EU’s Digital Services Act Targets Big Tech, Could Have Impacts Far and Wide

“Starting to comply with the DSA will be a game changer in terms of how the platforms and the biggest search engines are structured and dealing with compliance, transparency, governance, reporting, independent audits.”

The European Commission cast its net over to the United States—and, more specifically, to Silicon Valley—when on April 25 it named 19 companies that will face additional, stricter requirements under the European Union’s (EU’s) Digital Services Act (DSA).

As a whole, the DSA, which passed in November 2022, targets providers offering network infrastructure to European users, including internet access providers, app stores, and social media platforms. But last month, the European Commission singled out 19 platforms that will fall into the “very large online platforms” (VLOPs) bucket, reserved for organizations that reach more than 45 million users in Europe. Among the well-known names on the list are Amazon Store, Bing, Facebook, Instagram, LinkedIn, Twitter, and YouTube.

While most of these online providers have likely expected the additional scrutiny from the EU, legal professionals noted that the stricter requirements will likely push the tech giants to transform how they’ve done business. And looking ahead, the high standards set by the DSA for the 19 platforms could ripple across the tech industry.

‘Less Time and More Obligations’

The DSA set broad-reaching regulation for the digital sector by requiring all providers offering their services to EU users to meet a set of obligations including transparency reporting, cooperation with national authorities, and a designated point of contact or legal representative.

But the platforms that fall into the VLOPs bucket will have additional requirements, including risk management obligations and crisis response, bans on targeted advertising to children, transparency of recommender systems, and giving users the choice not to have recommendations based on profiling.

Not only is the list of requirements for these companies longer, but the compliance turnaround is shorter. While the DSA will go into effect in February 2024, VLOPs will have to comply by August of this year.

“For them it means accelerated entry into effect of the DSA with specific obligations applicable to them,” said Dessislava Savova, Paris-based leader of Clifford Chance’s tech group. “So less time and more obligations.”

The nature of these obligations, Savova noted, is ultimately about the prevention and mitigation of risks, especially related to algorithms. “It goes with significantly increased obligations and requirements that will apply to these players. … They will be impacted in a very significant manner,” she said.

While the additional requirements will be burdensome, Thomas Nietsch, Berlin-based partner at K&L Gates, noted they are far from taking Big Tech by surprise. “They knew what was coming,” he said. “They had to deliver their up-front report about the user numbers in February this year to enable the EU Commission to find out who is actually one of these particularly regulated, very large online platforms or very large online search engines.”

However, whether these platforms will be ready to comply in time is unclear.

A ‘Game Changer’

Although the EU Commission singled out only 19 companies for additional regulatory requirements, it’s clear that the impact of these requirements will reverberate beyond that cohort.

“Starting to comply with the DSA will be a game changer in terms of how the platforms and the biggest search engines are structured and dealing with compliance, transparency, governance, reporting, independent audits,” Savova said. What’s more, Savova expects the impact of the DSA to ripple across the tech market as other providers look to tech giants’ practices as an example.

“Because of these rules being applicable to the biggest, most important global players as a matter of law, it is likely that, actually, this will impact over the years the standards that players apply in their activities, even when they are not covered by the category of VLOPs.”

Similarly, as happened following the GDPR, Savova said, the DSA could likely influence other regulators’ approach to setting rules for the digital sector. “Even if these regulators are not totally aligned with the European regulation, they will need to respond and to put in place their own rules and vision,” she said. “And we saw that with other regulations. … Clearly this will change the market more generally.”

The list of VLOPs is far from being set in stone. As other tech companies’ reach expands—as seen with OpenAI’s ChatGPT—they could quickly become the target of these additional compliance requirements.

Attorneys told Treasury & Risk sister site Law.com that this approach allows the law to be more dynamic and flexible than prior attempts at regulating the internet.

“They at least try to cover as much as possible here. Whether all these categories we have here now will suffice is hard to say,” Nietsch said. “ChatGPT is a great example. … Although this act is quite new, I’m pretty sure that no one has thought about this. … We will see over time how we have to deal with that. And that’s why it’s important to draft our laws in a way that they are not static, but that we may have influence on how it develops and who is covered by what.”



From: Corporate Counsel