
Tuesday, 29 November 2022

Steiner Case No Safe Haven For Card Issuers, Acquirers, Processors or Merchants

I have a real problem with the facts and ultimate outcome for the cardholder in the recent case of Steiner v National Westminster Bank plc [2022] EWHC 2519 (KB) decided in October. I make no criticism of the lawyers or judge involved, but those in the payment card business should not see it as setting up any kind of safe haven. 

In essence, the court absolved a credit card issuer from liability for the price of a timeshare deal under section 75 of the Consumer Credit Act because the supplier of the timeshare ('CLC') was found not to be a party to the credit card 'arrangements'. Instead, those arrangements were found only to involve a separate company ('FNTC') that was not part of the same corporate group as CLC and was acting as a trustee and not as agent for CLC. 

Unfortunately, it seems the Mastercard rules were not fully explored, as the judge held:

13. Equally, there was no evidence before me as to the rules of the Mastercard network, but it was not suggested that they prohibited a merchant who was a member of the scheme from receiving payment under the scheme as trustee or agent for another.

However, the Mastercard rules effectively require that acquirers, merchants and sub-merchants (and the intermediate 'Payment Facilitator') must be party to the overall scheme arrangements, and it would be a breach of those rules if that were not the case (see Chapters 5 and 7). 

In addition, it appears that as a separate company and a trustee, FNTC was not lawfully able to handle funds due to CLC under the Payment Services Regulations 2017. There is no evidence that FNTC was a payment institution (or small payment institution) or the agent of one; and as a separate company and trustee it could not benefit from any of the exclusions from the need for authorisation/registration as a payment institution, the most common in such scenarios being the exclusion for a commercial agent or a group company collecting or making payments on behalf of other companies in the same group. 

In this specific case, there may have been good reasons why the Mastercard rules were not explored and/or the card acquirer, FNTC and CLC were not joined as defendants and subject to a barrage of claims and remedies to recover the funds (assuming that the card issuer could not have known of the apparent breach of scheme rules and FNTC's apparently unlawful conduct). There may have been shortcomings in the evidence or other issues involved in mounting the potential legal claims and remedies - not the least of which would be the necessary financial resources.

But I do not see this case as a reliable basis for anyone to start setting up trustees as payment processors in an attempt to avoid liability under supply contracts, card scheme rules, Payment Services Regulations and/or section 75 of the Consumer Credit Act!


Monday, 28 November 2022

Legal Adventures in the Fediverse

Joining the fediverse has jolted my legal brain into gear over some esoteric questions (listed below). These largely turn on the fact that, unlike in Web 2.0 offerings, such as Blogger or Twitter, there is no central service provider hosting/operating the service on its own servers. In the fediverse, separate sites (or 'instances') can interoperate because they are running the same standardised, open software (e.g. Mastodon) which itself relies on the same standardised, open protocol (ActivityPub, in the case of Mastodon):
Mastodon websites are operated by different people or organizations completely independently. Mastodon does not implement any monetization strategies in the software. 
Some server operators choose to offer paid accounts, some server operators are companies who can utilize their existing infrastructure, some server operators rely on crowdfunding from their users via Patreon and similar services, and some server operators are just paying out-of-pocket for a personal server for themselves and maybe some friends. So if you want to support the server hosting your account, check if it offers a way to donate. 
Mastodon development is likewise crowdfunded via Patreon and via OpenCollective. No venture capital is involved.
Perhaps this is no different to independent website owners building their own websites using a standardised website template provider (e.g. Wix), but the interoperability does seem a significant additional factor to consider. That's like email, which again could be provided by a centralised email service provider (e.g. Microsoft's Hotmail) or your employer. Equally, the fact that each site or 'instance' could be self-hosted is similar to websites and email, yet most users choose their site to be hosted with the operator of a server or instance that hosts many sites (e.g. mastodon.world or mastodon.social). Some instances are open to anyone, while others are targeted at, say, residents of Glasgow.

I think this just involves a sense-check against the regulatory regime of where the relevant fediverse instance and any users that it actively solicits are based. Here's a flavour of some of the issues:
  • How does a user proceed if the developer of the relevant communication software somehow fails to ensure the software runs as promised in the documentation?
  • Who is responsible for the integrity of the protocol on which the software is based?
  • Do fediverse instances based in the EU with UK resident users but no offices, branches or other establishments in the UK need to appoint a UK representative under UK GDPR (and vice versa!)?
  • Is each 'instance' in the fediverse ready for the EU's Digital Services Act (exemptions for micro/small enterprises will help)?
  • If each 'instance' in the fediverse can be an Intermediary service, online platform or e-commerce platform under the Digital Services Act (see prior post), then they could grow to be 'gatekeepers' under the EU Digital Markets Act.
  • How are fediverse instances treated for the purposes of 'reverse solicitation' analysis - i.e. whether you are treated as doing business in another jurisdiction where users are based, as opposed to where the instance is based?
If you need assistance with any of these issues, please let me know.

Sunday, 27 November 2022

Welcome to The Fediverse

Now that both Facebook and Twitter have confirmed my hypothesis that Web 2.0 'Facilitators' (who solve your problems) could eventually be shunned as merely Institutions (who solve their own problems at your expense), I've finally embraced the fediverse - a network of independently hosted servers running open standard communication protocols. In my case, Mastodon, running on ActivityPub.

Web 2.0 vs The Fediverse is a little like King Arthur stumbling across an anarcho-syndicalist commune.

And, hey, no advertising!

My research on where to base myself began with an excellent SCL Tea & Tech session with Neil Brown and Simon Forrester, followed by a review of the Mastodon documentation, then a trip to the Join Mastodon page to find a hosted server that seemed like the right home, would have me and seemed serious about maintenance and moderation... a process that really makes you think about what matters to you!

Setting up was just as easy as setting up in any of the Web 2.0 social network services.

Trickier is finding whom to follow, and deciding how to curate your new online 'instance' - again an opportunity to think quite hard about what matters to you and how you want to communicate. I'm planning not to follow many people or post much until I've figured that out. Maybe I'll set up several different accounts, following different themes, just as I have separate blogs, email addresses, communication apps and Web 2.0 social media presences, some of which may need to fall away...

Monday, 21 November 2022

Help The UK Govt Understand Decentralised Autonomous Organisations (DAOs)

[Image: source Yield App]
The Law Commission is calling for evidence to help shape its current understanding of the issues raised by Decentralised Autonomous Organisations ("DAOs"). The UK government has asked the Commission to accurately capture the composition of DAOs, their role in the cryptoasset ecosystem, participants and relationships. The Commission will identify options for law reform that might be required to make DAOs viable, possibly including "classes" of DAOs, but will not yet make recommendations. Responses may be submitted online between 16 November 2022 and 25 January 2023. It's worth contributing to help ensure all the challenges are identified and one day addressed. I have previously been asked to look into various aspects of DAOs. If you would like help in making any submission (including on your behalf), please let me know.

Broadly, a DAO is an organisation that relies on distributed ledger or blockchain technology, as well as smart contracts or other software/systems. It basically operates in a similar fashion to a partnership, club, co-operative or unincorporated association but online, so members could be anywhere. This can be helpful where the local community is too sparse or lacks resources to achieve a certain goal, but unincorporated associations and partnerships don't have independent legal status and carry unlimited liability for their members. Some DAOs include a recognised legal entity to interact with the 'real world' but others may operate solely via 'code' and/or smart contracts to automate some or all of their activity. This has created problems where the code did not operate the way users understood.

The Commission is looking for information from those with general knowledge of DAOs, as well as first-hand experience of specific DAOs, and to understand where opinions vary on any aspect or issue (with "sanitised or anonymised submissions where it is inappropriate to provide details about a particular DAO").

Personally, I've been approached several times to advise on certain challenges associated with DAOs, particularly governance, appropriate jurisdictions, potential authorisation and means of enforcement.

It's worth contributing to help ensure all the challenges are identified and one day addressed - at least in the law of England & Wales, but other common law jurisdictions may also benefit from the Commission's work.



Wednesday, 2 November 2022

Latest on EU Crypto Regulation

As I recently posted in more detail on Ogier Leman's 'Insights' page, the Council of the EU has published a further draft of the proposed Regulation on markets in cryptoassets (MiCA). It seems likely that MiCA will be published officially in 2023, with a wide range of transitional arrangements and dependencies on regulatory technical standards being developed by various EU regulatory agencies. Being a regulation, it will apply without needing to be implemented at national level. MiCA's impact will be significant, given the 'libertarian' origins of distributed ledger technology and cryptocurrencies and the goals of many purists, but likely welcomed by those seeking to harness the benefits of the technology to replace legacy systems. 

If you have queries about the regulatory implications of cryptoassets or related activities, please let me know.

EU Protection for Users of Online Intermediaries & Digital Markets

Despite a few weeks' absence from these pages, I have not been idle. I'll explain more in other posts, but in part I've been ploughing through the EU's new regulations on Digital Markets and Digital Services, briefly summarised here, with more below. Please get in touch if you have any queries, particularly if you are a UK-based platform providing services into the EU.

Digital Markets Act

In the course of providing certain “core platform services” for business users to reach their end users online, very large digital platform operators (“gatekeepers”) act as private rule-makers and may create ‘bottlenecks’ and ‘choke points’ that limit access, unfairly exploit data for their own purposes and/or impose unfair conditions on participants. Therefore, the EU has introduced the Digital Markets Act (DMA) to control gatekeepers’ practices that either fall outside the existing EU competition controls or cannot be effectively addressed by those rules. Member states’ regulators cannot go further than the DMA restrictions, and the restrictions must be applied consistently throughout the EU. Gatekeepers can be fined up to 20% of worldwide revenue for breaches.

The DMA will start to apply in May 2023 and gatekeepers will have six months to comply, once they have been designated. 

Digital Services Act

The EU’s Digital Services Act (DSA) establishes a harmonized approach to protecting EU-based users of online communication, e-commerce, hosting and search services across the EU, by granting intermediary service providers (“ISPs”) exemption from certain liability if they perform certain obligations. An ISP will be in scope if it is either based in the EU or has a substantial connection with the EU (a significant number of users as a proportion of the population or by targeting its activities at one or more Member States). There are extra requirements for ‘very large online’ platforms and search engines; and some exemptions for small enterprises and micro-enterprises. 

The DSA applies from 17 February 2024 (4 months after designation as a VLO platform/search engine). However, ISPs will need to begin reporting their average monthly active users by 17 February 2023, and then every six months; and arrangements for the designation of VLO status and supervisory fees will apply from 16 November 2022.

Please get in touch if you have any queries.


Digital Markets Act in Detail

In the course of providing certain “core platform services” for business users to reach their end users online, very large digital platform operators (“gatekeepers”) act as private rule-makers, ‘bottlenecks’ and ‘choke points’ with the opportunity to limit access, exploit customer data for their own purposes and impose unfair conditions on businesses and end users. Similar opportunities arise in relation to advertisers and publishers of content on the gatekeepers’ platforms. Therefore, the EU has introduced the Digital Markets Act (DMA) to control gatekeepers’ practices that either fall outside the existing EU competition controls or can’t be effectively addressed by those rules. Member states’ regulators cannot go further than the DMA restrictions, and the restrictions must be applied consistently throughout the EU. Gatekeepers can be fined up to 20% of worldwide revenue for breaches. The DMA will start to apply in May 2023 and gatekeepers will have six months to comply, once they have been designated.

Which platforms are gatekeepers?

A platform can be designated as a gatekeeper if it satisfies the following criteria (unless it can prove otherwise):

  • It has a significant impact on the internal market, which is presumed where the undertaking to which it belongs has either an annual EU turnover of at least €7.5bn in each of the last three financial years, or average market capitalisation/value of at least €75bn in the last financial year, and provides a core platform service in at least 3 member states;
  • It operates a core platform service that serves as an important gateway for business users to reach end users, which is presumed where the service reaches user thresholds of 45m monthly active EU-based end users and 10,000 yearly active EU-based business users in the last financial year; and
  • It enjoys, or will enjoy, an entrenched and durable position in its operations, which is presumed where the user thresholds were met in each of the last 3 financial years.

What gatekeeper services are affected?

A “core platform service” means any of the following:

  • online intermediation services;
  • online search engines;
  • online social networking services;
  • video-sharing platform services;
  • operating systems;
  • web browsers;
  • virtual assistants;
  • cloud computing services;
  • number-independent interpersonal communication services (NIICS) – e.g. WhatsApp, Messenger, and other online communications services that do not actually connect using public telecoms number plans (even if your mobile number might be used as an identifier), but the DMA will not apply to other electronic communications networks defined in the European Electronic Communications Code;
  • advertising services, including any advertising networks, advertising exchanges and any other advertising intermediation services, provided by a provider of any of the core platform services listed above.

Such service providers must notify the European Commission within two months after those thresholds are met (with any argument that the related criteria should not apply), but failure to do so does not prevent the Commission from designating these providers as gatekeepers, either then or following a market investigation.

Designation may change if there has been a substantial change or error in any of the facts on which it was based, and the Commission must also review the designation at least every three years. The Commission must maintain a public list of gatekeepers and their affected core platform services.

Obligations on gatekeepers 

Specific requirements are aimed at protecting various types of participant from adverse practices in the course of their use of gatekeepers’ designated core platform services, regardless of whether the relevant practice is contractual, commercial, technical or of some other nature.

Gatekeepers must publish general conditions of access, including an alternative dispute resolution mechanism, and cannot terminate a core platform service on conditions that are disproportionate. Participants in the service must be able to exercise their rights to terminate without undue difficulty.

End-users

Gatekeepers need end users’ fully informed consent (as per GDPR) to process their personal data for online advertising; combine or cross-use it with personal data from any other services provided by the gatekeeper or third-party services; or sign the end user in to other services of the gatekeeper to combine their personal data. Where an end user’s consent has been refused or withdrawn, the gatekeeper may only make one request for the same consent in a year.

End users must be able to uninstall any pre-installed software applications on a gatekeeper’s core platform service (but a gatekeeper may preserve applications that are essential for the functioning of the operating system or device where such applications cannot technically be offered on a standalone basis by third parties).

Gatekeepers must not technically restrict end users from subscribing for or switching between applications and services using the operating system, including choice of Internet access provider.

End users must have effective portability of the data generated through their activity and be given the tools to achieve that, including continuous and real-time access.

A gatekeeper must not make the exercise of end users’ rights unduly difficult or degrade the quality or condition of any of the core platform service provided to end users who exercise their rights.

A gatekeeper must submit any techniques for profiling of consumers to an independent audit within six months of using them.

Business users

Gatekeepers must: 

  • not prevent business users from offering the same products or services to end users through third-party online intermediation services or their own direct online sales channel at prices or conditions that are different from those offered through the gatekeeper’s service;
  • allow business users, free of charge, to communicate and promote offers to end users acquired via its core platform service or through other channels and conclude contracts with those end users, regardless of whether and for what purpose they use the core platform service;
  • allow end users to access and use content, subscriptions, features or other items through its core platform services, by using the software application of a business user (including where those end users acquired such items from the relevant business user) without using the core platform services of the gatekeeper;
  • not directly or indirectly prevent or restrict business users or end users from raising any issue of non-compliance of any kind by the gatekeeper with any relevant public authority or courts (without prejudice to the right of business users and gatekeepers to specify lawful complaints-handling processes);
  • in the context of business users’ services using the gatekeeper’s core platform service, not require end users or business users to use, offer, or interoperate with the gatekeeper’s own identification service, web browser engine or payment service (or technical services that support payment services, including systems for in-app purchases);
  • not require business users or end users to subscribe to, or register with, any further designated core platform services as a condition for being able to use, access, sign up for or register with any of that gatekeeper’s designated core platform services;
  • not use in competition with business users any business data not publicly available that is provided by or generated through their use of the core platform services or related services (including data generated or provided by the business users’ customers);
  • provide business users with effective portability of the data generated through their activity and the tools to achieve that, including continuous and real-time access;
  • provide business users (or their authorised third parties), free of charge:
      ◦ effective, high-quality, continuous and real-time access to and use of aggregated or non-aggregated data that is provided or generated in the use of the relevant core platform service by those business users and their end users engaging with their products;
      ◦ access to and use of personal data only where directly connected with the use effectuated by the end user in respect of the products of the business user through the core platform service, with the end users’ consent;
  • apply fair and non-discriminatory general conditions of access for business users to its software application store (where designated);
  • not make the obtaining of consents by a business user more burdensome than for its own services;
  • not make the exercise of business users’ rights unduly difficult or degrade the quality or condition of any of the core platform service provided to business users who exercise their rights;
  • submit any techniques for profiling of consumers to an independent audit within six months of using them.

Advertisers

Gatekeepers must provide on request to each advertiser to which it supplies online advertising services (or their authorised third parties) daily and free of charge:

  • information on each advertisement placed, the price and fees paid, remuneration received by the advertising publisher and the basis of calculation. If a publisher of advertising does not consent to the sharing of information regarding its remuneration, the gatekeeper shall provide the advertiser with the daily average remuneration received by that publisher, including any deductions and surcharges;
  • access to the gatekeeper’s performance measuring tools and the information necessary for advertisers to carry out their own independent verification of the advertisement inventory, including aggregated and non-aggregated data.

Publishers

Gatekeepers must provide:

  • on request to each publisher to which it supplies online advertising services (or their authorised third parties), daily and free of charge, information concerning the display of each ad from the publisher’s inventory, the remuneration received and fees paid by that publisher, the price paid by the advertiser and the basis of calculation. If an advertiser does not consent to the sharing of such information, the gatekeeper shall provide the daily average price paid by that advertiser for the relevant ad, including any deductions and surcharges;
  • access to the gatekeeper’s performance measuring tools and the information necessary for publishers to carry out their own independent verification of the advertisement inventory, including aggregated and non-aggregated data.

Third Party Software Providers 

Gatekeepers must:

  • allow the installation and effective use of third-party software applications or software application stores using, or interoperating with, the gatekeeper’s operating systems and allow those applications or stores to be accessed by means other than via that gatekeeper (subject to proportionate measures to ensure those applications or stores don’t endanger the integrity of the gatekeeper’s systems);
  • not treat the gatekeeper’s own group products more favourably in ranking and related indexing and crawling than similar third-party products, and apply fair and non-discriminatory conditions to such ranking;
  • allow third-party service and hardware providers, free of charge, effective interoperability with (and access for the purposes of interoperability to) the same hardware and software features accessed or controlled via the gatekeeper’s designated operating system or virtual assistant as are available to the gatekeeper’s own services or hardware;
  • provide, on request, to any third-party online search engine providers access on fair, reasonable and non-discriminatory terms to the gatekeeper’s data on ranking, query, click and view relating to free and paid search results generated by the gatekeeper’s end users (subject to anonymisation of personal data).

Interoperability

A relevant gatekeeper must make the basic functionalities of its NIICS interoperable with the NIICS of another provider offering or intending to offer such services in the EU, by providing the necessary technical means that facilitate interoperability, upon request and free of charge. The gatekeeper must publish a ‘reference offer’ specifying the technical details and conditions of interoperability, including necessary details on security and end-to-end encryption which must be preserved across the interoperable services. Any NIICS provider may then request interoperability for some or all of the basic functionalities, and the gatekeeper has three months to render those functionalities operational. Only the personal data of end users that is strictly necessary to provide effective interoperability may be collected and exchanged.

Over time, a relevant gatekeeper must at least make the following functionalities interoperable where it provides those functionalities to its own end users:

Basic functionalities, within three months of request:
  • end-to-end text messaging between two end users;
  • sharing of images, voice messages, videos and other attached files in end-to-end communication between two end users.

Group functionalities, within 2 years from designation:
  • end-to-end text messaging within groups of individual end users;
  • sharing of images, voice messages, videos and other attached files in end-to-end communication between a group chat and an individual end user.

End-to-end voice and video calls, within 4 years from designation:
  • end-to-end voice calls between two individual end users;
  • end-to-end video calls between two individual end users;
  • end-to-end voice calls between a group chat and an individual end user;
  • end-to-end video calls between a group chat and an individual end user.

Compliance Measures

The Commission has vast powers to ensure compliance with the DMA, including monitoring, imposing conditions and fines, obtaining reports, granting exemptions on public interest grounds (health and security) and undertaking market investigations. 

Conclusion 

The types of services and restrictions covered by the DMA reflect many of the complaints and concerns generated in the course of the explosive growth of various ‘tech giants’ over the past fifteen years or so. The Commission has been very assertive on the wider competition front, so it seems likely to use these powers actively. This should go a considerable way toward addressing various ‘externalities’ that were simply left for the market or regulators to address. Perhaps some business models that were choked off might now regenerate, albeit in digital form. 

At the same time, gatekeepers may feel aggrieved that the enormous benefits that have accrued to them from a relentless commitment to solving users’ problems and creating genuinely useful services from launch not so long ago are already being unfairly curtailed or shared with businesses that have not had to make that journey or commitment.

At any rate, it remains to be seen whether the gatekeepers will comply quietly or continue what seems to have been an endless game of cat-and-mouse…   



Digital Services Act in Detail


The EU’s Digital Services Act (DSA) establishes a harmonized approach to protecting EU-based users of online communication, e-commerce, hosting and search services across the EU, by granting intermediary service providers (“ISPs”) exemption from certain liability if they perform certain obligations. An ISP will be in scope if it is either based in the EU or has a substantial connection with the EU (a significant number of users as a proportion of the population or by targeting its activities at one or more Member States). There are extra requirements for ISPs with at least 45m average monthly active EU users (designated as ‘very large online’ (VLO) platforms and VLO search engines). There are exemptions for small enterprises and micro-enterprises. A small enterprise employs fewer than 50 persons and has an annual turnover and/or annual balance sheet total which does not exceed €10m. A micro-enterprise employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed €2m.


The DSA applies from 17 February 2024 (4 months after designation as a VLO platform/search engine). However, ISPs will need to begin reporting their average monthly active users by 17 February 2023, and then every six months; and arrangements for the designation of VLO status and supervisory fees will apply from 16 November 2022.


Users can be any natural or legal person actually using or receiving the intermediary service (particularly those seeking information or making information accessible).

Intermediary services consist of the transmission of data in or the provision of access to a communication network (‘mere conduit’); the automatic, intermediate and temporary storage of information, solely for its more efficient onward transmission to other users on their request (‘caching’); and/or the storage of information provided by, and at the request of, a user (‘hosting’). Online search engines are therefore ISPs, for example. 

Chapter II - Liability of ISPs

‘Mere conduit’

A ‘mere conduit’ ISP won’t be liable for the information transmitted or accessed, so long as it does not initiate the transmission; does not select the receiver; and does not select or modify the information contained in it. This extends to caching where the information is not stored for any period longer than is reasonably necessary for transmission.

‘Caching’

A caching ISP won’t be liable for caching so long as it does not modify the information and is in no way involved with the information transmitted or stored other than for storing it; complies with conditions on access to the information; complies with rules regarding the updating of the information, specified in a manner widely recognised and used by industry; and acts expeditiously to remove or to disable access to the information it has stored upon obtaining actual knowledge of the fact that the information at the initial source has been removed or disabled, or an order for such removal or disablement has been made.

‘Hosting’

A hosting ISP won’t be liable for the information stored at the request of a user so long as it does not have actual knowledge of illegal activity or illegal content and is not aware of facts or circumstances making it illegal; or acts expeditiously to remove or to disable access to the illegal content on obtaining such knowledge or awareness; and the user is not acting under the authority or the control of the provider (which it would be where the ISP determines the price of products offered by the user, for example).

This immunity does not extend to liability under consumer protection law of online platforms that allow consumers to conclude distance contracts with traders, where the platform presents the specific item of information or otherwise enables the specific transaction at issue in a way that would lead an average consumer to believe that the information, product or service, is provided either by the online platform itself or by a user who is acting under its authority or control.

Voluntary own-initiative investigations and legal compliance

ISPs shall not be deemed ineligible for the exemptions from liability solely because they, in good faith and in a diligent manner, carry out voluntary own-initiative investigations into, or take other measures aimed at detecting, identifying and removing, or disabling access to, illegal content, or take the necessary measures to comply with applicable EU law (or national implementing law). It is not clear whether compliance with non-EU law would disable the exemptions.

No general monitoring or active fact-finding obligations

ISPs have no general obligation to monitor the information which they transmit or store, or to actively seek facts or circumstances indicating illegal activity.

Orders to act against illegal content

Upon receipt of an order to act against illegal content, ISPs must inform the authorities of any effect given to the order without undue delay. This information is shared with the Digital Services Coordinator of the Member State of the issuing authority, which shares it with all other EU Digital Services Coordinators.

The ISP must inform the user concerned of the order received and the effect given to it, including a statement of reasons, the possibilities for redress that exist, and a description of the territorial scope of the order.

Orders to provide information

Upon receipt of an order to provide specific information about one or more specific individual users, ISPs must without undue delay inform the authorities of its receipt and of the effect given to it. The Digital Services Coordinator of the Member State concerned shares a copy of the order with all EU Digital Services Coordinators.

Chapter III - Due diligence obligations for a transparent and safe online environment

Section 1 - Provisions applicable to all ISPs

Points of contact

ISPs shall designate a single point of contact to enable them to communicate directly, by electronic means, with Member States’ authorities; and another for users (to communicate directly and rapidly with them, by electronic means and in a user-friendly manner, including by allowing users to choose the means of communication, which must not solely rely on automated tools).

Legal representatives 

ISPs which are not based in the EU must specify a legal representative in one of the Member States where the provider offers its services, mandated to deal with all issues necessary for the receipt of, compliance with and enforcement of decisions issued in relation to the DSA in an efficient and timely manner. The designated legal representative may be held liable for non-compliance with obligations under the DSA, without prejudice to the liability and legal actions that could be initiated against the ISP. The designation of such a legal representative will not itself constitute an establishment in the EU. 

Terms and conditions

ISPs’ terms and conditions (Service Terms) must include information on any restrictions that they impose in relation to the use of their service. The Service Terms must be in clear, plain, intelligible, user-friendly and unambiguous language, and shall be publicly available in an easily accessible and machine-readable format. Users must be informed of any significant changes.

Service Terms for services primarily directed at minors or predominantly used by them must be such that minors can understand them.

Providers of VLO platforms and of VLO search engines (VLO Providers) shall provide users with a concise, easily-accessible and machine-readable summary of Service Terms and conditions, including the available remedies and redress mechanisms, in clear and unambiguous language; and publish their Service Terms in the official language(s) of each Member State in which they offer their services.

Transparency reporting obligations for ISPs

ISPs (except micro/small enterprises, unless they are VLO platforms) must publish a report at least annually on any content moderation that they engaged in during the relevant period, including the number of orders received in relation to illegal content, by type; voluntary content moderation; the number of complaints received, their basis, decisions taken and median time taken to resolve; any use made of automated means for the purpose of content moderation.

Section 2 - Additional Provisions for Hosting ISPs, including ‘Online Platforms’

Notice and action mechanisms

Hosting ISPs must have easy-to-access and user-friendly mechanisms that allow any individual or entity to notify them electronically of the presence of illegal content on their services. Such a notice gives rise to actual knowledge or awareness of the specific item where it allows the hosting ISP to identify the illegality without a detailed legal examination. The ISP must confirm receipt without undue delay and notify that individual or entity of its decision, providing information on the possibilities for redress in respect of that decision. Hosting ISPs must act in a timely, diligent, non-arbitrary and objective manner and specify where they use automated means for processing the notice or decision-making.

Statement of reasons 

Where they have a user’s electronic contact details, Hosting ISPs must provide users with a clear and specific statement of reasons for restrictions imposed where the user’s information is illegal content or incompatible with the ISP’s Service Terms (except commercial spam).

Notification of suspicions of criminal offences

Hosting ISPs which become aware of any information giving rise to a suspicion that a criminal offence involving a threat to the life or safety of a person or persons has taken place, is taking place or is likely to take place, must promptly inform the authorities of the Member State(s) where the offence is suspected to take place, where the suspected offender is based or where the victim is based or the authorities in its home Member State and/or Europol.

Section 3 - Additional provisions applicable to Online Platform Providers (Hosting)

The term ‘online platform’ means a hosting service that stores and disseminates information to the public at the user’s request; the provider of such a service is referred to below as an Online Platform Provider (OPP).

This term excludes an activity that is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, so long as that integration of the feature or functionality into the other service is not a means to circumvent the applicability of the DSA.

Exclusion for micro and small enterprises

This Section does not apply to OPPs that qualify as micro or small enterprises or that previously qualified as a micro or small enterprise for 12 months after losing that status (unless they are VLO platforms).

Internal complaint-handling system and Out-of-court dispute settlement

An OPP must give the user and any other complainant access to its complaint-handling system to lodge a complaint, electronically and free of charge for at least 6 months, where the provider notifies a user of a decision that information provided by the user constitutes illegal content or is incompatible with its Service Terms, so long as that decision affects whether or not to remove or disable access to or restrict visibility of the information; suspend or terminate the provision of all or part of the service; or suspend or terminate the user’s account or ability to monetise the information provided by the user.

Wrongful decisions must be reversed without undue delay.

OPPs must inform complainants without undue delay of their reasoned decision in respect of the information to which the complaint relates and options to resolve any dispute.

These decisions must be under the supervision of appropriately qualified staff, and not solely automated.


Both parties must engage with the selected certified out-of-court dispute settlement process in good faith, but providers may refuse to engage if a dispute has already been resolved concerning the same information and the same grounds. Out-of-court settlements cannot be imposed as binding settlements, however.

If the out-of-court resolution favours the user, the OPP must pay all the fees charged by the alternative dispute resolution body, and reimburse the user for any reasonable expenses it has paid in relation to the dispute settlement.

If the dispute settlement favours the OPP, the user is not required to reimburse the OPP for any fees or other expenses paid or payable in relation to the dispute settlement, unless the user manifestly acted in bad faith.

Fees charged to OPPs by out-of-court dispute settlement bodies must be reasonable and not exceed the costs incurred by the body.

For users, the dispute settlement shall be available free of charge or at a nominal fee.

Trusted flaggers

The status of ‘trusted flagger’ under the DSA must be awarded by the Digital Services Coordinator of the Member State in which the applicant is established where the applicant: has particular expertise and competence for the purposes of detecting, identifying and notifying illegal content; is independent from any OPP; and carries out its activities for the purposes of submitting notices diligently, accurately and objectively.

OPPs shall take the necessary technical and organisational measures to ensure that notices submitted by trusted flaggers, acting within their designated area of expertise, are given priority and are processed and decided upon without undue delay.

Trusted flaggers must publish at least once annually easily comprehensible and detailed reports on notices they submitted during the relevant period.

Measures and protection against misuse


Having issued a warning, OPPs must suspend their services, for a reasonable period of time, to users that frequently provide manifestly illegal content. Likewise, OPPs must suspend, for a reasonable period of time, the processing of notices and complaints submitted by individuals or entities that frequently submit manifestly unfounded notices or complaints.

Transparency reporting obligations for OPPs

OPPs shall report to the local authorities: the number of disputes submitted to the out-of-court dispute settlement bodies; the outcomes of the dispute settlement; the median time needed for completing the dispute settlement procedure; the share of disputes where the OPP implemented the decisions of the body; the number of suspensions imposed for the provision of manifestly illegal content, the submission of manifestly unfounded notices and the submission of manifestly unfounded complaints.

OPPs must publish for each online platform or online search engine information on the average monthly active users in the EU, calculated as an average over the period of the past six months and in accordance with any specified methodology. Such up-to-date information must also be provided to the local Digital Services Coordinator and the Commission, upon their request and without undue delay.

Digital Services Coordinators must inform the Commission when an OPP or online search engine provider meets the threshold of average monthly active users for designation under the DSA.

Online interface design and organisation

OPPs must not design, organise or operate their Online Interfaces in a way that deceives or manipulates users or in a way that otherwise materially distorts or impairs the ability of users to make free and informed decisions. This does not apply to practices covered by GDPR or the Directive on unfair business-to-consumer practices.

Advertising on online platforms

For each specific advertisement presented by an OPP to each individual user on its Online Interface the OPP shall ensure that the user is able to identify, in a clear, concise and unambiguous manner and in real time: that the information is an advertisement; the advertiser (and the person who paid for the ad if different from the advertiser); the main parameters used to determine the user to whom the advertisement is presented and how to change those parameters, if applicable.

OPPs must provide users with a functionality to declare whether the content they provide is or contains commercial communications; and must ensure that other users can identify that content is or contains commercial communications, as described.


OPPs must not present advertisements to users based on ‘profiling’ using ‘special categories’ of personal data, as defined in GDPR.

Recommender system transparency

A ‘recommender system’ is a fully or partially automated system used by an online platform to suggest specific information to users or prioritise that information in its Online Interface, including as a result of a user’s search or otherwise determining the relative order or prominence of the information.

OPPs that use recommender systems must set out in their Service Terms in plain and intelligible language the main parameters used and any options for the users to modify or influence those parameters, including at least: the criteria which are most significant in determining the information suggested to the user; and the reasons for the relative importance of those parameters.


Where several options are available to determine the relative order of information presented to users, the user must be allowed to select and modify their preferred option at any time in the specific section where the information is being prioritised.

Online protection of minors

OPPs accessible to minors must have appropriate and proportionate measures to ensure ‘a high level’ of privacy, safety, and security of minors; and must not present ads based on profiling users’ personal data when they are reasonably certain that the user is a minor (without having to process additional personal data to assess whether the user is a minor).

Section 4 - Additional provisions applicable to E-commerce Platforms

Exclusion for micro and small enterprises

This Section applies to OPPs that allow consumers to conclude distance contracts with traders (“E-commerce Platform Provider” or “EPP”), including those that have been designated as VLO platforms. But it does not apply to EPPs that qualify as micro or small enterprises or that previously qualified as a micro or small enterprise for 12 months after losing that status (unless they are VLO platforms).

Traceability of traders 

EPPs shall ensure that traders can only use those online platforms to promote messages or offer products or services to EU-based consumers if the EPP has first obtained the trader’s contact details, identity document, payment details, membership of any trade body and self-certification by the trader committing to only offer products or services that comply with the applicable rules of EU law.

EPPs must use best efforts to assess whether the information is reliable and complete, through the use of any freely accessible official online database or Online Interface made available by a Member State or the EU or by requesting the trader to provide supporting documents, but traders are liable for the accuracy of the information provided. If the trader fails to provide the required information, the EPP must suspend service to the trader until it does. The trader must have the right to lodge a complaint (without prejudice to the requirements for restriction, suspension or termination under the Regulation on fairness and transparency for online traders).

EPPs must store the information for six months after the end of the contractual relationship with the trader concerned, then must delete the information. The EPP may only disclose the information to third parties where so required in accordance with the applicable law, but must make certain information available on its online platform to users in a clear, easily accessible and comprehensible manner, at least where information on the product or service is presented.


Compliance by design

EPPs shall ensure that their Online Interfaces are designed and organised in a way that enables traders to comply with their obligations regarding pre-contractual information, compliance and product safety information under applicable EU law, including contact and labelling information.

EPPs must also make reasonable efforts to randomly check in any official, freely accessible and machine-readable online database or Online Interface whether the products or services offered have been identified as illegal.

Right to information

Where an EPP becomes aware that an illegal product or service has been offered by a trader to EU-based consumers through its services, that provider must inform consumers who purchased the illegal product or service within the preceding six months (if the EPP has their contact details) that the product or service is illegal; the identity of the trader; and any relevant means of redress. If the EPP does not have the contact details of all consumers concerned, it must publish the information in a way that is easily accessible on its Online Interface.

Section 5 - Additional obligations for providers of VLO platforms and of VLO search engines

Risk assessment and mitigation

VLO Providers must diligently identify, analyse and assess any systemic risks in the EU stemming from the design, functioning or use of their service and its related systems at least annually and prior to deploying functionalities that are likely to have a critical impact on those risks. The risk assessment must be specific to their services and proportionate to the systemic risks, taking into consideration their severity and probability. The supporting documents must be held for at least three years and be provided on request to the Commission and local Digital Services Coordinator.


VLO Providers must have reasonable, proportionate and effective mitigation measures, tailored to the specific systemic risks identified, with particular consideration to the impacts of such measures on fundamental rights.

Crisis response mechanism 

Where extraordinary circumstances lead to a serious threat to public security or public health in the EU (‘crisis’), the Commission can require VLO Providers to assess whether, and if so to what extent and how, the functioning and use of their services significantly contribute to that serious threat; identify and apply specific, effective and proportionate measures to prevent, eliminate or limit any such contribution; and report to the Commission on the assessments and on the measures taken.

Independent audit

VLO Providers must be independently audited at least once annually, at their own expense, to assess compliance with the above obligations, any commitments undertaken pursuant to codes of conduct adopted under the DSA, and the crisis protocols for extraordinary circumstances affecting public health and security.

The auditors must be independent and have no conflicts of interest with the VLO Provider or any legal person connected to that provider. In particular, they must not have provided non-audit services related to the matters audited to the VLO Provider or any connected legal person in the 12 months prior to the beginning of the audit, and must not commit to providing such services in the 12 months after; must not provide the auditing services for longer than 10 consecutive years; must not charge fees contingent on the result of the audit; and must have proven expertise in the area of risk management, technical competence and capabilities, as well as proven objectivity and professional ethics, based in particular on adherence to codes of practice or appropriate standards.

Audit reports must be substantiated, in writing, and shall include certain specified information, including an opinion that is either ‘positive’, ‘positive with comments’ or ‘negative’, with operational recommendations on specific measures to achieve compliance and the recommended timeframe to achieve compliance. The VLO Provider then has a month to adopt a report setting out the measures necessary to implement the recommendations or justifying why it has not done so.

Recommender systems 

VLO Providers must provide at least one option for each of their recommender systems which is not based on profiling as defined in GDPR. 

Additional online advertising transparency 

VLO Providers who present advertisements on their Online Interfaces shall compile and make publicly available, in a specific section of their Online Interface (through a searchable and reliable tool that allows multi-criteria queries) and through APIs, a repository containing certain information about each ad for the entire period during which the ad is presented and for one year afterwards, making reasonable efforts to ensure that the information is accurate and complete. That information includes whether the advertisement was intended to be presented specifically to one or more particular groups of users and, if so, the main parameters used for that purpose (including, where applicable, the main parameters used to exclude one or more such groups); and the total number of users reached, broken down by Member State. Where a specific advertisement was taken down for illegality or incompatibility with the VLO Provider’s terms and conditions, the repository shall instead include the information required for statements of reasons or the legal basis for the take-down order.

Data access and scrutiny 

VLO Providers must provide their home Digital Services Coordinator with access to the data necessary to monitor and assess compliance with the DSA, within a reasonable period specified in the request. Such data may only be accessed for the purpose of monitoring and assessing compliance with the DSA, and the Digital Services Coordinator must take due account of the rights and interests of the VLO Providers and the users concerned, including the protection of personal data, confidentiality, trade secrets, and the security of the VLO service. VLO Providers must explain the design, logic, functioning and testing of their algorithmic systems, including their recommender systems; and must provide access to ‘vetted researchers’ conducting research that contributes to the detection, identification and understanding of systemic risks in the EU and to the assessment of the adequacy, efficiency and impacts of the risk mitigation measures.

Compliance function

VLO Providers must have a compliance function that is independent from their operational functions and composed of one or more compliance officers with sufficient authority, stature, qualifications, knowledge, experience, ability, resources and access to the management/board to monitor the VLO Provider’s compliance with the DSA and carry out certain specified functions. The head of compliance must report directly to the management body and cannot be removed without prior approval of the management body.


The management body of the VLO Provider shall: define, oversee and be accountable for the implementation of the provider's governance arrangements that ensure the independence of the compliance function, including the division of responsibilities within the organisation of the VLO Provider, the prevention of conflicts of interest, and sound management of systemic risks; approve and review, at least annually, the strategies and policies for taking up, managing, monitoring and mitigating the risks; and devote sufficient time to the consideration of mitigation measures and ensure that adequate resources are allocated to risk management.

Transparency reporting obligations

VLO Providers must publish their transparency reports at least every six months (rather than annually) with certain additional information, including the human resources that the provider of VLO platforms dedicates to content moderation; the qualifications and linguistic expertise of moderators; and indicators of accuracy and related information on the use of automated content moderation, each broken down by each official language of the Member State(s) where its services are offered. 

Supervisory fee 

Each VLO Provider will be charged an annual supervisory fee that takes into account the costs incurred in the previous year; is proportionate to the VLO Provider’s number of average monthly active users in the EU; but must not exceed 0.05% of its worldwide annual net income in the preceding financial year.