How does the DSA categorise the tiers?
Tier 1: all Internet Service Providers ("ISPs"), including the cloud infrastructure services and virtual private networks commonly used in the workplace
Tier 2: ISPs which provide hosting services
Tier 3: ISPs which provide online platforms services
Tier 4: very large online platforms ("VLOPs") and very large search engines ("VLOSEs") which have at least 45 million average monthly active recipients in the EU (roughly 10% of the total EU population)
Some of the DSA's obligations are not applicable to small companies and micro-enterprises (fewer than 50 employees and less than €10 million in annual sales).
All online providers are bound by the following obligations:
- When dealing with illegal content, providers need to act quickly and efficiently and without undue delay when national authorities request that the provider remove illegal content or provide information.
- There should be one electronic point of contact for direct communication with member state authorities, the European Commission, and the European Board for Digital Services. The same applies to users as they should have a single point of contact so they can talk to the provider "directly and efficiently." UK businesses must designate a legal representative in one of the EU member states where they offer their services if they don't have an establishment there. It is worth noting that this EU legal representative shall be liable for any violations of the DSA.
- Any restrictions imposed on the use of the services or the information provided by users must be explained in plain language, whether they are contained in policies, procedures, measures, and tools for moderation (including algorithms and humans) or in internal complaint-handling procedures. The restrictions must be applied "diligently, objectively, and proportionately" with due consideration for the fundamental rights of the users.
- At least once a year, providers must make public reports on their content moderation and takedown orders, along with illegal content reported.
Tier 3 and Tier 4 providers are subject to the following additional obligations:
- Hosting providers are required to provide a notice-and-action mechanism so that a person may notify any hosting service about the presence of illegal content, and the provider has an obligation to respond in a timely, diligent, and objective manner. In the event that the notice enables the provider to identify the illegality of the content without a detailed examination, this constitutes actual knowledge (under Article 6 DSA), which triggers the removal requirements. Furthermore, providers of online platforms must prioritize notices provided by trusted flaggers (experts who are certified by authorities), and VLOPs and VLOSEs are held to a higher standard for the speed and quality of their processing of notices and actions to remove online content.
- Higher up the tiers, there are increased requirements for reporting and complaint handling. These include:
(a) Hosting providers are required to report on the number of notices, the actions taken on them, and whether those actions were automated.
(b) Providers must offer a free and easily accessible internal complaint-handling system (e.g. for challenging suspensions). Whenever a decision is made, justifications must be provided to the user. Decisions cannot be made solely on the basis of computer algorithms. The provider must also explain the option for redress through an out-of-court dispute resolution body.
(c) Online providers must report on complaints and disputes (including out-of-court disputes) and the decisions and outcomes reached, including the number of user suspensions and the grounds for suspension, as well as the average number of monthly active recipients within the EU.
- It is forbidden for providers to use layouts, methods of operation, structures etc. to deny or restrict a user's freedom of choice. Examples include making it harder to terminate a service than to subscribe to it, or giving preference to certain choices. There is a limited application of this ban, however, since it does not apply to practices covered by the EU GDPR or the EU Unfair Commercial Practices Directive 2002.
- Users must be able to clearly identify where any information displayed is an advert, who is advertising and/or who financed it, and why they are being shown it. The providers should ensure that their online advertising is transparent and that it is easy for users to identify. A number of other advertising requirements apply, such as not targeting advertising based on special categories of personal data (as per EU GDPR) and not presenting advertisements to minors. All advertisements displayed by VLOPs and VLOSEs must be recorded and made publicly accessible.
- Providers of online platforms accessible to minors must implement appropriate measures to ensure enhanced data protection and safety for such minors.
- Whenever an online platform uses news feeds or other data sources, it must clearly specify the parameters used, explaining why particular information is suggested. Furthermore, VLOPs must provide recommender systems that do not use GDPR-compliant profiling to make recommendations to users of the online platform.
- VLOPs and VLOSEs shall be required to:
(a) undertake regular risk assessments;
(b) implement reasonable, proportionate and effective mitigation measures;
(c) appoint a compliance officer, independent of operational functions, to conduct regular independent compliance audits;
(d) share data on request to relevant authorities in order to assess compliance; and
(e) pay an annual supervisory fee.
- In a crisis situation (such as Russia's aggression in Ukraine), the EU Commission can use this mechanism to require VLOPs and VLOSEs to take specific action. There is a three-month time limit on the actions required, unless the crisis evolves and the timeline should be extended (by no more than three months).
How can your business prepare for the DSA?
UK online providers operating in the EU can take a range of steps to prepare for the DSA:
- Review their existing policies and practices to ensure they comply with the new DSA rules such as their policies on illegal content distribution, transparency in online advertising, and data sharing.
- Implement technology solutions to support compliance with the DSA including but not limited to content filtering systems, data management systems, and advertising transparency systems.
- Develop compliance plans outlining how they will comply with the DSA to cover any changes in policies and practices, the implementation of technology solutions and the training of staff.
- Seek legal advice to ensure they understand their particular obligations under the DSA and are taking appropriate steps to comply with them.
UK businesses whose online platforms also operate within the EU will be affected by the DSA, which is an important development in EU digital regulations. Take proactive measures to prepare for the DSA in order to keep your online business competitive in the EU digital market and comply with the new rules.