited crisis response mechanisms, along with additional risk management mechanisms applicable to public health and security crises
- Implements new protections for minors
- Bans targeted advertisements directed to minors or using sensitive personal data
- Enables access to data to research platforms’ risks on society and fundamental rights
What is the scope of the DSA?
The DSA applies to all online intermediaries offering digital services in the EU, whether they are established in the EU or elsewhere, including the following types of entities:
- Intermediaries, such as Internet access providers and domain name registrars
- Hosting services providers, such as cloud and webhosting service providers
- Online platforms, such as online marketplaces, app stores, and social networks
- Very large online platforms (VLOPs) and very large online search engines (VLOSEs). Specific rules will apply to VLOPs and VLOSEs.
Who are the EU-Designated VLOPs and VLOSEs?
Online platforms or search engines that reach more than 10% of consumers in the EU (approximately 45 million consumers) have been designated VLOPs or VLOSEs by the European Commission. Currently, the EU Commission has identified 19 VLOPs, including:
- Amazon Store
- Google Maps, Google Play, and Google Shopping
- Snapchat
- TikTok
- Wikipedia
- YouTube
Currently, there are 2 VLOSEs: Bing and Google Search.
What are the special requirements applicable to VLOPs and VLOSEs?
Under the DSA, entities designated as a VLOP or VLOSE were given four months from the date of such designation to begin complying with the law. Additionally, VLOPs and VLOSEs are considered regulated entities under the DSA, and are expected to comply with a set of additional requirements applicable only to those larger entities.
What are the basic requirements of the DSA?
The DSA creates a common set of rules that apply to all online intermediaries providing digital services to customers throughout the EU. These requirements are intended to match a provider’s size, role (intermediary service, hosting service, online platforms, or VLOPs/VLOSEs), and impact in the online ecosystem. These requirements include:
- Wide-ranging transparency measures, including use of algorithms
- Terms of service requirements
- Cooperation with national authorities
- Designation of points of contact
Additional requirements for VLOPs and VLOSEs include:
- Conducting independent audits
- Measures for users to report illegal goods, services, and content online
- Establishing a consumer complaint and redress mechanism
- Cooperation with “trusted flaggers”
- Measures against abusive notices
- Know your business customer (KYBC) obligations
- Bans on advertisements that target children and those based on a user’s special characteristics
- Transparency of online advertising
- Risk management obligations
- Internal and external auditing and public accountability
- User choice to opt out of recommendations based on profiling
- Data sharing with authorities
- Codes of conduct for compliance and accessibility for people with disabilities
- Crisis response cooperation
What are the penalties for noncompliance?
The European Commission, the Member States, and the Member States’ Digital Services Coordinators will work together to enforce the DSA. Penalties for non-compliance include:
- Fines of up to 6% of annual global revenue
- Increased oversight
- Temporary ban on operating in the EU in the event of repeated serious breaches that threaten people’s lives or safety.
In addition, the European Commission launched the European Centre for Algorithmic Transparency (ECAT), a scientific center, to conduct technical tests on algorithmic systems, support investigations, identify emerging risks related to the use of VLOPs/VLOSEs, and analyze transparency reports, risk assessments, and independent audits.
For questions about the EU Digital Services Act, please contact Client Success at clientsuccess@outsidegc.com.