The EU’s Digital Services Act: an update for UK businesses

On 17 February this year, the EU's Digital Services Act (DSA) became applicable to all "online intermediaries" (as defined below) across the EU. As one of the European Commission's flagship projects forming part of its wider digital strategy, this landmark regime aims to modernise the regulatory framework for digital services within the EU whilst navigating various issues presented by the digital age such as the spread of illegal content and the dominance of Big Tech.  

With online safety becoming an increasing regulatory focal point globally, the DSA forms part of a broader wave of legislation in this area. In the UK, for instance, the Online Safety Act, which bears some similarity to the DSA, will gradually come into force over the next 2 years (see our article on the then draft Online Safety Bill here). Following our previous comments on the DSA here, and as businesses develop practices to ensure compliance with this evolving landscape, we have set out below a recap of the key changes now in force and the important considerations for UK businesses.

Who is affected?

The DSA applies to providers that offer "intermediary services" to (or target) a significant number of recipients in the EU, including online platforms, hosting services, online consumer marketplaces, cloud storage services, as well as caching services, conduit services and online search engines. Given that the DSA applies irrespective of where a provider is established or located, nearly all UK businesses offering, or intending to offer, online services in the EU are affected by the new regime.

What are the key changes?

Utilising a four-tiered system, the DSA introduces different levels of obligations depending on the type of provider, with the most onerous obligations applying to very large online platforms (VLOPs) and very large online search engines (VLOSEs) that have at least 45 million average monthly recipients located in the EU. However, some of the DSA's obligations do not apply to small companies and micro-enterprises (with fewer than 50 employees and less than €10 million in annual sales). We have included below a non-exhaustive summary of the key obligations imposed on the affected providers.

Illegal content

One of the DSA's core features requires providers to implement measures to prevent the spread of illegal content and to act quickly and efficiently when dealing with such content. This includes cooperating with relevant national authorities and providing users with the necessary tools to flag illegal content. There is, however, no general obligation placed on providers to monitor content and they may be able to rely on an exemption from liability, even where illegal content is detected voluntarily or steps are taken to comply with national or EU law. What constitutes illegality in this context is determined by the law of the affected EU member state.

Transparency reporting

Providers must issue reports on the content moderation they have undertaken, as well as other details on their compliance with any take-down orders they receive and the respective actions taken. The exact requirements as to the details of such reports may be issued by the European Commission. Further, online platforms are required to be transparent regarding the volume of complaints they receive and the advertisements displayed on their platforms, including the performance metrics and targeting criteria used.

Additional obligations for VLOPs and VLOSEs

In addition, the DSA requires VLOPs and VLOSEs to establish an independent compliance function and conduct regular compliance audits together with a mandatory risk assessment prior to releasing any new features in order to adopt effective risk mitigation measures. A new crisis response mechanism also applies to VLOPs and VLOSEs enabling the European Commission to require specific actions be taken, and VLOPs and VLOSEs must create a repository of information in respect of the online advertising displayed on their platform.

What are the penalties for non-compliance?

As well as the potential for private law enforcement of the DSA, EU member states are empowered to appoint a Digital Services Coordinator (DSC) as the competent authority responsible for monitoring and enforcing compliance within that member state (or the European Commission in relation to VLOPs and VLOSEs). The DSC (or the European Commission, where applicable) receives comprehensive enforcement powers, including the ability to impose fines of up to 6% of a provider's global annual turnover (or 1% for violating an information obligation), and for the most severe breaches, to require a temporary suspension of the provider's services.

Implications for UK businesses

Recently, we have seen the European Commission take a proactive approach to enforcement of the DSA, by already investigating Meta for various potential violations under the regime, and by opening two sets of formal proceedings against TikTok in relation to its verification mechanisms and the platform's suspected addictive design. With this in mind, and given the reputational risk associated with non-compliance with the DSA, UK businesses operating, or intending to operate, in the EU should be taking a range of steps to ensure compliance with this new regime.

If businesses have not done so already, reviewing existing policies and procedures is vital, including policies related to transparency, data sharing and the spread of illegal content. This will allow for the implementation of the requisite control frameworks, compliance plans and technical solutions such as filtering systems and advertising transparency tools. Through taking such a proactive approach to compliance, UK businesses will be well-placed to keep pace with an evolving EU digital marketplace.

Should you be taking action?

The continued application of the DSA shall significantly impact digital organisations and their risk exposure. If you have any questions about your potential obligations under the DSA or any other concerns, please contact a member of our expert team below.