Digital Services Act. Legal Compliance Obligations

Online services such as social media platforms and online shopping platforms have become an integral part of our daily lives.

While the GDPR regulates the processing of personal data, further regulation is required to ensure that digital platforms are not used for harmful purposes such as the dissemination of illegal content and disinformation, among other issues. To this end, the EU has taken active steps in platform regulation.

It recently enacted the Digital Services Act (DSA) to regulate intermediary service providers and different kinds of online platform services. 


This article will discuss the obligations of different types of intermediary service providers under the DSA. 

The Digital Services Act (DSA) is part of the EU Digital Regulation Strategy, which aims to create a safe digital environment. The Digital Services Act officially took effect on 16th November 2022 and will become directly applicable throughout the EU as of 17th February 2024.

Notably, very large online platforms (VLOPs) and very large online search engines (VLOSEs) are subject to an expedited compliance timeline which requires them to adhere to their obligations under the Digital Services Act within a maximum period of four months subsequent to their designation by the European Commission. 

 
The first set of very large platforms was designated by the Commission on 25 April 2023. The Commission designated 17 entities as VLOPs and 2 as VLOSEs, which encompass those platforms and search engines serving no fewer than 45 million monthly active users.
 

Some of these designated VLOPs and VLOSEs include Alibaba AliExpress, Amazon Store, Facebook, Google Play, Instagram, LinkedIn, Twitter, YouTube, Google Search and Bing.


These entities are now mandated to ensure comprehensive compliance with the obligations under the DSA within a timeframe of four months. The obligations require these designated services to conduct evaluations and be transparent about their online advertising, target illegal content and disinformation, take corrective measures against any harmful online practices and systemic risks, and put in place strong mechanisms for content moderation.

 

The DSA applies to information society services, meaning any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of a service. The DSA also applies to intermediary services consisting of services like ‘mere conduit’, ‘caching’ and ‘hosting’ services.


Mere conduit services refer to online services that primarily involve the transmission of information through a communication network, where the information is typically provided by the users of the service. Thus, a mere conduit service does not generally involve the creation of the content being transmitted on the platform; it serves as a neutral intermediary facilitating the transfer of data from one point to another without any active involvement in the generation of the content itself.


Caching services refer to online services which also involve the transmission of information within a communication network, but which are characterized by the automatic, intermediate, and temporary storage of information provided by users of the service. Such storage is typically done for the sole purpose of enhancing the efficiency of transmitting the stored information to users.

 
Hosting services refer to online services that involve the storage of information and essentially provide a platform or infrastructure for users to upload, store and make their content accessible on the internet. Social media platforms, cloud storage providers and web hosting services are a few examples of hosting services.
 

Some of the key obligations for different types of service providers are enumerated below:

Intermediary Service Providers (ISPs) 
  • Designation of Contact Points for Authorities and for Users. Intermediary service providers must designate two points of contact: first, to facilitate direct electronic communication with the authorities of the Member States, the Commission, and the Board, and second, to facilitate direct communication with the recipients of their service, i.e., the users. Notably, providers not established in the EU but offering services to the EU must appoint a legal representative in the EU Member State where they offer their services. Information such as the name, postal and email address, and telephone number of their legal representative must be notified by the intermediary service providers to the Digital Services Coordinator in the Member State where such legal representative resides or is established. Additionally, all the essential information for easy identification of and communication with the designated single point of contact must be publicly disclosed. Intermediary service providers shall specify the official languages that can be used to communicate with them, which must include at least one of the official languages of the Member State in which the intermediary service provider has its primary establishment or where its legal representative resides or is established.
  • Obligations Relating to Terms and Conditions. Intermediary service providers are mandated to include comprehensive information regarding any restrictions or prerequisites that they impose on the use of their services, particularly concerning user-provided content. This disclosure of information includes any policies, procedures, tools etc. used for content moderation purposes, including algorithmic decision making and the procedure for their internal complaint handling system, which must be communicated to the users. Crucially, such information must be made publicly available in language that is clear, plain, intelligible, user friendly and devoid of ambiguity. The DSA also mandates intermediary service providers to promptly inform the users of their service of any substantial change to their Terms and Conditions. Special attention is warranted in cases where an intermediary service is primarily directed towards or significantly utilized by minor users. In such instances, the provider must articulate the usage conditions and associated restrictions in a manner readily comprehensible to minors. VLOPs and VLOSEs must comply with a distinct obligation of furnishing users with a concise, easily accessible, and machine-readable summary of their terms and conditions, including available remedies and redress mechanisms, in clear and unambiguous language. Additionally, VLOPs and VLOSEs are required to publish their terms and conditions in the official languages of all Member States where they provide their services.
  • Comprehensive Report on Content Moderation. Under the DSA, intermediary service providers are obliged to produce annual, comprehensive content moderation reports. These reports, specifically for intermediary service providers, must include details regarding orders received from Member States’ authorities and the time taken for compliance with the order. Additionally, the report must provide insights into the utilization of automated tools, measures adopted for content moderation training, any related service limitations, and the number of complaints received through internal complaint handling systems.
Hosting Service Providers (including Online Platforms)
  • Content Moderation Report to Include Notices. For hosting service providers, the content moderation report under Article 15 of the DSA should encompass the number of notices submitted by trusted flaggers, the responses and actions undertaken based on these notifications, the number of notices processed using automated methods, and the timeframe required for compliance. However, these obligations do not apply to micro or small enterprises which are not VLOPs.
  • Notice and Action Mechanisms. Apart from the above obligations listed for ISPs, hosting service providers are also required to put in place user-friendly notice and take-down mechanisms which facilitate the notification of illegal content by third parties. Such mechanisms provided by hosting services should allow users to submit notices, aiding hosting providers in determining the potential illegality of the reported information without engaging in legal or factual assessments. Upon receipt of such notices, the hosting service provider is obliged to promptly handle the notice, make decisions regarding appropriate actions, for instance, content removal or access restriction, and promptly notify the user of the measures taken.
  • Notification of Suspicions of Criminal Offences. A hosting service provider must promptly inform the authorities in the relevant country if it suspects that a crime might have happened, is happening or could happen, especially if such an incident threatens someone’s life or safety.
Online Platforms

Similarly, apart from the obligations imposed on intermediary service providers and hosting providers, online platforms must also comply with additional requirements under the DSA.

  • Content Moderation Report. An online platform must include information about the grounds for such complaints, the decisions made regarding them, and the timeframes for decision-making within the report.  
  • Complaint Redressal Mechanism System. Online platforms (excluding micro or SME platforms) are obliged to establish an easily accessible, user-friendly internal complaint handling system. Users who have submitted a notice shall be given access to the internal complaint handling system for a period of at least six months, so that they can lodge complaints after the platform makes a decision based on a notice about the reported content, such as removing it or suspending the user’s account.
  • Priority to Trusted Flaggers. According to the DSA, a trusted flagger will be designated as such by the Digital Services Coordinator (the regulatory authority under the DSA) of the Member State where the prospective trusted flagger entity is established. Online platform providers are mandated to implement technical and organizational measures to guarantee that notices submitted by these trusted flaggers are given priority and are promptly processed without any delays.
  • Measures Against Illegal Content. Online platforms are legally required to clearly present their policies regarding misuse of their services within their terms and conditions. The DSA grants online platform providers the authority to temporarily suspend the provision of their services to users who frequently engage in the dissemination of illegal content, but in doing so the online platform must keep the suspension to a reasonable duration and impose it only after issuing a warning.
  • Online Interface Design and Prohibited Deceptive Practices. Online platform providers are strictly prohibited from creating or organizing their websites or interfaces in a way which can manipulate users, or which seriously impairs users’ ability to freely make decisions.

Additional obligations for VLOPs and VLOSEs

  • Risk Assessment. The DSA places risk assessment obligations on VLOPs and VLOSEs by mandating these entities to analyze and assess any systemic risks which may stem from their service. They are obliged to conduct such risk assessments annually, and the assessments must cover systemic risks such as the communication of illegal content and any negative effects on public security, gender-based violence, public health etc.
  • Measures for Mitigating Risks. VLOPs and VLOSEs are also mandated to implement mitigation measures which are specifically focused on the systemic risks identified by these services, such as adapting their internal policies, design, content moderation process etc.
  • Independent Audit to Ensure Compliance. The DSA mandates VLOPs and VLOSEs to conduct, at their own expense, an annual independent audit to assess their compliance with the DSA provisions. They will have to submit an annual audit report, and if the auditor’s assessment is not favorable, the report must include recommendations specifying actions that should be taken to achieve compliance. Upon receipt of such recommendations, these entities will have a period of one month to adopt the audit recommendations.
  • Data Access Obligations. VLOPs and VLOSEs are obligated to grant the Digital Services Coordinator or the Commission access to essential data required for the purpose of monitoring and evaluating compliance with this regulation. Upon receiving such request from the Digital Services Coordinator or Commission, the providers have a 15-day window to request a modification to the request if they are unable to grant access to the requested data.
  • Establishing Compliance Unit. VLOPs and VLOSEs are required to institute a compliance function which must operate independently from their daily operational functions. Such compliance units must be staffed with compliance officers and must have direct access to the management body of the provider of the VLOP or VLOSE to ensure compliance.

Conclusion. 

Given the extensive obligations imposed on different sets of intermediary services, it is important that all intermediary service providers within the EU assess the applicability of the DSA to their specific services. Since the majority of the DSA provisions will become effective from February 17, 2024, it is imperative that intermediary service providers prioritize their compliance with the Act to avoid any penalties under the Act.
 

Author: Anupriya Singh, Legal Intern Data Privacy and Digital Law, EU Digital Partners