The Digital Services Act (“DSA”) was formally signed into law on 19 October 2022 and will be directly applicable in the EU from 16 November 2022. This legislation has been in the pipeline for some time, beginning with a 2020 proposal of the Commission and culminating in publication in the Official Journal in October 2022.
The DSA aims to create a harmonised approach to the protection and recognition of the fundamental rights of online users and foster greater competition in the digital marketplace. The President of the European Commission Ursula von der Leyen sets out that the DSA “will ensure that the online environment remains a safe space, safeguarding freedom of expression and opportunities for digital businesses. It gives practical effect to the principle that what is illegal offline, should be illegal online”
The DSA will provide users with more information about how their data is used by increasing transparency around the powerful algorithms used by large online platforms.
The DSA is applicable to all digital service providers that act as online intermediary service providers (“OIPs”) who offer services within the EU, regardless of their country of establishment.
The obligations placed on OIPs under the DSA differ based on the size of the OIP. There are enhanced obligations for platforms with 45 million users or more, labelled ‘very large online platforms’ (“VLOPs”) and very large online search engines (“VLOSEs”), which will be subject to the most onerous requirements of the DSA.
- The DSA places heightened accountability for illegal content on OIPs, requiring OIPs to implement user-friendly reporting mechanisms to enable users to notify the platform of the presence of illegal content.
- The DSA broadly provides for greater protection for children online including a ban on targeted advertising aimed at children. OIPs will have to assess and limit the risks their platforms pose to children.
- The DSA ensures greater transparency in online advertising, users will be better informed about the content that is recommended to them and providing the user with greater control over how their personal data is used.
- VLOPs must conduct annual risk assessments at their own expense to screen their processes for dealing with various risks including that of illegal online content. In addition to this, they must also establish an independent compliance function to oversee adherence to the DSA.
- The DSA also provides for a crisis response mechanism which allows for intervention from the European Commission in times of a threat to public health or security.
The majority of the provisions outlined will not be applicable until the DSA has been in force for 15 months, however the rules applicable to VLOPs and VLOSEs will apply from 4 months after being notified by the European Commission that they meet the threshold. This leaves VLOPs and VLOSEs with a short window in which to ensure they are complying with their obligations under the DSA.
Supervision and Enforcement by the European Commission of VLOPs
Under the new regime, the European Commission gains supervision powers over the activities of VLOPs and VLOSEs. The powers of the European Commission will be complemented by those of national regulators, Digital Services Co-ordinators which each member state must appoint to hold responsibility for overseeing smaller OIPs’ compliance with their obligations under the DSA.
In circumstances where OIPs do not act in compliance with the DSA, they could face fines of up to 6% of their annual global turnover. This compares to up to 4% of annual global turnover for a fine under GDPR.
Next Steps and Developments in Ireland
In light of these impending obligations, OIPs beginning the process of ensuring their business is DSA-compliant, should first identify the particular service(s) offered by the business, to enable them to form a proper understanding of their obligations under the DSA.
A number of VLOPs have already signed up to the 2022 Strengthened Code of Practice on Disinformation. Under that code, signatories committed to take action in various areas, including; “demonetising the dissemination of disinformation; ensuring the transparency of political advertising; empowering users; enhancing the cooperation with fact-checkers; and providing researchers with better access to data.”1 Many of the voluntary requirements in the Code will overlap with those imposed under the DSA, however if not considered already, all internal procedures, processes and products now need to have the relevant obligations of the DSA in mind. There is a greater need now more than ever before for strong and effective internal communication between trust and safety departments, legal and product leaders in order to ensure compliance with these obligations. OIPs should seek guidance from legal advisors on how to best implement updates to their terms and conditions and internal procedures to ensure that they are DSA-compliant.
OIPs should also note that an overlapping piece of Irish legislation is currently making its way through the Oireachtas. The Online Safety and Media Regulation Bill 2022 (“the OSMR”)2 has been passed by the Seanad, amended by the Select Committee in the Dáil and is currently being debated. The OSMR will apply to providers of relevant online services established in the State and amongst other things, creates a regulatory framework for online safety, defining categories of harmful online content and ‘age-inappropriate online content’. The OSMR plans to establish a new regulator, Coimisiún na Meán which has the power to create new online safety codes that are binding on designated online services. Coimisiún na Meán will have enforcement powers and the ability to impose administrative financial sanctions of up to 10% of relevant annual turnover. It is also understood that it may act as Ireland’s DSC under the DSA. The DSA and OSMR may have many of the same objectives, but with requirements for compliance with the first round of the DSA’s obligations beginning in early 2023 and the OSMR not yet in force, how they will work in tandem remains to be seen.