The EU is close to finalizing the adoption of the Digital Services Act (DSA), which will impose new obligations on digital platforms regarding content moderation, due diligence for illegal content, and advertising transparency. It will entail significant changes to existing EU law in these areas and will impose substantial new compliance burdens on companies in regard to online content.

Following long negotiations, the EU institutions reached a political agreement on the final text of the DSA on April 23, 2022. The final text will now be subject to technical and linguistic review before it is formally adopted and published as law. We expect the DSA to be formally adopted sometime this summer, and to become applicable in early 2023.

The DSA was originally proposed in December 2020 as part of the European Commission's broader European Digital Strategy, together with the Digital Markets Act (DMA), which contains revamped antitrust rules for some of the largest digital platforms. The European Digital Strategy also includes other data-related laws which are currently still being negotiated (e.g., the AI Act, the Data Act, etc.). Companies operating in the EU should carefully review the European Digital Strategy, particularly the DSA and the DMA, since they contain far-reaching rules which may require redesign of compliance strategies from the ground up.

For more information about the initial DSA proposals and draft amendments, see the Wilson Sonsini client alerts here and here. For the latest information about the DMA, see the Wilson Sonsini client alert here.

Scope of the DSA

The DSA applies to all intermediary service providers, including:

1. "mere conduit" and "caching" services, e.g., internet access providers and domain name registrars;
2. "hosting" services, e.g., cloud and web hosting services;
3. online platforms, e.g., online marketplaces, app stores, and social media platforms; and
4. very large online platforms or search engines (VLOPs), i.e., platforms or search engines reaching more than 10 percent of the then current EU population, the threshold presently being 45 million users. We expect that around 30 companies may qualify as VLOPs.

The DSA follows a layered approach with cumulative obligations for online intermediary services depending on their function and size. The DSA imposes a baseline of rules which applies to all intermediary service providers (e.g., including mere conduit and caching services), and then adds obligations for hosting services, online platforms, and a further set of obligations for VLOPs. In the DSA, each layer of obligations is cumulative, meaning that each next layer adds obligations on top of all the preceding layer(s)' obligations (e.g., online platforms need to comply with all the requirements for hosting services and mere conduit and caching services, but not the specific requirements for VLOPs).

Key Obligations

The DSA includes far-reaching obligations for platforms. Note that the final text of the DSA has not yet been published; thus, the below is based on our understanding of the political agreement.

• Content moderation. The DSA requires all intermediary service providers to diligently enforce their terms and conditions, including in regard to content moderation (e.g., removal of fake news). In addition, online platforms should implement a system allowing users to report any illegal content on the platform. Platforms need to inform users when they decide to take down any content they provided and explain the reasons for doing this. Platforms should also provide an internal complaint-handling system allowing such users to contest the platform's decision to take down their content.
• Targeted advertising to children. The European Parliament proposed including a new rule prohibiting the display of targeted ads to children based on profiling, when the platform is aware that the user is a child. This prohibition appears to be included in the final text of the DSA, although it is still unclear whether it will apply to all online platforms or only to VLOPs.
• Advertising transparency. Online platforms will have to provide detailed information about the ads shown to users. This includes ensuring that users can recognize sponsored content, and can identify the company responsible for the ad and receive "meaningful information" about the "parameters" used to show the ad to a specific user. These terms are not clearly defined in the DSA, and it remains to be seen how regulators will interpret them. In addition, VLOPs will be required to provide a publicly available list of advertisements detailing the audience reached for each ad and the "parameters" used to target specific groups of individuals.
• Platform personalization. The DSA requires platforms to inform users about the main parameters used to organize/prioritize content on the platform. In addition, VLOPs are required to offer a version of the platform where content is not personalized based on profiling of users, and to allow users to easily select such non-profiling version through the privacy settings. Compliance with this rule may require substantial changes to VLOPs which personalize content in a way that qualifies as "profiling" under the General Data Protection Regulation (GDPR).

Enforcement

Non-compliance with the DSA could lead to fines of up to six percent of a company's worldwide annual revenue. Enforcement of the DSA is entrusted to the national regulator in the EU member state where a company has its main EU establishment, although the European Commission is in charge of supervision and enforcement for very large online platforms.

Each EU member state needs to identify the regulator(s) responsible for enforcement of the DSA, and appoint one such national regulator as the "Digital Services Coordinator." The DSA also creates an EU Agency (the "European Board for Digital Services") responsible for ensuring consistent enforcement of the DSA across the EU. The multiplication of regulatory bodies in addition to data protection authorities and antitrust regulators to enforce rules which are interrelated is likely to create significant challenges for companies (e.g., responding to investigations by different regulators covering the same services).

Civil society organizations and NGOs will be able to lodge class action lawsuits in the event of an infringement of the DSA, on the basis of the EU's Collective Redress Directive, which was recently adopted.

Next Steps

Companies should monitor this space and review the final text of the DSA once it is published. All companies operating online should already start reviewing (and where necessary, re-designing) their compliance strategies, and ensure that their regulatory and policy teams are briefed on these new rules.

We will publish further alerts covering the next steps in adoption of the DSA as they occur.

For more information, please contact Cédric Burton, Chris Olsen, or another member of the firm's privacy and cybersecurity practice.

Christopher Kuner and Roberto Yunquera Sehwani contributed to the preparation of this Wilson Sonsini Alert.