On 17 February 2024, the Digital Services Act, which introduces harmonised rules throughout the European Union for the digital services sector and online platforms with the aim of ensuring a safe and reliable online environment for users and countering the spread of illegal content and services, became fully applicable.
The Digital Services Act (Regulation EU 2022/2065) introduces rules regarding the single market for digital services, strengthening the obligations of commercial operators in the sector to protect end-users. This Regulation is part of the “Strategy for a Digital Single Market for Europe” and replaces, while innovating, the previous Directive 2000/31/EC on e-commerce. The Digital Services Act has been in force since 16 November 2022, but its rules have become fully applicable for all operators in the sector since 17 February 2024, while for large platforms and search engines they are already applicable as of 25 August 2023. In this respect, it is referred to VLOPs (very large online platforms) and VLOSEs (very large online search engines), so the Regulation under review provides specific rules for online platforms and search engines whose average monthly number of service recipients in the European Union exceeds 45 million.
The Data Services Act applies to all online intermediaries (so-called Internet Service Providers – ISPs) that provide their services within the Union, regardless of whether the provider is located in a Member State or not, what matters is that its service has a significant number of European users as recipients. Examples of digital services to which this regulation applies are marketplaces, social networks, app stores, cloud services, search engines, rental platforms, Internet access services.
More specifically, the Digital Services Act applies to providers of three types of services: i) Services of mere transmission (so-called ‘mere conduit’ services), which means services that provide access to a communication network and enable the transmission of information provided by a user; ii) Services of temporary storage (so-called ‘caching’ services), they are services through which information is automatically stored on an intermediate and temporary basis with the sole purpose of facilitating its transmission to other recipients; iii) Services of information storage (so-called ‘hosting’ services), which means services that enable the storage of information provided by the user at his request, as well as the sharing of information and contents online.
The Data Services Act introduces, first of all, general obligations applicable to all ISPs (Articles 11-15), specifically, the providers of online intermediary services must set up special contact points to facilitate the provider’s relations with the recipients of the service and with the national and European authorities; they must appoint a legal representative in the EU if they are based outside the EEA; they must prepare conditions of use of their service and publish annual ‘transparency reports’.
The subsequent provisions provide for obligations addressed only to hosting service providers (Articles 16-18), who must set up a mechanism for reporting online content through a so-called “notice and take down” system, which means that the hosting provider must inform the recipient of what content may not be published and what the consequences of such behaviour are. If illegal/incompatible contents with its Terms and Conditions are found, prompt and reasoned measures must be taken (for example restrictions on the visibility and monetisation of the content, restrictions on the account of the person responsible, blocking of payments).
With regard to the additional obligations applicable to online platforms (Articles 19-28), providers must set up internal complaint management systems (the right to complain can be exercised within six months from the decision complained), giving priority to the reports of the so-called Trusted Flagger, which are public or private entities with special requirements of competence and independence with respect to the ISPs. Furthermore, in the event of a dispute, recipients of services must be guaranteed the right to apply to a court or to settle the dispute out-of-court. Moreover, the Data Services Act includes the prohibition to introduce the so-called dark patterns, which are deceptive navigation interfaces/paths aimed at manipulating and influencing the choices of service users, as well as the prohibition to use particular data for profiling for advertising purposes (while for minors profiling using even common data is absolutely prohibited).
With reference to the obligations applicable to marketplaces (Articles 29-32), the service provider must protect consumers by guaranteeing the security and transparency of the platform by requiring special traceability requirements from traders who intend to offer their products/services on the online marketplace.
While as regards the additional obligations addressed only to VLOPs and VLOSEs (Articles 33-43), they are required to carry out specific assessments of the risks arising from the design, operation, and use of the service itself and to introduce mechanisms to mitigate them. The main risks include the diffusion of illegal contents and contents that are harmful to physical and mental health, discriminatory, gender-based violence, terrorist content, content that violates fundamental rights such as freedom of expression and information, and content that may harm minors.
Lastly, it should be underlined that the Digital Services Act provides for the designation of a specific “Digital Services Coordinator” for each Member State, that assumes the role of supervising and verifying the correct application of the Regulation (in Italy, this role has been assigned to AGCOM), whereas the Commission has exclusive supervisory power as regards VLOPs and VLOPEs.
DISCLAIMER: This newsletter merely provides general information and does not constitute legal advice of any kind from Macchi di Cellere Gangemi. The newsletter does not replace individual legal consultation. Macchi di Cellere Gangemi assumes no liability whatsoever for the content and correctness of the newsletter.