The EU Digital Services Act (DSA) is a far-reaching landmark European Union (EU) law, focused on the regulation of and tackling illegal content online.
Historically there was not enough legal protection to safeguard the rights of individuals online, but the DSA will now address this with a range of extensive new obligations for several different online service providers to comply with.
The DSA will harmonise rules and obligations for digital service providers both in the EU and for some outside of it. Although the DSA is EU law, it also applies to non-EU service providers (including UK businesses) if their services are offered to or targeted at individuals within the EU.
The DSA rules have the potential to impact almost all digital businesses. The legislation is vast and complex and failing to comply with its rules can lead to severe consequences, including investigations and fines of up to 6% of global revenue. As such, compliance with the DSA is critical and businesses should seek legal advice if necessary.
This article will set out some key insights about the DSA and its implications for UK businesses. For specific advice tailored to your situation, please contact our expert team of technology solicitors.
- What is the EU Digital Services Act, and why is it relevant to UK businesses?
- Scope of the Digital Services Act
- What are the key objectives and compliance obligations of the Digital Services Act?
- How will the EU Digital Services Act impact the operations of UK businesses and what can businesses do to prepare for it?
- Are there any potential benefits for UK businesses in complying with the Digital Services Act and what challenges might they face in adapting to it?
- How does the EU Digital Services Act compare to existing UK laws?
What is the EU Digital Services Act, and why is it relevant to UK businesses?
The DSA entered into force in November 2022. It sets out regulations aiming to modernise the regulatory framework for digital services in the EU and prevent use of the internet for harmful purposes.
The law aims to redefine rules to govern the offering of products and services online, setting new regulations governing how ‘online intermediary services’ should operate to create a safer and more transparent online environment for users.
The DSA encompasses a wide range of rules, with tiered responsibilities depending on the nature of a business. It will be enforced by the European Commission and national authorities.
The DSA is extremely ambitious and Jozef Síkela, Minister for Industry and Trade in the EU, stated as follows about this law in the press release:
‘The Digital Services Act is one of the EU’s most ground-breaking horizontal regulations and I am convinced it has the potential to become the ‘gold standard’ for other regulators in the world. By setting new standards for a safer and more accountable online environment, the DSA marks the beginning of a new relationship between online platforms and users and regulators in the European Union and beyond.’
Scope of the Digital Services Act
The rules under the DSA apply to a variety of businesses.
The DSA applies to ‘intermediary services’ (for example, services which involve transmitting, storing, or hosting information online), online platforms and online search engines.
Intermediary services cover a broad scope and various service providers including ‘mere conduit’ services (services through which information is transmitted to users), ‘caching’ services (services involving the temporary storage of information) and ‘hosting’ services (services involving storing information).
Examples of businesses likely to need to comply with the DSA are:
- Online marketplaces
- Social networks
- App stores
- Content sharing platforms
- Messaging services
- Online search engines
- Online shops
For most applicable businesses, the rules of the DSA will kick in from 17 February 2024. However, the rules will apply earlier for very large online platforms and search engines.
The DSA adopts a tiered approach in terms of the obligations it imposes on businesses, depending on their size and impact. For example, very large online platforms and search engines will have the strictest of obligations (compared with small businesses).
The DSA will be enforced by both European member states and the European Commission. For breaching the DSA, businesses can be fined up to 6% of annual global turnover in the preceding financial year. Therefore, compliance with the rules is serious.
The DSA is relevant to UK businesses, as it applies to UK businesses who target users or have a significant number of users inside the EU. Therefore, UK businesses who fall within the scope of the DSA must ensure they comply with it.
What are the key objectives and compliance obligations of the Digital Services Act?
The DSA sets out various objectives. Some key objectives include:
- it prescribes unique obligations for online marketplaces to tackle the online sale of illegal products and services;
- it introduces processes to stop illegal content online and obligations for platforms to react quickly;
- the DSA sets out a need to implement measures to tackle illegal content, services and goods online and mechanisms for users to report such content;
- it affords better protection for minors online, for example by banning platforms from using targeted advertising based on the use of minors’ personal data;
- it imposes certain restrictions on the appearance of advertising and on the use of sensitive personal data for targeted advertising;
- it prohibits misleading interfaces known as ‘dark patterns’ and practices aimed at misleading; and
- it sets out extremely strict rules for very large online platforms and search engines (for example, these businesses will need to
carefully investigate the systemic risks they create).
Some of the key obligations under the DSA regime include:
- a new modernised liability regime for online intermediaries caught by the DSA rules;
- the need for removal of illegal online content;
- rules around the use of user data;
- newfound transparency obligations for online platforms;
- the need to appoint an EU Representatives for online intermediaries established outside the EU; and
- stringent rules for very large online platforms.
The DSA sets out different obligations, depending on the category of digital services a business offers. It adopts a four-tiered system of obligations – tier 1 businesses have the least obligations, and the obligations get increasingly onerous the higher the tier. Small and micro-enterprises are exempt from complying with some of the DSA rules. The most heavy obligations apply to the largest online platforms and search engines.
- Tier 1 – applies to all intermediary services.
- Tier 2 – covers hosting services.
- Tier 3 – covers online platforms and marketplaces.
- Tier 4 – applies to very large online platforms and search engines.
All providers will need to comply with obligations such as:
- the need to act quickly to remove illegal content;
- having clear and transparent terms and conditions, describing content moderation practices; and
- reporting on their content moderation activities.
Compliance with the DSA is not a one-size fits all approach. Businesses should carefully consider which type of service they offer and which particular obligations under the DSA will apply to them. This will require a thorough analysis of the DSA and its rules.
How will the EU Digital Services Act impact the operations of UK businesses and what can businesses do to prepare for it?
UK businesses who offer online services in the EU are likely to be caught by the DSA, to the extent that they offer services to (or target their activities towards) a significant number of users who are based in the EU.
The DSA is ground-breaking law, bringing with it entirely new obligations and a range of tasks for businesses. As such, UK businesses need to consider the DSA and prepare for what impact it will have on them.
There are various practical steps which UK businesses can take to prepare for the DSA.
For example, as a UK business you should:
- consider whether you will need to comply with the DSA rules;
- determine which obligations under the DSA will apply to your business;
- review your policies and practices to make sure that they comply with the DSA rules;
- develop compliance plans to conform with the DSA, including consideration of the appointment of a legal representative and designated compliance offers;
- consider if you need to train staff on the DSA requirements;
- review whether you need to make any technical changes to your platforms to comply with the DSA rules;
- seek legal advice to understand your obligations under the DSA; and
- monitor developments and guidance around the DSA.
Are there any potential benefits for UK businesses in complying with the Digital Services Act and what challenges might they face in adapting to it?
In practice, compliance with the DSA and its new obligations will be onerous for businesses. It is likely to require significant time, resources, and reorganisation of internal practices and operations. It remains to be seen as to how businesses will tackle these rules – particularly UK businesses who are sat outside of the EU.
The DSA presents a significant shift to first time regulation in this digital space, likely to impact various areas across businesses, including their terms and conditions, internal policies and procedures and user interfaces. Given the extremely heavy fines for breaching these rules, businesses will be under a great deal of pressure to comply and compliance will not be an easy, nor quick job.
That being said, the DSA also presents the opportunity to develop good practices and be seen as competitive in the EU digital market. By following the DSA rules, UK businesses can show individuals that their online safety is taken seriously and develop a culture of trust with users. In the long-term, these good practices and culture of trust can help lead to long-term business success.
How does the EU Digital Services Act compare to existing UK laws?
The UK has its own forthcoming law to tackle online safety. The UK’s Online Safety Bill is a new law designed to protect children and adults online. The Online Safety Bill will place several obligations on online service providers. Certain provisions of the Online Safety Bill are similar to those set out in the DSA, such as rules around restricting illegal content and reporting mechanisms. However, there are also differences in these legal regimes.
UK organisations may need to comply with two separate sets of laws – both the DSA and the UK Online Safety Bill (when it becomes law). Being subject to two distinct legal frameworks will require businesses to invest substantial time, resources and costs into compliance.
UK businesses should carefully consider their business activities, which rules they will need to follow and stay on top of developments in this space. Complying with two sets of rules is complicated and this is a fast-moving area, so if you are unsure about this you should seek legal advice.
See more about the UK’s Online Safety Bill.
The online environment and the risks it poses to individuals has changed significantly in recent years. The DSA aims to help create a responsible atmosphere online and help users feel safer and more comfortable. The DSA presents opportunities for businesses to offer rights and transparency to users and protect them more than ever before, thereby fostering a culture of trust and fairness.
However, the DSA legislation is vast and complicated. Compliance may be particularly difficult for UK businesses, especially as they sit outside of the EU and may also have to comply with the UK’s own laws on online safety.
Now is the time for UK businesses offering online services in the EU to examine the DSA rules, assess what they need to do and then change their procedures, policies and documents to comply with the new requirements. This is new law and there are currently no precedents, market practices or lessons around compliance.
It is also vital to note that because of the tiered approach of the DSA rules, compliance is by no means a ‘tick box’ exercise. Businesses will need to carefully consider the DSA rules, because compliance will be different from business to business depending on the activities they carry out.
Compliance with the DSA is likely to be a big job for many businesses. Businesses may also need technical, as well as legal and operational support, to properly comply with the DSA rules. This article has set out some of the key issues for businesses to consider and steps they can take to work towards compliance.
If you have any questions about the DSA or require support with compliance, please contact our team who are here to help.