The European Union’s rebooted ecommerce rules start to apply in full from tomorrow — setting new legal obligations on the likely thousands of platforms and digital businesses that fall in scope.
The Digital Services Act (DSA) is a massive endeavour by the EU to set an online governance framework for platforms and use transparency obligations as a tool to squeeze illegal content and products off the regional internet.
If something is illegal to say or sell in a particular Member State it should not be possible to workaround the law by taking to the Internet is the basic idea. So online marketplaces operating in Europe should not let users buy and sell guns, for example, if the purchase of weapons is banned in the relevant EU market nor should social media sites allow hate speech to stay up if a country has laws in place that prohibit it.
Protection of minors is another key focus — with the regulation stipulating in-scope platforms and services must ensure “a high level of privacy, safety, and security” for kids, and banning use of their data for targeted ads.
The bloc can’t put an exact number on how many companies are in the frame, not least as new digital platforms are being spawned all the time, but says it expects at least a thousand to be subject to the rules.
Platforms, marketplaces and other in-scope digital services providers that fail to comply with the DSA are risking tough penalties — of up to 6% of global annual turnover for confirmed breaches.
As well as applying content moderation rules to platforms and know your customer requirements to marketplaces, the regulation applies some obligations to hosting services and other online intermediaries (such as ISPs, domain name registers and network infrastructure providers).
Smaller platforms, such as early stage startups yet to grab much scale — defined as “micro” or “small” enterprises employing fewer than 50 staff and with an annual turnover below €10M — are exempt from the bulk of provisions. But they will still have to make sure they set clear and concise T&Cs; and provide a contact point for authorities. (Fast scaling startups that outstrip the micro/small criteria won’t immediately face having all general rules apply but will get a “targeted exemption” for some provisions DSA over a transitional 12-month period, per the Commission.)
In-scope companies have had well over a year to get their compliance plan in order — since the text of the law was published back in October 2022. Although plenty of detail remains to be filled in, as DSA oversight bodies spin up and start to produce guidance. Which means many businesses are still likely to be trying to figure out exactly how the rules apply to them.
More rules for Big Tech too
Major tech platforms and marketplaces face the strictest level of DSA regulation. They have already passed one compliance deadline: A subset of DSA rules, focused on algorithmic transparency and systematic risk mitigation, have been in application on larger platforms and search engines (aka VLOPs and VLOSEs) since late August. Last December, the Commission also opened its first formal investigation of a VLOP, on Elon Musk-owned X (formerly Twitter), over a string of suspected breaches.
But even for larger platforms there’s more rules incoming tomorrow: From Saturday, the almost two dozen tech giants which, like X, have been designated as subject to the rules for VLOPs and VLOSEs are expected to be compliant with the DSA’s general obligations, too. So if Musk was already doing DSA compliance badly, he’s now got a bunch more demands to worry about come the weekend.
This includes in areas like providing content reporting tools for users and giving people the ability to challenge content moderation decisions; cooperating with so-called “trusted flaggers” (third parties that are authorized to make reports to platforms); producing transparency reports; and applying business traceability requirements (aka know your customer rules), to name a few.
On moderation, for instance, platforms must provide a “statement of reasons” to users every time they make a content moderation decision that affects them (such as a removal or demoting content).
The EU is collecting these statements in a database — so far only for larger platforms already subject to VLOP rules — and says it has amassed more than 4 billion statements to date. As smaller platforms’ statements go into the database the Commission expects to get a complete overview of content moderation practices, building on the “very interesting overview” of larger platforms’ decision-making it says the DSA has already delivered.
Other requirements of the general rules for platforms include having to provide information about ads they run and any algorithmic recommender systems they operate.
As noted above, the DSA specifically bans child’s data being used for advertising — so there’s a requirement to ensure minors’ information is not sucked into existing ad targeting systems. Although exactly how platforms will be able to determine whether a user is a minor or not without also running into privacy pitfalls, such as if they were to force age verification tech on all their users, is, the Commission admits, a complex area.
So while, from tomorrow, all platforms will have an obligation to provide “effective protection measures for minors” as a Commission official put it in a background briefing with journalists today, they noted there are ongoing discussions between DSA enforcers aimed at determining which technologies might be “acceptable solutions” in this context — leaving platforms in limbo over how exactly to comply in the meanwhile.
“The problem is difficult to solve,” the official admitted. “We are fully aware of the impact that [age verification] can have on privacy and we would not accept any measure for age verification… So my short answer is it’s complicated. But the long answer is that we are discussing together with Member States and with the Digital Services Coordinators, in the context of a taskforce that we have put in place already, to find which ones would be the acceptable solutions.”
Digital Services Coordinators
Zooming out again, monitoring tech giants’ compliance with general DSA rules falls, not to the Commission — which is the sole enforcer of obligations specific to VLOPs/VLOSEs (and plenty busy enough as a result) — but to EU Member State level enforcers. So called Digital Services Coordinators (DSCs). Thus, with the DSA coming into full application, there’s a whole new layer of digital oversight being slotted into place to regulate online activity around the region.
Here the bloc’s lawmakers maintained a “country of origin” principle, which also applied in the EU’s earlier ecommerce regime, so this tranche of DSA oversight on tech giants will come from authorities located in countries where the platforms are established.
For example, in the case of X, Ireland’s media regulator, Coimisiún na Meán, is likely to be competent authority overseeing its compliance with the general DSA rules. Ditto for Apple, Meta and TikTok, which also locate their European HQs in Ireland. Whereas Amazon’s compliance with general DSA rules will probably be monitored by Luxembourg’s competition authority, the Autorité de la concurrence, on account of its pick of regional base.
In the case of platforms without a regional establishment, and which haven’t appointed a local legal representative, they face enforcement by any of the competent bodies in any Member State — which could request information from them and/or take enforcement action related to compliance issues under the general rules.
Such platforms are therefore (potentially) exposing themselves to greater regulatory risk. (Albeit, this is assuming Europe-based authorities can actually enforce the law on foreign entities if they refuse to play by the rules — and here the difficulties EU data protection authorities have had trying to make Clearview AI abide by the GDPR looks instructive.)
Smaller EU-located platforms and startups, meanwhile, are likely to face general DSA oversight by the DSC appointed in their home market. So — for example — France’s BeReal, a popular photo sharing platform, will likely have its DSA compliance overseen by ARCOM, the comms and audiovisual regulator the country looks set to name as its DSC.
Confirmed DSCs so far are a mixture of existing regulatory agencies, including telecoms, media, consumer and competition regulators. Member States are also allowed to name more than one body to ensure adequate expertise underpins their oversight.
The EU has provided a webpage for finding the DSC that each Member State has appointed — although, as the time of writing, not all appointments have been made so there are still some gaps.
As their name (“coordinators”) suggests, DSCs will be doing plenty of joint working to ensure they are tapping relevant expertise to carry out effective oversight of the broad range of in-scope platforms and businesses. They are also envisaged playing a supporting role for the Commission’s enforcement on larger platforms’ systemic risk. Although enforcement decisions on VLOPs/VLOSEs remain with the Commission.
Additionally, the regulation establishes a new body — the “European Board for Digital Services” — where DSCs will meet regularly to share information and coordinate. The Board will, for instance, be responsible for producing advice and guidance for applying the law.
A handful of Board meetings have already taken place, per the Commission, which says some early workstreams aimed at setting best practices cover areas including provisions around data access for researchers; how to award trusted flagger status and select out of court dispute settlement bodies; and coordinating the handling of user complaints.
Again, ahead of best practice consensus being reached, and compliance guidance produced (and, in some cases, a confirmed appointment of a DSC), regulated platforms and services will have to figure out a way forward on their own.
DSCs are also intended to be contact points for citizens wanting to make DSA-related complaints. (And if a complaint from a citizen is about a platform a particular authority doesn’t oversee they will be responsible for sending it to the relevant competent body that does.)
EU consumers won’t only have to rely on regulatory action on their complaints, though. They will also be able to turn to collective redress litigation if a company fails to respect their rights under the Act. So non-compliant platforms face the risk of being sued too.
Those DSCs already appointed in time for Saturday’s deadline could choose to start an investigation or request information from platforms they oversee starting from tomorrow, a Commission official confirmed. But it remains to be seen how fast out the blocks these new digital enforcers will be.
Judging by how other EU digital rules have been implemented in recent years, it seems likely platforms will be given some grace to get up to speed, and time allowed for the regime to bed in, including as enforcers get their own feet fully under the table. Although, given this is decentralized enforcement, some Member State authorities may be more eager to get going than others and we could see DSA interventions happening at different speeds around the region.
DSCs are empowered to issue fines of up to 6% of global annual turnover for breaches of the regulation, which is the same level of penalty the Commission wields on VLOPs/VLOSEs if they violate the extra obligations applied to larger platforms and search engines. So — on paper — there’s a lot of new regulatory risk in Europe arriving from Saturday.
The full application of the regime also means VLOPs like X could face separate fines from the Commission and a DSC — i.e. if their compliance fails both sets of obligations. (But whether another layer of regulatory risk in the EU will finally concentrate Musk’s mind on compliance remains to be seen.)
One thing is clear: The DSA steps up the complexity for platforms operating in the region, applying a whole bundle of new obligations and unfurling another network of enforcers — on top of the growing sprawl of existing laws that may also apply to digital businesses, such as the General Data Protection Regulation, ePrivacy Directive, Data Act and the incoming AI Act (to name a few).
Selling advice on how all these rules apply and intersect (or even collide) will certainly keep regional lawyers and consultants busy for years.
Changes and challenges
In one early sign of potentially interesting times ahead, Ireland’s Coimisiún na Meán has recently been consulting on rules for video sharing platforms that could force them to switch off profiling-based content feeds by default in that local market.
In that case the policy proposal was being made under EU audio visual rules, not the DSA, but given how many major platforms are located in Ireland the Coimisiún na Meán, as DSC, could spin up some interesting regulatory experiments if it take a similar approach when it comes to applying the DSA on the likes of Meta, TikTok, X and other tech giants.
Another interesting question is how the DSA might be applied to fast-scaling generative AI tools.
The viral rise of AI chatbots like OpenAI’s ChatGPT occurred after EU lawmakers had drafted and agreed the DSA. But the intent for the regulation was for it to be futureproofed and able to apply to new types of platforms and services as they arise.
Asked about this, a Commission official said they have identified two different situations vis-a-vis generative AI tools: One where a VLOP is embedding this type of AI into an in-scope platform (such as baking it into a search engine or recommender system) — where they said the DSA does already apply. “We are discussing with them to check compliance with the DSA,” the official noted on that.
The second scenario relates to “standalone” AI tools that are not embedded into platforms already identified as in-scope of the regulation. In this instance the official told TechCrunch the legal question for DSA enforcers will be whether the AI tech is a platform or a search engine, as the regulation defines it.
“A lawyer will go into the definition and check whether it is used as a search engine, or it is, technically speaking, hosting content and putting it at the request of the recipient of the service and disseminating to the public. If the definition is met, you tick the box and the DSA applies,” they said. “It is as simple as that.”
Although it’s less clear how quickly that process of determination might happen — and it would presumably depend on the DSC in question.
Per the Commission, standalone AI tools that meet the DSA definition of a platform or search engine and also pass the threshold of 45 million monthly users could — in the future — also go on to be designated as VLOPs/VLOSEs. In that scenario the regulation’s extra algorithmic transparency and systemic risks rules should apply and the Commission would be responsible for oversight and enforcement. Although the official noted the final wording of the incoming AI Act will also be relevant in establishing any respective bounds here, so whether the AI Act and DSA would (or wouldn’t) apply in parallel on such tools.