Special provisions only applicable to very large online platforms ("VLOPs") and very large online search engines ("VLOSEs") are not considered in this article.
The DSA applies to providers of intermediary services who offer their services to users located within the EU, regardless of the provider's place of establishment. It is only applicable to (i) "mere conduit" services (e.g. internet access providers, domain registrars, DNS services), (ii) caching services (e.g. sole provision of content delivery networks, reverse proxies) and (iii) hosting services (e.g. online platforms, i.e. services enabling sharing of content online, or cloud services). The DSA is not applicable to services outside of these three categories, such as a retailer's webshop.
Furthermore, the DSA does not apply if the intermediary service is an integral part of another service that does not qualify as an intermediary service itself. The decisive factor here is whether the intermediary service offered is separable from the other service. This can be a tricky question to answer, especially in the case of remote IT services, transport, accommodation or delivery services. For example, the CJEU held that Uber's IT service was not separable from its ride-hailing service whereas Airbnb's accommodation service was.
For those intermediaries that fall under the applicability of the regulation ("Providers"), the DSA provides a staggered catalogue of obligations applicable to all intermediaries, hosting services (including online platforms), online platforms, VLOPs and VLOSEs:
There are exemptions for micro and small enterprises (MSEs) with fewer than 50 employees and less than EUR 10m in annual turnover.
Revamp online presence
Providers must designate a single electronic point of contact to enable the national authorities as well as users to communicate directly with them. Those not seated within the EU must designate a sufficiently mandated legal representative in the EU. This contact information must be easily accessible, e.g. in the website imprint.
Providers must also inform users when they are talking to a chatbot and enable users to communicate directly and rapidly with a human contact in a user-friendly manner, e.g. by means of phone, e-mail or electronic contact forms.
Hosting providers must place a report button near all displayed (third-party) content, e.g. in context menus. This function must be easily accessible and user-friendly, which it is not if users must scroll to the bottom of a page or find a central reporting menu.
Obligations not applicable to MSEs:
Providers must publish (ideally on their website) a yearly, easily accessible and comprehensible transparency report on any content moderation that they engaged, containing information on the Provider's own initiative regarding content moderation, such as the use of automated tools or the measures taken to provide training to persons in charge of content moderation. Online platforms must provide additional information in these reports, such as the number of user account suspensions.
Platforms must ensure their online interfaces do not deceive, manipulate or hinder users' ability to make informed decisions. Examples of these forbidden "dark patterns" include misleading interfaces that may lead users to unintended purchases, deceptive notifications that pressure users into consenting to data collection, and hidden obstacles that make it difficult to unsubscribe or cancel services.
Ads on online platforms must be more transparent. Platforms must provide clear information about the commercial nature of content, ensuring users can easily discern between regular content and paid promotions. This includes flagging sponsored content, disclosures about targeted advertising, and identifying advertisers.
Online platforms must implement measures to ensure a high level of privacy, safety and security of minors. This includes a ban on ad targeting through profiling of minors.
Traders on B2C online marketplaces must be traceable. They will therefore be required to provide certain essential information prior to using the Provider's service, such as contact, identification and payment details.
Rethink complaint handling
Hosting providers must implement an effective process that enables any individual or entity to report illegal content, such as hate speech, child pornography or IP infringements on their service. Upon receiving such a notification, hosting providers must promptly assess the content's legality and, if found to be unlawful, take expeditious action to remove or disable access to it, or otherwise risk losing their liability privilege.
Hosting providers must disclose to the user why their content was removed and inform them about the possibilities to appeal the decision.
Obligations not applicable to MSEs:
Platform providers must implement an internal complaint-handling system so users can complain about content removal or account suspensions. They must ensure that the appeal decisions are overseen by appropriately qualified staff and not solely based on automated means.
Platforms must prioritise submissions by trusted flaggers. Trusted flaggers are entities assigned by the Digital Services Coordinator, a national authority.
Generally, Providers can determine for themselves which content is permitted on their services and which is not. This principle will continue to apply under the DSA. However, Providers must now disclose information on any restrictions regarding content provided by users of their services and explain their content moderation measures and the rules of procedure of their internal complaint-handling system in their GTC. If Platform providers use a recommender system, they must disclose the main parameters used in it in their GTC and provide options for users to modify or influence those parameters.
The language used in the GTC must be easy to understand. Providers of services predominantly used by minors must pay particular attention to an appropriate description of such conditions and restrictions.
Providers must inform their users of any significant change to their GTC, e.g. changes that could directly affect users' ability to use the service, "through appropriate means". While an explicit reference to the changes by e-mail will satisfy this requirement, a simple change to the text on the website will not.
When drafting these clauses, Providers should always keep in mind that they will in general also be subject to clause control mechanisms under national law, which is especially relevant for Providers that conclude contracts with consumers.
Report to authorities
After receiving an authority order to act against specific illegal content or an order to provide specific information about a user, Providers must inform the relevant authority without undue delay if and when they complied with the order.
Hosting providers must promptly alert law enforcement if they become aware of any information giving rise to a suspicion that a criminal offence involving a threat to the life or safety of a person has taken place, is (likely) taking place or planned.
Remember the consequences
Violating the DSA obligations can result in civil liability and/or administrative fines. These fines can amount to up to 6 % of the Provider's annual worldwide turnover. Moreover, users may have a claim for compensation in respect of any damage or loss suffered due to an infringement by Providers of their obligations.
authors: Roland Vesenmayer, Valentin Demschik