In July of this year, the EU Parliament voted to adopt the Digital Services Act (DSA) and the Digital Markets Act (DMA), two legislative initiatives that will help safeguard the rights of users of digital services and establish a level playing field in the digital arena.
The DSA and DMA go hand in hand with the Data Governance Act; all three are central to the strategy of “A Europe fit for the Digital Age”.
Here, we explore the practical steps required to comply with the DSA.
The nature of the DSA means that businesses must understand and address the compliance requirements holistically, with a risk-based approach to operational implementation, and not through a ‘tick-box’ exercise against a list of minimum requirements.
DSA at a glance
The DSA is designed to significantly improve the mechanisms for the removal of illegal content and for the effective protection of users’ fundamental rights online, including the freedom of speech. It also creates stronger public oversight of online platforms, in particular for platforms that reach more than 10% of the EU’s population.
Fines for violation of the DSA are up to 6% of firms’ global revenue, while serious and repeated violations could result in national courts banning operations in their territories of jurisdiction.
The DSA has been developed against a backdrop of regulatory action against online platforms globally. We should expect increasing regulatory focus on consumer protection online due to the pace of technological developments and heightened consumer protection expectations.
Who does the DSA apply to?
The DSA applies to providers of intermediary services, with the level of obligations imposed dependent on the digital footprint and therefore potential impact of the business. There are four categories of businesses that the DSA applies to:
- Providers of intermediary services: Within this group, the provision of any of the following three services qualifies a business as an intermediary service provider: (i) a ‘mere conduit’ service, (ii) a ‘caching’ service, and (iii) a ‘hosting’ service.
- Providers of hosting services: For example, cloud service providers, online marketplaces or app stores.
- Online platforms and marketplaces: These cover providers of hosting services that publicly disseminate users’ information. Examples of this group include online travel and accommodation websites and app stores.
- Very large online platforms (VLOPs) and search engines (VLOS): Organisations with an average monthly number of users of 10% or more of the total EU consumer population qualify as VLOPs or VLOS. The European Commission will designate the entities that qualify and will be directly involved with the supervision and enforcement of obligations for VLOPs.
What do intermediary service providers need to do?
The DSA applies a layered or cumulative approach to in-scope businesses, with the fourth category of businesses mentioned above needing to comply with the full set of requirements. When planning DSA compliance, consider two types of operational constructs: (i) developing existing functions to cater for new obligations, and (ii) the build of new components (be it processes, capabilities or reporting).
To aid with your DSA compliance roadmap, we have grouped below the key DSA requirements into five practical building blocks. Note that those requirements which apply to all four categories of businesses outlined above are marked with an *:
1. Governance and policies
- Clearly defined internal policies, procedures, and training*
- Single point of contact, and where necessary, legal representative*
- Ensuring terms of service clearly reflect fundamental rights* and the main parameters of recommender systems
- Independent annual auditing with corrective actions promptly applied
- Internal compliance function operating independently of the business
- Participation in codes of conduct (voluntary but recommended)
2. Interface, cooperation, and facilitation
- Cooperation with national authorities on orders*
- Cooperation with authorities for on-site inspections
- Data sharing with authorities and vetted researchers, with the ability to explain underlying specifics of your algorithmic systems
- Interface with trusted flaggers
3. Control environment
- Ongoing identification, analysis and proportionate management of systemic risks stemming from the functioning and use made of your business’ services in the EU
- Complaints and redress management
- Marketplace traders obligation management
- Management of user choice not to have recommendations based on profiling
- Ban on targeted adverts to minors and those based on users’ special characteristics
- Crisis readiness and response, e.g., wartime, pandemic
- Measures and protection against misuse of provided service
- Criminal offence reporting
- Enabling and facilitating notices
- Out of court dispute settlements
- Clear and comprehensible reporting*
- User-facing transparency of online advertising* with the requirement for a publicly available advertising repository for VLOPs and VLOS.
Where are we now?
The DSA regulatory text is pending formal agreement by the European Council and European Parliament. Once approved, it will be published in the Official Journal of the European Union and come into force twenty days after publication. Thereafter, the rules will begin to apply fifteen months after coming into force, or from 1 January 2024 – whichever is later. For VLOPs and VLOS, the rules will apply earlier, four months after designation.
In summary, here’s what we recommend companies do:
- Prepare early: It is never too early to assess whether and how the DSA applies to your business and what the implications are for your business.
- Prepare efficiently: The DSA builds upon existing regulations such as the GDPR and the recently introduced UK Online Safety Bill. Consider how your existing compliance arrangements could be extended or developed. This is best carried out by adopting a cross-functional approach to develop and sustain operating arrangements for DSA compliance across your business.
- Prepare strategically: Compliance alone should not be the ultimate end goal; building trust with customers and innovating for future growth are key. The greatest success in DSA compliance will be achieved by integrating the building blocks outlined above through the entire operating structure of your business.
How can AlixPartners help?
We have been working with regulated firms across industries for years, including building compliance capabilities for newly regulated firms and transforming compliance in mature businesses.
This practical experience helps firms who will be in scope of the DSA in multiple ways, such as:
- the design and build of policies, processes and controls, in a way that is efficient and effective, including the use of reg-tech tools
- the design and implementation of effective governance around these controls and processes
- competition advice to navigate the future market environment
- advice on handling the regulatory interface – effective regulatory engagement and communication will be essential, and some firms have not historically had to do this continuously
- support for lean organisational design and organisational transformation; and
- support for effective and practical culture change.