The new Digital Services Act (“DSA”), a key pillar of the EU’s overhaul of the digital economy, aims to harmonize rules for online intermediaries (such as online marketplaces, social media platforms, app stores, cloud providers, and search engines). It seeks to promote transparency and to allow for safer digital spaces by preventing the dissemination of illegal and harmful content online. As a regulation, the DSA will be directly applicable across all 27 EU Member States and supersede any national legislation. Similar to the General Data Protection Regulation (“GDPR”), the DSA has extra-territorial effect and non-EU established businesses will also be subject to the DSA to the extent they offer intermediary services to recipients established or located in the EU.

The obligations imposed by the DSA are cumulative across four different categories of intermediaries, being: (i) all intermediary service providers; (ii) hosting service providers; (iii) online platform providers; and (iv) very large online platforms (“VLOPs”) and very large online search engines (“VLOSEs”) (those that have at least 45 million average monthly active users in the EU and that have been designated as such by the European Commission). A set of “base” obligations will apply across all categories of intermediary service providers, with hosting service providers, online platform providers and VLOPs and VLOSEs having additional (and increasing) obligations.

Some of the key provisions include:

  • a ban on targeted advertising based on profiling using data of minors or special categories of data;
  • a ban on dark patterns (for example, “nudging” a user to make a certain choice by using particular color and/or size emphasis);
  • obligations to provide further information about adverts and the reasons a recipient is shown an advert;
  • obligations on identifying and removing illegal content;
  • reporting requirements;
  • mandated information for terms and conditions.

While the bulk of the DSA is not applicable until February 17, 2024, there was an earlier deadline of February 17, 2023 for online platforms to publish information on their average monthly active recipients in the EU so that the European Commission can make its VLOP and VLOSE designations. Once designated, VLOPs and VLOSEs will have four months until the DSA applies to them.

Takeaway: Businesses should review the extent to which the DSA applies to their operations and begin to consider the likely implications. In the privacy space, DSA provisions such as the prohibition of certain advertising and dark patterns, as well as additional transparency requirements, mean that affected businesses will likely need to look to each of the GDPR, e-Privacy Directive (or, once adopted, Regulation) and the DSA to understand their obligations. As with the GDPR, businesses should bear in mind the potential for large fines as the DSA sets an upper limit of 6% of annual worldwide turnover.