The Digital Services Act
The Digital Services Act (DSA) is part of a legislative package governing digital services in the European Union (EU). The term ‘digital service’ is quite broad and covers a range of online services such as websites, online platforms, and infrastructure services; including online marketplaces, social media, cloud services, content sharing-platforms, search engines, app stores, etc. The legislative initiative aims to foster safety and openness in the digital space by promoting the fundamental rights of all users and levelling the playing field to stimulate innovation, growth, and competitiveness. The package responds to the need to address the consequences and concerns resulting from the expanding development of digital services in the EU; including issues such as the exchange of illegal goods, services, and content online, as well as the spread of disinformation and the ever-growing market position of very large online platforms.
Following the adoption of the DSA in the first reading by the European Parliament, it still has to be adopted by the Council of the European Union. After its adoption by the Council and publication in the Official Journal, it will be directly applicable in the EU fifteen months after its entry into force or from 1 January 2024, whichever date comes later. The DSA establishes a harmonized horizontal framework for accountability and transparency for providers of intermediary services according to their role, size, and impact in the online sphere. It complements sector-specific legislation such as the Audiovisual Media Services Directive and the Directive on Copyright in the Digital Single Market and does not replace the existing e-Commerce Directive and Platform-to-Business Regulation, but rather incorporates the existing rules exempting online intermediaries from liability under specific conditions.
Scope of application
The DSA applies to all providers of intermediary services that offer their services to recipients in the EU. Consequently, all recipients of intermediary services that have their place of establishment or residence in the EU will benefit from the DSA, irrespective of the place of establishment of the providers of those intermediary services. The DSA, like the e-Commerce Directive, also specifies which services fall under its scope by categorizing intermediary services into three groups (Article 2, (f)):
- mere conduit services: consist of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network including technical auxiliary functional services;
- cashing services: consist of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, performed for the sole purpose of making more efficient the information's onward transmission to other recipients upon their request;
- hosting services: consist of the storage of information provided by, and at the request of, a recipient of the service.
In addition to the aforementioned categories of intermediary services, for which the DSA establishes a set of general responsibilities and obligations, it also lays down additional obligations for a specific subcategory of hosting services: online platforms. Online platforms (e.g., online marketplaces, apps stores, social media, content sharing websites, collaborative economy platforms, etc.) are hosting services that do not merely store information at the request of a recipient of the service, but also disseminates that information to the public (Article 2, (h)). This dissemination to the public means that the online platform makes available information, at the request of the recipient of the service who provided the information, to a potentially unlimited number of third parties.
Lastly, the DSA recognizes the existence of very large online platform (VLOP) services that have a widespread impact on society and pose particular risks in the dissemination of illegal content and societal harms, especially considering their influence on public discourse and online behaviour. An online platform qualifies as a VLOP if that platform has 45 million or more average monthly recipients in the EU (10% or more of the total EU consumers) for at least four consecutive months. The qualification as a VLOP incurs additional stringent obligations to manage systemic risks.
The DSA establishes a set of layered and asymmetric obligations regarding the due diligence of service providers and the transparency and safety of the online environment. The DSA distinguishes four types of actors with cumulative layered obligations: intermediary services, hosting services, online platforms, and VLOPs.
As an online marketplace for personal data, which constitutes a digital service, the DSA is potentially relevant for the KRAKEN project. Taking into account its scope of application and accompanying categorization of intermediary services, it seems that the KRAKEN platform does not qualify as a mere conduit or cashing service, but rather as a hosting service. Despite the fact that the KRAKEN platform does not directly store any data products, it does facilitate the coming together of data providers and data consumers, as well as the transaction and transfer of a data product between them. Similar to other online marketplaces that do not directly store goods or products, the KRAKEN platform allows its users to publish information on products in order to connect with potential consumers. Furthermore, the KRAKEN platform would subsequently qualify as an online platform. Considering that the KRAKEN platform disseminates information to the public at the request of a recipient, which is an important feature, it satisfies the definition of an online platform. This reasoning is not only in line with the spirit of the DSA but is also confirmed by the EC which has explicitly stated that online marketplaces qualify as online platforms (and by extension as hosting services). Consequently, the KRAKEN platform will have to respect the layered obligations laid down in the DSA.
Firstly, it is important to note that the KRAKEN platform would benefit from the liability exemption for hosting services laid down in Article 5 of the DSA. As a result, the KRAKEN platform would not be liable for the information stored at the request of a recipient on the condition that the KRAKEN platform (a) does not have actual knowledge of illegal activity or illegal content and is not aware of facts or circumstances from which the illegal activity or illegal content is apparent; or (b) upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the illegal content. This knowledge or awareness could be obtained through a notice from a third party or by conducting voluntary own-initiative investigations, which would mean that the KRAKEN platform has to take action against the illegal content. Moreover, the KRAKEN platform cannot be obliged to generally monitor the information which it transmits or stores, nor to actively seek facts indicating illegal activity or for monitoring the behaviour of natural persons. It must also be noted that the KRAKEN platform does not store any content data (i.e. data products) of recipients, but rather stores information about that content data provided by those recipients. Consequently, the KRAKEN platform can only remove or disable access to the information about alleged illegal content data.
Secondly, following the layered approach, as (1) an intermediary service, (2) a hosting service, and (3) an online platform, the KRAKEN platform would fall under three cumulative layers of obligations. The fourth layer, which applies to VLOPs, does not apply to the KRAKEN platform due to the threshold of 45 million average monthly recipients in the EU for at least four consecutive months. However, the DSA also acknowledges that some of the abovementioned obligations are too burdensome for micro and small enterprises. Depending on its final adoption and exploitation, if the KRAKEN platform meets the threshold for the qualification as a micro or small enterprise, the obligation to publish an annual report on content moderation activities and all obligations applicable to online platforms would not apply.
To conclude, the DSA sets out a range of cumulative layered obligations for providers of intermediary services. The exact range of applicable obligations would therefore depend on the final adoption of the KRAKEN platform and its accompanying qualification under the DSA.