The Digital Services Act (DSA) was published in the Official Journal of the European Union today. It will enter into force on 16 November 2022, i.e. 20 days from the date of publication in the Official Journal.

Who will be affected?

The DSA will apply to a range of providers of digital “intermediary services” (which will include mere conduit services, caching services and hosting services), where such services are offered to natural or legal person recipients that are established or located in the EU. Broadly, the obligations set out in the DSA are proportionate to the scale of the user base of the service provider. The most significant obligations will fall on:

  • Very Large Online Providers (VLOPs) – these are online platforms that store and disseminate user-generated content to the public at the request of a user. The platform must have 45+ million active monthly users in the EU in order to qualify as a VLOP.
  • Very Large Online Search Engines (VLOSEs) – these are online search engines that consist of 45+ million active monthly users in the EU.

An intermediary provider will be designated as a VLOP or VLOSE in accordance with Article 33(4) of the DSA.

When will it come into effect?

The DSA will come into effect from 17 February 2024. However, the following provisions will apply from 16 November 2022:

(i) transparency reporting obligations of online platforms;
(ii) delegated acts;
(iii) designation of VLOPs and VLOSEs;
(iv) supervisory fees; and
(v) certain enforcement obligations.

Once designated, relevant obligations will apply to VLOPs/VLOSEs from four months after their designation in accordance with Article 33(4) DSA (where that date is earlier than 17 February 2024).

For more information on this topic, please contact Andrea Lawler, Partner, Commercial & Technology, Caitríona Lavelle, Solicitor, Commercial & Technology or any member of A&L Goodbody’s Commercial & Technology team.

 Update on the Electoral Reform Act 2022

The Electoral Reform Act 2022 (the Act), brings about significant changes to the electoral system in Ireland.

From the perspective of online platforms, Part 4 and Part 5 will be of key importance as they impose new obligations on platform providers to (i) ensure transparency in respect of online political advertising on their services; and (ii) to notify/take action in respect of dis/misinformation relating to online electoral processes on their services.

While the Act was signed into law on 25 July 2022, only certain sections of the Act have been commenced.  Part 4 and Part 5 of the Act have not yet been commenced.

Continue Reading Update on the Electoral Reform Act 2022

The Digital Services Act (DSA), a major EU regulation for online content, was signed into law yesterday.

The DSA together with the Digital Markets Act (the DMA) form part of an EU legislative strategy that seeks to create a level playing field for both big and small businesses in the digital world, create a harmonized approach to doing business online and to create a safer environment for users online.

What ‘s new

More particularly, the DSA aims to achieve the following objectives:

  1. Establish a powerful transparency and accountability framework for internet intermediaries:

The DSA will hold intermediaries accountable for policing content on their sites. This is achieved through imposing obligations to carry out content moderation and transparency reporting and requiring them to comply with orders to remove illegal content from their services. For larger online intermediaries, the DSA requires them to carry out risk assessments and external audits and to report on the findings.

  1. Ensure the safety of users of digital services:

The DSA provides users with actionable rights. Users will be entitled to lodge a complaint in circumstances where an online intermediary fails to comply with the DSA.

  1. Create a harmonized approach to content regulation:

DSA rules will apply on a pan-European basis and will address the legislative “gaps” that currently exist from the fragmented enforcement and implementation of the e-Commerce Directive. The DSA also provides for unified enforcement as it allows for co-operation between Member States and provides for a supervisory and enforcement role for the European Commission in respect of certain provisions of the DSA.

Services in scope

The DSA will apply to a range of providers of digital “intermediary services” (which would include mere conduit services, caching services and hosting services), where such services are offered to natural or legal person recipients that are established or located in the EU. Broadly, the obligations set out in the DSA are proportionate to the scale of the user base of the service provider. The most significant obligations will fall on:

  • Very Large Online Providers (VLOPs) – these are online platforms that store and disseminate user-generated content to the public at the request of a user. The platform must have 45+ million active monthly users in the EU in order to qualify as a VLOP.
  • Very Large Online Search Engines (VLOSEs) – these are online search engines that consist of 45+ million active monthly users in the EU.

VLOPs and VLOSEs: What are the key obligations

Some of the key obligations for VLOPs and VLOSEs (“Large Providers“) include:

  • the obligations to perform risk assessments to assess the “significant systemic risks” that stem from the provision of their services. This would include risks in relation to the dissemination of illegal and other harmful content through their services. Large Providers will be required to put in place reasonable, proportionate and effective mitigation measures, tailored to the specific systemic risks identified in their risk assessment, with particular consideration for the impacts of such measures on fundamental rights;
  • the obligation to establish an independent compliance function that reports directly to the management body of the provider and can raise concerns and warn the management body of non-compliance risks;
  • the obligation to conduct independent audits which assess the provider’s compliance with certain obligations arising under DSA, as well as any commitments to the codes of conduct; and
  • the obligation to comply with detailed transparency reporting requirements including the requirement to make publicly available reports, setting out the main findings of the external audit and the results of the risk assessment.

When does the DSA come into force

The DSA is due to be signed into law on 19 October 2022. It will enter into force 20 days after its publication in the Official Journal of the European Union. The majority of its provisions will apply 15 months thereafter or on 1 January 2024, whichever is later. However, rules governing Large Providers will apply from four months after the provider has been notified of its designation as a VLOP/VLOSE by the European Commission.

For more information on this topic, please contact Andrea Lawler, Partner, Commercial & Technology, Caitríona Lavelle, Solicitor Commercial & Technology or any member of A&L Goodbody’s Commercial & Technology team

We reported last year that the Unitary Patent and Unified Patent Court (UPC) were progressing. The main hurdle to clear was sufficient countries ratifying the Protocol on the Provisional Application (PAP-Protocol) of the UPC Agreement to allow the provisional application period (PAP) to begin.

Continue Reading Another Step Closer to a Unified EU Patent Court

Photo of John Cahir

The Government has published the long anticipated Online Safety and Media Regulation Bill 2022 which it has hailed as a “watershed moment as we move from self-regulation to an era of accountability in online safety”.

Online safety is one of the headline items, and it will be overseen by the newly-established Media Commission (Coimisiún na Meán). The Bill also seeks to implement a number of other key legislative reforms including the transposition of the revised Audiovisual Media Services Directive and the alignment of the regulation of video on-demand services with traditional broadcasting.

The publication of this Bill follows input from and engagement with key stakeholders from the public, NGOs, companies and government organisations over the course of the last three years.

We have summarised some of the key aspects of the Bill below.

Continue Reading Online Safety & Media Regulation Bill 2022

Photo of Emma Creaven

The new Enforcement and Modernisation Directive 2019/2161, more commonly known as the ‘Omnibus Directive’ (the Directive), aims to strengthen consumer rights through enhanced enforcement measures and increased transparency requirements.

Key dates

EU Member States must adopt national implementation measures by 28 November 2021. The new requirements set out in the Directive must then come into force by 28 May 2022.

Who the Directive applies to

Those engaged in online business-to-consumer (B2C) transactions as well as companies offering digital services to consumers where payment by the consumers is in the form of personal data rather than money, will fall under the remit of the Directive.

Continue Reading New Deal for EU Consumers- the Omnibus Directive explained

Photo of Davinia Brennan

When the European Commission adopted the new EU Standard Contractual Clauses (new SCCs) for international data transfers earlier this year, we highlighted 3 key dates to be aware of.  As one of those dates –  27 September 2021 –  has now passed, its timely to remind ourselves why those dates are important.

Continue Reading Old EU SCCs now repealed

Photo of Davinia Brennan

The Government has published its legislation programme for Autumn 2021. We have set out below the status of key Bills of relevance to the data protection, commercial and technology sector.

Priority legislation for publication and drafting this Autumn

  • Online Safety and Media Regulation (OSMR) Bill – This Bill will provide for the establishment of a multi-person Media Commission (including an Online Safety Commissioner), the dissolution of the Broadcasting Authority of Ireland, a regulatory framework to tackle the spread of harmful online content, and implementation of the revised Audiovisual Media Services (AVMS) Directive 2018/1808. The Heads of Bill were published on 9 January 2020, with additional provisions approved on 8 December 2020 and 18 May 2021. The government also approved the integration of the Broadcasting (Amendment) Bill into the OSMR Bill. Member States were due to implement the revised AVMS Directive in national law by 19 September 2020, so Ireland has missed this deadline. Pre-legislative scrutiny is ongoing. Further background information information on the proposed Bill is available here.
  • Consumer Rights Bill – This Bill will give effect to two EU Directives (770/2019 and 771/2019) on consumer contracts for the supply of digital content and digital services, and on consumer contracts for the sale of goods. It will also update and consolidate the statutory provisions on consumer rights and remedies in relation to contracts for the supply of non-digital services, unfair contract terms, and information and cancellation rights. The General Scheme of the Bill has been published for public consultation. The Heads of Bill were approved on 20 April 2021.

Continue Reading Government publishes legislation programme for Autumn 2021

Photo of Davinia Brennan

The DPC recently fined WhatsApp €225m for failing to discharge its transparency obligations under the GDPR. The decision will have implications for all businesses, particularly regarding their privacy notices and transparency obligations. The decision sets out the DPC’s high expectations in regard to businesses’ transparency obligations. It also clarifies the relevance of the consolidated turnover of the entire group of companies when calculating both the maximum fining cap, and the appropriate fine to impose.

This publication provides a deep dive into the DPC’s findings and considers their impact on businesses.

Photo of Sarah Cleary

The European Data Protection Board (EDPB) published its finalised Guidelines on the concepts of controller and processor in the GDPR (07/2020) (Guidelines) in July. These concepts play a crucial role in the application of the GDPR as they determine who is responsible for compliance with GDPR obligations and how data subjects can exercise their data protection rights in practice. In Part I, we outlined some of the key highlights of the Guidelines in respect of the controller and processor concepts. This Part II addresses the key highlights in respect of the joint controller concept and the implications of the joint controller relationship.

Continue Reading EDPB provides guidance on the concepts of controller and processor in the GDPR (Part II)