
Security on the Internet. New European initiative – digital services act


The Digital Services Act[1] (referred to as the "DSA") was adopted as part of the European data strategy presented by the European Commission ("EC") in February 2020.

The DSA establishes harmonised rules for the online environment, aiming to ensure security, predictability and trust by introducing mechanisms for the protection of the fundamental rights enshrined in the Charter of Fundamental Rights of the European Union (hereinafter the "Charter"), inter alia by introducing a liability regime applicable to providers of certain services for illegal content available online.
 

What services will the DSA provisions apply to?

The DSA will apply to:

  • service of transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network ("mere conduit" service);
  • service of transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, for the sole purpose of making the information's onward transmission to other recipients upon their request more efficient ("caching" service);
  • service of storage of information provided by, and at the request of, a recipient of the service ("hosting" service).


The above services are collectively referred to as intermediary services, i.e. information society services - provided for remuneration, at a distance, electronically and upon individual request of the service recipient.

Intermediary services may be provided separately, as part of another type of intermediary service, or simultaneously with other intermediary services. Whether a service is a "mere conduit", "caching" or "hosting" service has to be assessed on a case-by-case basis, taking into account that the relevant qualification depends on technical functions that may evolve over time. Not all providers of intermediary services will be required to comply with the obligations imposed by the DSA. The DSA will apply to:

  • sales platforms
  • social networking platforms (including networking and information sharing platforms)
  • online application shops
  • booking platforms (including travel and accommodation)

The following have been excluded from the scope of the DSA:

  • online platforms where the dissemination to the public is merely a minor and purely ancillary feature of another service (e.g. a comment section of an online newspaper because of its ancillary nature to the main service; a cloud computing service if public dissemination of information is an insignificant and ancillary feature or a minor functionality of such services);
  • online platforms used for communication between a limited number of people specified by the sender of the message (e.g., e-mail or private messaging services).

Entrepreneurs with micro- or small-enterprise status, including during the 12 months after losing such status, will be excluded from a significant part of the obligations foreseen for online platform providers.

Will the DSA cover non-EU entities?

Yes. The DSA will apply to intermediary services that are offered to recipients established in the Union or to recipients located in the Union, regardless of where the intermediary service providers are established. However, the mere technical availability of a website from the Union will not be sufficient. In order for a supplier to be deemed covered by the DSA (and therefore to be 'substantially connected to the Union'), an analysis of the degree of connection to the EU will be necessary. The DSA provides an illustrative catalogue of factors to be taken into account in making such an analysis - these will include:

  • establishment of the provider - if located within the Union;
  • number of recipients of the service - if, in one or more Member States, it is significant in proportion to the population of the Member State(s) concerned;
  • targeting of at least one Member State - if the provider uses a language or currency that is widely spoken in that Member State, or if it offers the possibility to order products or services, and if the application offered by the provider is available in a given national app shop or its advertisements are present in the local market of this Member State.

What sanctions does the DSA provide for?

Under the DSA, if the activity carried out falls within the scope of the DSA, the supplier will be liable for the information transmitted or stored if it is of an illegal nature. However, the supplier's liability is not absolute: the DSA presents a catalogue of situations in which the liability of the provider will be excluded.
 

It is left to the discretion of the Member States to lay down rules on sanctions in the event of a breach of the DSA. The DSA itself contains only general guidelines, which set out the following framework provisions:

  • the maximum amount of administrative fines, which may be imposed for failure to comply with an obligation laid down in the DSA, is to be up to 6% of the annual worldwide turnover of the fined intermediary service provider in the preceding financial year,
  • the maximum administrative fine that may be imposed for providing incorrect, incomplete or misleading information, failing to reply or correct inaccurate, incomplete or misleading information and failing to submit to an audit is up to 1% of the annual income or worldwide turnover of the fined intermediary service provider or person in the preceding business year,
  • the maximum daily amount of the periodic penalty is to be up to 5% of the average daily worldwide turnover or income of the fined intermediary service provider in the preceding business year, calculated from the date specified in the decision.

The supervision and enforcement of the obligations under the DSA will be entrusted to an authority to be designated by each Member State individually. The competent authority for the provider will be the authority in the Member State where the principal place of business of the intermediary service provider is located (i.e. where it has its head office or registered office, where the main financial functions are performed and operational supervision is exercised) or in the country where the provider has appointed its legal representative (if it is not based in the Union). Member States are also required to appoint digital services coordinators no later than 17 February 2024.


When to expect the changes?

The DSA came into force on 16 November 2022. Businesses have been given until 17 February 2024 to comply with the new requirements, although some obligations are already required to be fulfilled before that date.
 

By 17 February 2023 at the latest, and at least every 6 months thereafter, online platform or search engine providers must publish, in a publicly accessible section of their online interface, information on the average number of active monthly users of the service in the Union. This number will be calculated as an average of users over the previous six months and based on the methodology established by delegated acts (once adopted). Providers of online platforms or search engines shall provide the local digital services coordinator (relevant for the place of their establishment) and the Commission, upon request and without undue delay, with the above information updated at the time of such request.
 

The purpose of this obligation is to make it possible to determine whether an entity falls into the category of a large platform, because as soon as it obtains this status, it will be subject to additional requirements under the DSA.
 

Tackling illegal content on the internet

Under the DSA, national judicial or administrative authorities will be given the power to issue orders to intermediary service providers to take action against specific illegal content, as well as orders to provide specific information on one or more specific individual service recipients. The provider who has received the order shall:

  • inform the authority of any action taken;
  • inform the recipient of the service concerned of the order received and of the action taken in response to it, along with the reasons for the order, information on the existing possibility of appeal and the description of the territorial scope of the order.

At the same time, the DSA makes it clear that there is no general obligation of providers to monitor the information that they transmit or store, or to actively establish facts or circumstances indicating illegal activity. The DSA differentiates the obligations based on the nature of the business and the size of the entity offering its services on the European market.


Specific obligations of very large intermediary service providers

Risk management by very large online platforms and search engines
 

Providers of very large online platforms and very large search engines will be required to put in place and apply risk management mechanisms, including regular analysis and assessment of systemic risks in the Union arising from the design or operation of their service. Four categories of systemic risk should be considered in the assessment:

I.  the risk of distributing illegal content as well as committing illegal acts;

II.  the risk of an actual or foreseeable impact of the service on the exercise of fundamental rights protected by the Charter (including human dignity, freedom of expression and information, the right to private life, data protection, non-discrimination, the rights of the child and consumer protection);

III.  risks of actual or foreseeable impacts on democratic processes, civil discourse and electoral processes, as well as on public safety;

IV.  risks related to the design, operation or use of platforms, including through manipulation, which may have an actual or foreseeable negative impact on the protection of public health, minors and serious negative consequences on the physical and psychological well-being of a person, or on gender-based violence.

If algorithmic accentuation of information contributes to systemic risk, suppliers should take this into account in their risk assessments, which they need to store together with source information.


Independent audit and audit fee

The DSA makes it mandatory for providers of very large online platforms and very large search engines to undergo an independent audit at least once a year. An organisation will be able to carry out the audit if it meets a number of requirements set out in the legislation.

Entities subject to mandatory audits will also be required to pay an annual surveillance fee to the European Commission. The fee will be payable for each service for which they are designated as a very large provider.

The Commission will adopt a detailed methodology for, among other things, determining individual annual supervisory fees, with the total amount of the annual supervisory fee charged to a given provider of a very large online platform or very large search engine not exceeding 0.05% of its worldwide annual net income in the previous financial year.

Implications for businesses operating on online platforms

What does the DSA mean for businesses operating on online platforms?

  • Right of appeal against the provider's decision. If a report of illegal content is received, or if the information provided by the providers does not comply with the provider's terms of service, the platform provider will be entitled to take action with the following consequences:
    • restricting the visibility of certain information (including removing content, preventing access to content or demotion of content);
    • suspension, termination or other restriction of monetary payments (including monetisation of information provided by the user);
    • suspension or termination of services in whole or in part;
    • suspension or termination of the service user's account.

If action is taken, the provider will be obliged to inform the user concerned immediately and to provide the recipient with the possibility to appeal the platform's decision (including through the internal complaints system - electronically and free of charge) if the decisions have a negative effect on the user. The possibility to appeal the decision must be maintained for at least 6 months after the provider has informed the user of its decision.

  • Choice of out-of-court dispute resolution body. Users have the right to choose any out-of-court dispute resolution body. Online platform providers will ensure that information on the possibility to use out-of-court dispute resolution is easily accessible on their online interface.
  • Obligation to undergo a verification procedure. Entrepreneurs wishing to establish their presence on an online platform will be subject to obligatory verification, which may include, inter alia, the duty to provide reliable supporting documents, such as a copy of an identity card, certified statements of payment accounts, business and commercial register certificates. In addition, the entrepreneur will certify that it undertakes to offer only products or services that comply with applicable Union law.
  • Potential reduction in the effectiveness of advertising campaigns carried out on the online platform.
    • Where recommendation systems are used, providers will specify in their terms of service the main parameters used in these systems, as well as any options for service users to change or impact these parameters. In light of the DSA, the user must be informed of any means available to them to change the profiling criteria for advertising purposes.
    • For very large online platforms and very large search engines - they will have to provide at least one option for each of their recommendation systems that is not based on profiling.
    • The DSA also prohibits the presentation of profile-based advertising using the personal data of a user if the provider knows with reasonable certainty that the user is a minor.

The above obligations may affect the effectiveness of advertising campaigns on online platforms.


Summary

The DSA responds to a long-standing need for large online platforms to be involved in ensuring the legality of content presented online as well as their liability for consequences of the algorithms used by them. The development of the online marketplace, including in particular large social media or sales platforms, was possible in previous decades, among other things, thanks to the exclusion of the liability of intermediary platforms. Nowadays, such exclusivity is no longer justified, also due to the great power of the largest online platforms and the developing technical capabilities for detecting illegal content. Solutions such as artificial intelligence will be of help in detecting illegal content and its removal, as well as in assessment of Internet user complaints.
 

Controversies on social media have been growing for years. These relate not only to scandals such as those surrounding the US elections when Donald Trump won or the Brexit referendum, but also to the impact of the algorithms used on the platforms on exacerbating political attitudes (information bubbles) or the increase in mental illness among the youngest users. The DSA, with the introduction of obligations as to the systemic risk analysis of the largest online platforms, seems to respond to the above issues.
 

Although the new obligations are primarily aimed at large players present on the market, smaller entrepreneurs will also experience their effects - often positive ones. The most interesting provisions in this respect are those regulating the hitherto arbitrary process by which online platforms block content published by individuals, and also by entrepreneurs, without giving any reason or any possibility of obtaining an explanation or appealing. The introduction of regulations requiring a clear appeal process, as well as giving entrepreneurs the possibility to choose the out-of-court body to settle a dispute, should be seen as positive. Entrepreneurs will gain greater security regarding their activities on third-party platforms.




