The Four “W”s and One “H” of Europe's Digital Services Act

13 minute read
May.19.2022

An update to this earlier article was published in October 2022 following approval of the Digital Services Act (DSA) by the Council of the EU Member States.

After more than a year of negotiations the final text of Europe’s (EU) Digital Services Act (“DSA”) has been agreed upon by the EU Parliament, the French Presidency of the Council of the EU, and the European Commission (“EU Commission”).

This update provides a quick summary and a deeper dive into who is impacted by the DSA, and the key obligations imposed to help organisations that qualify as EU-oriented intermediary service providers identify internal processes and products that will need to be adapted in order to achieve compliance.

The final agreed-upon text of the DSA has not been made public. The Orrick team is actively monitoring developments and this update will be amended once the final text is available.

Quick Summary

What Is the DSA?

The DSA updates and builds on the eCommerce Directive 2000/31/EC. Its dual objective is the creation of a European digital space where the rights of consumers and professional users are protected, and the establishment of a level playing field that will foster growth and innovation.

To achieve these objectives, the DSA imposes new obligations on intermediary service providers to identify and adopt measures to prevent the dissemination of “illegal” online content. The DSA also contains rules, as described in more detail below, regarding mandatory information to be provided to both consumers and professional users, in the service provider’s terms of use.

Importantly, the DSA does not replace other EU legislation that imposes rules regarding online content, including:

Directive on Copyright in the Digital Single Market 2019/790
Audiovisual Media Services Directive 2010/13/EU
Regulation on addressing the dissemination of terrorist content online 2021/784 (takes effect on 7 June 2022)

What Businesses Are Impacted and What Initial Steps Should They Take?

Online Service Providers: Online service providers that target EU users should assess whether they are a provider of “intermediary services”, and if so, which of the DSA obligations will be applicable to their business.
Intermediary Service Providers That Are Online Platforms: Intermediary service providers in the form of “online platforms”, even those that are not especially large in terms of users, are particularly impacted since most of the obligations in the DSA apply to online platforms. Such platforms will need to implement policies, internal processes, and new functionalities, in order to comply. The so-called Very Large Online Platforms (VLOPs) impacted by the DSA are already taking steps to implement their compliance.
Advertisers: Advertisers should also take note of the new transparency obligations that apply to intermediaries in relation to the ads displayed on their services.

Deeper Dive Into the DSA – An Overview of the Digital Services Act

1. Application

The DSA has a particular structure in terms of the applicability of its obligations as shown in the graphic below. All the law’s obligations apply to providers “intermediary services”. A subset of such obligations apply to “hosting services, including online platforms”. A further subset of obligations apply to “online platforms”, and still a further subset of obligations apply only to “very large online platforms".

The Four “W”s and One “H” of the European Commission’s Digital Services Act

Intermediaries Under the DSA Include:

Mere conduit services such as internet services providers.
Caching services such as cloud services providers offering automatic, intermediate and temporary storage of information, for the sole purpose of making the information's onward transmission more efficient.
Hosting services which are a storage of information services (e.g., cloud services providers, webhosting). Hosting services include:
- Online platforms: Which are hosting services that store and disseminate information to the public, at the request of service users, as their primary activity (e.g., marketplaces, app stores, collaborative economy platforms and social media platforms). Providers of hosting services that disseminate such information as a merely or ancillary service feature will not be considered online platforms (for example, the comments section in an online newspaper).
- VLOPs: The very large online platforms are those online platforms that provide for at least four consecutive months of their services to a number of average monthly active recipients of the service in the Union equal to or higher than 45 million.

2. Territorial Scope

The DSA applies to intermediary services that are provided to users that are established or have their residence in Europe, without regard to the where the intermediary is established. Non-EU based intermediaries that have EU-based users will therefore be expected to comply.

3. Intermediary Liability

The eCommerce Directive enshrined the principle that intermediaries shall not be liable for information transmitted through its service, provided it was not actively involved in the transmission and/or acted to remove or disable access to the information upon receiving notice.

The DSA retains this exemption from liability for intermediaries, with slight modifications, but imposes on hosts (and the subset categories of online platforms and very large online platforms) a set of due diligence requirements in relation to illegal content, as described below.

4. Obligations

Note: This section will be reviewed and may be subject to change when the final text of the law is published.

A. Applicable to All Intermediaries

Intermediary service providers will be required to do the following:

Identify a single point of contact within their organisation who will be the point of contact for national authorities. Intermediaries that do not have an establishment in the EU will have to appoint a legal representative in a Member State where the intermediary offers its services (there may be a possibility of collective representation for micro, small and medium enterprises).
There are specific obligations in relation to the form and content of the intermediary service terms and conditions. For instance, the terms must be fair, non-discriminatory and transparent, and must include information regarding how to terminate services, restrictions imposed on the delivery of services and also regarding the use of algorithmic tools for content-moderation.
Anonymity of users is protected except in relation to traders.
All intermediary services to publish an annual transparency report on any content moderation then engaged in, including specified information such as the number of orders received from Member States’ authorities, and information about the own-initiative content moderation practices of the service, including the use of automated tools. (This obligation does not apply to micro or small enterprises that do not qualify as very large online platforms).

B. Applicable Only to Intermediaries That Are Hosting Services, Including Online Platforms [Article 14 et. seq.]

Hosting services shall have a notification mechanism allowing the signaling of content considered by a user considers to be illegal content. The mechanism must be designed to facilitate sufficiently precise and substantiated notices to permit the identification of the illegality of the content.
‘Illegal content’ means any information or activity, including the sale of products or provision of services which is not in compliance with EU law or the law of a Member State, irrespective of the precise subject matter of that law;
If a notice containing the required information is received, the hosting service will be deemed to have actual awareness of the content and its potential illegality (which has implications for the service’s liability).
Hosting services must provide a statement of reasons to the user if their content is disabled or removed. This explanation, must contain certain information, including the facts relied upon and a reference to the legal ground relied upon, or other basis for the decision if it was based on the host’s terms and conditions. However, law enforcement authorities may request that no explanation is provided to users, if necessary due to an ongoing investigation.
There is a positive obligation to alert law enforcement or judicial authorities if the host suspects that a serious criminal offence involving a threat to life or safety of persons is taking place or is planned.
The anonymity of the content reporter is to be protected, except in relation to reports involving alleged violation of image rights and intellectual property rights.
The use of “dark patterns” is prohibited. Specific design practices are prohibited by the DSA (such as giving more prominence to a user consent option), and more may be identified through further legislation.

C. Applicable Only to Hosting Services That Are Online Platforms [Article 16 et seq.]

The obligations in this section do not apply to micro or small enterprises, except if they qualify as very large online platforms. Intermediary services may apply to be exempted from the requirements of this section of the DSA.
Online platforms shall provide an online appeals process against decisions taken by the platform in relation to content that is judged to be illegal or in breach of the platform’s terms and conditions. Decisions shall not be fully automated and shall be taken by qualified staff.
Users will be able to refer decisions to an out-of-court dispute settlement body certified by the Digital Services Coordinator of the relevant Member State.
Content reported by trusted flaggers shall be processed with priority and without delay. An entity may apply to the Digital Services Coordinator to be designated as a trusted flagger, based on criteria set out in the DSA.
The suspension of users, for a reasonable period of time, is permitted if they repeatedly upload illegal content shall be suspended for a reasonable period of time, after issuing a prior warning. Online platforms shall also suspend the processing of notices and complaints from users that repeatedly submit unfounded notices and complaints.
Online platforms are required to ensure that their services meet the accessibility requirements set out in the EU Directive 2019/882, including accessibility for persons with disabilities, and shall explain how the services meet these requirements.
To ensure the traceability of traders, online marketplaces shall only allow traders to use their platform if the trader first provides certain mandatory information to the platform, including: contact details, an identification document, bank account details, details regarding the products that will be offered.
A trader who has been suspended by an online platform may appeal the decision using the online platform’s complaint handling mechanism.
Online platforms shall also provide additional information in their transparency reports regarding the number of complaints received, the number of disputes submitted to the out-of-court dispute settlement bodies, the number of suspensions, the number of advertisements removed (with reasons) and use made of automated content moderation tools.
To promote online advertising transparency, online platforms shall ensure that service users receive the following information regarding online ads: that the content presented to users is an advertisement, the identity of the advertiser or person that has financed the advertisement, information regarding the parameters used to display the ad to the user (and information about how a user can change those parameters).
Users shall also receive information about how their data will be monetized.
Refusing consent must be as easy for the user as giving consent to a service or functionality. If consent is refused, users shall be given other fair and reasonable options to access the online platform.
Targeting techniques that involve the personal data of minors or sensitive personal data (as defined under the GDPR) is prohibited.
Online platforms have transparency obligations regarding any recommender system that is used to promote content. The online platform must disclose the main parameters used, as well as options for the recipient to modify or influence the parameters.
Specific obligations for online platforms that disseminate user generated pornographic content include mandatory verification of users that post content; professional human content moderation; a notification procedure specific for the take-down of content posted without the consent of a person depicted in the content.

D. Applicable Only to Online Platforms Which Are Very Large Online Platforms [Articles 25 et seq.]

The obligations in this section apply only to online platforms that provide their services to 45 million or more monthly active users, calculated in accordance with a methodology to be set out in further legislation. The European Commission will designate the online platforms that qualify as Very Large Online Platforms (“VLOPs”), and the list will be published.
VLOPs shall carry out (and in any event before launching a new service), an annual risk assessment of their services. The risk assessment shall take into account in particular risks of dissemination of illegal content, negative effects for the exercise of the fundamental rights, amplification of illegal content due to a malfunctioning or manipulation of their services, negative effects on public health. VLOPs shall consult with user representatives, independent experts and civil society organisations.
VLOPs must implement mitigation measures to deal with these system risks.
VLOPs shall have independent audits carried out, by independent firms, to assess their compliance with the DSA and any commitments undertaken pursuant to a code of conduct.
VLOPs that use recommender systems must provide at least one that is not based on profiling and must provide users with functionality to allow them to set their preferred options for content ranking.
Additional advertising transparency obligations are applicable, requiring the publication of information regarding the advertisements that have been displayed on the platform, including whether the advertisement was targeted to a group, the relevant parameters and the total number of recipients reached.
Content that qualifies as a “deep fake” shall be clearly labeled.
VLOPs are required to share data with authorities, where necessary for them to monitor and assess compliance with the DSA. Such information might include explanations of the functioning of the VLOPs algorithms. The regulator may also require that VLOPs allow “vetted researchers” (those that satisfy the DSA’s requirements) to access data, for the sole purpose of conducting research that contributes to the identification and understanding of systemic risks.
European legislators agreed to the last-minute insertion of a crisis mechanism, in the form an obligation on VLOPs to implement mitigating measures if a public crisis occurs. The text of this addition is not yet public.
VLOPS shall appoint a compliance officer responsible for monitoring their compliance with the DSA.

5. Enforcement and Sanctions [Articles 38 et seq.]

A. Digital Services Coordinator - Designation and Powers

Each Member State shall designate one or more competent authorities as responsible for the application and enforcement of the DSA, and one of these authorities shall be appointed by the Member State as its Digital Services Coordinator. This Digital Services Coordinator will be the main enforcement authority. For non-EU based intermediaries, the competent Digital Services Coordinator will be located in the Member State where these intermediaries have appointed their legal representative. If no legal representative has been designated, then all Digital Services Coordinators will be competent.
Digital Services Coordinators are granted investigation and enforcement powers—in particular the power to accept intermediary services’ commitments to comply with the DSA, order cessation of infringements, impose remedies, fines, and periodic penalty payment.
Users have the right to lodge a complaint against providers of intermediary services alleging an infringement of the DSA with the Digital Services Coordinator of the Member State where the recipient resides or is established.

B. Sanctions

Temporary access restrictions. Where enforcement measures are exhausted, and in case of persistent and serious harm, the Digital Services Coordinator may request that the competent judicial authority of the Member State order the temporary restriction of access to the infringing service or to the relevant online interface.
Fines. Sanctions shall be “effective, proportionate and dissuasive”. Member States shall ensure that the maximum number of penalties imposed for a failure to comply with the provisions of the DSA shall not exceed 6% of the annual income or turnover of the intermediary. The maximum amount of a periodic penalty payment shall not exceed 5% of the average daily turnover of the provider in the preceding financial year per day.

What's Next?

Once the final text of the DSA is published, this note will be updated. We will also be publishing more detailed information regarding the other key content-related obligations that will continue to apply alongside the DSA, to intermediaries operating in the French market.

If you have any questions, please do not hesitate to contact our team.

Authors

Julia Apostle Partner, Technology Transactions, Cyber, Privacy & Data Innovation

Paris

See my bio

D:+33153537500
E: [email protected]

Practice:

Technology & Innovation Sector
Technology Transactions
Cyber, Privacy & Data Innovation
Technology & Innovation

vCard

See full bio

Julia Apostle Partner

Paris

Julia counsels on compliance issues in relation to European and French tech and data regulations, including the GDPR, the Digital Services Act, the regulation of AI, the Data Act and other new and emerging legislation impacting online platforms, technology developers, and eCommerce businesses. She advises companies of all sizes on a wide range of compliance matters, ranging the drafting of internal policies, to assisting with regulatory investigations, and product counseling.

In the context of strategic transactions covering significant and complex technological issues, she is involved in the drafting and negotiation of agreements relating to data transfer, IT, software, content and brand licensing.

Qualified to practice in the UK and France, Julia is deeply familiar with the commercial considerations’ clients face, having practiced in-house at Twitter, Financial Times and CBS for more than a decade prior to joining Orrick.

Kelly Hagedorn Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

London

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Fintech
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kelly Hagedorn Partner

London

Kelly provides comprehensive regulatory advisory services to clients, including counseling on the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018. She has designed and implemented data protection compliance programmes for clients in a range of sectors, including technology, gaming, manufacturing, and private equity.

Kelly has worked with companies to respond to data incidents that range from small-scale issues that do not attract regulatory attention to large, multi-jurisdictional breaches requiring coordination across numerous different regulatory regimes. She has also advised extensively on litigation matters involving allegations of fraud and financial crime, and in connection with securities laws.

During her career, Kelly has undertaken secondments to the Serious Fraud Office and a major telecommunications company. At the Serious Fraud Office, she worked on a number of cases dealing with restraint and confiscation matters. During her time with the telecommunications company, she helped develop and implement the company’s group-wide anti-bribery compliance programme security associated with data retention, processing, and transfer.

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Furthermore, Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (4th ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2023 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Heather Egan Partner, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Technology & Innovation
Fintech
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan Partner

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU Artificial Intelligence Act
EU e-Privacy Directive
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Shannon also helps clients undertake comprehensive privacy, cybersecurity and artificial intelligence risk assessments, evaluates privacy, security and artificial intelligence risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and artificial intelligence compliance programs.

Rami Kawkabani Senior Associate, Technology & Innovation, Technology Transactions

Paris

See my bio

D:+33 1 5353 8157
E: [email protected]

Practice:

Technology & Innovation Sector
Technology & Innovation
Technology Transactions
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Rami Kawkabani Senior Associate

Paris

Rami advises clients in drafting and negotiating their contractual terms and in the context of strategic transactions covering significant and complex technological issues including in terms of liability and intellectual property.

He also regularly advises clients on compliance with tech and data European and French regulations (Digital Services Act, RGPD, Data Act, LCEN) and in the context of their commercial practices towards consumers.

Rami has spent time in-house with major tech companies, and is able to quickly understand his client’s requirements and priorities.

Related Areas

Cyber, Privacy & Data Innovation

The Four “W”s and One “H” of Europe's Digital Services Act

Quick Summary

Deeper Dive Into the DSA – An Overview of the Digital Services Act

What's Next?

Also of Interest

The Digital Services Act Is Here – And So Are Its Implications for...

Europe's Digital Services Act (DSA) is Approved: What You Need to Know

The Digital Services Act Takes Full Effect: 5 Takeaways for Businesses