After several rounds of public consultations, the European Commission finally released its long-awaited proposal for the Digital Services Act (DSA) on 16 December 2020 (see our statement here). Now that we have had some time to read and digest the proposed regulation, we are ready to break it down for you! Before we get into it, you can read our DSA position paper here if you are looking for even more information.

What is the DSA?

In short, the DSA is one of two pieces of legislation the European Commission proposed as part of its “Digital Services Act package”. The other proposal is the Digital Markets Act, which will be covered in a future blog.

The DSA intends to increase and harmonise responsibilities for platforms and information service providers. In its current form, the DSA covers a wide range of policy issues and introduces a variety of obligations on providers of digital services (or platforms), making it relevant for all digital service providers as well as their business users and customers.

What is in the DSA?

First off, the DSA applies to any intermediary service provider that has European customers and/or business users. While very large online platforms are the major focus of the DSA, it does not exempt medium-sized service providers from its obligations. A medium-sized enterprise is defined as a business with 50 – 250 employees and with an annual turnover of 50 € million or less, and/or an annual balance sheet total of 43 € million or less. As for other related legislation, the DSA updates the liability provisions of the e-Commerce Directive and complements the Platform-to-Business-Regulation(P2B).

The DSA would be an EU-wide law. It addresses the handling of illegal or harmful online content, the protection of users’ fundamental rights online, the liability of platforms for third-party content, and the increased information sharing between platforms and their users. While micro- and small enterprises will have obligations proportionate to their ability and size, all digital service providers offering their services in the EU must comply with the following main provisions:

  1. Every hosting provider must implement a notice-and-takedown mechanism to enable users to notify the platform of illegal content.
  2. All content removals must include an explanation for the user whose content the platform took down, and they must publish detailed reports on removal activities. Platforms must also enable users to contest the removal decision.
  3. Platforms must list information on restricted uses of user data in their terms and conditions in easy, accessible, and unambiguous language.
  4. Platforms must implement “Know Your Customer” procedures, keep information about traders and provide safety information to track down sellers of illegal goods.
  5. Users must have access to real-time, clear, and unambiguous information when they are seeing an advertisement, who is paying for the ad, and why a specific user is seeing the ad.
  6. Platforms that provide services in the EU but are not established there must designate a legal representative in the EU. This representative is required to cooperate with supervisory authorities and can be held liable for non-compliance with the DSA.

Non-compliance with these obligations can result in fines of up to 6 percent of the annual income or turnover of the platform. Continuous infringements of the obligations can result in periodic penalty payments of up to 5 percent of the average daily turnover of the platform.

In addition to the rules above, very large platforms, defined as those with more than 45 million active users, must comply with additional obligations:

  1. Analyse systemic risks originating from the use of their platforms and implement effective content moderation mechanisms to address the identified risks.
  2. Provide transparency on which main parameters influence the decision-making algorithms that determine the content on their platforms and list options for the user to modify those parameters.
  3. Establish and maintain a public database, via APIs, with detailed information on the online advertisements of the past year.
  4. Designate a compliance officer dedicated to obligations under the DSA and undergo an annual independent audit.
  5. Upon request, very large online platforms must give access to the data necessary to monitor their DSA compliance to the competent authority and vetted academic researchers who research systemic risks on the platform.

In addition to these obligations, the European Commission will have supervisory and enforcement powers concerning very large platforms.

What does all of this mean for your business?

Making the digital environment safer for consumers benefits every actor in the digital economy. The DSA provides enhanced clarity concerning the liability exemption from the E-Commerce Directive and brings greater transparency to the Digital Single Market, particularly concerning dealings with very large online platforms. These are good aspects. However, we have concerns that three provisions will negatively impact our members: the obligations for all platforms to implement automated notice-and-action mechanisms, the requirement to obtain a legal representative, and the possibility of a shifting threshold for very large online platforms at frequent intervals.

Notice & action mechanisms

An automated notice-and-action mechanism means more costs and administrative burdens for hosting providers. The European Commission estimates it costs at least 1500 € to put a notice-and-action mechanism in place. This estimate does not include maintenance and the possibility of necessary human oversight of such a mechanism. Promptly responding to notices, drafting, and sharing a statement of reasons as well as publishing all decisions in an accessible database all require a significant amount of time. This cost is unreasonable for small businesses and especially for new market entrants. The European institutions should implement safeguards to protect small businesses from the cost and liabilities of these obligations. European policymakers can do this by exempting small and micro-enterprises from the requirement to put in place these automated systems. Alternatively, we recommend that the DSA include specific safeguards for small actors such as subsidised costs or more flexible response and reporting requirements.

Legal representative in the EU

Similarly, obtaining a legal representative means substantial extra costs for businesses. If a company is not established in the EU, it must install a legal representative, which the Commission estimates will cost at least 50 000 € per year. Without appropriate safeguards, this obligation would likely prevent many non-EU companies from conducting business in the EU, especially small and micro-enterprises. The European institutions should adjust this requirement to preserve a competitive app economy that does not shut out smaller players. Exempting small and micro-enterprises from the obligation to establish a legal representative in the EU would help achieve this goal. At least, the European institutions could facilitate and coordinate the pooling of costs related to installing a legal representative. For small and micro-enterprises that fail to appoint a legal representative, the EU should also develop more flexible response requirements and provide translation or consulting services.

Legal uncertainty

As of now, it seems that the European Commission could frequently reassess the designation of very large online platforms. A regularly shifting threshold would decrease legal certainty. Additional obligations that target platforms solely based on their size rather than on their risk profile could disincentivize growth. Platforms of any size may hesitate to scale up to avoid additional requirements, due to additional compliance and overhead costs the obligations may cause. This provision could result in significant barriers to challenging existing dominant actors. Being categorised as a very large online platform could also cause investor hesitation and hinder new innovative companies’ ability to challenge existing gatekeepers.

What is next?

The European Parliament and the EU Member States (via the Council of the European Union) will now discuss the DSA proposal. First, the European Parliament, the Commission, and the Council all have to settle on their own versions of the DSA. Then, they will need to agree on one final text before adopting the regulation. If this sounds like a lengthy process to you, you’re correct – it will likely take several years before these rules enter into force. Considering the legal changes the DSA may cause, however, we encourage any company that might be affected to monitor this policy debate and let their voice be heard. We will do our best to keep you updated and will continue advocating on our members’ behalf throughout the process to ensure that the best possible version of the DSA enters into force.