The Digital Services Act will become fully effective on 17 February 2024. The intention of the legislators is that “everything that is illegal offline should also be illegal online”. For operators of digital services, the Digital Services Act brings comprehensive new regulations for greater transparency and more consumer protection. Read here who the Digital Services Act applies to and what to consider when implementing it.

What is it about?

The European Union adopted a comprehensive regulatory package in November 2022, consisting of two regulations: the Digital Services Act and the Digital Markets Act. This post will focus on the Digital Services Act, and a subsequent post will cover the Digital Markets Act. As EU regulations, the new rules are immediately enforceable for all companies in Europe, without the need to implement the laws in the member states. The aim is to create a uniform legal framework for the entire EU, with the Digital Markets Act leading to fair competition between platform providers and the Digital Services Act leading to better protection of fundamental rights and effective law enforcement on the Internet.

Which companies are affected by the Digital Services Act?

The Digital Services Act follows a four-tier regulatory approach.

At the first tier, the Digital Services Act applies to digital services that provide consumers resident or established in the EU with access to content, goods, and services, whether the providers are based in the EU or outside. The Digital Services Act refers to these services as “intermediary services” (Tier 1). Included in this broad definition are all online services aimed at consumers, such as sales platforms, social networks, search engines, cloud and messaging services.

More extensive regulations apply to “hosting services” (Tier 2) that store information provided by users on their behalf, e.g. web hosting services and cloud computing services.

For “online platforms” (Tier 3), which are hosting services that store and publicly share information on behalf of users (e.g., sales platforms, social networks), regulations beyond Tier 1 and 2 apply.

For online platforms with more than 45 million users per month – these are defined as “very large online platforms” (Tier 4) – are subject the most intensive regulation. The EU Commission has so far named 17 very large online platforms (e.g. Google, Meta, Apple). They must comply with the provisions the Digital Services Act as early as 25 August 2023.             

What new regulations result from the Digital Services Act for companies?

Some of the regulations from the Digital Services Act are already found in existing laws in Germany, while other significantly stricter regulations are also new for German companies.

Central to the Digital Services Act is that all intermediary services are made responsible for fighting illegal content, goods and services and deleting corresponding entries after they have been reported by users. Intermediary services are required to provide appropriate reporting channels. There is explicitly no obligation to pre-screen content. Calls for violence and illegal hate speech should thus be removed more quickly than before. The sale of dangerous or counterfeit products is also to be uniformly prevented throughout Europe.

The law also increases transparency obligations towards users. For example, misleading user interfaces are to be prohibited, as is the use of manipulative “dark patterns” to persuade consumers to make certain purchasing decisions. Dark patterns describe user interface designs that are intended to induce users to take actions that run counter to their interests.

Sensitive data, e.g. origin, health and sexual orientation, may no longer be used for individually tailored advertising. The protection of children and young people is to be strengthened by ensuring that platforms are not allowed to use their data for personalized advertising and tracking. The terms of use of platforms that use recommendation algorithms must explain which factors guide the recommendations. In addition, users must be provided with an internal complaint management system on the part of the providers. Intermediary services that do not have a branch in the EU must appoint a legal representative in a member state who can be held liable for violations of the Digital Services Act.

For “very large online platforms” with more than 45 million monthly users, the Digital Services Act places them under the supervision of the European Commission as the primary regulator, which is intended to ensure consistent implementation and control of the regulations. Providers of “very large online platforms” will have to pay an annual supervision fee to the Commission. They will also be required to conduct annual risk assessments and make their recommendation algorithms (including for research purposes) more transparent.

Violations of the Digital Services Act can result in severe fines for companies of up to six percent of annual global revenue, but other measures such as temporary suspension of services may also be taken.

What is the advice for companies?

Companies operating digital services that provide consumers resident or established in the EU with access to content, goods, and services should take advantage of the remaining transitional period until 17 February 2024 to examine whether and to what extent they are addressed by the law and what measures are required. Even if smaller and medium-sized online platforms are affected by fewer new regulations, they must evaluate whether their currently established compliance mechanisms are sufficient and, if necessary, take additional measures.