The EU is close to finalizing the adoption of the Digital Services Act (DSA), which will impose new obligations on digital platforms regarding content moderation, due diligence for illegal content, and advertising transparency. It will entail significant changes to existing EU law in these areas and will impose substantial new compliance burdens on companies in regard to online content.
Following long negotiations, the EU institutions reached a political agreement on the final text of the DSA on April 23, 2022. The final text will now be subject to technical and linguistic review before it is formally adopted and published as law. We expect the DSA to be formally adopted sometime this summer, and to become applicable in early 2023.
The DSA was originally proposed in December 2020 as part of the European Commission's broader European Digital Strategy, together with the Digital Markets Act (DMA), which contains revamped antitrust rules for some of the largest digital platforms. The European Digital Strategy also includes other data-related laws which are currently still being negotiated (e.g., the AI Act, the Data Act, etc.). Companies operating in the EU should carefully review the European Digital Strategy, particularly the DSA and the DMA, since they contain far-reaching rules which may require redesign of compliance strategies from the ground up.
For more information about the initial DSA proposals and draft amendments, see the Wilson Sonsini client alerts here and here. For the latest information about the DMA, see the Wilson Sonsini client alert here.
Scope of the DSA
The DSA applies to all intermediary service providers, including:
The DSA follows a layered approach with cumulative obligations for online intermediary services depending on their function and size. The DSA imposes a baseline of rules which applies to all intermediary service providers (e.g., including mere conduit and caching services), and then adds obligations for hosting services, online platforms, and a further set of obligations for VLOPs. In the DSA, each layer of obligations is cumulative, meaning that each next layer adds obligations on top of all the preceding layer(s)' obligations (e.g., online platforms need to comply with all the requirements for hosting services and mere conduit and caching services, but not the specific requirements for VLOPs).
Key Obligations
The DSA includes far-reaching obligations for platforms. Note that the final text of the DSA has not yet been published; thus, the below is based on our understanding of the political agreement.
Enforcement
Non-compliance with the DSA could lead to fines of up to six percent of a company's worldwide annual revenue. Enforcement of the DSA is entrusted to the national regulator in the EU member state where a company has its main EU establishment, although the European Commission is in charge of supervision and enforcement for very large online platforms.
Each EU member state needs to identify the regulator(s) responsible for enforcement of the DSA, and appoint one such national regulator as the "Digital Services Coordinator." The DSA also creates an EU Agency (the "European Board for Digital Services") responsible for ensuring consistent enforcement of the DSA across the EU. The multiplication of regulatory bodies in addition to data protection authorities and antitrust regulators to enforce rules which are interrelated is likely to create significant challenges for companies (e.g., responding to investigations by different regulators covering the same services).
Civil society organizations and NGOs will be able to lodge class action lawsuits in the event of an infringement of the DSA, on the basis of the EU's Collective Redress Directive, which was recently adopted.
Next Steps
Companies should monitor this space and review the final text of the DSA once it is published. All companies operating online should already start reviewing (and where necessary, re-designing) their compliance strategies, and ensure that their regulatory and policy teams are briefed on these new rules.
We will publish further alerts covering the next steps in adoption of the DSA as they occur.
For more information, please contact Cédric Burton, Chris Olsen, or another member of the firm's privacy and cybersecurity practice.
Christopher Kuner and Roberto Yunquera Sehwani contributed to the preparation of this Wilson Sonsini Alert.