EU Digital Services Act and implications for UK-based MSMEs

The average data consumption by UK consumers is projected to skyrocket to 98.34 GB by 2025, marking a staggering increase from a mere 1.26 GB in 2021. 

Driven by this surge in data usage, the increasing reliance on digital platforms highlights data's crucial role in shaping new technologies, services, and economic models. This evolving digital landscape underscores the need for regulatory measures to protect users and ensure fair competition, particularly for small businesses and startups.

The European Union's response to these challenges is the Digital Services Act (DSA), a part of its broader Digital Strategy, which includes the Digital Market Act and the EU AI Act. These regulations share a focus on transparency and accountability. 

This article will explore the DSA's key aspects and strategies UK-based Micro, Small, and Medium Enterprises (MSMEs) should adopt, emphasising the importance of regulatory compliance in the digital era.

Digital Services Act (DSA)
The DSA aims to harmonise and streamline the regulatory landscape around online services platforms across EU member states.

For users of such platforms, it intends to safeguard them from illegal goods, content, or services.

For businesses, it intends to foster innovation, growth, and competitiveness, facilitating the scaling up of smaller platforms, SMEs, and start-ups.

Scope of the DSA

The DSA applies to all businesses providing online intermediary services in the EU single market. Entities are categorised into tiers based on size and function, with very large platforms (VLOPs) and search engines (VLOSEs) facing the most stringent requirements. However, small and micro-enterprises are exempt from some obligations but must still comply with many.

Classification of businesses under the DSA

The Act categories Online intermediary businesses into the following categories:

• Mere Conduit: Service providers that simply transmit information over a network without actively modifying the content. For example ISP, and telecommunication networks.

• Intermediary: Services that temporarily store information to make transmission more efficient. For example: content delivery networks (CDNs), reverse proxies, and content adaptation proxies

• Hosting Service: Services that store information on behalf of and at the request of a user. For example: cloud computing and web hosting, services enable online content sharing. These also include online platforms.

• Online Platforms: Hosting service that at users’ request stores and disseminates information to the public. For example: Social Media Networks, Online Marketplaces, and Content-Sharing Platforms.

• Online Search Engine: Services that allow users to input their queries and present results based on the context.

Obligations on Online Intermediaries under the DSA

Obligations under the DSA can differ based on the size of the platform or the nature of the services provided. However, there are key obligations that apply universally to all platforms, which are outlined, in brief, as follows:

• Point of contact:

• A designated point of contact for regulators, and another for recipients of service.

• EU representative:

• Businesses outside the EU must appoint an EU legal representative in a member state where they operate.

• Terms and Conditions:

• Clear and concise, including: Content moderation details; Algorithm and human review use; Complaint system; Accessible, machine-readable format; Notification of changes; Child-friendly service terms; Service termination rights information.

• Transparency: Publish a detailed content moderation report at least annually

  Notice and Action: Mechanism to facilitate notifications of illegal content

  Statement of reasons: Notify users when their content triggers a restrictive action due to illegality or term violations.

  Notification of suspicions of criminal offences: To law enforcement for life/safety-threatening suspicions, for hosting services and online platforms.

Obligations are exclusive to the Online Platforms: 

• Establish a free, online complaint system.

• Provide out-of-court dispute resolution.

• Protect against service misuse.

• Ban deceptive online designs.

• Make ads clear and disclose advertiser info.

• Detail and allow changes to recommender system settings.

• Forbid profile-based ads to minors.

Online platforms (except micro and small enterprises) that facilitate contracts between customers and distant traders must:

• Conduct KYC procedures.

• Due diligence on products/services offered.

• Delete facilitation-related information after 6 months.

• Not disclose information to third parties, unless legally required.

• Design interfaces for traders to ensure compliance with specific rules and laws.

• Inform consumers about illegal products/services discovered on their platform.

Additionally, very large online platforms and search engines (VLOPs and VLOSEs), like Google, Facebook, and Amazon, face more extensive obligations.

• Penalties for non-compliance or violation 

• Maximum Fine: Up to 6% of the previous year's global turnover for DSA violations, exceeding GDPR fines.

• Misinformation Penalty: Fines up to 1% of annual income or global turnover for incorrect or misleading information, or non-compliance.

• Daily Penalty: Ongoing violations can lead to daily fines of up to 5% of the previous year's average daily global turnover.

Tips and Strategies for UK-Based MSMEs Navigating the DSA

For UK-based online platforms operating within the EU, navigating the compliance landscape is crucial for seamless operations and growth. While some of these strategies may not apply directly to micro or small-sized enterprises, adhering to all obligations from the outset can significantly reduce regulatory hassles as your business scales. The following steps are recommended for UK MSMEs seeking to comply with the DSA:

1. Understand Your Classification:  Determine if you are a mere conduit, intermediary, hosting service, online platform, or search engine to understand specific DSA obligations.

2. Appoint an EU Representative: Appoint a legal representative within one of its member states, similar to GDPR requirements.

3. Update Terms & Conditions: Make your terms clear, concise, and accessible, detailing your content moderation policies and complaint-handling processes.

4. Establish Notice and Action Mechanism: Create a system for users to report illegal content, especially crucial for hosting services and platforms.

5. Annual Transparency Reports: Publish content moderation reports yearly to demonstrate transparency and commitment to ethical operations.

6. Implement Complaint-Handling Systems: Online platforms should have accessible, free internal mechanisms for handling user complaints.

7. Conduct KYC and Due Diligence: For platforms facilitating contracts between customers and traders, ensure robust KYC processes and due diligence on offered products/services.

8. Prevent Misuse and Deceptive Practices: Introduce measures against service misuse and deceptive design practices.

9. Adjust Advertising Practices: Clearly identify and label advertisements; avoid profiling minors. 

10. Educate Your Team: Ensure your staff is well-informed about DSA requirements through regular training.

11. Stay Updated on Regulations: Keep abreast of changes in the DSA and related EU regulations to ensure compliance.

12. Use Compliance as a Competitive Edge: Highlight your compliance efforts in marketing and customer engagement to build trust and differentiate your business.

13. Review and Refine Processes: Continuously evaluate your operational and compliance frameworks to align with DSA requirements and mitigate risks.

By following these strategies, UK-based businesses can navigate the challenges posed by the DSA while seizing opportunities for growth and innovation in the EU's digital single market.

Moving Forward

There’s a lot to digest with the ‘soup’ of data regulations coming out of the EU right now, which includes the DSA. Boiling it down to three areas, we recommend that impacted UK companies act now to:

1. Implement- Clear T&C’s, transparent policies on content moderation and user engagement, and regular reporting to ensure transparency and accountability.

2. Establish- Accessible mechanisms for user complaints, ensuring users can easily report issues and seek redress.

3. Conduct- Regular risk assessments to identify potential threats and implement effective measures to mitigate these risks, staying informed about regulatory changes and updates.

Trace help global companies navigate global data regulations and implement practical steps for a risk-based and pragmatic approach to compliance with the relevant laws and frameworks. Looking for support with data governance and applied Privacy by Design for your company?

Book your free consultancy call now.

This article was authored by Ritesh Katal, CIPP/E. This article is should not be taken as legal advice.