The Digital Services Act (DSA)—which was adopted by the EU in October 2022 with the aim of updating the rules on digital services and entered into force on August 25, 2023—is the European Union’s new regulation designed to create a more equitable, transparent, reliable, and secure digital environment. This regulation maintains and updates the rules introduced in 2000, which exempt online intermediaries from liability for content shared by third parties—establishing that digital service providers, such as internet service providers and social networks, cannot be held directly liable for content published by users on their platforms; however, they are required to take serious and timely preventive measures to ensure the safety of their services.
The responsibilities under the DSA are based primarily on the design and operation of online services, not on specific content. The largest online platforms, however, as well as (needless to say) search engines, are subject to stricter rules and independent reviews.
On a more general level, given the conviction that every type of design—especially digital designs, which are inherently fluid and less definitive—can be considered a “mechanism of power” in and of itself, it is important to emphasize that this measure, too, is part of an effort aimed at safeguarding “digital” human rights. As has been done with regard to online privacy—and as is currently proposed in the latest text approved by the European Parliament on the AI Act—the Digital Services Act also recognizes the need for large digital providers, given the influence and power resulting from their dominant market position, to implement specific methods for assessing and mitigating risks arising from the impact of technology on fundamental rights: in this case, for example, through election interference or the spread of fake news.
The DSA will be applied uniformly across all EU member states and will enter into force 15 months after its publication or, alternatively, on January 1, 2024; and (in the event of a conflict) it will take precedence over national laws, applying to all digital service providers targeting the European market or having a significant number of European users, regardless of their place of establishment.
Like the now-famous GDPR, the DSA provides for legal action in the event of violations of its provisions: individuals and/or businesses that have suffered harm as a result of such violations may, in fact, seek compensation through national courts.
The main change introduced by the DSA is the separation of liability for content from due diligence obligations (investigation and assessment). Before the DSA, laws placed pressure on providers by “threatening” them with direct liability for users’ actions; the DSA modifies this approach by establishing substantial differences between expectations and due diligence obligations. Providers who fail to meet these obligations may be held liable, but the new Regulation provides for a series of liability exemptions for providers in cases where transparency violations stem from content published by users.
These liability exemptions are a key part of the DSA, protecting digital service providers from liability for content published by third parties; at the same time, they eliminate any general obligation on providers to monitor content.
The main innovation introduced by the DSA lies in the different ‘levels of due diligence obligations’ to which digital service providers are subject, replacing direct liability. These obligations vary, on the one hand, depending on the size of the entities (small platforms are excluded) and, above all, on the impact that such digital services could have on society.
Four broad levels of obligations are thus defined in terms of the measures platforms must implement to mitigate the influence they exert on society, including content moderation, fair service design to prevent manipulation, ensuring privacy, security, and the protection of minors, the removal of illegal content, and transparency (including regarding providers’ recommendations), up to the obligation for so-called VLOPs—that is, large platforms reaching approximately 10% of the European Union’s population, or 45 million monthly active users, such as Facebook or Google—to conduct an annual risk and impact assessment in order to identify the most urgent areas for action and design appropriate mitigation measures.
The legislation is certainly innovative and rightly aimed at ensuring a safer and fairer digital environment, but there are still several areas for improvement and aspects that need to be clarified. First and foremost, although the requirement for VLOPs to conduct human rights impact assessments has rightly been introduced, the fact that this can be a self-assessment seems to suggest that the goal is (only) to meet compliance requirements that can be certified through standard audits, rather than to genuinely investigate the systemic impacts that such platforms may have and will have in terms of shaping society.
Furthermore, for now, the determination of what constitutes illegal content and the issuance of orders regarding such content remain the prerogative of Member States, with no harmonization at the EU level to date, despite the fact that the European Commission supports voluntary standards and has direct authority over the enforcement of rules for large online platforms.
In short, the Digital Services Act appears to be another small step toward European digital governance—one that we hope will be just the beginning of a virtuous path toward ever-greater transparency and fairness in the management of online content and liability, as well as the management, through specific processes, of the assessment of impacts and risks associated with the design of digital services. This can only happen if national and European control and supervisory bodies monitor the application of the regulation, fostering coordination and an ecosystem of best practices that demonstrate a different approach to technology.
