Stanford CIS

What Does the DSA Say?

By Daphne Keller on

People keep asking me what the EU’s new Digital Services Act (DSA) says. So far, I have not found overview materials that seem like the right match for people unfamiliar with the EU legal and policy landscape. So here is my own very quick and dirty rundown.

This is not legal advice and it probably has some inaccuracy in the details. That’s both because some final points are not publicly known yet, and because I wrote this quickly and could have made mistakes. I will update it if corrections come in. I also did not try to summarize the DSA articles that are primarily about allocation of EU institutional power and enforcement capabilities.

What is the DSA?

The DSA is a once in a generation overhaul of EU law governing intermediaries’ handling of user content. It builds on the pre-existing eCommerce Directive from 2000, and preserves key ideas and legal structures from that law. The closest U.S. law analog is the DMCA. All three laws (DMCA, DSA, and eCommerce Directive) specify categories of immunized intermediaries, with immunities that may be lost if intermediaries learn about illegal content and do not act to remove it. (The devils in the details are legion, of course.) Unlike the earlier EU law, the DSA unifies many rules at an EU-wide level, with an EU-level regulator. Individual EU countries will continue to have their own speech laws (like what constitutes defamation), and national courts will surely reach different interpretations of the DSA. Still, platform obligations should generally become more consistent.

Europe has had knowledge-based platform liability for illegal content for decades. Don’t let anyone tell you that this aspect of the DSA is new. As a result, platforms operating in the EU typically operate notice and takedown systems roughly like the DMCA’s for illegal content of all varieties. The DSA takes this pre-existing model and supercharges it. It adds a LOT of new process and regulatory rules, and also adds substantial new rules for platforms’ voluntary enforcement of their own Community Guidelines or Terms of Service (TOS) for user content.

For companies that handle user content, the DSA is something like the GDPR. It adds new compliance and process rules that will need new staffing, new internal tools, new external user interfaces, and new formal legal interactions in Europe. For Internet users, researchers, and platform critics, the DSA creates a range of new legal protections and tools for understanding or shaping platform behavior.

Where does the DSA stand procedurally?

A final draft was announced this week, but we don’t yet have a public copy. This final version is the product of a “trilogue” reconciliation process, ironing out differences between earlier Commission, Council, and Parliament drafts of the law. Those earlier versions were largely similar in the big picture and in most of the smaller points, so for those wanting more detail this earlier draft is a decent source. (It’s also formatted for easy navigation using Google Docs’ left nav bar.) For those who want more recent language, the best sources are the leaked “four column drafts” from the trilogues. Those are harder to obtain and can be painful for even dedicated wonks to follow, though.

What the DSA Says

The DSA applies to numerous Internet intermediary services. It provides both immunities and obligations. Many of its specific rules apply only to services in specific categories (access, caching, hosting, and marketplace providers, for example). A last minute compromise brought search engines into scope, but largely left it to future courts to ascertain when search engines fit under one of the DSA’s enumerated categories, and thus what rules apply.

Much like the GDPR, the DSA asserts significant jurisdiction over companies based outside the EU. It reaches services “directed” to EU Member States. (Art 2) It allows enforcers to assess extremely steep fines, in principle reaching up to 6% of annual revenue. (In practice, I wouldn’t expect fines of that magnitude absent serious platform intransigence.) It also sets up major new regulatory powers within the European Commission, many details of which will be hashed out later.

The DSA will come into force January 1, 2024 for most companies, but apparently could start sooner for the very largest ones – the “Very Large Online Platforms” or VLOPs, which have at least 45 million monthly active users in the EU. The specific obligations vary based on the company size and the kinds of service it offers. An RA and I tried to capture this in a chart here. I have not seen an estimate of the number of total entities regulated under the DSA, but my guess is it may run into the hundreds of thousands. That’s a very rough estimate, extrapolating from the number of entities that historically registered for DMCA protection in the US, and from the UK government’s estimate that its own DSA-esque law will cover some 24,000 entities.

The DSA’s provisions fall into two general buckets: (1) prescriptive compliance obligations for most intermediaries, and (2) major new regulatory mechanisms for the VLOPs.

Prescriptive Compliance Obligations for Most Intermediaries

A lot of the DSA spells out specific operational obligations, mostly related to content moderation. These rules make it relatively clear what platforms are supposed to do, but they will require significant time and effort for smaller entities to hire, train, devise new UIs, and so forth to come into compliance. The obligations vary somewhat by size and function, and in some cases platforms are exempted if they have fewer than 50 employees and under EUR 10 million annual turnover. Medium-sized enterprises, defined as having up to 250 employees and EUR 50 million turnover, will have all of these obligations, but apparently will have extra time to come into compliance.

Obligations that relate to the DSA’s core concern with content moderation include:

The DSA also speaks to some ongoing tensions in intermediary liability law by reiterating the EU’s longstanding (but evolving) prohibition on “general” monitoring obligations, and specifying that platforms’ voluntary efforts to find and remove illegal content should not cause them to lose immunity. (Art 6 and 7)

A few of the DSA’s new obligations, including some added later in the legislative process, are less directly tied to content moderation. Some of these are less clearly prescriptive, and will likely require more legal judgment calls in interpretation.

Major new regulatory mechanisms for the biggest platforms

The biggest “VLOP” platforms have additional obligations. These are in many cases less prescriptive, and more about creating institutional governance systems to handle evolving risks. VLOPs include any platform with over 45 million monthly active users in the EU. I think that’s maybe a couple dozen platforms, the top few of which are much, much bigger than the rest. As I recall, the EU’s initial Impact Assessment document had a list of expected VLOPs (if people want to check). The list will likely have lengthened since then owing to expansive user-count methodology in later DSA drafts.

VLOPs are responsible for:

Some of these obligations were extended to “Very Large Search Engines” late in the DSA process, but I am not yet sure which ones.

Conclusion

The DSA is a massively important new law, on par with the GDPR and DMA. Usually, I would expect to see multiple summaries of this sort freely available by now, mostly from law firms in search of clients. Presumably now that I’ve spent the afternoon writing this up, those will finally appear. I hope this is useful in the meantime!

Published in: Blog