On October 4, 2022, the EU adopted the Digital Services Act (“DSA”), which imposes new rules on providers of intermediary services (e.g., cloud services, file-sharing services, search engines, social networks and online marketplaces).  The DSA will enter into force on November 16, 2022 — although it will only fully apply as of February 17, 2024. 

As we reported in July, the DSA requires that certain intermediaries of content, goods and services:

  • implement notice-and-action mechanisms, establish internal complaint-handling systems, reply to information requests by law enforcement authorities, and comply with law enforcement orders to act against illegal content — all building on the existing requirements under the EU eCommerce Directive;
  • ensure the traceability of traders offering goods or services on online marketplaces; and
  • comply with detailed transparency and accountability obligations, including:
    • describe in terms and conditions the restrictions imposed in relation to the use of the service concerning user generated content;
    • provide recipients of the services with a concise and easily accessible summary of the terms and conditions in machine-readable format;
    • inform the recipients of the service of any significant change made to the terms and conditions;
    • where services are directed at minors or predominantly used by them, explain the conditions for and restrictions on the use of the services in a manner that is easily understood;
    • identify online advertising as such, and identify the advertiser and sponsor; and
    • provide information on the main parameters used in recommender systems, as well as options recipients have to modify or influence the parameters.

Moreover, the DSA imposes a ban on so-called dark patterns and online advertising activities targeting minors, or those based on sensitive personal data.

The strictest set of obligations are directed at providers of “very large online platforms” and “very large online search engines”, i.e., those reaching an average of 45 million or more monthly active users in the EU, and designated as such by the Commission.  Specific obligations for such organizations include:

  • publishing their terms and conditions in the official languages of all Member States in which they offer their services;
  • conducting annual assessments of “systemic risks” stemming from the design, functioning and use of their services, including algorithmic systems, in the EU;
  • conducting independent audits each year;
  • granting authorities access to data, upon request, for the purposes of monitoring and assessing compliance with the DSA, and explaining the design, logic, functioning and testing of algorithmic systems;
  • establishing an independent compliance function to ensure compliance that reports to senior management;
  • paying an annual supervisory fee to the Commission for the costs associated with its oversight; and
  • complying with certain actions required by the Commission in crisis scenarios, where activities relating to the platforms or search engines give rise to a serious threat to public security or public health.

Providers of “very large online platforms” and “very large online search engines” will be subject to these obligations four months after the European Commission designates them as such.

* * *

The Covington team is advising many clients on how to prepare for complying with the DSA and other legislative proposals affecting technology companies. Please reach out to a member of the team if you have any questions.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Photo of Shona O'Donovan Shona O'Donovan

Advising clients on a broad range of data protection, e-privacy and online content issues under EU, Irish, and UK law, Shóna O’Donovan works with her clients on technology regulatory and policy issues.
With multi-jurisdictional and in-house experience, Shóna advises global companies on complying…

Advising clients on a broad range of data protection, e-privacy and online content issues under EU, Irish, and UK law, Shóna O’Donovan works with her clients on technology regulatory and policy issues.
With multi-jurisdictional and in-house experience, Shóna advises global companies on complying with data protection laws in the EU. In particular, she represents organizations in regulatory investigations and inquiries, advises on children’s privacy issues and provides strategic advice on incident response. Shóna also advises clients on policy developments in online content and online safety.

In her current role, Shóna has gained experience on secondment to the data protection team of a global technology company. In a previous role, she spent seven months on secondment to the European data protection team of a global social media company.

Shóna’s recent pro bono work includes providing data protection advice to the International Aids Vaccine Initiative and a UK charity helping people with dementia, and working with an organization specializing in providing advice to states involved in conflict on documenting human rights abuses.