The proposed DSA – Part 2: Broader scope for intermediary services

In our previous posts here and here, we provided a general overview of the proposed Digital Services Act (DSA) and its most important implications. In this piece, we address more specifically the DSA's scope.

Importantly, the DSA is not replacing the e-Commerce Directive, but rather pursues a more specific goal and goes beyond its basic framework. As explained below, the providers impacted vary greatly under each regime.

Scope of the e-Commerce Directive

 The e-Commerce Directive aims to eliminate frontiers in the internal market and allows European Economic Area (EEA) online service providers to operate in any EEA country, while only following the relevant legal requirements of the country in which they are established.
 
Specifically, the Directive covers EEA information society services (ISS). These are defined as any service that is normally provided:

• for payment, including indirect payment such as advertising revenue;
• ‘at a distance’ (where customers can use the service without the provider being present);
• by electronic means (electronic equipment for the processing and storage of data); and
• at the individual request of a recipient of the service.

 
This covers the vast majority of online service providers, including online retailers, video sharing sites, search tools, social media platforms and internet service providers.
 
In addition, the place of establishment is defined as the place where the provider has the centre of its activities relating to this particular service for an indefinite period. The presence and use of the technical means and technologies required to provide the service do not, in themselves, constitute an establishment of the provider. The place of establishment must be within the EEA to be subject to the Directive.
 
Further, the Directive applies to rules that fall within its ‘coordinated field’. This covers rules relating to online information, online advertising, online shopping and online contracting. In contrasts, it does not apply for instance to public policy issues (such as detection and prosecution of a crime, including hate crimes), public security, or the protection of consumers (including investors). These are excluded areas were service providers are required to comply with all local law requirements.
 

New proposed scope of the DSA

 The DSA calls for harmonized rules on the provision of intermediary services in the internal market by addressing mainly illegal content online, liability exemptions and content moderation. It designs a new framework of requirements applicable to certain ISS (focusing on intermediaries), which goes well beyond the basic framework of the e-Commerce Directive.
 
More specifically, it intends to cover providers of one of the following three types of services:

1. a 'mere conduit' service, which passes information between a sender and recipient over a communication network, or facilitates access to that network;
2. a 'caching' service, which involves the automatic, intermediate and temporary storage of information to smooth its further transmission; or
3. a 'hosting' service, which consists of the storage of information provided by, and at the request of, recipients.

 
This means that the scope of the DSA is also very broad, covering actors such as internet service providers, domain name registrars, social media networks, messaging services, cloud services, app stores, online platforms and marketplaces that transmit or store content of third parties.
 
However, in contrast to the Directive, the DSA rules apply irrespective of the place of establishment of the service provider. Similarly to the GDPR, it would apply to all online intermediary service providers as long as their users (businesses or individuals) have their place of establishment or residence in the EEA. Therefore, providers of intermediary services based outside of the EEA would still have to comply with the DSA if they direct their services to EEA-based users.
 
This is a major difference in scope with regards to the e-Commerce Directive, which only covered companies established in the EEA and was meant to ensure the free movement of information society services between the Member States. The DSA now aims to cover the activities of companies established in third countries which offer their services in the single market. This position is consistent with the European Commission's approach on all its recent digital legislation and shows strong political will to lead on global digital policy by setting "golden" standards of behaviour amongst online service providers.
 
Under the draft DSA, each EEA Member State would be required to appoint a Digital Services Coordinator (DSC) – a regulator responsible for enforcement of the DSA. The proposed baseline requirements would require all providers to identify and disclose a single point of contact, as well as reference the restrictions they impose on the use of their services within their terms and conditions. A new duty to report on content moderation activities is also envisaged, among other requirements. This means that non-EEA based intermediary service providers would be required to appoint a legal representative in the EEA, as is the case under the GDPR.
 
Further, the draft includes additional sets of obligations applicable (1) to providers of hosting services, including online platforms, (2) more specifically to online platforms only, and (3) to 'very large online platforms'. This later are defined as those that provide their services to a number of average monthly active recipients of the service in the EEA equal to or higher than 45 million (which amounts to roughly 10% of the 450 million consumers within the EEA market). The most extensive requirements proposed by the Commission would apply to those businesses. More on this on next posts.
 

UK position

 Following the end of the transition period, the UK has officially left the EEA, which means that (i) the e-Commerce Directive no longer applies to UK online service providers, and (ii) the DSA would not apply with respect to users (businesses or individuals) that have their place of establishment or residence in the UK.
 
As with the coined UK GDPR, the UK government has committed to introducing a new Online Safety framework this year. Similarly to the DSA, it would establish obligations on intermediaries to address both illegal and other harmful content.
 
Further, regarding the e-Commerce Directive, service providers should consider whether their services were previously in scope of the Directive and, if so, ensure that they are compliant with relevant requirements in each EEA country in which they operate in. This includes ensuring there are processes in place for ongoing compliance if individual EEA states change their requirements. In addition, the UK government intends to make some legislative changes to bring EEA service providers in scope of UK laws.
 
While it is still unclear how the DSA will look like after the legislative processes have concluded, it is advisable to start acting now to consider the possible implications of the DSA on your business or platform, as well as to review and monitor your compliance with the e-Commerce Directive.