The Digital Services Act: The New GDPR?

Over the past decade, Europe has clearly demonstrated, with the General Data Protection Regulation (GDPR), its ambition to become the global lead regulator on new technologies. With the publication of the Digital Services Act (DSA) draft legislation on 15 December, the European Commission is now overhauling its framework for digital services (the European “safe harbour”), adopted in 2000 with the e-Commerce Directive. This long-awaited piece of legislation aims to better reflect and address the evolution of the digital economy over the past twenty years and related risks (such as online fraud and disinformation on COVID19) by adopting a set of new rules for all digital services operating in the EU. The DSA is part of a broader package which includes a Digital Markets Act (DMA), a legislative instrument to regulate the market power of Big Tech by identifying digital “gatekeepers” and presenting a series of prohibitions and obligations that gatekeepers must comply with.

The new rules introduced by the DSA regulate the obligations of providers of digital services and give more protection to consumers and to fundamental rights online. The purpose of these rules is to ensure that online platforms behave more responsibly online without necessarily making them legally liable for every piece of content uploaded by their users.

Therefore, the rules on liability under the DSA stay similar to the current regime (with only a specific category of hosting services created for online platforms). The main modifications introduced by the DSA are due diligence obligations for digital services—with few applicable to all (such as harmonized obligations for the removal of illegal content) and others only applicable to online platforms (such as transparency measures on advertising and obligation to verify the identity of their business customers). The DSA also includes additional obligations for ‘very large only platforms’ on systemic risks and a new oversight structure.

Given the important impact on the future of the EU digital sector, each provision of the DSA is expected to be harshly debated by the European Parliament and Member States (in the Council of the EU), and by stakeholders from the industry, academia, think tanks and NGOs. Nonetheless, some issues are likely to be front and centre from the start of the negotiations:

  • Scopeof ‘very large online platforms’. Additional obligations apply to platforms that have an average number of monthly active users of at least 45 million users across EU. This number is likely to be hotly debated as a number of European platforms may be potentially captured. In case of breach of their additional content regulation obligations, ‘very large online platforms’ may face fines up to 6% of their global annual revenue, higher than the GDPR fines which are set at 4%.
  • New rules on traceability of business users. This measure requires online platforms to first check the identity of the traders using their services before allowing them to conclude distance contracts (on products or services) with their users. However, the European Parliament, IP and Brand owners have already called for all digital services to be captured in the scope of this new obligation and will lobby strongly to see its scope broadened as much as possible.
  • Enforcement. Just like for the GDPR, effective enforcement will be the main question. To ensure that the obligations are properly implemented by digital services, the Commission proposed a quite complex supervisory and enforcement structure. As it currently stands, authorities from Member States can for example carry out on-site inspections, impose interim measures or remedies, impose fines and request judicial authorities to temporarily restrict access to the service concerned. In case of infringement by a very large online platform of its specific obligations, the Commission has powers similar to the Member States. The Commission may also order such platforms to provide access to and explanations on its databases and algorithms for monitoring purposes. With this proposal, the Commission obtains significant enforcement powers over such platforms.

Negotiations on the DSA proposal are expected to be tough and lengthy, as the Member States and the European Parliament—now jointly in charge of the negotiations—have already strong opinions on platform regulation. Hate speech laws are debated or have been recently adopted in Germany, France and Austria, putting pressure on the EU to take a stand. In the meantime, the European Parliament has already positioned itself, with non-binding reports adopted in October 2020 sending strong messages on online advertising and consumer protection. The EU will also need to take into account developments across the Atlantic, with a Biden administration potentially amending Section 230 of the Communications Decency Act (CDA). A final text is not expected before at least 2022 and one thing can be certain: like the GDPR, there will be a before and an after DSA in platform regulation.