On July 5, 2022, the European Parliament adopted the Digital Services Act (“DSA”) with 539 votes in favor, 54 votes against and 30 abstentions, following the political deal reached on April 23, 2022 (see our previous blog here).

Key aspects

The DSA is addressed to providers of intermediary services (e.g., Internet service providers, cloud providers, search engines, social networks and other online platforms, and online marketplaces).  The DSA will also apply to providers established outside the EU, to the extent they offer services to business and individual users established or located in the EU.

Among a range of topics, the DSA requires:

  • implementation of notice-and-action mechanisms;
  • setting up internal complaint-handling systems;
  • ensuring the traceability of traders on online marketplaces; and
  • compliance with detailed transparency and accountability obligations, including specifically on online advertising and algorithms used to recommend content. 

Moreover, the DSA imposes a ban on so-called dark patterns and online advertising activities targeting minors, or those based on sensitive personal data.

The strictest set of obligations are addressed to providers of “very large online platforms” and “very large online search engines”, i.e., those reaching an average of 45 million or more monthly active users in the EU, and designated as such by the Commission.  Specific obligations for such players include:

  • conducting assessments of “systemic risks” stemming from the design, functioning and use of their services, including algorithmic systems, in the EU;
  • conducting yearly independent audits;
  • granting access to data to the authorities, upon request, for the purposes of monitoring and assessing compliance with the DSA, and explaining the design, logic, functioning and the testing of algorithmic systems;
  • establishing an independent compliance function;
  • paying an annual supervisory fee to the Commission; and
  • complying with certain actions required by the Commission in cases of extraordinary circumstances leading to a serious threat to public security or public health.

Next steps

The DSA text must now be adopted by the Council (expected in September 2022).  The DSA will enter into force twenty days after publication in the EU Official Journal.

The DSA will be directly applicable across the EU and will apply fifteen months, or from January, 1 2024 (whichever comes later), after its entry into force.  However, the DSA will become enforceable sooner for very large online platforms and very large online search engines, i.e., four months after being designated as such by the Commission.

***

The Covington team will keep monitoring the developments on the DSA, and is happy to assist with any inquiries on the topic.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP’s European Advisory Board, Privacy International and the European security agency, ENISA.

Photo of Sam Jungyun Choi Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such…

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming companies on laws relating to privacy and data protection, digital services and AI. She advises clients on designing of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Photo of Laura Somaini Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules…

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.