14 April 2023

The European Union Digital Services Act (“DSA”) is a set of regulations aimed at modernising the regulatory framework for digital services within the EU and addressing the challenges posed by the digital revolution, including the proliferation of illegal content online, the dominance of large tech companies, and the lack of transparency in online advertising. Its guiding principle is that what is illegal offline should also be illegal online.

Who does the DSA apply to?

The DSA was proposed by the European Commission in December 2020 and adopted in October 2022. For most providers, the majority of the DSA rules apply from 17th February 2024; however, the regulations will apply earlier to very large online platforms and search engines.

The DSA will affect businesses operating within the EU as well as those outside of it. The act applies to nearly all UK businesses that offer online services in the EU. Specifically it applies to providers that offer ‘intermediary services’ (e.g. transmitting, storing, or hosting information online), or are online search engines. All providers must comply with the DSA regardless of their place of establishment or location if they offer services to (or target their activity towards) a significant number of recipients in the EU. For more detail, see our article on the territorial scope of the DSA.

In this article, we provide an overview of the DSA and highlight key considerations for UK businesses intending to operate in the EU, and what they need to know.

What are the key developments?

Accountability for illegal content: Online platforms will be required to take measures to prevent the dissemination of illegal content on their platforms. This includes content that incites violence, hatred, or discrimination, as well as content that infringes intellectual property rights or violates privacy principles or consumer protection law. Illegality is determined by the law of the affected member state.

Increased transparency: Online platforms will be required to provide clear and transparent information about the advertisements they display on their platforms. This includes information about who paid for the advertisements, the targeting criteria used, and the performance metrics. There are also wider information reporting requirements for all levels of providers.

New rules for large online platforms: Large online platforms (those with more than 10% of the EU's population as users) will be subject to additional rules, including transparency obligations, data-sharing requirements, and audit requirements.

New powers for national authorities: National authorities will have new powers to enforce the rules set out in the DSA, including the power to impose fines and sanctions on non-compliant platforms.

What obligations apply?

 The DSA includes a range of new provisions that are relevant to UK businesses that intend to operate in the EU. A four-tiered system of obligations is utilised, the least onerous obligations being in tier 1, with increasingly strict obligations applying to larger/better resourced providers as you move up the tiers. Tier 1 is all intermediary services, tier 2 includes hosting services, tier 3 covers online platforms and tier 4 covers very large online platforms (“VLOPs”). There are also additional special obligations for very large online search engines (“VLOSEs”) and some specific obligations for online marketplaces. Note that small companies and micro-enterprises (fewer than 50 employees and less than €10 million in annual sales) are exempt from complying with some of the DSA’s obligations.

The obligations which apply to all providers:

  • Illegal content. Providers must act quickly and efficiently when dealing with illegal content. Where national authorities require providers to remove illegal content or provide information, the provider should act without undue delay and keep both the authorities and the recipient of the service informed.
  • Points of contact or legal representatives. A single electronic point of contact must be designated for direct communication with member state authorities, the European Commission, and the European Board for Digital Services. There must also be a single point of contact for service users to communicate ‘directly and rapidly’ with the provider. Crucially, for UK businesses, if you do not have an establishment in the EU, then you must designate a legal representative in one of the EU Member States where you offer services. Further, this legal representative can be held liable for non-compliance with the DSA.
  • Terms and conditions. Transparent information must be provided in plain and clear wording on any restrictions imposed on the use of the service or the information provided by recipients of the service. This includes policies, procedures, measures and tools used for content moderation, including algorithmic decision-making and human review, as well as procedural rules for internal complaint handling. Any restrictions must be applied in a ‘diligent, objective and proportionate’ manner, with due regard to the fundamental rights of those involved.
  • Transparency reporting. Providers must make publicly available, at least once a year, reports on their content moderation activities and other details on compliance with take-down orders and illegal content flagged on their services.

Other obligations that apply to Tiers 3 and 4:

  • Illegal content. In addition to the requirements set out above, providers of hosting services must provide for notice-and-action mechanisms. These allow any individual to notify the presence of illegal content on the service; the hosting service then has an obligation to take action in a timely, diligent and objective manner. Where the notice allows the provider to identify the illegality of the content without a detailed examination, it counts as actual knowledge (under Article 6), triggering the requirement to remove. For more detail on the Article 6 hosting exemption, see our article. Additionally, providers of online platforms must prioritise notices provided by trusted flaggers (experts certified by authorities), and VLOPs/VLOSEs are held to a higher standard for the speed and quality of their processing of the notices.
  • Transparency reporting/complaint handling. There are increased reporting/complaint handling requirements further up the tiers, including:
    • Providers of hosting services must provide reports on the number of notices submitted and the actions taken, including whether the actions were via automated means.
    • Providers of online platforms must implement an effective internal complaint handling system that is free and easily accessible (e.g. to challenge suspensions). Decisions made must include justifications and cannot be made by solely automated means. There must also be a clearly explained option for redress through an out-of-court dispute settlement body.
    • Providers of online platforms must provide reports on complaints/disputes (including out-of-court disputes) and the decisions made or outcomes reached in relation to them. They must also record the number of suspensions of recipients and their grounds, and the number of the average monthly active recipients within the EU.
  • Ban on dark patterns. Online platforms cannot use layouts, manners of operation or structures etc. to ‘distort or impair’ the user’s ability to make a free choice. Examples include making the procedure for terminating a service more difficult than subscribing to it, or giving more prominence to certain choices. Note, however, that this ban does not apply to practices covered by EU GDPR or EU Unfair Commercial Practices Directive 2002, so it is relatively limited in its application.
  • Online advertising. Online platforms must ensure their online advertising is transparent and that users can clearly identify: that the information is an advertisement, who it is advertising and/or who financed it, and why they are being shown it. There are a number of other advertising requirements such as not using targeted advertising based on special categories of personal data (per EU GDPR) and not presenting advertisements to minors. VLOPs/VLOSEs must also create a publicly available repository of information on all advertisements displayed on their platform.
  • Enhanced protection of minors. Online platforms accessible to minors must put in place appropriate measures to ensure enhanced data protection and safety for minors.
  • Recommender systems. Where an online platform uses news feeds etc. they must clearly set out the parameters used, explaining why certain information is suggested to the recipient. Additionally, VLOPs must offer recommender systems not based on GDPR profiling.
  • Risk assessments and compliance. VLOPs/VLOSEs are required to regularly conduct a risk assessment about the systemic risks their services pose. They must also put in place reasonable, proportionate and effective measures to mitigate the risks found. In addition, VLOPs/VLOSEs must conduct regular independent compliance audits and appoint a compliance officer, independent from operational functions. They must also share data on request to relevant authorities to allow assessment of compliance and pay an annual supervisory fee.
  • Crisis response. This mechanism allows the Commission, in a crisis situation (such as the Russian aggression in Ukraine) to adopt a decision requiring VLOPs and VLOSEs to take specific actions. The required actions are limited to a period of three months, unless extended (by no more than three months) due to the evolution of the crisis.

How can UK businesses prepare for the DSA?

UK businesses that intend to operate within the EU can take a range of steps to prepare for the DSA. Some of the key steps are:

Review existing policies and practices: UK businesses should review their existing policies and practices to ensure that they comply with the new rules set out in the DSA. This includes policies related to the dissemination of illegal content, transparency in online advertising, and data sharing.

Implement technology solutions: UK businesses could implement technology solutions to support compliance with the DSA. This may include content filtering systems, data management systems, and advertising transparency tools.

Develop compliance plans: UK businesses should develop compliance plans that outline the steps they will take to comply with the DSA. This may include changes to policies and practices, the implementation of technology solutions, and the training of staff on the new rules.

Seek legal advice: UK businesses should seek legal advice to ensure that they understand their particular obligations under the DSA and are taking appropriate steps to comply with them. Speak to David Varney and our specialist technology team on how we can help your business prepare.

The DSA is an important development in EU digital regulations that will have significant implications for UK businesses that intend to operate within the EU. By taking proactive steps to prepare for the DSA, you can ensure that your business is well-positioned to comply with the new rules and remain competitive in the EU digital marketplace.

 

This article was written by Alice Willoughby.
