The repercussions of the Digital Services Act (DSA) beyond the European Union

Presentation

The digital strategy, of the European Union (EU) focusing on both enhancing data sharing and protection, online transparency and security, innovation, and economic growth in the digital market, holds significant relevance for third countries like Monaco.

The "digital legislative package" of the EU extends its regulations to businesses from third countries, with strict standards to guarantee the security and integrity of its internal market.

The EU aims to make digital security a trust-building factor for users and competitiveness, promoting fair competition in the digital market. It does not hide its wish to drive harmonisation of rules beyond its borders.

These issues are also essential aspects of the digital transition of Monaco, advocating for a digital environment of "security" and "trust," free from "unfair competition," and being "responsible, protective, and serving humanity."

This article is dedicated in particular to Regulation (EU) 2022/2065 of 19 October 2022 "Digital Services Act" (DSA), which is at the heart of the news.

The DSA has already been challenged by Zalando (Zalando SE (Berlin, Germany) v Commission, Case T-348/23, action for annulment brought on 27 June 2023, pending) and Amazon (Amazon Services Europe v Commission, Case T-367/23 R, application for suspension of operation of the decision of the European Commission of 25 April 2023 by application of 5 July 2023, granted on 27 September 2023).

At the same time, the DSA was activated by the European Commission, in the context of the conflict between Israel and Hamas. An initial request for information was sent to X (formerly Twitter) concerning the alleged propagation of illegal content and disinformation (in particular the dissemination of terrorist and violent content and hate speech) and compliance with other provisions of the DSA (European Commission press release of 12 October 2023). Followed by a second letter to Meta on the measures taken to comply with the obligations relating to risk assessment and mitigation measures, in particular with regard to the dissemination and amplification of illegal content and disinformation (European Commission press release of 19 October 2023).

* * *

SUMMARY

Regulation (EU) 2022/2065 of 19 October 2022 "Digital Services Act" (DSA) concerns online platforms (regardless of their place of establishment) that offer intermediary services in the EU (social networks, search engines, video sharing platforms, shopping sites, travel and accommodation platforms, online advertising service providers, domain name registers, etc.).

The DSA imposes new obligations on online intermediaries in terms of transparency, complaints handling and privacy protection, with a system of supervision and penalties. To facilitate communication with regulators, platforms must have a legal representative in the EU.

These stricter obligations are designed to curb the distribution of illegal or harmful content and products, combat misinformation and regulate targeted advertising.

* * *

The Digital Agenda of the European Union

Developments in the digital strategy of the European Union are of interest to Monaco, whose legislation, where appropriate, can be "in line with the work carried out at European level" (Explanatory memorandum to draft law no. 255 amending various provisions on digital matters, adopted on 7 December 2022).

For example, the introduction into Monegasque law of the "data intermediation (trust) service" (Law no. 1.528 of 7 July 2022 and the aforementioned draft law no. 555) is in line with Regulation (EU) 2022/868 of 30 May 2022 on European data governance (DGA) applicable since 24 September 2023, the purpose of which is to establish a balance between the promotion of the data economy and the protection of the fundamental rights of European citizens.

In addition to the DGA, the EU's digital "legislative package" includes:

• Regulation (EU) 2022/1925 of 14 September 2022 on contestable and fair markets in the digital sector (DMA), applicable from 2 May 2023 (with certain exceptions), the purpose of which is to combat the anti-competitive practices of the technology and web giants designated by the European Commission (in particular the GAFAMs: Google, Apple, Facebook, Amazon and Microsoft) and their virtual monopoly on the EU internal market.
• Regulation (EU) 2022/2065 of 19 October 2022 “Digital Services Act” (DSA), the subject of this publication, applicable in advance from 25 August 2023 to providers of very large online platforms and very large online search engines (with more than 45 million users in the EU per month) that were designated by the European Commission on 25 April 2023, and then from 17 February 2024 to the other providers concerned;
• the future legislation on artificial intelligence (AI), which aims to guarantee legal certainty to facilitate investment and innovation in the field of AI, strengthen governance and the effective application of existing legislation on fundamental rights and safety requirements applicable to AI systems.

* * *

Key points of the Digital Services Act (DSA)

The purpose of the DSA

The main aim of the DSA is to ensure a secure and transparent online environment for users, while fostering innovation and competition in the EU's digital marketplace. Its rules aim to:

• protect the fundamental rights of EU consumers more effectively ;
• define clear responsibilities for online platforms and social networks;
• deal with illegal content and products, hate speech and misinformation;
• ensuring greater transparency by improving oversight;
• encouraging innovation, growth and competitiveness in the EU's internal market.

The scope of the DSA

The DSA applies to providers of online intermediary services that connect online users with goods, services or content (such as internet service providers, social networks, content sharing platforms, online travel and accommodation platforms, hosting services such as cloud computing and web hosting services, domain name registrars, online marketplaces, application shops, or collaborative economy platforms), regardless of their place of establishment or geographical location, as long as they offer their services in the EU, provided that a close link with the EU is proven.

Such a close link with the EU exists where the service provider has an establishment in the EU or, if not, where the number of recipients of the service in one or more Member States is significant in relation to their population or on the basis of the targeting of activities to one or more Member States.

Targeting may be inferred, for example, from the ability to order products or services, from the availability of an application in the relevant national app shop, from the delivery of advertising locally or in a language used in an EU Member State, or from customer relationship management (such as the provision of customer service in a language commonly used in that Member State).

Some concrete examples of online intermediary platforms and services: X, YouTube, Facebook, WhatsApp, ,LinkedIn, Instagram, TikTok, Airbnb, Spotify, eBay, Amazon, Google, Netflix, Booking. com, TripAdvisor, Hotels.com, Trivago, Kayak, Etsy, Yelp, SoundCloud, Vimeo, Meetup, Leboncoin, Gumtree, Twitch, Pinterest, WordPress.com, Dropbox, Pinterest, etc.

The rules laid down by the DSA

The DSA imposes additional specific rules for very large online platforms (VLOPs) used by more than 10% of the 450 million consumers in the EU (given their important role in facilitating public debate, economic transactions and the dissemination of information to the public, particularly in terms of the number of recipients of the service, opinions and ideas, and influencing the way in which recipients obtain and communicate information online), and the very large online search engines (VLOSEs) used by more than 10% of the 450 million consumers in the EU (due to their key role in locating and retrieving information online).

→ Fighting illegal content online, including goods and services:

• Better informing users about the ads they see online;
• Easy flagging of illegal content or products, hate speech and misinformation;
• Cooperation between platforms and "trusted flaggers";
• Obligations regarding the traceability of traders in online marketplaces.

→ Empowerment of users and civil society:

• Ability to challenge content moderation decisions and seek redress, through a dispute resolution mechanism or judicial remedy;
• Access by authorities and researchers to key data generated by VLOPs in order to assess online risks;
• Transparency on a range of issues, such as the algorithms used to recommend content or products.

→ Risk assessment and mitigation:

• Requirement for VLOPs and VLOSEs to prevent misuse of their systems and subject their risk management systems to independent audits;
• Systems to respond quickly and effectively to crises affecting public safety or public health;
• Safeguards for children and young people (e.g. by designing their online interfaces or parts thereof with the highest level of privacy protection, security and safety of minors by default, where appropriate, or by adopting standards for the protection of minors, or by participating in codes of conduct for the protection of minors);
• Limits on the use of sensitive personal data for targeted advertising purposes.

→ Strengthened supervision and enforcement of EU legislation:

• For all intermediary service providers, with an important role for independent digital services coordinators in each EU Member State and the European Board for Digital Services;
• Additional supervisory powers for the European Commission in relation to VLOPs and VLOSEs (investigation of compliance with obligations set by the DSA, request for information, inspections, interim measures, control measures, sanctions).

→ Crisis response mechanism when extraordinary circumstances result in a serious threat to public security or public health in the EU:

The European Commission may require VLOPs and VLOSEs to:

• assess whether and how their services contribute significantly to this serious threat, or are likely to do so;
• identify and apply effective and proportionate risk mitigation measures set out in the DSA in order to prevent, eliminate or limit contributions to this serious threat;
• present their assessment and response to the European Commission.

Penalties provided for in the DSA

→ Penalties imposed by the Member States

The Member States shall lay down the rules on penalties applicable to providers of intermediary services within their competence, which must be effective, proportionate and dissuasive.

The maximum amount of fines that may be imposed for non-compliance with an obligation established by the DSA is 6 % of the annual worldwide turnover of the provider of intermediary services concerned in the preceding financial year.

For the provision of inaccurate, incomplete or misleading information, failure to respond or failure to rectify inaccurate, incomplete or misleading information and failure to submit to an inspection, the maximum amount of the fines is 1 % of the annual income or worldwide turnover of the provider of intermediary services or person concerned in the preceding financial year.

The maximum amount of a periodic penalty payment is 5 % of the average daily worldwide turnover or income of the provider of intermediary services concerned in the preceding financial year per day, calculated from the date specified in the relevant decision.

→ Penalties imposed by the European Commission

The European Commission may impose on the provider of the VLOP or VLOSE concerned fines of up to 6% of the annual worldwide turnover achieved during the previous financial year where it finds that the said supplier, intentionally or negligently :

• infringes the relevant provisions of the DSA;
• fails to comply with a decision ordering interim measures; or
• fails to comply with a commitment made binding by a decision.

The European Commission may impose on the provider of the VLOP or VLOSE concerned or on any other natural or legal person acting for the purposes of their trade, business, craft or profession fines of up to 1% of the annual worldwide income or turnover for the previous financial year where, intentionally or negligently, they:

• provide inaccurate, incomplete or misleading information in response to a simple request or a request by way of decision;
• fail to respond to a request for information by way of a decision within the time limit set; or
• fail to rectify inaccurate, incomplete or misleading information provided by a member of staff within the time limit set by the Commission, or fail or refuse to provide complete information;
• refuse to submit to an inspection;
• fail to comply with the measures adopted by the Commission to monitor compliance with the DSA;
• fail to comply with the conditions for access to the Commission's file.

In determining the amount of the fine, the Commission shall take into account the nature, gravity, duration and repetition of the infringement and, where appropriate, the delay caused to the proceedings.

In order to compel the provider of the VLOP or VLOSE concerned or any other natural or legal person mentioned above, the European Commission may adopt a decision to impose periodic penalty payments on them of up to 5% of the average daily revenue or turnover worldwide for the previous financial year per day, calculated from the date it sets in its decision.

Finally, the European Commission publishes the decisions it adopts, mentioning the names of the parties involved and the main content of the decision, including the penalties imposed, while taking account of the legitimate rights and interests of the supplier of the VLOP or VLOSE concerned or of the aforementioned natural or legal person, and of any third party, not to have their confidential information disclosed.

* * *

The DSA thus represents an important step in the regulation of digital services which, like Regulation (EU) 2016/679 on the protection of personal data (GDPR), could push non-EU states to align themselves with its legal standards, thereby promoting consistency and international compliance in the digital field.

The success of the DSA will certainly depend on how it manages to maintain the balance between protecting the rights of individuals on the one hand, and promoting innovation and economic growth in the digital market on the other.

* * *