27 Oct What you need to know about the Digital Services Act: more transparency for users and a risk-based approach for enterprises

Authors: Federico Gatta, Eleonora Margherita Auletta, Andrea Strippoli

Background

The Digital Services Act (or DSA)[1], which came into force on 16 November 2022, is intended today to be the main point of reference in European legislation for the regulation of online intermediary services. Even if already applicable to a relevant number of large online platforms and search engines, the new regulation will be fully implemented as of 17 February 2024.

The DSA – to be read together with the Digital Markets Act (DMA, which came into force almost in the same days of the DSA)[2] – has the goal of creating a secure digital space which is able to guarantee adequate protection for the fundamental rights of digital services’ users, and in particular more transparency and control in the use of online services, ensuring at the same time a equal footing for the enterprises regarding the promotion of innovation, growth and competitiveness at the European and global level. Following a risk-based approach, the DSA slots perfectly in the broader strategy of digital ecosystem regulation and data governance that the European Union has been pursuing for several years, from which derived other relevant regulations recently or soon to be approved (such as the Data Governance Act[3], the Data Act[4] and the AI Act[5]).

The services considered by the DSA and its territorial scope

The DSA addresses to the so called “intermediary services” of the information society. The recipients included in the definition of intermediary services are identified in Article 3(g) of the DSA. In particular, it specifically refers to those providers who may offer:

• • • “mere conduit” (or simple transport) services, which typically consist of transmitting, over a communications network, information provided by a recipient of the service or providing access to a communications network;
    • “caching” services, consisting of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information’s onward transmission to other recipients upon their request;
    • “hosting” services, consisting of the storage of information provided by, and at the request of, a recipient of the service (unlike caching services, however, such storage is not temporary).

Among the intermediary services, the DSA includes those provided by online search engines and online platforms as well: these latter providers offer the service of storing information at the request of the recipient, making also such information available to an unlimited number of third parties[6] (consider, by way of example, social networks, app stores, marketplaces and/or content sharing services, as well as messaging services that facilitate the sharing of content through groups and/or channels open to the public).

It is worth noting that specific and particularly burdensome additional obligations, which are already effective since past few months, are mainly addressed to very large online platforms and very large online search engines – i.e., those which, according to Article 33(4) DSA, have a number of average monthly active recipients equal to or higher than 45 millions – in light of the fact that they have to deal with systemic risks.

As for the territorial scope, the DSA applies with respect to intermediary services offered to recipients that have their place of establishment or are located in the European Union, irrespective of where the providers of those intermediary services have their place of establishment. Essentially, the European law-maker approach has understandably identified an (extra) territorial application criterion with the clear aim of ensuring adequate protection for European citizens even towards those service providers established overseas, whenever they offer their digital services in the context of the European market[7].

Countering the spread of illegal content and more transparency for users

Among the protection objectives which underlie the new regulation of digital services, it is worth pointing out at first the attempt to counteract the misinformation which often characterizes the access to content available online. In this regard, some specific duties are provided for intermediary service providers identified above in order to prevent the online dissemination of illegal content[8] including:

• • • the fulfillment of information obligations to the competent authorities (Articles 9 and 10 DSA) and periodic reporting obligations to users regarding the moderation mechanisms applied to such content (Article 15 DSA);
    • the provision of notice and action mechanisms available to users to detect the presence of specific items of information that they consider to be illegal content (Article 16 DSA);
    • the implementation of appropriate technical and organizational measures aimed at handling as a priority matter reports received by qualified figures acting within their designated area of expertise (so-called ” trusted flaggers” pursuant to Article 22 DSA).

Interestingly, the DSA also contains relevant provisions regarding advertising on online platforms (Article 26 DSA), providing the latter with certain specific duties of transparency towards the recipients of the service regarding the possibility of clearly identifying that the information is an advertisement and the subject on whose behalf the advertisement is presented (as well as who paid for the advertisement if it is different from the previous one). In addition, not least, within the same Article 26 DSA referred to above (namely, paragraph 3 of said Article) the DSA introduces the express prohibition to the possibility of presenting advertising on online platforms based on profiling[9] using special categories of personal data referred to in Article 9(1) of Regulation (EU) 2016/679.

It is further noteworthy – of course without aiming to be exhaustive with respect to the other relevant innovations introduced by the regulation at stake – the provisions contained in the DSA regarding the “recommender systems” used by online platforms, aimed at fully or partially algorithmically suggesting, ranking and prioritising content to users[10]. Here too the DSA (Article 27) insists on the necessity to ensure more transparency towards users, requiring the providers involved to set out in their terms and conditions, in a transparent, simple and understandable manner, the parameters applied for the operation of such tools, as well as the related reasons and criteria underlying them.

Conclusions: practical implications and compliance actions

Taking into account the above findings, the DSA adopts a risk-based approach along the lines of other recently implemented regulations, such that the obligations under the new framework may vary widely depending on the category of services actually applicable. Therefore, it will be crucial to precisely determine which category of services a company’s digital services may fall into and the resulting impact of the provisions set forth in the DSA. The full implementation of this new European framework, which is set out for 17 February 2024, is imminent, and those potentially affected will be required (unless this has been already done) to promptly consider the compliance actions which may be necessary, including:

• revising the contractual documentation for users with the aim of ensuring more transparency and clarity; and
• conducting the appropriate in-depth investigations and risk assessments, if any, regarding how digital services offered to users are designed and/or operate.

Tags:

Digital Services Act; DSA; Data Protection; Digital Services; Transparency; Risk-based approach; Online Search Engines; Online Platforms; Data Governance; EU; ICTLC; ICT Legal Consulting.

[1] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act), published in the Official Journal of the European Union of 27 October 2022. See EUR-Lex – 32022R2065 – EN – EUR-Lex (europa.eu)

[2] Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act), entered into force on 1^st November 2022 after being published in the Official Journal of the European Union of 12 October 2022. See EUR-Lex – 32022R1925 – EN – EUR-Lex (europa.eu)

[3] Proposal for a Regulation Of The European Parliament and of the Council on European data governance (Data Governance Act). See EUR-Lex – 52020PC0767 – EN – EUR-Lex (europa.eu)

[4] Proposal for a Regulation Of The European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act). See EUR-Lex – 52022PC0068 – EN – EUR-Lex (europa.eu)

[5] Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (artificial ntelligence act) and amending certain union legislative acts. See EUR-Lex – 52021PC0206 – EN – EUR-Lex (europa.eu). Further details on the AI Act can be found in “AI Act: The EU Parliament adopts its position” available at the following link: https://www.ictlc.com/ai-act-the-eu-parliament-adopts-its-position/?lang=en

[6] Unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of this Regulation (see Article 3(i) DSA).

[7] Article 2(1) DSA.

[8] According to Article 3(h) DSA: “illegal content” means any information that, in itself or in relation to an activity, including the sale of products or the provision of services, is not in compliance with Union law or the law of any Member State which is in compliance with Union law, irrespective of the precise subject matter or nature of that law.

[9] Meaning profiling pursuant to Article 4(4) of the Regulation (EU) 2016/679 (GDPR), without prejudice to the limits of profiling activities based on automated individual decision-making processing pursuant to Article 22 GDPR regarding special categories of personal data (see Article 22(4) GDPR).

[10] According to Article 3(s) DSA: “recommender system” means a fully or partially automated system used by an online platform to suggest in its online interface specific information to recipients of the service or prioritise that information, including as a result of a search initiated by the recipient of the service or otherwise determining the relative order or prominence of information displayed.