Navigating the EU’s Digital Services Act (DSA): A Guide for US Companies
The way businesses connect with customers has changed a lot in the digital age, offering new opportunities but also presenting new risks. To address this evolving landscape, the European Union (EU) has introduced the Digital Services Act (DSA), a pioneering regulatory framework aimed at governing digital platforms and services while establishing new rules to regulate these service providers.
Although the DSA primarily focuses on EU Member States, its impact extends well beyond European borders, impacting companies globally, including those in the United States. This article explores the impact of the DSA on U.S. businesses and offers a step-by-step guide to assess its relevance for companies based in the U.S.
1. Understanding the DSA
The DSA aims to create a new regulatory structure for online service providers. It targets online “intermediary services providers” that facilitate the transmission or storage of third-party content for users. This category includes providers such as:
- Mere conduit services: these services essentially refer to the transmission of data between users without altering the content itself, and encompass services such as internet exchange points, wireless access points, virtual private networks (VPNs), and domain name system (DNS) services.
- Caching services: these services involve the temporary storage of data to facilitate quicker access and reduce server load, and include services such as content delivery networks (CDNs), reverse proxies, and content adaptation proxies.
- Hosting services: these are services that involve storing information provided by (and at the request of) a service recipient, including for example web hosting and cloud services.
- Online platform: this is a type of hosting service that stores and disseminates information to the public at the user’s request. Examples include social media platforms like Facebook and Twitter, and online marketplaces like Amazon and eBay.
- Online search engines: these are tools that help users search for information online. Popular search engines like Google and Bing index web content and provide users with relevant search results based on their queries.
2. Impact on US Companies
The DSA has an extraterritorial reach, which means that even if a company is not physically located within the EU, it must adhere to DSA rules if it offers services to individuals or businesses in the EU. This requirement applies as long as these companies, operating from outside the EU, have a “substantial connection” with the EU. Such a connection is established if the company:
- targets its activities towards one or more EU Member States; or
- has a significant number of users/recipients in one or more EU Member States;
When it comes to the number of users, the DSA doesn’t set a specific minimum or reference point to help companies gauge the significance of their user base. As a result, US-based companies must assess their business operations, market focus, and user base concerning the EU, preferably with the assistance of a legal expert. Factors to consider may include business activities, transaction volume, language, currency, the website domain and user demographics within the EU or a specific EU Member State.
3. DSA obligations
If your US-based business provides any of the services listed in section 1 to users, and has a “substantial connection” with the EU, as described in section 2, it’s likely that the DSA applies to your operations. The next step is to understand which specific rules and responsibilities are relevant to your business.
The DSA imposes certain obligations that are applicable to all types of intermediary services, regardless of their size. Here is an overview of these obligations:
- Point of contact. Establishing a single point of contact for communication with the supervisory authorities, as well as a single point of contact for communication with the recipients of the services. For more information on compliance with this obligation, check here.
- Legal representative. Establishing a legal representative in the EU (for providers of intermediary services which do not have an establishment in the EU). Also check here for more information on compliance.
- T&Cs. Publishing your T&Cs in an accessible and electronic format. This document should include provisions regarding your content moderation activities, clear details of your complaint procedures and a comprehensive description of the applicable terms and conditions for your service or product. Transparency is crucial under the DSA, and any significant changes must be communicated to users.
- Notice and takedown. Implementing a system for users to report illegal content. This includes notifying the person who submitted the report about the outcome after review, and informing the affected user about the action taken and the reason for it. Service providers should also promptly respond to orders issued by national judicial or administrative authorities, including takedown orders and requests for information about individual service recipients.
- Annual reports. Publishing reports on their content moderation on an annual basis. These reports should be readily available to the public and easily accessible in relation to the type of service being offered.
The DSA also establishes cumulative obligations for each type of intermediary services, structured as follows: (i) hosting services (encompassing all online platforms); (ii) online platforms (except for micro and small enterprises); (iii) online platforms that enable consumers to engage in distance contracts with traders (excluding micro and small enterprises); and (iv) very large online platforms and very large online search engines.
That means that in addition to the core requirements described above, there are additional rules that apply depending on the type of service your business provides. It’s worth noting that even if your business isn’t primarily an online platform or hosting service, but has some connection to these structures, the DSA might still apply. Services with a hybrid nature should be assessed separately by a legal expert. If you have questions, contact us for a free consultation.
The DSA will become fully enforceable for all affected online service providers starting from February 17, 2024. As a result, your business should take the necessary steps to assess your obligations and update your processes, registration, data collection, and systems before that deadline.
Conclusion
We have been working with US-based companies across industries for years. Our expertise involves establishing compliance capabilities to address new EU regulations that impact their operations, along with assisting in monitoring and implementing updates for continuous compliance. Leveraging this experience, we’ve developed a DSA pack to meet the needs of companies that must comply with the DSA. You can access more information about this pack here.
Feel free to get in touch with us for a 30-minute free consultation. We can discuss how the DSA changes might affect your business and how we can help you get ready for them.
| Image by macrovector on Freepik |
Read also