Whether the company for which you work as Data Protection Officer (DPO) is a user of information society services or a service provider itself, it cannot remain unaware of the recent European legislation that has come into force in recent months.
In this article, we take a look at one of them, Regulation 2022/2065 on digital services (Digital Services Act / DSA), so that you can assess its practical impact on your business when it uses one of these services.
We’ll also help you take a closer look at the digital strategy being developed by the European Union (EU), of which the DSA is just one element, and which we think it’s important for you to keep an eye on.
European Digital Strategy
In addition to the GDPR, which governs the use of personal data, and the texts aimed at ensuring the resilience of players by imposing obligations in terms of IT security (NIS2 Directive) or physical (Directive on the resilience of critical entities), which are sometimes specific to certain sectors (such as the financial sector with the DORA Regulation), the EU will also be regulating the behaviour of players operating in the digital sector, as well as the way in which data (not necessarily personal data) is accessed and used more widely.
The Regulation (EU) 2022/1925 on digital markets (Digital Market Act / DMA) is there to ensure a competitive and fair digital sector, allowing innovative digital businesses to develop and ensuring the security of online users. It applies from 2 May 2023.
Regulation (EU) 2022/868 on data governance aims to make certain data (both personal and non-personal) available for re-use and to make it easier to share in different areas (health, environment, energy, agriculture, mobility, finance, etc.). It will apply from 24 September 2023.
The proposed regulation on data (Data act) will lay down harmonised rules to ensure fair access to and use of data.
Another proposal for a regulation still under discussion that we think is worth following if your company has any interest in the subject: the proposed regulation on artificial intelligence (AI act).
The DSA: Application dates and objective
The DSA continues to be implemented in waves. On 25 August 2023 , companies recognised as very large platforms and very large search engines entered the dance. For service providers that do not fall into this category, the deadline is 17 February 2024.
The stated aim is to ensure a secure, predictable and trusted online environment by :
- combating the dissemination of illegal content and misleading information
- while ensuring the protection of fundamental rights (EU Charter of Fundamental Rights)
- and facilitating innovation.
The DSA: The players involved and the roles created for the occasion
The players involved
Online service providers
Online services are defined as services which are normally (but not exclusively) provided for remuneration, at a distance, by electronic means and at the individual request of a recipient.
These services involve interaction with information provided (text, video, etc.) by a “service recipient” and are divided into :
- simple transport” services (e.g. virtual private networks, DNS services, domain name registrars, certification authorities issuing digital certificates, interpersonal communication services, etc.);
- “caching” services (e.g. provision of content routing networks, reverse proxy servers or content adaptation proxy servers);
- “hosting” services (e.g. website hosting, paid referencing, content sharing online, including file storage and sharing). In hosting, the DSA will also differentiate between the type of host and its size, adding ever stricter obligations: Any hosting service => Online platforms => Online platforms that allow consumers to enter into distance contracts with professionals => Very large platforms.
The DSA is aimed at suppliers offering services in the EU or targeting (“having a close link with”) the European market.
Unlike the GDPR, the size of the supplier will have an impact on the level (or even existence) of some of the obligations to be met:
- specific obligations (and early start on 25/08/23) for very large platforms and very large search engines = services with more than 45 million users in the EU.
- non-applicability of certain obligations for micro and small enterprises (as defined by recommendation 2003/361/CE), except in the case where a micro enterprise provides a platform service which corresponds to the definition of a very large platform;
For information, this number of monthly users corresponds to one of the DMA’s criteria for a platform to be designated as an “access controller”.
Recipient of services
The “service recipient” is any person (natural or legal) who is going to use the service made available to them, whether simply to consult the information or to make it accessible to other people.
The roles created for the occasion
Digital Services Coordinator
Each Member State will have to appoint a “Coordinator for digital services”, who will be responsible for controls and sanctions, the certification of out-of-court settlement bodies and the appointment of Trusted Signatories. He will also coordinate the transmission of information to the Commission (e.g. when a platform qualifies as a “very large platform”).
These coordinators will meet within a European Board for Digital Services (European Board for Digital Services), an advisory group that will ensure the consistent application of the DSA and the guidelines that will be generated by the coordinators and the Commission.
Out-of-court settlement bodies
These bodies, certified by the Coordinator, act as a level of appeal when an internal appeal takes place within a platform (in relation to a position taken by the platform on allegedly illegal content). Their decisions are not binding.
Trusted signallers
An entity with specific expertise enabling it to detect a certain type of illegal content more easily may ask the Coordinator in its Member State to become a Trusted Signaller.
The alerts it sends to a platform must be dealt with by that platform as a matter of priority. The Reporting Party must publish an annual report on its reporting activity, which must be easy to understand.
How is your company positioned in relation to the players and roles created by the DSA?
If the company you are advising as DPO is not considered to be an online service provider, there is a good chance that, in one way or another, it will use them as a recipient of services.
If you work for an association whose activity is the denunciation of behaviour that could be exploited through illegal content, you could mention the existence of the role of Trusted Signaller to them.
Topics covered by the DSA
Exemption from liability for illegal content transmitted by “service recipients”
The principle is as follows: an online service provider is not liable for the dissemination of illegal information/content, as long as it complies with specific conditions regarding the way in which it interacts with this content.
The illicit nature of content must be understood very broadly: Any information that in itself (discriminatory speech, illegal sharing of private images without consent) or because it is linked to an activity (e.g. the sale of counterfeit products) does not comply with the law may be “illegal”:
- EU law (including the GDPR);
- the law of an EU Member State.
Depending on whether the supplier provides a “simple transport”, “caching” or “hosting” service, the conditions to be met in order to avoid liability will be increasingly strict.
This subject was previously covered by the Directive on electronic commerce and was therefore subject to national specificities. The EU has decided to migrate this topic to the DSA, to improve legal certainty by eliminating national specificities and incorporating the clarifications made by the Court of Justice of the European Union ( CJUE) in its various rulings.
Management of injunctions
The DSA provides for coordination between:
- the competent national judicial or administrative authorities which notify service providers of an injunction to act on illegal content or an injunction to provide information on such content,
- the Coordinator and the European Committee (who receive information on these injunctions and the follow-up they have had).
Overview of “due diligence” obligations for service providers
Which of these may be of interest to you as a service recipient?
Obligation for the supplier to have a legal representative in the EU, if it does not have an establishment in one of the member countries.
Establishment of a means of recourse for recipients of services whose content has been declared unlawful, and whose content has been demonetised or even deleted. The existence of this possibility of recourse may be interesting information to bring to your company’s attention if it ever finds itself in this position.
General terms and conditions must include a list of specific subjects (with additional obligations depending on the type of service provided and its size), providing information in clear, simple, intelligible language and in an easily accessible and machine-readable format, for example :
- Information on content moderation procedures (including the possible use of algorithms and re-examination by a human being) and how complaints are handled;
- the existence of a content recommendation system (as well as the parameters taken into account and how to modify them);
- the very large platforms and search engines will have to provide a summary of their general terms and conditions.
A transparency report must be made available to the public, containing information on the moderation of content, injunctions received, and so on. The frequency and extent of the information to be provided by the service provider will depend on its type and size.
The possibility of notifying illegal content hosted by an online platform.
The very large platforms will also have to provide analyses of the risks caused by the use of their services (including the custom taken to mitigate them), which will be made public via an annual report by the European Committee.
Specific custom will have to be taken if a platform is aimed at (or is in fact used by) mainly minors.
Online platforms will also have to ensure that features are in place to ensure transparency regarding the use of advertising (whether targeted or not), both to enable consumers to understand that they are being targeted and to enable companies wishing to advertise to do so legally. Targeted advertising based on profiling of sensitive data is expressly prohibited.
Global ban on dark patterns and the importance of clarity
The DSA is the first European text to make explicit reference to the ban on the use of dark patterns / misleading interfaces… but it only mentions this in the preamble (in recital 67).
It also makes numerous explicit references (as mentioned for the general terms and conditions, for example) to the obligation to communicate in clear and comprehensible language.
This is probably a good opportunity for these platforms to adopt the use of Legal Design both in their communications and in the construction of their interface… and for you, it’s an additional argument to convince your hierarchy to adopt this technique in its own communications and tools intended for the public.
In any case, this is the method used by Admeet to build its tools to help you achieve GDPR and EPrivacy compliance.
DSA: Penalties
The penalties imposed must always be “effective, proportionate and dissuasive”.
- Fine of up to 6% of annual worldwide sales for a
- failure to comply with a DSA obligation
- for very large platforms: failure to comply with a decision to take provisional measures or a binding commitment.
- Fine of up to 1% of annual worldwide sales in the event of
- providing inaccurate, incomplete or misleading information ;
- failure to reply or to correct inaccurate, incomplete or misleading information ;
- failure to submit to an inspection ;
- for very large platforms: do not respond to requests for information, do not comply with the custom adopted by the Commission or with the conditions for access to the file.
Penalties may also be imposed (up to 5% of average daily global income or turnover) if the custom set out in the decision is not complied with.
Very large platforms are sanctioned directly by the Commission, while other online service providers are sanctioned by the Member State in which the provider has its principal place of business.
The Commission may also impose penalties (fines or periodic penalty payments) on “any other person”, whether natural or legal, who may have information about an alleged infringement and who fails to cooperate.
Conclusion: What about the role of the DPO?
Our aim is not to put you under pressure by adding all the challenges of Europe’s digital strategy to the long list of tasks already entrusted to the DPO.
It is nevertheless certain that your company will find itself impacted by this gradual reshaping of the digital space as we are experiencing it.
Therefore, helping your company to understand where it stands in relation to these texts will add enormous value. It may need to take action because it provides online services, or it may want to monitor compliance with the DSA (for example) by its online service providers, to avoid unpleasant surprises.
In our view, the right approach? To be able to mention to your company’s management the existence of the issues covered by the DSA and to emphasise the idea of another internal function taking up these issues.
This proactive approach on your part could help your colleagues to involve you more systematically before the start of projects involving new technologies and data.
The ultimate goal? To ensure that the voice of the data subject, the individual whose personal data will be used, is not forgotten.