The DSA Package - What Are the Main Questions?

The European Union (EU) Digital Services Act (DSA) regulates online intermediaries and platforms such as marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. Its main goal is to prevent illegal and harmful activities online and the spread of disinformation. It ensures user safety, protects fundamental rights, and creates a fair and open online platform environment.

In short, it is designed to fight fake news and protect the users of online platforms from offensive and dangerous content.

When the DSA was announced, most people assumed that it applied only to social networks, but a more detailed look at the modern internet shows that many different companies rely heavily on User-Generated Content (UGC). Dating sites, online shopping sites, and travel sites all ask users to post videos, photos, and comments or reviews.

The early internet was a read-only environment, but today it exists in a state of constant change where the contribution of the users is what makes many sites so valuable to other users.

But can the DSA create the protection that users need, and will it be enough for such a fast-moving business environment??

A full introduction to the DSA, as explained directly by the European Commission, can be found here.

Why did the EU create this legislation?

The DSA is designed to protect consumer rights online by setting clear rules for the behavior of online services and platforms. Companies need to think carefully about their approach to advertising, transparency, and content moderation. Companies will be held legally responsible for the content they host, even if it is generated by users of the platform.

The DSA builds on existing consumer rights and protections but aims to bring together all the regulations for platforms in a single place. Lawfare Media said: “the DSA is novel in two ways and unique in at least two other ways within the platform governance discussion. While part of its uniqueness is connected to its existence as a creation of the EU, the holistic approach it takes allows for complex and layered solutions to a wide array of platform governance issues. These aspects have an important role to play in whether it can be the blueprint for other jurisdictions.”

We are seeing a repeat of the GDPR process. When consumers needed protection for their personal data, the EU created the General Data Protection Regulation. Jurisdictions around the world have used the GDPR as a blueprint to protect their own local consumers and it seems that this is already happening with the DSA.? Very few jurisdictions have this control over consumer protection on platforms and therefore, the DSA is likely to create a wave of international legislation.

So, in short, consumers need protection, and the EU is the first major legislative body to step up and create a framework of rules and regulations aimed at addressing this issue.

What types of company does it cover or affect?

DSA enforcement will eventually apply to all companies that interact with consumers in the EU.

The European Commission explanation is worth repeating as it makes the situation very clear: “All online intermediaries offering their services in the single market, whether they are established in the EU or outside, will have to comply with the new rules. Micro and small companies will have obligations proportionate to their ability and size while ensuring they remain accountable. In addition, even if micro and small companies grow significantly, they would benefit from a targeted exemption from a set of obligations during a transitional 12-month period.”

So smaller companies will face less onerous compliance obligations, but they will not be exempt.

What are the basic requirements?

The basic requirements focus on greater transparency around how a platform functions, protection from harmful content, and the ability for end users to immediately identify and report illegal or objectionable content.

This summary from Algorithm Watch features a good list of how the DSA changes the status quo. Some of the most important points they focus on are:

• Clear rules for dealing with illegal content: The DSA updates the process where digital service providers must act to rapidly delete illegal content based on national or EU law. It also reinforces an EU-wide ban on general content monitoring, such that platforms will not be forced to systematically police their platforms to the detriment of free speech.
• New rights for users to challenge content moderation decisions: Platforms must provide affected users with detailed explanations if they block accounts, or else remove or demote content. Users will have new rights to challenge these decisions with the platforms and seek out-of-court settlements if necessary.
• More transparency on recommender systems and online advertising: Platforms must clearly lay out how their content moderation and algorithmic recommender systems work in their terms of service, as well as offer users at least one option for an alternative recommender system (or “feed”) not based on profiling. They must also give users clear information about why they were targeted with an ad and how to change ad targeting parameters.

Content moderation requirements are being strengthened and obligations to protect end users are becoming more explicit. Users are also given more powers to challenge decisions and to demand transparency over why certain content has - or has not been - removed. The entire process of advertising and recommending content to users must also be entirely transparent so users know exactly why a system is advising them to look at certain content.

What are the penalties?

Supervision of the rules is yet to be known. The European Commission will share this responsibility with member states. These states have been encouraged to create or nominate Digital Service Coordinators, so there is a specific organization in each state responsible for DSA compliance.

Failure to comply can be costly. The European Commission guidelines state: “The Commission has the same supervisory powers as it has under current anti-trust rules, including investigatory powers and the ability to impose fines of up to 6% of global revenue.”

The British Online Safety Act (OSA) in the UK already has similar rules. In the UK, the fines can be up to ￡18 million ($23m USD) or 10% of annual corporate turnover - whichever is the higher amount.

Whether the potential fine is 6% or 10% of revenue, this should make all corporate leaders take the DSA package and the OSA seriously. Non-compliance is not an option.

What can you do to be prepared?

It is already too late for very large platforms - they already need to comply, but what can everyone else do to be prepared for the DSA? This advice from the law firm Taylor Wessing is very good and highlights four key steps to being prepared:

1. Does it even apply to my business? It does apply to companies outside the EU if your end users live inside the EU. It doesn’t matter about your registered office or headquarter address - if you have European users then it applies to you.
2. What kind of company are we for the purpose of the DSA regulation? Platforms, online marketplaces, and search engines will all be regulated slightly differently so if you know that you probably need to follow the rules then look in more detail at exactly what applies to your business.
3. What obligations do we have? This flows from question two. If you know which type of company regulation, then you can determine exactly which obligations apply to your business. Is it all about transparency, user information, and content moderation?
4. How do we start the implementation project? You will need to define the scope, do a gap analysis, risk analysis, and then create a project plan. It can’t just happen overnight.

What will happen in February 2024?

Some provisions and checks are already in place for larger companies. Those classified as very large have had to be compliant since November 2023, however the broader set of obligations for all online intermediary services are applied from 17 February 2024.

Fines for non-compliance can be up to 6% of the annual worldwide turnover of the provider of the intermediary service, as well as up to 5% of the average daily worldwide turnover for periodic penalty payment.

Law firm K&L Gates commented: “The experience with fines under the EU General Data Protection Regulation, which has established a similar legal regime, indicates that, after an initial period of uncertainty, fines in the five- to seven-digit area may be realistic for smaller and medium-sized enterprises. However, if fines under the DSA will develop similarly remains, of course, to be seen.”

Conclusion

Larger companies, such as the big well-known social media platforms, already need to be compliant with the DSA, but it is applying to more and more companies in Europe that host or offer a platform to online data. If your users or customers are uploading content and you host it, the DSA applies to your business.

Starting a compliance project does not need to be difficult. At Alorica we have helped companies with European regulations including the GDPR and DSA. We can help to immediately work on a gap analysis and create a roadmap to compliance.

If you want to protect your company, and your customers, and you need rapid advice on how to avoid non-compliance then contact me. I can provide you with case studies and examples of our experience and I’m happy to answer questions about your own situation.

Please feel free to contact me here.

?