If you have customers in the EU, this is important to you, but even if you don’t, you may get involved. We recently heard of a case where a small company was sent a threatening letter of non-compliance with EU law, even though they don’t do business in the EU. Turns out that doesn’t matter. Trolls have figured out that they can extract money, and even if they can’t, it costs you money to defend yourself. We have a recommendation at the end.
On November 1st the EU published the details of the Digital Services Act. According to law firm Wilson Sonsini, this bill complements the Digital Markets Act, which went into effect on November 1st.
The DSA only applies to Intermediate Service Providers, which includes conduit providers, caching service providers and hosting service providers. The provisions will depend on the nature and size of an organization.
Here are some of the requirements:
- Comply with any order issued by a national judicial or administrative authority requiring an intermediate service provider to remove content or information relating to service recipients.
- Implement and enforce terms and conditions (T&Cs) that are sufficiently detailed and cover the decision-making of algorithms and the DSA compliance procedures utilized by the organization in engaging in the use of the algorithms. The T&Cs must be “sufficiently detailed” and, if the services will be primarily utilized by children, they must be clear and comprehensible by the proper age group. Additionally, any time “significant” changes are made to these T&Cs, the consumer must be notified.
- Publish a DSA-compliant content moderation report on at least an annual basis in a “machine-readable format” that is easily accessible by the public.
- Hosting service providers must implement a mechanism for users to identify illegal content on online platforms, as well as a process for reviewing the received notice, taking proper action in response, and notifying the user of what action was taken in response to their report.
However, Wilson Sonsini says the most burdensome obligations are related to content moderation, online advertising and trader transparency. This includes:
- Avoid engaging in targeted advertising based on a consumer’s sensitive data or the data of children.
- Maintain clear information on the advertisements they elect to display on their platform, including the details of the transaction and the variables that will be utilized to determine who views the advertisement.
- Where the online platform uses “fully or partially automated systems to recommend content” to consumers, the T&Cs must include the recommendation process, including the most significant criteria for determining what information would be presented and ways in which a consumer can modify these recommendation parameters.
- Refrain from designing or organizing their online interface to influence consumer behavior, such as prominently displaying certain information or choices when users are prompted to make a decision.
- Provide consumers with a compliant mechanism to challenge algorithmic decisions relating to the content they receive or their accounts and issue user warnings where a user of an online platform has repeatedly provided undoubtedly illegal content or misused the platform in another manner.
- Maintain Know Your Consumer requirements to collect user information before permitting them to utilize the provided service.
- Notify consumers directly or, where that is not possible, provide public notice if an online marketplace is offering illegal products or services.
- Design their online interface to allow compliance with DSA obligations and provide consumers with a clear identification of the products and services offered by the platform.
This is only part of what is required and, to be honest, this is going to be interesting for consumers and a king-size pain for the likes of Twitter, Facebook and Google. This will be especially hard for Twitter as they lost half of their staff last week and a lot of the organization’s organic knowledge probably will be lost to them forever.
In terms of recommendations, there is a simple one if it works for your organization.
If you do not do business in Europe, block any access from European IP addresses. We have already seen a lot of this from big companies. There is no reason that smaller companies should not follow suit. This especially applies to any company, no matter the size, that allows user comments or curates what specifically users see.
If you need help with this, please contact us.
Read the ADCG article for more information.