EU: Unpacking the EU's suite of new era digital legislation – Part four: the DSA

On 23 April 2022, a political agreement was reached between the European Parliament ('the Parliament') and the Council of the European Union ('the Council') on the Proposal for a Regulation on a Single Market for Digital Services (Digital Services Act) ('DSA')1, which was first proposed by the European Commission ('the Commission') in December 2020. The DSA builds on the concepts contained in the Directive 2000/31/EC of 8 June 2000 on Certain Legal Aspects of Information Society Services in Particular Electronic Commerce in the Internal Market ('the e-Commerce Directive') and seeks to introduce EU-wide obligations applicable to digital services with the aim of improving the protection of consumers online, establishing a clear accountability framework, and fostering innovation, growth, and competitiveness within the single market.

In this five-part Insight series, OneTrust DataGuidance aims to bring you up to speed, demystifying the acronyms as we unpick the broader policy context informing the legislative proposals, the key obligations that they will entail for affected parties, and the issues that must still be resolved in order to reach political consensus, with accompanying commentary and insights provided by Wim Nauwelaerts, Partner at Alston & Bird. In part three, we discussed the Data Governance Act ('DGA'), in part four, we take a look at the DSA, and in part five, we will take a look at the proposal for a Regulation on laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain legal acts ('the AI Act').

Policy context

The Commission's DSA proposal stems from the recognition of the unprecedented role that digital services play in the lives of citizens and in the conduct of business, and the risks and challenges that accompany the same. In particular, core concerns that have been observed relate to the trade and exchange of illegal goods, services, and content online, and the misuse of manipulative algorithmic systems to amplify the spread of disinformation and other harmful content. It is in this perspective that the Commission introduced its proposal for the DSA, as part of its ambitious 'Europe fit for the Digital Age' strategy2, on account of the fact that current rules no longer remain adequate to ensure transparency and accountability for digital services3. More specifically, having the principles included within the e-Commerce Directive as a launch pad (and, importantly, without repealing the same), the DSA seeks to ensure the best conditions for the provision of digital services in the internal market, to contribute to online safety and the protection of fundamental rights, and to establish a sound governance structure for the effective supervision of providers of intermediary services. Against this backdrop, the DSA seeks to introduce a horizontal framework for all categories of content, products, services, and activities on online intermediary services.

Separately, it should be noted that the DSA goes hand in hand with another envisaged legislative development at EU level, namely the Proposal for a Regulation on Contestable and Fair Markets in the Digital Sector (Digital Markets Act) ('the DMA'). Once entered into force, the DMA and the DSA will create a single set of rules applicable across the EU. On the presentation of the two proposals, in December 2020, the Executive Vice-President for a Europe fit for the Digital Age, Margrethe Vestager, stated:

"The two proposals serve one purpose: to make sure that we, as users, have access to a wide choice of safe products and services online. And that businesses operating in Europe can freely and fairly compete online just as they do offline. This is one world. We should be able to do our shopping in a safe manner and trust the news we read. Because what is illegal offline is equally illegal online".

Notably, the DSA not only accompanies envisaged pieces of legislation at EU level but also complements existing ones, including the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). To illustrate, the text of the DSA, as presented by the Commission, clarifies that the measures concerning advertising on online platforms do not amend existing rules on consent and the right to object to the processing of personal data. Conversely, such measures impose transparency obligations towards users of online platforms, which will enable the same to exercise their rights as data subjects. In the section below, the interplay between key provisions of the DSA and the GDPR will be critically assessed.

Overview of key provisions

The DSA aims to tackle the abovementioned concerns by introducing a number of EU-wide harmonised responsibilities targeted at digital services that act as intermediaries in their role of connecting consumers with goods, services, and content. The following sections will analyse key provisions of the DSA, as laid down in the text of the provisional agreement on the DSA reached by the Parliament and the Council4.

Scope of application

Article 1a of the DSA delimits the DSA's scope of application, providing that the same shall apply to providers of intermediary services which are offered to recipients that have their place of establishment or are located in the EU, irrespective of the place of establishment of the providers of those services.

Nauwelaerts provides further clarification on the DSA's scope, noting both similarities and differences with that of the GDPR:

"Similar to the GDPR, the draft DSA has an extraterritorial scope of application, in the sense that it also applies to providers of intermediary services that 'offer services in the Union' even if they do not have a physical presence in the EU. In order to qualify as a provider that offers services in the Union, an IS provider must have a substantial connection to the EU. However, the criteria for assessing this connection are not aligned with the 'targeting' criterion in Article 3(2) GDPR, based on which the GDPR may apply to controllers/processors outside of the EU that are offering goods or services to individuals in the EU. As [intermediary services] providers will often qualify as processors for GDPR purposes, this lack of alignment could lead to divergent interpretations and legal uncertainty around the applicability of the DSA".

This begs the question: what is considered an 'intermediary service' under the DSA? As Article 2(f) of the DSA details, the term 'intermediary services' captures the following information society services:

  • a 'mere conduit' service, that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network;
  • a 'caching' service, that consists of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate, and temporary storage of that information, performed for the sole purpose of making the information's onward transmission to other recipients upon their request more efficient; and
  • a 'hosting' service that consists of the storage of information provided by, and at the request of, a recipient of the service.

Exemption from liability

While setting out a wide range of obligations, the DSA also dedicates a chapter to the conditions under which providers of intermediary services are exempted from liability. More specifically, Chapter II of the DSA sets forth the conditions under which providers of mere conduit (Article 3 of the DSA), caching (Article 4 of the DSA), and hosting services (Article 5 of the DSA) are not liable when transmitting and storing third-party information.

For example, hosting providers shall not be liable for the information stored at the request of a recipient of the service if the hosting provider (Article 5(1) of the DSA):

  • does not have actual knowledge of illegal activity or illegal content and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or illegal content is apparent; or
  • upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the illegal content.

On Article 5 of the DSA, Nauwelaerts notes that "the DSA exempts hosting service providers from liability for the information that they store at the request of their customers, if they 'expeditiously' remove or disable access to any illegal content that they have become aware of. If the hosted information includes personal data - which is most often the case - hosting providers are likely to be acting as processors on behalf of their customers (i.e. the controllers of the personal data). In that case, the hosting providers are supposed to handle the data on the instructions of their customer only, which typically does not allow them to remove or disable access to the customer’s data. Therefore, if they want to benefit from the liability exemption in the draft DSA, hosting providers will have to ensure that the ability to take down data is adequately reflected in their data processing agreement with customers".

Separately, Article 6 of the DSA outlines that providers of intermediary services may benefit from the exemption from liability when carrying out voluntary investigations or when taking the necessary measures to comply with the law. Additionally, Article 7 of the DSA establishes a general prohibition to impose on providers of intermediary services any obligation to monitor the information transmitted or stored, or to actively seek facts or circumstances indicating illegal activity.

Moreover, Nauwelaerts outlines the need to comply with the GDPR should intermediary services receive orders to act against illegal content, a possibility envisaged by Article 9 of the DSA:

"Under the draft DSA, [intermediary services] providers may receive orders (from judicial or administrative authorities) to act against illegal content that the providers have transmitted or stored. These orders may require [intermediary services] providers to a) provide information about one or more specific individual recipients of their service, and b) inform the authority that issued the order of its receipt and the effect given to the order. To the extent that the requested information includes personal data, providing the information to the authority will qualify as a processing activity, for which the [intermediary services] provider will likely be the controller".

Accordingly, Nauwelaerts notes that "[intermediary services] providers should be able to justify this processing by using one of the legal grounds in Article 6 GDPR, in particular the need to comply with legal obligations".

Due diligence obligations

At their core, the rules established by the DSA entail due diligence obligations, tailored to certain specific types of providers of intermediary services (Article 1(b) of the DSA). Such due diligence obligations, which are included in Chapter III of the DSA, vary based on the digital services provider's role, size, and impact in the online ecosystem.

In brief, the due diligence obligations stemming from Chapter III of the DSA are imposed on four categories of intermediary services, where each group includes the following ones, so that the obligations apply cumulatively5:

  • intermediary services offering network infrastructure, such as internet access providers and domain name registrars;
  • hosting services such as cloud and webhosting services;
  • online platforms bringing together sellers and consumers and social media platforms; and
  • very large online platforms and very large search engines, i.e. those platforms/search engines that reach, on average, at least 45 million recipients in the EU per month.

More specifically, Section 1 of Chapter III lays down the following obligations applicable to all providers of intermediary services:

  • The obligation to establish a single point of contact to facilitate direct communication with Member States' authorities, the Commission, and the European Board for Digital Services (Article 10 of the DSA).

    Nauwelaerts elaborates on the concept of 'points of contact' under the DSA as follows: "The draft DSA requires that all IS providers establish a single point of contact allowing for direct communication with EU Member States' authorities, the European Commission and the European Board for Digital Services. IS providers will have to publicise the information necessary to identify and communicate with their single points of contact, in at least one of the official languages of the EU Member State where the IS provider has its main establishment (or where its legal representative is located)".

    However, Nauwelaerts continues, "As the draft DSA does not define the term 'main establishment', presumably the legislator intended to reference to the main establishment concept that is used in the GDPR. However, it remains unclear how and where IS providers should designate a single point of contact if they have several presences in the EU but no main establishment, for instance, because their administrative operations or data processing decision-making is not centralized in one location. Those IS providers may be able to 'select' one of their EU establishments to act as the single point of contact for DSA purposes, but it would be useful if regulatory guidance could confirm this view".
  • The obligation to designate a legal representative in the EU for providers not established in any Member State, but offering their services therein (Article 11 of the DSA).

    Nauwelaerts explains, "If [intermediary services] providers do not have an establishment in the EU but offer services in the EU, they will have to designate a legal or natural person to act as their legal representative in one of the EU Member States where they offer their services. For [intermediary services] providers that qualify as a controller or processor under the GDPR, this requirement will often coincide with the GDPR obligation to appoint an EU representative. It will be important for providers to receive additional regulatory guidance on the interplay between the two roles. For instance, the draft DSA explicitly states that the designated legal representative can be held liable for non-compliance with obligations under the DSA, without prejudice to the liability and legal actions that could be initiated against the [intermediary services] provider. It is not clear whether this means that the legal representative can be held directly liable for the [intermediary services] provider's lack of compliance with DSA requirements. According to the European Data Protection Board ('EDPB'), the GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the EU. For the sake of legal certainty, it is hoped that the same applies to the legal representative for DSA purposes".     
  • The obligation to set out in their terms and conditions any restrictions that they may impose on the use of their services and to act responsibly in applying and enforcing those restrictions (Article 12 of the DSA).

    In relation to Article 12 of the DSA, Nauwelaerts notes that "The draft DSA allows [intermediary services] providers to impose restrictions on the use of their service in respect of the information that their customers provide. However, in that case customers must be informed by means of the [intermediary services] provider's terms and conditions (T&Cs), which will have to include information on any policies, procedures, measures, and tools used for the purpose of content moderation, including algorithmic decision-making, human review, and its internal complaint handling system".

    Notably, "Where content moderation involves processing of personal data," Nauwelaerts points out, "there will likely be an overlap between the information that the [intermediary services] provider is required to provide in its T&Cs and the information in its privacy notice (as mandated by the GDPR)".
  • The transparency reporting obligations in relation to the removal and the disabling of information considered to be illegal content or contrary to the providers' terms and conditions (Article 13 of the DSA).

Section 2 of Chapter III of the DSA lays down further obligations that apply, in addition to those under Section 1 outlined above, to all providers of hosting services, including providers of online platforms. Such obligations include:

  • The obligation to have in place mechanisms to allow third parties to notify the presence of alleged illegal content (Article 14 of the DSA).

    Critically assessing the notice and take down mechanism provided for under Article 14 of the DSA, Nauwelaerts comments that "Providers of hosting services will be required to implement a 'whistleblowing' tool, allowing individuals or legal entities to report what is presumed to be illegal content. To facilitate the reporting process and possible follow-up, the draft DSA appears to favor that hosting providers collect certain personal data from the whistleblower (including name and email address). From a data minimisation perspective, these personal data are arguably not needed and whistleblowers should therefore be provided with the option to submit their report anonymously. Not offering this option increases the risk that in particular individuals will shy away from reporting the presence of illegal content. This would defy the purposes for which the reporting mechanism was created".                    
  • The obligation to provide a statement of reasons to any affected recipient, if the hosting service decides to remove or disable access to specific information provided by the same, to suspend, terminate, or otherwise restrict monetary payments, to suspend or terminate the provision of the service, or to suspend or terminate the recipient's account (Article 15 of the DSA).
  • The obligation to inform competent enforcement authorities in the event they become aware of any information giving rise to a suspicion of serious criminal offences involving a threat to the life or safety of one or more persons (Article 15a of the DSA).

Moreover, Section 3 of Chapter III of the DSA establishes an additional set of obligations, which apply to all online platforms, in addition to the obligations applicable to all providers of intermediary services and to all providers of hosting services. However, online platforms that are micro or small enterprises6 are exempt, subject to some exceptions (Article 16 of the DSA).

Specifically, all providers of online platforms are obliged to, among others:

  • provide an internal complaint-handling system in respect of decisions taken by the provider upon the receipt of a notice or against the following decisions taken by the same, in relation to alleged illegal content or information incompatible with their terms and conditions (Article 17 of the DSA);
  • ensure that notices submitted by entities granted the status of trusted flaggers are treated with priority (Article 19 of the DSA); and
  • comply with transparency obligations in relation to advertising on online platforms (Article 24 of the DSA).

On this point, Nauwelaerts shares that:

"Online platforms will have to ensure that users of their services are provided with certain individualised information that is necessary to understand when and on whose behalf advertisement is presented, in addition to the method used for presenting the advertisement (e.g. contextual). This specific information requirement in the DSA will supplement relevant provisions in the GDPR, including on automated decision-making, profiling, and consent as a legal basis for targeted advertising. However, no consent-based approach will be possible for online advertisements based on profiling of a) minors' personal data, and b) special categories or 'sensitive' personal data (as defined in the GDPR). These types of online advertisements are banned under the draft DSA. The rationale for prohibiting advertising that is based on profiling of users’ sensitive data raises questions: the GDPR provides the possibility for individuals to (explicitly) consent to the processing of their sensitive personal data, and so it is not clear why individuals would need to be deprived of that possibility in this scenario. For purposes of enforcing the ban on advertising to minors, it is also uncertain how online platforms will be expected to verify and confirm minors’ status while respecting the data minimization principle in the GDPR".  

Separately, the version of the DSA as agreed by the Parliament and the Council incorporated an additional section under Chapter III of the DSA, namely Section 3a, dedicated to provisions applicable to providers of online platforms allowing consumers to conclude distance contracts with traders. Among other things, pursuant to Article 24c of the DSA, intermediary service providers shall be required to conduct due diligence on traders seeking to access their platforms.

"Where an online platform allows consumers to conclude distance contracts with traders, it will have to conduct a basic due diligence on the traders before allowing them access to online platform services," Nauwelaerts explains. "The online platform will be required to obtain specific information on the trader, which includes personal data such as name, address, a copy of identification documents, and bank account details of the trader (where the trader is an individual). The online platform will also be expected to verify that the provided information is reliable, using 'freely accessible' databases. If the online platform obtains indications that any information obtained from the trader is inaccurate or incomplete, the information must be corrected or completed. If the trader fails to correct or complete the information, the online platform will have to suspend the provision of its service to the trader until the request is complied with. Online platforms will have to make sure that the entire due diligence exercise is performed in accordance with the GDPR's principles relating to the processing of personal data".

Lastly, Section 4 of Chapter III of the DSA imposes additional responsibilities that target providers of very large online platforms and very large search engines. In particular, these must, among others:

  • Conduct risk assessments on the systemic risks brought about by or relating to the functioning and use of their services (Article 26 of the DSA).

    Commenting on the requirement to conduct risk assessments, Nauwelaerts clarifies that, "[The] DSA requires providers of Very Large Online Platforms (VLOPs) to carry out risk assessments - at least on a yearly basis - that are specific to their services and address a wide range of systematic risks, including any actual or foreseeable negative effects for the exercise of fundamental rights (e.g. the protection of personal data). Providers of VLOPs will need to consider how this requirement interacts with the obligation in the GDPR to conduct data protection impact assessments. The obligation to conduct a data protection impact assessment is incumbent on the controller, which in many cases will be the customer of the VLOPs provider. For these customers, it will therefore be important to know when and how they will be given access to the VLOPs provider's assessments under the DSA".
  • Take reasonable and effective measures aimed at mitigating those risks (Article 27 of the DSA).
  • Submit themselves to external and independent audits (Article 28 of the DSA).
  • Abide by specific obligations when using recommender systems (Article 29 of the DSA) or displaying online advertising on their online interface (Article 30 of the DSA).
  • Establish a compliance function to ensure compliance with the obligations laid down in the DSA (Article 32 of the DSA).
  • Comply with more stringent transparency reporting obligations (Article 33 of the DSA), with certain exceptions for very large search engines (Article 33a(1) of the DSA).

Enforcement and penalties

The oversight and enforcement mechanism laid down in the DSA presents a clear resemblance with the oversight structure of the GDPR.

Specifically, in consideration of the cross-border nature of the services in question and the horizontal range of obligations, the task of supervising the activities of providers of intermediary services and enforcing compliance with the DSA is primarily assigned to national authorities, identified as Digital Services Coordinators, to be established in each Member State (Article 38 of the DSA). Notably, the DSA outlines that Member States may choose to designate an existing national authority with the function of the Digital Services Coordinator, or with specific tasks to apply and enforce the DSA (Article 38(2) of the DSA). Digital Services Coordinators may receive complaints against providers of intermediary services for breaches of the DSA (Article 43 of the DSA) and have powers of investigation (Article 41 of the DSA).

In addition, the DSA would establish a new authority at EU level, namely the European Board for Digital Services, an independent advisory group of Digital Services Coordinators on the supervision of providers of intermediary services (Article 47 of the DSA).

Lastly, enhanced mechanisms would be introduced in relation to the supervision, investigation, enforcement, and monitoring of very large online platforms and very large online search engines (Article 50 of the DSA). It also provides the possibility for the Commission to intervene in case of persistent infringements of the DSA by very large online platforms and very large search engines (Article 51 of the DSA).

While the DSA seeks to establish harmonised, horizontal obligations, it would also leave Member States considerable room for manoeuvre in relation to penalties. In fact, under Article 42 of the DSA, Member States would be required to lay down the rules on penalties applicable to infringements of the DSA committed by providers of intermediary services under their jurisdiction. In any case, Member States shall ensure that the maximum amount of fines that may be imposed for a failure to comply with an obligation laid down in the DSA shall be 6% of the annual worldwide turnover, in the preceding financial year, of the provider of intermediary services concerned, reduced to 1% in case of minor infringements (Article 42(3) of the DSA).

Latest legislative developments and what's next

The next step in the journey towards the enactment of the DSA is the formal adoption of the text by the EU co-legislators. On 16 June 2022, the Parliament announced that its Internal Market Committee had endorsed the provisionally reached agreement on the DSA7. In addition, the Parliament confirmed that the DSA (and the DMA) are expected to be put to a final vote in Parliament in July, before they are formally adopted by the Council8.

In any event, once a formal agreement is achieved and the DSA is formally adopted, it is expected that the DSA will be published in the Official Journal of the EU and will enter into force 20 days after its publication. Subsequently, the DSA shall be directly applicable across the territory of the EU 15 months after its entry into force, or from 1 January 2024, whichever is later9.

Anna Baldin Privacy Analyst

Comments provided by:
Wim Nauwelaerts Partner
Alston & Bird LLP, Brussels


1. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020PC0825&from=en
2. See: https://ec.europa.eu/commission/presscorner/detail/en/ip_20_2347
3. See: https://digital-strategy.ec.europa.eu/en/faqs/digital-services-act-questions-and-answers
4. See: https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/IMCO/DV/2022/06-15/DSA_provisionalagreementAnnexe_EN.pdf
5. Available at: https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age/digital-services-act-ensuring-safe-and-accountable-online-environment_en#new-obligations
6. Within the meaning outlined in the Annex to Recommendation 2003/361/EC.
7. See: https://www.europarl.europa.eu/news/en/press-room/20220613IPR32814/internal-market-committee-endorses-agreement-on-digital-services-act
8. Ibid.
9. See: https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2545