From February 17, 2024, the Digital Services Act (“DSA”) will apply to providers of intermediary services (e.g., cloud services, file-sharing services, search engines, social networks and online marketplaces). These entities will be required to comply with a number of obligations, including implementing notice-and-action mechanisms, complying with detailed rules on terms and conditions, and publishing transparency reports on content moderation practices, among others. For more information on the DSA, see our previous blog posts here and here.

As part of its powers conferred under the DSA, the European Commission is empowered to adopt delegated and implementing acts* on certain aspects of implementation and enforcement of the DSA. In 2023, the Commission adopted one delegated act on supervisory fees to be paid by very large online platforms and very large online search engines (“VLOPs” and “VLOSEs” respectively), and one implementing act on procedural matters relating to the Commission’s enforcement powers. The Commission has proposed several other delegated and implementing acts, which we set out below. The consultation period for these draft acts have now passed, and we anticipate that they will be adopted in the coming months.

Pending Delegated Acts

  • Draft Delegated Act on Conducting Independent Audits. This draft delegated act defines the steps that designated VLOPs and VLOSEs will need to follow to verify the independence of the auditors, particularly setting the rules for the procedures, methodology and templates used. According to the draft delegated act, designated VLOPS and VLOSEs should be subject to their first audit at the latest 16 months after their designation. The consultation period for this draft delegated act ended on June 2, 2023.
  • Draft Delegated Act on Data Access for Research. This draft delegated act specifies the conditions under which vetted researchers may access data from VLOPs and VLOSEs. The consultation period for this draft delegated act ended on May 31, 2023.

Pending Implementing Acts

  • Draft Implementing Act on Transparency ReportingThis draft implementing act sets out the detailed rules applicable to intermediary service providers on transparency reporting, setting out, among other things, the reference dates for the reporting period. The draft implementing act provides that the information provided in the transparency reports must be broken down, at a minimum, by calendar month. An Annex to the implementing act sets out the proposed template for transparency reports. The consultation period for this draft implementing act ended on January 24, 2024.
  • Draft Implementing Act on Information Sharing SystemsThis draft implementing act (i) details the procedure and form of the information sharing system used to enable information sharing and communication between the European Commission, Digital Services Coordinators (“DSCs”), and the European Board for Digital Services (“EBDS”); (ii) establishes the concerned parties respective responsibilities; (iii) specifies general privacy rights (e.g., access rights and confidentiality obligations); and (iv) details roles that concerned parties play on personal data aspects. The consultation period for this draft implementing act ended on January 5, 2024.

What’s Next?

As noted above, we anticipate that the delegated and implementing acts will be adopted in the first two quarters of 2024. The procedure for adoption of delegated acts is included in Article 87 of the DSA, and requires that: (i) the Commission consults experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of April 13, 2016, on Better Law-Making; (ii) the Commission notifies the adoption of said delegated act to the European Parliament and Council; and (iii) the Parliament and Council do not object within a period of three months from the notification of adoption of said delegated act. In the case of implementing acts, the procedure for adoption of said acts is reflected in Article 83 of the DSA, which states that the Commission will be required to invite all interested parties to submit their comments within a dedicated period of time (no less than one month), and follow the advisory procedure referred to in Article 88 of the DSA by consulting the Digital Services Committee.

*Delegated acts are acts supplementing existing legislation on non-essential parts or amending specific and non-essential elements of a determined legislative act. Implementing acts are acts laying down the uniform conditions for implementing legally binding EU acts. Both are non-legislative instruments and provide tools for the European Commission to further clarify certain key aspects of a specific legislation — in this case, the DSA.

***

The Covington team will continue to monitor developments on the implementation and enforcement of the DSA and continue to report on them on our blog. We are happy to assist with any questions on the topic.

This blog post was drafted with the contribution of Diane Valat.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Lisa Peets Lisa Peets

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she…

Lisa Peets leads the Technology Regulatory and Policy practice in the London office and is a member of the firm’s Management Committee. Lisa divides her time between London and Brussels, and her practice embraces regulatory counsel and legislative advocacy. In this context, she has worked closely with leading multinationals in a number of sectors, including many of the world’s best-known technology companies.

Lisa counsels clients on a range of EU law issues, including data protection and related regimes, copyright, e-commerce and consumer protection, and the rapidly expanding universe of EU rules applicable to existing and emerging technologies. Lisa also routinely advises clients in and outside of the technology sector on trade related matters, including EU trade controls rules.

According to the latest edition of Chambers UK (2022), “Lisa is able to make an incredibly quick legal assessment whereby she perfectly distils the essential matters from the less relevant elements.” “Lisa has subject matter expertise but is also able to think like a generalist and prioritise. She brings a strategic lens to matters.”

Photo of Sam Jungyun Choi Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous…

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.