The internet and online platforms allow us to easily access and purchase products and services and enjoy a rich variety of content. However, these conveniences come with risks to consumers, such as illegal content, the sale of illegal products, the publication of terrorist content, manipulative design patterns, and disinformation.
To address these risks, the European Union has implemented a new law, the Digital Services Act (DSA), in the context of its Digital Services Act Package.
The Digital Services Act ("DSA") applies to many businesses, such as content-sharing platforms, large online search engines, and online platforms. It imposes stringent obligations on the organizations that fall under its scope, including removing illegal content, prohibiting targeted advertising in limited circumstances, and certain reporting obligations. Organizations failing to comply with the DSA may face a fine of up to 6% of their annual turnover.
Interested in learning about the Digital Services Act and whether it applies to you? Read on to find out.
What is the Digital Services Act (DSA)?
The EU Digital Services Act (DSA) is a new regulation for all EU member states. The new Act aims to create a safe online space for EU consumers and a level playing field for businesses. While the DSA came into force on 16 November 2022 following its publication in the Official Journal, its rules will become applicable to all regulated organizations on 17 February 2024.
"The whole logic of our rules is to ensure that technology serves people and the societies that we live in - not the other way around. The Digital Services Act will bring about meaningful transparency and accountability of platforms and search engines and give consumers more control over their online life. The designations made today are a huge step forward to making that happen."
- Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age (source: European Commission)
Some DSA obligations have already become applicable. The EU Commission has designated 2 Very Large Online Search Engines (VLOSEs), Google Search and Bing, and 17 Very Large Online Platforms (VLOPs) that reach at least 45 million monthly active users.
These designated online platforms have been required to comply with all the DSA obligations since August 2023.
What is the difference between the Digital Services Act (DSA) and the Digital Markets Act (DMA)?
If big tech companies such as Facebook, Google Search, and Microsoft are already subject to the EU Digital Markets Act, why is there a separate law called the EU Digital Services Act?
The answer is that these two laws are distinct from each other.
While the EU Digital Markets Act aims to prevent anti-competitive business practices by gatekeeper platforms and to ensure the contestability and fairness of digital platforms such as Google and Facebook, the DSA’s primary objective is to create a safe online space for EU consumers.
Since they regulate different areas and their objectives differ, these laws’ requirements also differ. However, some organizations might be subject to both the Digital Markets Act and the Digital Services Act.
What organizations are subject to the Digital Services Act?
In terms of scope, the DSA takes a tiered approach, describing four tiers of organizations that may fall under it, subject to exceptions. Depending on the specific tier, an organization will be subject to different obligations under the Act.
For instance, large online platforms such as Facebook must comply with more stringent obligations than medium-sized content-sharing platforms.
Tier 1: Intermediary services
Organizations that provide one of the three pre-defined categories of services will fall under this tier: mere conduit services, caching services, and hosting services.
Mere conduit services consist of the transmission of information provided by a service recipient in a communication network, or the provision of access to a communication network. For instance, internet service providers, virtual private networks, and domain name systems will fall under this category.
As for caching services, content delivery networks and content adaptation proxies are examples of such services.
Tier 2: Hosting services
Hosting services involve storing information provided by a service recipient. Examples include cloud service providers, web hosting providers, social media platforms, and online marketplaces.
Tier 3: Online platforms and marketplaces
Online platforms refer to services that publicly disseminate service users’ information. Social network services like Instagram, two-sided platforms like Airbnb, and content-sharing platforms like TikTok would fall under this category.
Tier 4: Very large online platforms and large online search engines
An online platform or search engine will qualify as a very large online platform or search engine if its average number of monthly users exceeds 10% of the total number of EU consumers (45 million at the time of the text).
The European Union Commission will designate organizations that fall under this category. As referenced in the previous section, in its decision dated 25 April 2023, the EU Commission designated companies that qualify under this tier, including Google, Facebook, Amazon, and Alibaba.
What are the key obligations under the DSA?
The DSA imposes new requirements on service providers, such as the prohibition on using dark patterns and the obligation to be more transparent about the logic behind any recommender system. Furthermore, it grants internet users new rights they may exercise. The key obligations include:
Restrictions on targeted advertising: Article 26.3 of the DSA prohibits intermediary service providers from displaying targeted advertisements to users based on sensitive data such as race, religion, and political opinions.
This prohibition applies to organizations under tier 3 and tier 4: online platforms, online marketplaces, very large online platforms, and search engines. Moreover, providers of online platforms shall not present advertising on their interface that is based on profiling using personal data relating to the recipient of the service where they know with reasonable certainty that the recipient of the service is a minor.
Recommender systems: When an online platform uses a recommender system such as a news feed, it should inform its users about the logic of how this recommender system operates and be transparent about how it works. Furthermore, providers of very large online platforms and online search engines that use recommender systems must offer at least one option for each of their recommender systems that is not based on profiling.
Prohibition on dark patterns: Article 25 of the DSA bans deceptive and/or manipulative interfaces that prevent users from making informed and free choices.
Removal of illegal content: When national authorities submit a content removal request, providers of intermediary services shall act promptly and comply with the request. Remember that online platforms are not obligated to constantly monitor illegal content and take action.
Notification and action mechanisms: Hosting service providers (including platforms) must put in place mechanisms that are easy to access and use, enabling any individual or entity to notify them of the presence of illegal content on their service.
Transparency: All intermediary service providers must provide their users with clear and transparent information about their policies, tools, and procedures used for the removal of content, content moderation, and complaint handling procedures. Therefore, organizations subject to the DSA shall revise their terms and conditions to inform users about these policies, tools, and procedures.
Transparency requirements for advertising on online platforms: Providers of online platforms that present advertisements on their online interfaces shall ensure that, for each specific advertisement presented to each individual recipient, the recipients of the service are able to identify, in a clear, concise and unambiguous manner and in real-time, the following:
that the information is an advertisement,
the natural or legal person on whose behalf the advertisement is presented,
the natural or legal person who paid for the advertising,
meaningful information directly and easily accessible from the advertisement about the main parameters used to determine the recipient to whom the advertisement is presented and, where applicable, how to change those parameters.
Reporting obligations: Intermediary service providers must publish an annual report on their content moderation activities, such as what tools were used and what content removal requests were received during the relevant period.
How Didomi can help you comply with the Digital Services Act
From prohibiting personalized advertisements based on sensitive data to new transparency requirements, the Digital Services Act (DSA) introduces new obligations on how regulated organizations, including hosting services and online marketplaces, should design their platforms and interfaces and inform their users.
Most importantly for us, providers of online platforms that advertise on their online properties shall ensure that, for each specific ad, recipients can identify meaningful information directly and easily about the main parameters used to target them and, where applicable, about how to change those parameters.
In the context of consent collection and your Consent Management Platform (CMP), this could mean re-displaying your consent banner so consumers can update these parameters. To explore how the Digital Services Act might impact your organization’s consent practices and how to configure your consent banner accordingly, book a call with one of our experts.
Frequently Asked Questions (FAQ)
Is the DSA directly applicable across the EU?
The DSA is an EU regulation. Therefore, it is directly applicable across the EU.
Does the Digital Services Act apply to companies outside the EU?
If your organization offers services to EU consumers, you must determine if the Act applies to you and implement the appropriate compliance steps before the deadline.
What is the relationship between the Digital Services Act and the GDPR?
While there is some overlap between the DSA and the GDPR, the DSA does not override the GDPR because the GDPR takes precedence over it. Recital 10 of the DSA states that:
“...The protection of individuals with regard to the processing of personal data is governed solely by the rules of Union law on that subject, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC...”
For instance, the DSA includes prohibitions on targeted advertisements based on sensitive data categories such as race and religion, and this prohibition needs to be read in conjunction with the GDPR.
What are the fines under the Digital Services Act?
An organization that fails to comply with the DSA may face a fine of up to 6% of its annual turnover.
When does the Digital Services Act come into force?
While the DSA came into force on 16 November 2022 following its publication in the Official Journal, its rules will become applicable to all regulated organizations on 17 February 2024.
However, very large online platforms and search engines have been affected since 25 August 2023.
Who enforces the DSA?
Each EU member state is primarily responsible for enforcing the DSA and must appoint one digital services coordinator to supervise service providers. However, the European Union also plays a role in enforcement.