Move over GDPR, the DSA is the next big thing to come out of Europe

When the GDPR came into force about five years ago, it made headlines because it was a mammoth piece of EU legislation introducing significant changes to data protection law throughout the EU. It was also significant because it introduced the possibility of substantial fines for non-compliance – up to 4% of worldwide annual turnover.

The DSA (Digital Services Act) is the latest piece of EU legislation to make headlines. It will apply in all EU members states from 17 February 2024, and it is similarly significant because it imposes new obligations on services providers operating online. Like the GDPR, it also imposes the possibility of substantial fines for non-compliance – up to 6% of worldwide annual turnover.

The DSA applies to: those providing ‘caching’ and ‘mere conduit’ services (e.g. internet service providers); those providing ‘hosting services’ (e.g. cloud storage service providers); those providing ‘online platforms’ (e.g. social media and online marketplaces); and very large online platforms (‘VLOPs’) and search engines (‘VLOSEs’) whose average monthly users in the EU exceeds 45 million (e.g. Google).

The DSA introduces a number of new and significant obligations, including:

– all service providers must respond to orders to remove illegal content and must inform users of their actions;

– all hosting service providers must have ‘notice and action’ system enabling users to flag illegal content;

– all online platforms must have effective internal complaint’s handling systems and must put in place “appropriate and proportionate measures” to ensure the privacy, safety and security of minors;

– all online marketplaces must check/verify the identity of users, must enable traders and consumers to comply with pre-contractual requirements on the platform, and must inform consumers if illegal products or services were sold on the platform;

– all very large online platforms and search engines must carry out comprehensive and regular risk assessments to prevent online harms (e.g. data breaches, IP infringement, child exploitation, gender violence, political extremism etc.).

In a post-Brexit world, the DSA does not form part of domestic UK law. However, the DSA still applies where the users/recipients of a service are based in the EU, regardless of the service provider’s place of incorporation/establishment. The UK’s answer to the DSA is its Online Safety Bill, which tackles similar issues relating to online content. The Bill is under review in the House of Commons.

Briffa comment

If your business provides services online, and you have customers/users in the EU (whether your business is based/incorporated in the UK, the EU, or elsewhere), your first step should be to consider whether your business/services fall within the scope of the DSA. Bear in mind that services may be intertwined e.g. a traditional e-commerce platform may also have an integrated online marketplace.

If your business/services fall within the scope of the DSA, your next step should be to consider any necessary changes to your platform documentation (e.g. most online platforms will already have, at least, terms and conditions, a privacy policy and a cookie police). Bear in mind that the DSA requires terms and conditions to be updated to reflect the content moderation systems mentioned above.

Once your user/customer contractual documentation is up-to-date, you should then consider any necessary changes to your platform processes/practices (e.g. most online platforms will already have some sort of signup/onboarding process). Bear in mind that the DSA requires online marketplaces to verify the identity of users, to facilitate users complying with pre-contractual requirements on-platform and to suspend/remove traders/products for non-compliance.

Once your documentation and practices are up-to-date and DSA-compliant, it might also be useful to review your other documentation/practices to ensure they are also compliant with all other applicable law (e.g. ensuring that your data protection documentation and practices are up-to-date and GDPR-compliant).

Briffa is a firm of specialist intellectual property, information technology and data protection lawyers We have a wealth of experience helping SMEs and others operating online in relation to e-commerce contracts, online data protection issues, online IP protection/enforcement issues, and more. If you believe your business/service may fall within the scope of the DSA, please get in touch on 20 70962779 or info@briffa.com and one of our team will be happy to help.

Written by Éamon Chawke – Partner