The European Union’s Digital Services Act: In Force from This Saturday, February 17, 2024, Including for U.S. Intermediaries (Guest Blog Post)

by guest blogger Prof. Marketa Trimble

[Eric’s introductory note: I briefly addressed the DSA in this blog post, along with the attached meme. Otherwise, I generally try to avoid the DSA because it is so long, complicated, and mind-bending. To move us a little closer to understanding the DSA, Prof. Trimble provides this guest post.]

* * *

The European Union’s Digital Services Act (“DSA”), a significant legislative act of 93 articles and 156 recitals, will become fully effective from this Saturday, February 17, 2024. The DSA promises to change the internet inside the EU, and likely create spillover effects outside the EU.

Together with other recent EU legislation—particularly the 2022 Digital Markets Act, effective for the most part since May 2023, and Article 17 of the 2019 Digital Single Market Directive, recently implemented by the EU member states—the DSA is designed to govern intermediaries’ activities in the EU and reflects the EU’s current perception of the intermediary landscape, which has evolved significantly since the EU’s initial legislation on intermediaries in the early 2000s.

The DSA sets EU-wide rules for the “conditional exemption” of intermediaries from liability (including a “notice and action” mechanism), while also imposing on intermediaries certain due diligence obligations that reflect the evolution in technology and business models since the EU legislation of the early 2000s. Concerns about insufficient transparency, the non-traceability of online traders, automated machine-based decision-making, content tailoring, and the excessive power of large intermediaries permeate the DSA and have significantly shaped its provisions. The DSA introduces new actors: Each EU member state must designate a Digital Services Coordinator (among its other responsibilities, the Coordinators will award the status of “trusted flagger”), and the DSA establishes the European Board for Digital Services as “an independent advisory group of Digital Services Coordinators.”

The DSA will require much agency and court interpretation to give legal certainty to intermediaries and the recipients of their services. DSA Article 25 is a good example of a provision in need of interpretation and guidance; it requires providers of online platforms “not [to] design, organise or operate their online interfaces in a way that deceives or manipulates the recipients of their service or in a way that otherwise materially distorts or impairs the ability of the recipients of their service to make free and informed decisions.” The DSA foresees the possibility that the Commission will issue guidelines to clarify the application of Article 25, but it does not require the Commission to do so. The application of some DSA provisions will likely be tested with respect to their compliance with the EU Charter of Fundamental Rights, such as the “crisis response mechanism” under DSA Article 36.

Parts of the DSA have already been in operation; for example, the European Commission has begun to designate “Very Large Online Platforms” (VLOPs) and “Very Large Online Search Engines” (VLOSEs)—entities for which the DSA sets stricter rules in addition to the base rules that all intermediaries and platforms must follow. The designations depend on the number of average monthly active recipients of the intermediary service in the EU; the threshold is set at 45 million, which is currently 10% of the population of the EU. [Eric’s note: for a critique of size-based Internet regulations, see this piece.] A DSA recital justifies the special VLOP and VLOSE rules because of these entities’ capacity to “cause societal risks, different in scope and impact from those caused by smaller platforms.” The current VLOP and VLOSE list reveals the reach of these enhanced rules; the list includes platforms and search engines such as Amazon Store, App Store, LinkedIn, Facebook, Instagram, Pinterest, Snapchat, X, and Google Search, Google Play, Google Maps, Google Shopping, and YouTube. Alibaba, TikTok, and Booking.com are also among the listed platforms and search engines.

Whether the EU legislation on intermediaries is an avant-garde, progressive innovation that leaves behind the outdated U.S. sections 230 and 512 is, understandably, subject to debate. Because it applies to all intermediaries that offer their services to recipients established or located in the EU, the DSA will affect U.S. intermediaries servicing the EU market, an application that suggests that, as has been the case with the EU General Data Protection Regulation (“GDPR”), some spillover from the EU legislation will be felt in the U.S. As the GDPR has shown, such spillover can result in U.S. intermediaries being targeted by EU enforcement actions and in U.S. intermediaries adjusting their operations pursuant to the EU legislation, including inside the U.S. Spillover may also result in U.S. legislators looking at the EU legislation for thoughts about their own legislative actions in the U.S.; the California Consumer Privacy Act is a prime example of GDPR spillover. For better or for worse, some of the proposals concerning section 230 already show features of the EU’s DSA approach, and with the DSA coming into effect, identifying the features worth emulating or avoiding should be easier.