UPDATED 10:23 EDT / AUGUST 18 2023

SECURITY

Doing business in Europe? Time to focus on its new Digital Services Act – now

The European Commission enacted its Digital Services Act last November as another step in its efforts to regulate online services and platforms. Most of these regulations take effect next February, but some will require many European businesses — and others that have customers on the continent — to meet the first deadlines next week.

Once again, Europe is moving further ahead of the U.S. in terms of privacy protection and forcing online businesses to be more transparent. This began with the General Data Protection Regulation five years ago and continues with the implementation of the DSA.

Almost all of the new provisions of the DSA have no U.S. federal equivalent, and they far exceed the strictures in those few states that have enacted their own privacy laws. But U.S. companies will need to adhere to the DSA provisions if they do business in Europe.

The DSA makes modifications to a decades-old eCommerce Directive and tries to bring the laws of EU member nations into a coherent and unified approach, especially how online businesses handle illegally posted content, disinformation and online ads. “Businesses will use new simple and effective mechanisms for flagging illegal content and goods that infringe their rights, including intellectual property rights, or compete on an unfair level,” according to the EU directives issued last year.

These rules include new mechanisms to enforce “know your customer” methods. The EU has this fact sheet for businesses that’s worth studying for more specifics. “Tech platforms will have to respond to the DSA regulations,” says privacy specialist Tom Kemp. “I don’t see anything happening in the U.S., nor with any new federal privacy laws enacted.”

One of the more notable provisions is that noncompliance could result in substantial fines of up to 6% of a company’s global annual revenue.

Baskets of regulation

There are two basic groups of companies according to the regulations, split between very large vendors, which are singled out for special treatment, and remaining online e-commerce businesses. This latter group is split among three different categories: hosting providers, “intermediary services” that provide mostly domain registration and internet access, and remaining e-commerce businesses.

Each group has a different basket of regulations to comply with, and this webpage has a helpful chart that lays out the differences, with a portion shown in the accompanying screenshot. For example, hosting providers have special regulations for reporting criminal complaints.

The European Commission earlier this year announced the names of 19 of the internet’s largest social media platforms and search engines and other online properties. This group will need to satisfy more stringent due-diligence requirements such as mandatory regularly scheduled risk assessments, the first of which is due next week. They’re singled out because “they pose particular risks in the dissemination of illegal content and societal harms,” according to EU documentation.

Some of these large providers are familiar to most readers, such as Alibaba’s AliExpress, various Meta Platforms Inc. divisions (Facebook, Instagram), Snapchat, various Google properties (Play, Maps, Shopping, YouTube and search), Microsoft (Bing and LinkedIn), the Apple AppStore, Amazon, X.com/Twitter, Wikipedia and TikTok. But there are also a few entries that may be less well-known, such as Booking.com, a travel booking service, and Zalando.com, a fashion e-commerce site only available in Europe.

These large entities have been put on notice to provide better opt-out information for users, along with ways for users to report illegal content and do a better job explaining their terms and conditions, along with improved protection of minors in terms of privacy and safety. Any ads targeted at minors will be subject to sanctions too. In an article this summer in TechCrunch, Natasha Lomas wrote the platforms must “be proactive about analyzing and reporting potential issues related to the operation of technologies like content ranking tools and recommender systems.”

No cakewalk

One of the first signs that the DSA isn’t going to be a cakewalk is Twitter’s announcement in June that it won’t abide by the EU’s voluntary disinformation codes of conduct. Lomas said Twitter may have painted a target on its back, but how that resolves legally is still an open issue.

Most of Twitter’s content moderation staff, as was the case with other major tech firms, was laid off in the past year, and disinformation has flourished. The DSA intended to make these voluntary codes mandatory, at least according to this independent analysis, which pointed out, “DSA codes could establish stronger accountability mechanisms, with real consequences for noncompliance.” That remains to be seen, of course.

Being based on the existing eCommerce Directive means a different liability scheme when European law is compared with U.S. laws. Here we have the infamous Section 230 of the Digital Millennium Copyright Act, which absolves any online platform from any responsibility for the content posted on their sites.

In Europe, liability is incurred only when a platform or provider becomes aware of any illegality and hasn’t removed the offending content. That provision still applies for the DSA, but it places more emphasis on the process of content reporting and removal, such as how consumers notify the providers. One consequence is that providers will have to act more quickly in these circumstances.

Another consequence is that DSA should result in more transparency on how the biggest online platforms operate, or so the regulators hope. One area of focus will be the algorithms behind how social media platforms consume content and make recommendations.

Think of this as performing algorithmic audits, or comparing the public relations privacy promises with what these platforms are actually doing. Before the massive tech layoffs this past year, there were a number of teams working in this area for the biggest tech firms. Some of these folks, such as Rumman Chowdhury and Jutta Williams of Humane Intelligence, have gone on to establish their own independent consultancies, and are working with the EU to help put these audits into practice.

To that point, the act created a new political entity called the European Center for Algorithmic Transparency. Based in Seville, Spain, it has begun operations and will be the coordinator of any complaints and legal actions in this area.

At the group’s launch event this past spring, it announced four initial projects, including investigating racially biased search results and social media recommendations systems.

The agency is colocated within the EU’s Joint Research Center that studies a variety of fields, including climate change and health sciences. Perhaps these algorithmic transparency requirements will drive better accountability. But how this will play out isn’t clear, given that all of these platforms make nearly continuous and constant algorithmic changes.

Another aspect of the DSA is the establishment of country regulatory bodies where consumers can lodge complaints, such as potentially offending content or when they have been deplatformed. The act names these entities as Digital Services Coordinators. France, for example, is considering a law to enable its media regulator, Arcom, to have these responsibilities.

One interesting provision of the DSA puts in place a mechanism so that researchers can have access to data from the 19 largest online platforms, “in order to understand how online risks evolve.” Facebook in particular could finally be forced to open up and provide its data in ways that it hasn’t done previously.

Coming next February

Things start to get interesting next February, when a new series of compliance deadlines kicks in for the other online businesses covered by the DSA. There will also be new requirements for all businesses to provide details about their complaint handling processes and more specifics about how they will proactively protect minors and how they will monitor their ad clients and content. It is also the deadline for the countrywide digital services offices to be up and running. Finally, a new set of risk assessment reports is also due from the largest vendors.

Businesses that aren’t sure which compliance bucket they belong in can use this handy flowchart and guidance document from law firm Latham and Watkins LLP.

Whether DSA will be a privacy boon for consumers, a major pain point for the online business world, a regulatory jungle or some combination of all three is anyone’s guess at this point. Some experts, such as the Facebook whistleblower Frances Haugen, were glad to see the act enacted and have called it the global gold standard on curbing the power of big tech and an inspiration to other lawmakers.

Images: Pixabay, European Commission
