The burden of additional requirements is hopefully proportional to the societal impact of those platforms as they grow
Daniel Lundqvist
Chair, IBA Internet Business Subcommittee
Online platforms: ‘notice and takedown’ procedures at heart of updated EU rules
When the e-Commerce Directive was adopted within the EU in 2000, it was a foundational attempt to regulate online activity for businesses and consumers. Since then, social media platforms such as Facebook and companies such as Google and Amazon have transformed how we engage, purchase and share information online.
This is where the Digital Services Act (DSA) comes in. Proposed by the European Commission at the end of 2020, alongside the competition-focused Digital Markets Act, it’s an upgrade of the existing rules. The draft legislation has been under review by European Parliament committees since January. If approved, it’s likely to be introduced in 2022.
A key legal distinction between the DSA and the e-Commerce Directive is that the DSA will be ‘approved as a regulation’, says Albert Agustinoy, Chair of the IBA Disputes and Rights Subcommittee and a partner at Spanish law firm Cuatrecasas. This avoids each Member State having to incorporate it separately – and time-consumingly – into their legal systems.
An immediate EU-wide implementation of the DSA should, says Agustinoy, ‘give more strength to a uniform approach to address the issues’ at stake. And this is an area of law that ‘very much calls for harmonisation’, says Kristian Storgaard, a partner at Danish firm Kromann Reumert. ‘In the majority of situations – at least from the perspective of a small country – you would be dealing with a provider that is based or located elsewhere.’
However, Marc Hilber, Projects Officer of the IBA Technology Law Committee and a partner at German law firm Oppenhoff, strikes a note of caution about the possibility of ongoing differences between EU-wide regulation and national laws. ‘The DSA is following a very similar approach to GDPR [the EU General Data Protection Regulation]’, he says. ‘And where GDPR allows the Member States to implement national legislation – for example, in the area of employee data protection – national laws still vary to a great extent.’
In terms of the DSA’s content, the liabilities facing service providers are not dissimilar to those in the e-Commerce Directive, says Hilber. Where the proposed legislation differs is in its detailed focus on transparency. ‘The notice and takedown mechanisms are at the heart of the new regulation,’ he says. Alongside this, companies dependent on websites such as Amazon’s for business will be able to seek greater clarity about decision-making.
Embedded in the proposed rules are oversight procedures – including a requirement for internal complaints management systems – for social media platforms that simply didn’t exist in 2000. The biggest online companies – deemed ‘gatekeepers’ by the DSA – will be expected to self-report and could face more substantial fines than those levied under the GDPR.
Storgaard sees parallels between the DSA’s processes relating to responsibility for online service providers and provisions in the US Digital Millennium Copyright Act 1998. The DSA’s emphasis on notice and takedown processes – where online hosts remove illegal content – goes towards levelling the playing field between EU and US law. It’s ‘much faster and more effective than having to go through court to get a preliminary injunction,’ he says.
Daniel Lundqvist, Chair of the IBA Internet Business Subcommittee and a partner at Advokatfirman Kahn Pedersen, is concerned by Article 31 of the DSA, which would only require platforms to provide advertising data to researchers affiliated with academic institutions. ‘This may actually limit the effect that such transparency obligations can have,’ he says, pointing out that historically, many issues about online platforms have been uncovered by journalists and activist groups.
The DSA’s reliance on the private sector for accountability worried the European Parliament’s Civil Liberties Committee enough that it struck out two key provisions – those requiring service providers to undertake risk assessments and audits carried out by external companies – in its amendments. It argued that compliance assessments by ‘private entities chosen and paid for by providers poses a risk to fundamental rights, as only public authorities are bound by fundamental rights’.
Whether the draft DSA places too much power in the hands of the private sector rather than a public authority or judiciary is ‘a difficult question’, says Agustinoy. He believes the system could be ‘reasonably workable’, as long as large platform operators were ‘also provided with reliable interpretation criteria that would avoid – at least from an ideal perspective – the uncertainties for all involved parties on private enforcement’.
The public authority route can also be costly and time-consuming. For Hilber, the challenge facing a regulation such as the DSA is achieving a ‘difficult balancing act’ between ensuring companies abide by the rules and encouraging private enterprise. He says this shouldn’t involve ‘any authorities specifically coming in and telling companies what they should do on their platform.’
Lundqvist believes that people shouldn’t ‘expect too much change due to mandatory risk assessments and audits’ – even if the DSA’s existing provisions remain. He argues that any ‘serious online platform’ will already perform risk assessments. Even with regulation, he says, ‘one can expect that any risk assessment will not drastically alter the implementation of some aspect of the online platform for which there is a business case’.
Another key feature of the DSA is its ‘three-tier’ system of different levels of regulation for service providers depending on if they are small enterprises, ‘regular’ online platforms or the so-called ‘very large online platforms’ that most commentators agree are the ultimate target of the DSA. ‘The burden of additional requirements,’ says Lundqvist, ‘is hopefully proportional to the societal impact of those platforms as they grow.’
For his part, Hilber believes that the DSA’s regulatory demands on smaller companies – despite the European Commission’s claim to proportionality – are not sufficiently different to those on the largest platforms. ‘We’re already not as good as the US at facilitating the quick implementation of business models by reducing the regulation with which small companies have to comply,’ he says. ‘This is really a step in the other direction.’
Elsewhere, Storgaard notes potential contradictions arising between the draft DSA and the European Commission’s Digital Single Market strategy’s approach to a platform’s liability for content, the ‘YouTube clause’. This introduces a direct liability for some platforms under certain circumstances.
Storgaard argues that this deviates from ‘the basic principle’ of the proposed DSA – and the current e-Commerce Directive – in which an online platform or host is not, in general, liable for any content uploaded by users, as long as they have ‘not been directly involved’ and ‘are aware of the copyright-protected works’.
Questions also remain over how the DSA will be harmonised with regulations outside the EU and exactly how jurisdictional authority will be handled when disputes arise. Online service providers, big and small, will doubtless be scrutinising every possible answer.
Related links
Image: metamorworks C / Shutterstock.com
Download the IBA Global Insight app
Access expert analysis on international rule of law, business and human rights