On October 4, 2022, the EU adopted the Digital Services Act (“DSA”), which imposes new rules on providers of intermediary services (e.g., cloud services, file-sharing services, search engines, social networks and online marketplaces). The DSA will enter into force on November 16, 2022 — although it will only fully apply as of February 17, 2024.
As we reported in July, the DSA requires that certain intermediaries of content, goods and services:
- implement notice-and-action mechanisms, establish internal complaint-handling systems, reply to information requests by law enforcement authorities, and comply with law enforcement orders to act against illegal content — all building on the existing requirements under the EU eCommerce Directive;
- ensure the traceability of traders offering goods or services on online marketplaces; and
- comply with detailed transparency and accountability obligations, including:
  - describe in terms and conditions the restrictions imposed in relation to the use of the service concerning user generated content;
  - provide recipients of the services with a concise and easily accessible summary of the terms and conditions in machine-readable format;
  - inform the recipients of the service of any significant change made to the terms and conditions;
  - where services are directed at minors or predominantly used by them, explain the conditions for and restrictions on the use of the services in a manner that is easily understood;
  - identify online advertising as such, and identify the advertiser and sponsor; and
  - provide information on the main parameters used in recommender systems, as well as options recipients have to modify or influence the parameters.
Moreover, the DSA imposes a ban on so-called dark patterns and online advertising activities targeting minors, or those based on sensitive personal data.
The strictest set of obligations is directed at providers of “very large online platforms” and “very large online search engines”, i.e., those reaching an average of 45 million or more monthly active users in the EU, and designated as such by the Commission. Specific obligations for such organizations include:
- publishing their terms and conditions in the official languages of all Member States in which they offer their services;
- conducting annual assessments of “systemic risks” stemming from the design, functioning and use of their services, including algorithmic systems, in the EU;
- conducting independent audits each year;
- granting authorities access to data, upon request, for the purposes of monitoring and assessing compliance with the DSA, and explaining the design, logic, functioning and testing of algorithmic systems;
- establishing an independent compliance function, reporting to senior management, to ensure compliance;
- paying an annual supervisory fee to the Commission for the costs associated with its oversight; and
- complying with certain actions required by the Commission in crisis scenarios, where activities relating to the platforms or search engines give rise to a serious threat to public security or public health.
Providers of “very large online platforms” and “very large online search engines” will be subject to these obligations four months after the European Commission designates them as such.
* * *
The Covington team is advising many clients on how to prepare for complying with the DSA and other legislative proposals affecting technology companies. Please reach out to a member of the team if you have any questions.