Digital Services Act explained: new obligations for online businesses and other digital services

Member State judicial or administrative authorities may order service providers to remove illegal content or to disclose information on service recipients (i.e. users). In this respect, the DSA introduces a special information mechanism (Art 9 and 10), under which orders should comply with certain formal requirements and, in turn, providers are obligated to inform the issuing authorities about the effects given to these orders without undue delay. In addition, affected users must also be informed about the effects given to such takedown and disclosure orders, accompanied by information on their territorial scope and existing possibilities for redress.

All service providers must designate single points of contact and publish respective (electronic) contact information for both:

• communications with Member State authorities, the Commission, and the European Board for Digital Services (Art 11) and
• communications with users (Art 12).

In addition, providers without an EU establishment must appoint an EU-based legal representative to receive, comply with, and enforce DSA-related decisions (Art 13). These representatives may also bear liability for DSA non-compliance, without prejudice to any liability of the provider itself.

All service providers must revise applicable terms and conditions (T&Cs) to introduce information regarding their content moderation practices and internal complaint procedures (Art 14). These revisions should include detailed explanations on any content-related policies, procedures, measures and tools, including information on algorithmic decision-making and human review.

The information must be easily accessible, in machine-readable format, and written in a plain, intelligible, and unambiguous language. In this respect, special care must be taken (and age-appropriate language used) where the service is intended for minors. Furthermore, users must be notified of any significant modifications to the T&C.

All service providers are required to publish annual reports that are easily accessible and in a machine-readable format, providing clear and comprehensible information with respect to any content moderation activities undertaken during the specified reporting period (Art 15). Depending on the type of service, this may include information concerning takedown or other orders received from competent authorities, content notices by users and trusted flaggers, as well as complaints received through internal complaint-handling systems.

Given the extent of information to be reported, providers should assess whether their content moderation systems (e.g. dashboards) enable them to efficiently extract, document, and report the required information. Moreover, the Commission may adopt implementing acts to introduce templates apropos the form, content, and other details of these reports, including harmonised reporting periods.

Hosting providers shall implement user-friendly (electronic) mechanisms (e.g. via online forms or other functionalities) that enable users and third parties to report illegal content by submitting sufficiently precise and adequately substantiated notices (Art 16). Upon receiving a notice, the service provider must, without undue delay, confirm receipt and follow-up with the user once a decision in respect of the notice has been reached. In the context of the provider’s reasoned decisions, the user should also be informed about the possibilities for redress.

Decisions on notified content must be taken in a timely, diligent, non-arbitrary, and objective manner, which requires providers to implement adequate technical and organisational precautions such as sufficiently detailed notice forms and adequate staffing. Additionally, where automated means are used for decision-making, this must be disclosed to the user.

Hosting providers are required to provide affected users with clear and specific explanations, so-called statements of reasons, whenever they impose restrictions (e.g. removal/demotion of content or suspension/restrictions of user accounts) on the basis that user content is unlawful or in violation of the provider’s T&C (Art 17).

The statement of reason must include, inter alia, details related to the consequences of the decision, its territorial scope and duration, information on any automated decision-making means, as well as the facts, circumstances, and legal basis relied upon in the decision. Furthermore, the affected user must be informed with regard to available redress possibilities.

When a hosting provider becomes aware of any information that gives rise to the suspicion that a criminal offence involving a threat to the life or safety of persons has taken place, this must be promptly notified to the competent authorities (Art 18).

Providers of online platforms must implement an effective, internal complaint-handling mechanism (Art 20), which enables users to file complaints against the provider’s content-moderation decisions (e.g. decisions to remove/disable user content or to suspend/terminate the user’s service access). The ability to make a complaint must be available to users for at least six months from their receipt of the decision, and any submitted complaints must be handled in a timely, non-discriminatory, diligent, and non-arbitrary manner. Moreover, decisions require appropriately qualified human supervision and may thus not be taken solely on the basis of automated means.

If the complaint proves to be justified on the basis of the aforementioned criteria, the provider is obligated to reverse the contested decision (e.g. to reinstate content or an account). The provider must also inform complainants of its reasoned decision along with available redress options, including detailed information about mandatory out-of-court dispute settlements (Art 21) and other remedies.

Providers of online platforms must ensure that notices submitted by so-called “trusted flaggers” are given priority and are processed without undue delay (Art 22). Trusted flaggers will be appointed by the Member State’s Digital Services Coordinator and the Commission will maintain a publicly accessible database of trusted flaggers. Providers should thus ensure that they have technical and organisational measures in place that allow them to identify, prioritise, and promptly process notices submitted by trusted flaggers.

To combat the misuse of their systems, online platform providers must suspend, for a reasonable time-period, their services for users who frequently provide manifestly illegal content (Art 23). In addition, providers must also suspend the processing of notices or complaints by individuals who frequently submit manifestly unfounded notices. In both instances, prior warnings need to be issued and the applicable process must be clearly outlined in the providers’ T&Cs, alongside examples of circumstances that are taken into account when assessing what constitutes such a misuse.

Providers of online platforms are subject to further transparency reporting in addition to the Art 15 reports (see obligation 4 above) (Art 24). In particular, they must submit reports to the Commission including, inter alia, details concerning the disputes submitted to the out-of-court dispute settlement, pursuant to Art 21 and the number of suspensions imposed based on system misuses in accordance with Art 23. Additionally, every six months, such providers must publish information on the number of average monthly active users on their online interface. Lastly, content-restriction decisions and respective statements of reasons (Art 17) must be submitted to the Commission’s transparency database. The Commission may adopt implementing acts to introduce templates concerning the form, content and other details of such reports.

Providers of online platforms are required to ensure that their interfaces meet certain design and accessibility standards (“user interface transparency by design“) (Art 25). In particular, providers must refrain from designing their online platforms in a way that seeks to shape user behaviour in a particular way (prohibition of so-called “dark patterns”) or in any other deceitful or manipulative manner that would impair users’ ability to make free and informed decisions.

As such, the DSA inter alia prohibits platform interfaces that deceitfully or manipulatively promote certain user choices over others, or repeatedly request user choices that have already been made. Moreover, the DSA prohibits user lock-ins through termination mechanisms that are more complicated than the initial subscription or sign-up. The Commission may issue guidelines applicable to specific deceitful practices.

Online platform providers should thus conduct an audit of their online interfaces to ensure that they comply with the principle of “user interface transparency by design” and do not contain any dark patterns.

Providers of online platforms are subject to heightened advertising transparency requirements (Art 26). In particular, these providers must clearly identify online advertisements as such and reveal adequate information about the advertisement’s source and financing.

Moreover, with respect to the targeted advertising, providers must reveal information relating to the main parameters of how target groups are determined and, where applicable, how to change those parameters. Targeted advertisements based on profiling using special category data (as defined under Art 9 GDPR) are prohibited outright.

Providers of online platforms, which have recommender systems in place, are required to set out the main parameters used in such systems in their T&Cs, including any available options for users to modify or influence said parameters (Art 27). These main parameters should explain why certain content is suggested and include, at the very least, the most significant criteria for user recommendations and the reasons for the relative importance of those parameters.

Providers of online platforms accessible to minors are required to implement appropriate and proportionate measures to maintain a high level of security, privacy, and safety of minors (Art 28). Inter alia, providers are prohibited from presenting targeted advertisements based on profiling using the personal data of minors. The Commission may issue guidelines to assist with the implementation of these appropriate measures.

Providers of online marketplaces allowing B2C distance contracts (B2C online marketplaces) are required to conduct KYBC (“know your business customer“) checks on new traders offering products or services to consumers in the EU, including the vetting of information provided through reliable services (Art 30). For any existing traders, providers of B2C online marketplaces are required to make best efforts to conduct such KYBC checks within 12 months.

Providers of B2C online marketplaces must design their online interfaces in a way that allows traders to comply with their obligations regarding pre-contractual compliance and product safety information under applicable Union law (Art 31). They must also allow traders to clearly identify those products and services they offer to customers within the EU and to add relevant product labels (e.g. compliance markings). Finally, providers shall make best efforts to randomly check in any official, freely accessible, and machine-readable online database whether the products and services offered have been identified as illegal.

B2C marketplace providers should thus check whether their online interfaces comply with the principle of “compliance by design” and ensure that there is a mechanism in place for random checks for illegal products and services.

If the provider of a B2C online marketplace becomes aware that an illegal product or service has been offered through its services, the provider must inform consumers who purchased the illegal product or service of this fact and disclose the identity of the trader and any relevant means of redress (Art 32). This shall apply to any purchases within the six months preceding the moment that the provider became aware of the illegality. If the provider does not have contact details of the consumers, the respective information must be made publicly available.

Lastly, VLOPs and VLOSEs face extensive additional compliance obligations under Chapter III, Section 5 DSA. Specifically, providers of VLOPs and VLOSEs must undertake the following:

• conduct a risk assessment (Art 34) and implement risk mitigation measures (Art 35)
• implement a crisis response mechanism (Art 36)
• commission annual independent compliance audits (Art 37)
• implement at least one non-profiling-based recommender system option (Art 38)
• observe heightened advertising transparency (Art 39)
• provide data access and scrutiny to supervisory authorities (Art 40)
• install a compliance function, such as a “DSA Officer” (Art 41)
• file additional transparency reports (Art 42)
• pay supervisory fees (Art 43)