Digital Service Act

Last year, the new “Digital Services Act” (or “DSA”) was published (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC).

The DSA regulation applies to ‘mere conduit’, ‘hosting’ and ‘caching’ services providers (including a.o. online marketplaces). It refines existing rules under the e-Commerce Directive (Dir. 2000/31 – implemented in art. XII.17-XII.20 BCEL) on liability exemption in case illegal content is stored, transmitted or accessed through the services and installs new obligations for battling such illegal content.

The DSA shall have direct effect as of 17 February 2024 (no national implementing law is required).

We have prepared a straightforward Q&A for you covering the most important questions regarding this new DSA.

To whom will it apply?

The DSA focuses on providers of “intermediary services”.

With “intermediary services” the DSA means:

1. mere conduit services, such as internet exchange points, wireless access points, virtual private networks, DNS services and resolvers, top-level domain name registries, registrars, certificate authorities that issue digital certificates, voice over IP and other interpersonal communication services (e.g. domain name provider such as dns.be);

2. caching services, such as the sole provision of content delivery networks, reverse proxies or content adaptation proxies (e.g. web browser such as Microsoft Edge);

3. hosting services, such as webhosting and cloud computing services, but also online platform services (e.g. social networks and online marketplaces such as 2dehands.be or Vinted).

Whether a specific service constitutes a ‘mere conduit’, ‘caching’ or ‘hosting’ service depends solely on its technical functionalities, which might evolve in time, and should be assessed on a case-by-case basis.

The DSA applies to service providers that offer intermediary services to recipients (either natural persons or legal entities) that are located in the EU, irrespective of where the service providers have their place of establishment.

The DSA shall hence also apply to service providers established outside the EU but offering intermediary services to EU citizens. Such companies will be obliged to appoint a legal or natural person to act as their legal representative in one of the Member States where it offers the intermediary services.

Watch out! Another piece of legislation, the Digital Single Market directive (DSM Dir. 2019/790 – implemented in art. XI. 228/2 et seq. BCEL), applies to hosting services providers that are “online content-sharing service provider”, which is the case when one of one’s main purposes is to store and give the public access to a large amount of copyright-protected works or other protected subject matter uploaded by its users, for profit-making purposes (e.g. platform such as YouTube, Soundcloud). The DSM directive holds specific obligations for such platforms.

What is it about?

The DSA establishes amongst others:

1. a framework for the conditional exemption from liability of providers of intermediary services;

2. rules on specific due diligence obligations tailored to certain specific categories of providers of intermediary services.

When will the exemption of liability apply?

Regarding the first point, the DSA repeats (to a certain extent) and refines the liability exemptions that already existed for ‘mere conduit’, ‘caching’ and ‘hosting’ services under the e-Commerce Directive (Dir. 2000/31).

For each intermediary service there are varying legal conditions to be met to enjoy an exemption. As a general rule, to enjoy an exemption, it is necessary that the service provider in no way intervened with the transmission, storage or providing access to such illegal content (for each of the service categories, the DSA lists the specific conditions to be complied with).

If the conditions are met, the providers of intermediary services cannot be held liable for any illegal information they transmit, store or provide access to. Some examples of “illegal content” are illegal hate speech or terrorist content and unlawful discriminatory content, images depicting child sexual abuse, online stalking, sale of non-compliant or counterfeit products, sale of products or the provision of services in breach of consumer protection law, non-authorised use of copyright protected material, illegal offer of accommodation services or illegal sale of live animals.

Watch out! If you qualify as an “online content-sharing service provider” under the DSM directive, the liability restrictions under this directive will have to be considered. In any event, if you unlawfully give the public access to copyright protected works or other protected subject matter uploaded by your users, you will not be able to enjoy the exemption of liability as a “hosting” service provider under the DSA (art. XI.228/3, §3 BCEL).

Do the due diligence obligations include general monitoring?

The DSA explicitly states that the providers of intermediary services have no general monitoring obligation.

They are free to voluntarily and in good faith install certain monitoring mechanisms or own-initiative investigations or take other measures aimed at detecting, identifying and removing, or disabling access to, illegal content. Using such mechanisms does not make the service provider as such ineligible for the exemption of liability.

The DSA does install some ‘due diligence’ and transparency and other obligations to react in case of an order of a competent authority.

For example, all providers of intermediary services will have the obligation to:

• include in their general terms and conditions information on any restrictions that they impose in relation to the use of their service in respect of information provided by the recipients of the service;

• make publicly available, in a machine-readable format and in an easily accessible manner, at least once a year, clear, easily comprehensible reports on any content moderation that they engaged in during the relevant period;

• provide specific information about one or more specific individual recipients of the service, upon receipt of an order by a relevant national judicial or administrative authority;

• designate a single point of contact to enable authorities and recipients of the service to communicate directly and rapidly with them, by electronic means and in a user-friendly manner.

In addition, hosting service providers, including online platforms, will for example have the obligation to:

• install notice-and-takedown mechanisms, meaning to put mechanisms in place to allow any individual or entity to notify them of the presence on their service of specific items of information that the individual or entity considers to be illegal content and to diligently act upon such notice. Such mechanism shall be easy to access and user-friendly and must allow for the submission of notices exclusively by electronic means. This obligation is in principle not new as it already existed under the previous e-Commerce Directive;

• where measures are taken to make certain content unavailable or in any other way restrict access thereto, based on allegations of such content being illegal, the service provider shall inform the affected user that has placed such content online, with an extensive motivation. The minimum elements that must be included in this motivation are listed in the DSA;

• report on suspicions that a criminal offence involving a threat to the life or safety of a person or persons has taken place, is taking place or is likely to take place, to the judicial or law enforcement authorities.

The DSA also holds specific obligations for big online platforms, i.e. online platforms that cannot be qualified as ‘micro’ or ‘small’ enterprises (within the meaning of Recommendation 2003/361/EC). These obligations include for example the obligation to install a complaints handling mechanism.

Where an online platform (regardless its size) allows consumers to contract with big companies, (i.e. companies that cannot be qualified as ‘micro’ or ‘small’ enterprises (within the meaning of Recommendation 2003/361/EC)), additional obligations apply, e.g. in terms of ‘due diligence’ on such companies (e.g. request certain information and certifications prior to allowing them to use the platform, and obligations regarding the manner in which the user interface of the online platform is designed and organised, to allow the companies to comply with their precontractual information obligations and product liability obligations vis-à-vis the consumers).

Watch out! If you qualify as an “online content-sharing service provider” under the DSM directive, additional obligations in this regard may apply.

What should I do?

As a starting point, if you deem it likely that your company falls within the DSA’s scope, we recommend amongst other the following steps:

• review your terms and conditions and privacy policy(ies) to ensure that they are up to date and contain the necessary information (e.g. on what types of content moderation mechanism you will deploy, that user’s data may be transferred to authorities upon their request, etc.);

• set-up business processes to keep track of any content moderation that you undertake;

• publish a report regarding this content moderation on your website, at least on a yearly basis;

• appoint a SPOC within your company and publish their contact details on your website/application for easiness;

• =provide for sufficient internal procedures and training to efficiently respond to an official request of a judicial or administrative authority.

Further it is of importance to determine whether your company qualifies as ‘mere conduit’, ‘cashing’ or ‘hosting’ service provider, or as more than one of these categories, as specific obligations may apply. In addition, also keep in mind other legislation that may be applicable to your company (or certain services offered), such as the DSM directive, GDPR (Reg. 2016/679), AVMS directive (Dir. 2018/1808, transposed on regional level) or the regulation regarding the dissemination of terrorist content (Reg. 2021/784), possibly triggering additional obligations.

Where the intermediary services provided by your company are covered by different sections of the DSA (e.g. certain services qualify as ‘hosting’, others as ‘mere conduit’) the relevant provisions of the DSA shall apply in respect of those services that fall within their scope.

Based on this qualification, the obligations under the DSA should be identified and the necessary steps should be taken to bring your company into compliance by 17 February.

It is left to the EU member states to establish/appoint (a) competent authority(ies) to be responsible for the supervision of providers of intermediary services and enforcement of the DSA and to designate one of these competent authorities as “digital services coordinator” which shall be responsible for the coordination of the competent authorities in said member state and has extensive powers including the power to conduct investigations and impose fines. Member States are allowed to determine the fines within the framework provided by the DSA that provides for a maximum fine of 6% of the annual worldwide turnover of the provider of intermediary services concerned in the preceding financial year. Belgium has to date not yet adopted any other legislation in this regard.

Should you have any questions in this regard, do not hesitate to reach out to one of the members of the IP/IT/Data protection team of Liedekerke on their individual e-mail address or via ip/it-team@liedekerke.com.