Overview of the Digital Services Act (DSA)
The Digital Services Act (DSA - EU Regulation 2022/2065) is a directly applicable legal act of the EU with a number of requirements that companies with online presences must observe. The specific scope of the requirements to be observed depends on the exact classification of the service offered. Some companies therefore only have to make additions to the legal notice, while other companies have to publish annual transparency reports or carry out extensive checks of their own customers' details and supplement their own technology, e.g. by adding interfaces. It is therefore important to know whether your own company falls under the Digital Services Act (DSA) at all and which specific requirements need to be implemented.
Intermediary services
The term "Digital Services Act" is not very meaningful with regard to the content of the regulations. The Digital Services Act covers so-called intermediary services. An intermediary service can take three forms:
Pure conduit or access provider. According to the definition in the Digital Services Act, this consists of
transmitting information provided by a user in a communications network or providing access to a communications network.
Caching service. As defined in the Digital Services Act, this consists of
transmitting information provided by a user in a communications network, with automatic, temporary caching of that information for the sole purpose of making the transmission of the information to other users more efficient at their request.
Hosting service or hosting provider. As defined in the Digital Services Act, this consists of
storing information provided by a user on their behalf.
Depending on the specific form, the Digital Services Act places different requirements on hosting services. A distinction must be made between the following three forms:
"simple" hosting service
Online platform
Online platform on which entrepreneurs offer services to consumers (B2C)
More details on the hosting service and its various forms can be found below.
Online search engines and so-called "very large online platforms"
In addition to intermediary services, online search engines and so-called "very large online platforms" are also covered by the Digital Services Act. These are subject to significantly different and additional requirements in various respects, which is why these are not discussed in detail in this article.
General requirements for every intermediary service
According to the Digital Services Act, the following points in particular must be observed for each type of intermediary service:
Designation of a point of contact for public authorities
Designation of a contact point for users
Adaptation of the GTC with regulations in the event of content restrictions
Annual transparency reports, with exceptions for micro and small enterprises (see below for more details)
Simple hosting service
In the case of a hosting service, the following additional requirements must be observed in addition to the general requirements for intermediary services described above:
Structuring your own liability with a view to obtaining knowledge of content, for example with regard to the use of automated tools to detect illegal content
Establishment of a reporting procedure for users regarding illegal content
Provision of a statement of reasons in the event of measures due to illegal content
Notification of authorities in the event of suspected criminal offenses
In order to implement the above requirements, it will be necessary in particular to take organizational measures and adapt the current GTC.
Hosting service in the form of an online platform
Stricter requirements must be observed if the hosting service is operated in the form of a so-called online platform. An online platform is defined as follows
a hosting service which stores and publicly disseminates information on behalf of a user, provided that this activity is not merely an insignificant and purely ancillary function of another service or an insignificant function of the main service which, for objective and technical reasons, cannot be used without that other service, and provided that the integration of the ancillary or insignificant function into the other service does not serve to circumvent the applicability of this Regulation.
However, it should be noted that an exception for micro and small enterprises applies to online platforms. Therefore, although an online platform is operated within the meaning of the Digital Services Act, the relevant regulations do not have to be observed if the corresponding thresholds are not exceeded. The exemption applies to micro and small enterprises, which are to be understood as follows in accordance with an EU recommendation:
A small enterprise is defined as an enterprise that employs fewer than 50 persons and whose annual turnover or annual balance sheet does not exceed EUR 10 million.
A microenterprise is defined as an enterprise that employs fewer than 10 persons and whose annual turnover or annual balance sheet does not exceed EUR 2 million.
A further exception exists if the company only has an "insignificant and purely ancillary function".
If the above exceptions do not apply, the further requirements of the Digital Services Act for online platforms must be observed in addition to the requirements outlined above. These are in particular:
Regulations in the case of decisions towards users such as blocking and suspension of content or the suspension of monetary payments, insofar as this is intended to punish measures due to illegal content by this user or violations of their own terms and conditions. Access to an internal complaints management system must also be granted for at least six months.
Information on out-of-court dispute resolution must be provided.
In the case of reports by so-called "trustworthy whistleblowers", these are to be processed as a priority. This presupposes that appropriate adjustments are made for querying this status.
A stricter ban on so-called "dark patterns" must be observed.
If advertising is displayed on the online platform, users must be shown various information in real time, including the most important parameters for selecting the users to whom this advertising is currently being displayed.
Users must be able to declare on the platform whether their content constitutes so-called commercial communication. If such a declaration is made, it must be displayed to other users on the online platform.
Advertising using special categories of personal data (sensitive personal data) is not permitted.
In the case of the use of recommendation systems, there are special transparency requirements that require, among other things, a supplement to the GTC.
If it is "reasonably certain" that users are minors, advertising using any personal data relating to them is not permitted.
Hosting platform in the form of an online platform with users in the B2C sector
If the online platform is also used specifically to enable consumers to conclude distance contracts with companies (i.e. B2C), the following key requirements must also be taken into account in addition to the requirements from the previous sections (General requirements for intermediary services, requirements for simple hosting services and requirements for online platforms):
Entrepreneurs may only be allowed to offer goods or services or advertise them on their own online platform if certain information, including a self-certification from the respective entrepreneur, has been requested beforehand.
The information provided by the entrepreneur must be checked for accuracy to a certain extent, e.g. by comparing it with freely accessible, official online databases.
Liability is assumed for the information provided by the companies.
If there is any doubt about the accuracy of the information provided by the companies, access by these entrepreneurs must be suspended and clarification must be sought.
Technical measures must be taken to ensure that conformity with certain requirements of the Digital Services Act is maintained as far as possible. To implement this, the online platform must be designed technically and organizationally in such a way that companies acting as users can provide the necessary information, for example with regard to necessary information on product safety and product conformity of the goods and services offered.
The information provided by the companies on product safety and product conformity, among other things, must be checked at least summarily for accuracy before the companies are given the opportunity to offer the goods or services on the online platform. After the offer has been made, random checks must be carried out.
If knowledge is obtained that an illegal product has been offered via the online platform, those consumers who have purchased the illegal product must be informed of this fact and some further information, e.g. by email. If this is not possible, this information must be made public.
Taking the necessary measures
The first step is to check whether your own company falls within the scope of the Digital Services Act. To this end, it must first be determined whether an intermediary service exists (the aspects of an online search engine and a very large online platform are not considered in depth in this article).
If your own company falls within the scope of application, it must be clarified exactly what type of intermediary service exists. Depending on this, the requirements for the design of one's own presence, the organizational measures, the necessary contractual regulations and the information to be provided vary in intensity.
In simple cases, this may essentially mean that additions must be made to the legal notice (as well as the corresponding organizational measures). In other cases, a not insignificant addition to the programming of the service may be necessary. In most cases, the General Terms and Conditions (GTC) will also need to be amended to include provisions on blocking, remedial procedures and other measures, for example. In addition, certain information must be provided, which will often also be included in the company's own general terms and conditions.
In connection with the above measures, it should also be checked whether measures based on related, separate regulations, such as the EU P2B Regulation, must be observed.
Status: 10.07.2024