The EU is about to finalize the adoption of the Digital Services Act (DSA), which will impose new obligations on digital platforms regarding content moderation, due diligence for illegal content and advertising transparency. It will bring about significant changes to existing EU law in these areas and impose substantial new compliance burdens on businesses with regard to online content.
After lengthy negotiations, the EU institutions reached a political agreement on the final text of the DSA on 23 April 2022. The final text will now undergo technical and linguistic scrutiny before being formally adopted and published as law. We expect the DSA to be officially adopted this summer and come into effect in early 2023.
The DSA was originally proposed in December 2020 as part of the wider European Digital Strategy of the European Commission, in conjunction with the Digital Markets Act (AMD), which contains revamped antitrust rules for some of the biggest digital platforms. The European Digital Agenda also includes other data-related laws that are currently still under negotiation (e.g. AI law, data law, etc.). Businesses operating in the EU should carefully review the European Digital Strategy, especially the DSA and DMA, as they contain far-reaching rules that may require a complete overhaul of compliance policies.
For more information on DSA’s initial proposals and proposed amendments, see Wilson Sonsini’s Customer Alerts here and here. For the latest information on DMA, see the Wilson Sonsini Customer Alert here.
The DSA applies to all intermediary service providers, including:
- “single duct” and “caching“services, for example, internet service providers and domain name registrars;
- “accommodation“services, for example, cloud and web hosting services;
- online platforms, for example, online marketplaces, app stores and social media platforms; and
- very large online platforms or search engines (VLOP), i.e. platforms or search engines reaching more than 10% of the current EU population, the threshold currently being 45 million users. We predict that around 30 companies could qualify as VLOPs.
The DSA follows a layered approach with cumulative obligations for online intermediary services depending on their function and size. The DSA imposes a rule base that applies to all intermediary service providers (for example, including simple conduit and caching services), then adds obligations for hosting services, line and another set of bonds for VLOPs. In the DSA, each layer of obligations is cumulative, which means that each subsequent layer adds obligations on top of all the obligations of the previous layers (e.g. online platforms must comply with all requirements for hosting services and simple driving and caching services, but not the specific requirements for VLOP).
The DSA includes far-reaching obligations for platforms. Note that the final text of the DSA has not yet been published; thus, the following is based on our understanding of the political agreement.
- Content moderation. The DSA requires all intermediary service providers to diligently enforce their terms and conditions, including with respect to content moderation (e.g. removal of fake news). Additionally, online platforms should have a system in place for users to report any illegal content on the platform. Platforms must inform users when they decide to remove any content they have provided and explain the reasons for this decision. Platforms should also provide an internal complaints handling system allowing such users to challenge the platform’s decision to remove their content.
- Advertising targeted at children. The European Parliament has proposed to include a new rule prohibiting the display of advertisements targeted to children based on profiling, when the platform knows that the user is a child. This prohibition appears to be included in the final text of the DSA, although it is still unclear whether it will apply to all online platforms or only to VLOPs.
- Advertising transparency. Online platforms will have to provide detailed information about the advertisements shown to users. This includes ensuring that users can recognize sponsored content, and can identify the company responsible for the ad and receive “meaningful information” about the “parameters” used to show the ad to a specific user. These terms are not clearly defined in the DSA, and it remains to be seen how regulators will interpret them. In addition, VLOPs will be required to provide a publicly available list of advertisements detailing the audience reached for each advertisement and the “parameters” used to target specific groups of individuals.
- Customization of the platform. The DSA requires platforms to inform users of the main parameters used to organize/prioritize content on the platform. Additionally, VLOPs are required to offer a version of the platform where content is not personalized based on user profiling, and allow users to easily select this version without profiling through privacy settings. Compliance with this rule may require substantial changes to VLOPs that personalize content in a way that qualifies as “profiling” within the meaning of the General Data Protection Regulation (GDPR).
Failure to comply with the DSA could result in fines of up to 6% of a company’s worldwide annual revenue. Enforcement of the DSA is left to the national regulator of the EU Member State where a company has its main establishment in the EU, although the European Commission is responsible for supervising and enforcing very large online platforms.
Each EU Member State must identify the regulator(s) responsible for the application of the DSA and appoint such a national regulator as the “Digital Services Coordinator”. The DSA also creates an EU agency (the “European Digital Services Board”) to ensure consistent application of the DSA across the EU. The proliferation of regulators in addition to data protection authorities and antitrust regulators to enforce rules that are interdependent is likely to create significant challenges for businesses (for example, responding to investigations by different regulators covering the same services).
Civil society organizations and NGOs will be able to bring collective redress for breaches of the DSA, based on the recently adopted EU Collective Redress Directive.
Companies should monitor this space and review the final text of the DSA once it is published. All companies operating online should already start reviewing (and, if necessary, rethinking) their compliance strategies, and ensure that their regulatory and policy teams are aware of these new rules.
We will post further alerts covering the next steps in DSA adoption as they occur.