Under the Digital Services Act (DSA) that regulates online services content and more, 17 February 2023 marks the first deadline for "online platforms"; after that, "very large online platforms" (VLOPs) have four months after designation as such by the European Commission to comply fully; and 17 February 2024 is the deadline for all hosting, caching and mere conduit services offered to EU customers, which is not far away at all in the scheme of things. Effective 17 November 2022, the DSA carries GDPR-beating fines of up to 6% turnover.

Below are some key practical action points in light of these deadlines.

Near future, before 17 February 2023

  • If you offer any online on-demand service to EU users (whether consumer, business, etc), consider whether it is an "online platform" within the DSA that hosts and disseminates user-provided information publicly:
    • Online platforms include social networks and online marketplaces. IaaS/PaaS cloud and webhosting services are generally not online platforms, but are "hosting" services (see later). SaaS services could be online platforms, depending on the nature of the service.
    • Consider the applicability of exemptions for minor/ancillary public dissemination (e.g. comments sections in online news sites). Also consider the position regarding public groups/open channels.
    • Consider what approach to take if service users individually can choose whether to make some of their content private, public or shared only with a limited group.
    • Consider whether to argue that it is not an "online platform" because only registered users who have been granted access following a human decision or selection can view content, so there is no public dissemination (but bear in mind that regulators/courts may not accept this point if made by big tech platforms, given the DSA’s purposes).
  • If it is an online platform, decide whether to:
    • update systems, policies/processes ASAP to enable you to calculate, on an ongoing basis, the number of average monthly EU recipients (over the past six months, and over the six months before any regulatory request for the information) and publish it on your website/mobile apps by 17 February 2023 (small/micro enterprises are also caught here). This means that you need to start counting users from 16 November 2022 you need to be able to count users retrospectively as from mid-August 2022, i.e. users during the six months up to 17 February 2023. Furthermore, the deadlines stated above were simplified for brevity: in fact, from 16 November 2022 regulators can request average monthly EU user numbers for the six months immediately preceding the time of the request, so you need to ensure that your systems enable you to extract these numbers on an ongoing rolling basis. Also consider how you will:
      • count users (including readers/viewers, not just posters/uploaders) who engage at least once in a given period without tracking them, without double-counting web and app usage, and in compliance with privacy/data protection laws (e.g. GDPR legitimate interests assessment);
      • exclude incidental users arriving via links or search engines (which seems to be the intention and effect of the relevant recital); and
      • exclude bots/scrapers?

      OR

    • risk waiting for the Commission’s methodology (not yet issued) before calculating or publishing, even if this would mean missing the February 2023 deadline, given that penalties for non-publication seemingly cannot be imposed before 17 February 2024 and the level of fines for that infringement is unclear (it seems they could be up to 6%, even if imposed after 17 February 2024 for infringements pre-dating that date; it is 1% for failure to reply to a specific regulatory request for information or supplying incorrect, incomplete or misleading information, so it would be odd if failure to publish recipient information carried a higher % fine).
  • If you offer an in-scope online platform service, consider:
    • whether to publish your second report, post-February 2023, earlier than August 2023 (e.g. in April/May 2023, to move the publishing cycle to a more practicable April/May and October/November rather than February and August, which may cause practical issues with summer holidays/staff availability; although note that it is unclear whether regulators would accept such a shift in publishing schedule, or would insist on February/August always); and
    • where your EU "main establishment" for DSA purposes is or should be or, if you have no EU establishment, where to appoint an EU legal representative, and proceed to appoint one. Member states set their own penalties, with the DSA stipulating only various caps of 6% turnover and 5% daily or 1% turnover/annual income, so there may be national differences in penalties, and you may wish to await details of Member State implementations first. Note that DSA representatives will be fully liable for their appointor’s DSA infringements so indemnities, insurance etc. may require consideration/discussion.
  • "Very large online platforms" (VLOPs), whose average monthly EU recipients exceeds the DSA threshold (currently 45 million average monthly EU users), probably know who they are already, but must await Commission designation as such. Then, they have only four months after designation (or 17 February 2024 if earlier) to comply with all VLOP and other relevant DSA obligations. No doubt, VLOPs are already taking steps to comply, given the tight timing.

By 17 February 2024

  • If you offer online services to EU users, whether alone or as part of other services, consider ASAP whether they are, from a technical functionality perspective, "hosting" (including online platforms), "mere conduit" or "caching" services (together "intermediary services"):
    • "Hosting" includes cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing.
    • "Mere conduit" includes internet exchange points (IXPs), wireless access points or wireless local area networks (WLANs), virtual private networks (VPNs), domain name system (DNS) services and resolvers, top-level domain (TLD) name registries, registrars, digital certificate authorities, voice over IP (VOIP) and other interpersonal communication services like messaging and web-based email services provided over internet access services.
    • "Caching" includes content delivery networks (CDNs), reverse proxies or content adaptation proxies.
  • If they are intermediary services, they will benefit from certain liability exemptions, but you will also have to update systems, terms, policies and processes so that you can, by 17 February 2024 (see more detailed summary of key DSA requirements ):
    • respond appropriately to judicial/administrative orders on content takedown and/or giving information on specific users; and
    • comply with certain due diligence and transparency obligations, including requirements regarding user terms, language and format, moderation policies and processes e.g. algorithmic and human review, complaint procedures, moderation application/enforcement, annual reports on moderation etc.; and
    • comply with additional obligations for hosting services (reporting/notification, notice and action i.e. takedown procedures), even more on online platforms (further reporting, etc.) and even more on VLOPS (again, see the detailed summary ). Also consider the DSA main establishment or legal representative issue too, if not already actioned.
  • Specific requirements apply to advertising on online platforms and online marketplaces in particular, with the result that the DSA will affect those using or dealing with intermediary services, not just intermediary services themselves. This means advertisers, online marketplace traders and others must also consider the DSA’s implications for their businesses, and prepare accordingly before 17 February 2024 (further on advertising, please see this article).