The proposed DSA - part 1 - Transforming the delivery of online services through EU regulation

20 years after the adoption of the e-commerce Directive, the EU has gone back to the drawing board. On 15th December 2020, the European Commission released its highly anticipated proposal for a Digital Services Act ("DSA"), ticking one more box of its 2020 to-do list on "Europe fit for the digital age". The DSA intends to build on the rules set out in the e-commerce Directive, that has been the cornerstone for digital services regulation in the EU and bring them into the 21st century. The proposal will soon be with the Council and European Parliament, which will have to agree on the content of this ambitious reform of digital services.
 

---

Alongside the DSA will sit another piece of legislation, the draft Digital Markets Act, which we will not address in this article.

---

What is the DSA about?
 

• Enhancing consumer protection: Current business models have highlighted some legislative gaps under which users of online services are left vulnerable. The aim is to protect online users against illegal content, and provide them with actionable rights in this respect. Basically, championing core European values of "fundamental" online rights.
• Updating the liability regime of digital service providers: The European Commission wants to reform the e-commerce Directive's provisions on the responsibilities of digital services' providers. The goal is not only to protect users but also to give legal certainty and clarity to online businesses about what their responsibility and obligations and thereby levelling the playing field amongst online providers.
• Harmonising a fragmented framework: As the e-commerce Directive is 20 years old and not really "fit for purpose" anymore, Member States have, over the past few years, taken the matter into their own legislative hands resulting in a patchwork of digital legislation unsuitable for a single digital market. The DSA will provide unifying rules – by way of a Regulation, that will apply directly across the EU, in order to:
  • streamline online providers' liability rules,
  • offer consistency across the 27 Member States, and
  • provide enforcement mechanisms at EU level.

However, despite these ambitious objectives – which some consider are not going far enough - the e-commerce Directive lives on. It is important to understand that it will not be repealed but only be amended by the DSA.
 
What is the scope of the DSA?
 

• Actors covered: The DSA intends to cover digital service providers that act as intermediaries offering one of the following types of service (i) a mere conduit service, (ii) a caching service, or (iii) a hosting service.

In practice, it means that the scope of the DSA is very broad, covering actors such as internet service providers, domain name registrars, social media networks (of course that will include Facebook but also SnapChat, LinkedIn etc), messaging services, cloud services, app stores (whether Google Play, Apple Store, Stadia or any other similar business models) and online platforms (such as YouTube, Vimeo, TikTok) and marketplaces (e.g. Amazon, Etsy, eBay etc.) which transmit or store content of third parties.

• Broad (extra-)territorial scope: The DSA would apply to all online intermediary service providers as long as their users (businesses or individuals) have their place of establishment or residence in the EU. Yes - you heard it right: the EU strikes again with extra-territoriality principles, the same way it did with the GDPR. So providers of intermediary services based outside of the EU will still have to comply with the DSA if they direct their services to EU-based users. In these cases, the non-EU based intermediary service provider must appoint a legal representative in the EU, as it is the case under the GDPR.

This is a major change from the e-commerce Directive, which only covered companies established in the EEA and was meant to ensure the free movement of information society services between the Member States. The DSA now covers the activities of companies established in third countries, which offer their services in the single market. This position is consistent with the European Commission's approach on all its recent digital legislation and shows strong political will to lead on global digital policy by setting "golden" standards of behaviour amongst online service providers.

So what changes in terms of liability of intermediary service providers?
 

• The liability exemptions: The European Commission proposes to move the well-known 'mere conduit', 'caching' and 'hosting' liability exemptions from the e-commerce Directive into the DSA to maximize harmonisation across the EU.

Some good news: No substantial changes are proposed to the 'mere conduit' and 'caching' exemption regimes. However, as for the hosting exemption, the European Commission proposes that this exemption regime won't apply with respect to one specific illegal activity. This is the case where online platforms allow consumers to conclude distance contracts that present the object of the transaction in such a way that the user is lead to believe that it is provided by the online platform itself, or by someone acting on under its authority or control. Let's take the example of an illegal product offered for sale in Facebook's marketplace. Should Facebook provide a fake impression that it is the actual trader of the product, or if it appears to the user that the actual trader was somehow "mandated" by Facebook to sell this illegal product, then Facebook cannot rely on the exemption regime for hosting providers.

• No general monitoring obligation: Under the DSA, the providers of intermediary services would still not be subject to a general monitoring obligation.
• Voluntary own-initiative investigations: Settling a long debate, the European Commission takes the view that proactive investigations conducted by the provider of intermediary services should not result in the latter losing the protection of the hosting exemption. Although this may not be as harsh as some would like, it seems to us that promoting compliance by voluntary action has to be the way forward.           

What are the new diligence obligations to fight online illegal content?

All providers of intermediary services are now subject to due diligence obligations regarding illegal content (but to different levels depending on the category they fall in):
 

• Definition of illegal content: Contrary to the e-commerce Directive, which only referred to 'illegal activity' but without defining it, the DSA would now introduce and define 'illegal content' as any information that does not comply with Union law or the law of a Member State. It could cover information that is illegal by its nature, such as illegal hate speech or terrorist content, but also information that relates to illegal activities, such as sharing images that depict child sexual abuse or sharing revenge porn or the use of content infringing IP rights".

Although it has been much debated, the DSA does not contain any provisions around 'harmful content' (e.g. bullying, fake news). The main reason for keeping it outside of the DSA's scope seems to be the difficulties of reconciling this notion with the fundamental right to freedom of expression. This topic may not be closed yet and may be of one the challenges before the DSA is passed. If the EU adopts the current definition of "Illegal content", it will also be at odds with the UK's future Online Harms legislation. Brexit will start to show the cracks between UK and EU legislation on this pivotal point of what is allowed online.

• Due diligence obligations: The European Commission proposes to introduce a series of asymmetric due diligence obligations, which break down depending on the categories of intermediary services:
• All intermediary services would be  required to establish a single point of contact for communication with competent authorities, to include in their terms and conditions any restrictions that they may impose on their services users, and to comply with transparency reporting obligations (except micro and small enterprises).
• Additionally, hosting service providers would need to put in place notice and action mechanisms to allow third parties to notify the presence of alleged illegal content. Where the provider removes or disables access to its user's content, it must provide such user with a statement of reasons containing specific information.
• Moreover, all online platforms (except micro or small enterprises) would have to set-up an internal complaint-handling system on decisions taken, to engage with certified out-of-court dispute settlement bodies, to cooperate in priority with entities to which status as a "trusted flagger" has been granted, and to take measures against abusive notices etc.
• Finally, very large online platforms, which dominate the market (reaching at least 45 million users in the EU representing 10% of the population), would be required to conduct risk assessments on the systemic risks regarding the use of their services, conduct mandatory external audits on an annual basis, appoint one or more compliance officer(s), provide access to certain data to competent authorities etc.

Enforcement - Which will be the main competent authorities?
 

• Digital Services Coordinator: Each of the 27 Member States would have to appoint its "Digital Services Coordinator", i.e. the primary national authority responsible for supervising the intermediary services established in their Member State and/or for coordinating with specialist sectoral authorities. The Digital Services Coordinators will be granted enforcement powers in respect of providers of intermediary services under the jurisdiction of their Member State, including the power to impose financial fines.
• European Board for Digital Services ("EBDS"): The Digital Services Coordinators will cooperate within this new independent advisory group at EU level. The EBDS will issue reports and recommendations and coordinate the joint investigations by Digital Services Coordinators. The EBDS should not be seen as a new EU regulator as such and will certainly have missions similar to those of its "twin" institution, the European Data Protection Board.
• European Commission: New powers on supervision, investigation, enforcement and monitoring of very large platforms would be granted to the European Commission.  

What are the sanctions for non-compliance with the DSA?

Interestingly, the proposed sanction mechanism would be a combination of enforcement at both Member State and EU level.
 

• Member State sanctions: Each Member State will clearly specify the penalties in their national laws in line with the requirements set out in the DSA. Although the exact amount of the financial fines will be at the Member State's discretion, these would not exceed the maximum amount of 6% of the providers' annual income or turnover. So some local potential variations here but hopefully limited by the fact that the DSA would be a regulation setting common limits.
• European Commission sanctions: For very large platforms, the Commission would have direct enforcement powers and could impose fines of up to 6% of the global turnover of the unruly service providers. This is likely to be a game changer in the same way as the fines under the GDPR have put data privacy on the global compliance map. Potentially, the EU's most compelling argument for compliance with the new DSA. In addition, the Commission would also have the possibility to impose periodic daily penalties on very large platforms, which may not exceed 5% of the average daily turnover. It seems this new tool would mostly be used to force very large platforms to submit to an on-site inspection or to comply with certain interim measures that are being imposed by the Commission.

So what next?
 

• Providing feedback to the European Commission: From now and up until 4 March 2021, any interested parties can provide their feedback on the Digital Services Act to the European Commission. The Commission will then summarise and present such feedback to the European Parliament and Council, which will consider it when agreeing on the content of the DSA proposal.
• Reaching a consensus on the proposal's content: Overall, the initiative of reforming the e-commerce Directive has been widely supported.

However, the path towards the final adoption remains challenging. As part of its efforts to find a consensus over this proposal, the EU will also have to deal with strong lobbying pressure, notably from the US tech giants. Although their lobbies' campaigns have started several months ago, the EU did not deviate from its determination to regulate these actors more forcefully than the US lawmakers themselves.
 
No matter what the final version will look, it is clear that not complying with it will not be an option. The EU seems determined to ensure proper enforcement, adopting tools that can be found in EU competition law and in the GDPR.
 
We do believe that the DSA is going in the right direction and welcome its intent to harmonise and update this important but outdated area of law. Once adopted, consumers will benefit from better protection and digital services providers from a level playing field.

---

This article was authored by Fieldfisher partners Tim Van Canneyt and Laura Berton and associate Loriane Sangaré-Vayssac.

---