Who is affected by the DSA? What does your company have to do? Do you need a legal representative under the Digital Services Act? | Prighter
Blog

The role of the legal representative under the Digital Services Act

Special obligation for non-EU companies

Andreas Women called Katharina in a pantsuit. Women called Charlotte in a pantsuit.

Andreas Maetzler, Katharina JOKIC, Charlotte Mason

Picture

The Digital Services Act (DSA) is another key corner stone of the “Digital Strategy for Europe” and part of a new generation of regulations for digital governance. The DSA is designed to protect users against illegal and harmful content and goods as well as the spread of disinformation in the digital world. Its aim is to ensure user safety, protect fundamental rights, and create a fair and open online platform environment.

Like the GDPR, the DSA has extra-territorial scope meaning that it applies to companies without an establishment in the EU as well to EU companies. However, the scope of the DSA is narrower than the GDPR in that it only applies to organizations providing intermediary services. This makes it essential for an organization to classify the type of service it provides to determine whether its activities are caught by the EU Digital Services Act. This classification becomes even more important considering that the level of obligations for intermediary services imposed under the DSA are dependent on the type of service provided with an increase in the level of obligations according to the risk profile of the relevant services. An overview of this increase in obligations is set out in Annex 1.

Regardless of the nature of the services offered, all non-EU intermediary service providers are required to appoint a legal representative in the EU. While the concept of the legal representative under the DSA is very similar to that of the GDPR, there are some significant differences in the role of the DSA representative.

1. The scope of the Digital Services Act

The DSA applies to all online intermediary services with additional requirements on hosting services, online platforms and very large online platforms (VLOPs) and very large search engines (VLOSEs).

The DSA applies to companies without an establishment in the EU where non-EU providers are “offering” such services within the EU. To qualify as “offering” a service, an intermediary service needs to be accessible by EU recipients and needs to have a substantial connection to the EU. Besides an establishment, a substantial connection results from specific factual criteria such as:

  • a significant number of recipients of the service in the EU;
  • the targeting of activities towards the EU.

Whether the number of recipients in one or more Member States is significant depends on the proportion of users in comparison to the whole population.

To determine if a provider targets its activities towards recipients in the EU, all relevant circumstances need to be taken into account. Especially the use of a language or a currency of a particular Member State, the ability for users to order such products or services, or the use of a relevant top-level domain indicate the targeting of recipients. Furthermore, the availability of an application in the relevant national application store, local advertising or advertising in a language used in that Member State, or the handling of customer relations in such language are factors which may result in targeting. In contrast, the mere technical accessibility of a website from the Union does not establish a substantial connection to the Union.

2. The type of service providers of intermediary services

The classification of the type of service determines which obligations under the DSA apply to a provider of intermediary services. This gradation is a risk-based approach that imposes stricter obligations on types of services which present a higher societal risk.

Picture

The base layer, which covers all types of services under the DSA is called Intermediary Services. Any additional classification builds on this base layer with subcategories of Intermediary Services. Intermediary Services are:

  • “Mere Conduit” Services (e.g. Internet Service Provider „ISP“),
  • “Caching” Services (e.g. Content Delivery Networks “CDNs”),
  • “Hosting” Services (see below);

Additional obligations apply to Hosting Services. Hosting Services involve the storage of information provided by users (e.g. cloud computing, web hosting, paid referencing services or services enabling sharing information and content online, including file storage and sharing). This category of Hosting Services catches a large variety of companies which may be surprised by the applicability of the DSA on their business.

Online Platforms are a sub-category of Hosting Services in that they not only host information for a user but also disseminate the information to the public. By doing so, Online Platforms bring together sellers and users (e.g. online marketplaces, app stores, collaborative economy platforms and social media platforms). If the Online Platform serves not only business users but also consumers, additional obligations apply.

Online platforms and search engines reaching more than 45 million consumers on average per month in Europe are classified as very large. Because of the particular risks associated with the dissemination of illegal content and societal harms, specific rules apply to such VLOPs and VLOSEs. An overview over the tiered system of obligations is attached as Annex 1 (see point 4).

It may not always be easy to define the applicability of the Digital Services Act on a service provider. To get an indication complete our self-assessment here.

The concept of the representative has become an essential part of all European regulations for digital governance, including the GDPR, NISD and NISD II, TCOR, the Digital Governance Act, the AI Act and the upcoming ePrivacy Regulation. Despite this, the implementation of the representative requirement is not consistent across these legislative frameworks, making it all the more important to shed some light on the role of the representative under the DSA and the differences from the original concept introduced by the GDPR.

Like the GDPR, the DSA legal representative is designed to be a substitute for a company’s own subsidiary in the EU. The minimum requirement for the representative is therefore to have a physical presence in the EU to carry out its role. While this may be an obvious part of the role, a number of providers are little more than a post box themselves. A proper setup of the physical presence is not only a compliance requirement, it is also a practical need to fulfil the tasks of a representative and to deliver benefits to the client and local stakeholders.

According to Art 13 DSA the main task of the DSA representative is to be the addressee for the competent national authorities, the European Commission and European Board for Digital Services. National authorities with competences for matters subject to the DSA can be judicial (e.g. courts) or administrative authorities (e.g. telecommunication authorities) including law enforcement authorities (e.g. the police or prosecution offices). As the term “legal representative” already suggests, the role is mainly to deal with authorities in the event of legal proceedings. The representative is expected to ensure efficient and timely cooperation with the competent authorities, particularly to ensure receipt of, compliance with, and enforcement of decisions of the competent authorities. Compliance with the Digital Services Act is therefore a joint task between non-EU intermediary service provider and its legal representative. For this reason, the legal representative may be held liable for its client’s non-compliance with the DSA. This concept of joint liability also formed part of the draft version of the GDPR but was abandoned during the law-making process and did not make it into the final version. Nevertheless, some Member States included such joint liability in their national data protection laws.

This leads to the question of who can be a legal representative under the Digital Services Act. To fulfil the main purpose of the legal representative the DSA provides for some quality requirements. According to Recital 44 the legal representative needs to have the necessary powers and resources to cooperate with the relevant authorities. In practical terms this means that the representative needs on the one hand to have a wide-ranging power of attorney covering proceedings by judicial, administrative and law enforcement authorities. On the other hand, the legal representative needs to have sufficient experience and be properly qualified to deal with such proceedings.

In addition to requiring the pre-requisite qualifications, the DSA also includes requirements relating to the financial stability of the legal representative. To safeguard the concept of joint liability the legal representative needs to have financial resilience, meaning that the DSA excludes providers who are subject to reconstruction proceedings, bankruptcy, or personal or corporate insolvency.

As with the GDPR it is sufficient to appoint a representative in one Member State to cover the whole of the EU. However, unlike the GDPR, the Digital Services Act awards the appointment of the representative with the one-stop-shop principal meaning that only the authorities of the Member State where the representative is located are competent to handle cases related to a client.

In addition to the core responsibilities, the legal representative needs also be able to support non-EU clients with other obligations under the Digital Services Act as non-EU providers of intermediary services should be able to rely on the expertise of the legal representative. The legal representative especially may take over the operational function of the electronic point of contact considering the language requirements for the communication with users.

For more details on Prighter DSA services as legal representative see here

4. Annex 1: The tiered system of obligations under the DSA

Picture