Scope of the DSA

As reported in our previous article, the Digital Services Act will build on the eCommerce Directive and introduce a staggered set of obligations and liability rules for online intermediary services and online platforms, which millions of Europeans use every day. Similar to the concept under the eCommerce Directive, “intermediary services” as defined in the draft Digital Services Act comprise:

• “mere conduit” services (services that consist of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network, Art. 3 DSA);
• “caching” services (services that consist of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, for the sole purpose of making more efficient the information's onward transmission to other recipients upon their request, Art. 4 DSA); and
• “hosting” services that consists of the storage of information provided by, and at the request of, a recipient of the service (Art. 5 DSA).

In addition, the Digital Services Act introduces the concept of “online platforms”, which comprises providers of hosting services which, at the request of the recipient of the service, store information and disseminate it to the public (unless that activity is a minor and purely ancillary feature of another service).

Applicability to cloud computing services

Cloud computing is usually used as a label for a broad variety of business models that primarily offer the use of scalable resources in data centers. Under European Union (EU) law, cloud computing services are typically understood as digital services that enable access to a scalable and elastic pool of shareable computing resources (see the definition Art. 4 (19) of the NIS Directive). At a high level, there are three key cloud business models that would fall under this notion of cloud computing services, namely:

• “Infrastructure as a Service” (IaaS), consisting in the third party hosting of hardware, software, storage, servers and other infrastructure for its users; 
• “Platform as a Service” (PaaS), consisting in the hosting of a platform for users to develop, run and manage applications on the provider’s cloud service; and
• “Software as a Service” (SaaS), consisting in the hosting of application that can be used by customers over the internet (typically accessed using a thin client via a web browser).

It becomes clear that for the purposes of the Digital Services Act, cloud computing services may typically qualify as a “hosting service” (and thereby “intermediary services”) within the definition of the Digital Services Act proposal. This applies irrespective of whether the cloud computing services are offered towards business customers (i.e. in B2B relationships) or consumers (i.e. in B2C relationships).

It also applies whether or not the cloud provider is based in the EU, since the Digital Services Act is intended to apply to all digital services, as long as they are targeting customers in the EU.  

In addition, particularly with regard to B2B scenarios, the customers of a cloud service provider may themselves qualify as “intermediary services”, such as when operating end-user-facing applications or platforms on the basis of a cloud environment, thereby leading to a situation of double hosting. 

In certain scenarios, cloud providers may even fall into the definition of “online platforms”, especially where they operate a publicly accessible user interface on which cloud users can share content stored in the cloud with third parties. 

Relevant key obligations

Where a cloud provider qualifies as hosting service, it will be subject to the following key obligations under the Digital ervices Act proposal:

• Cooperation with national authorities (Art. 8-11 DSA): Hosting services shall cooperate with national authorities following orders to act against illegal content or to provide information about recipients of their services. They shall set up a single point of contact for national authorities which can be contacted by electronic means. If the hosting service is based outside the EU, it must determine a legal representative within the EU with power and resources to cooperate with national authorities.
• Terms & conditions (Art. 12 DSA): Hosting services’ terms and conditions must contain information about restrictions they may impose on any use of their services including information on any measures or procedures used for the purpose of content moderation.
• Transparency reports (Art. 13 DSA): Service providers will also be required to publish detailed reports on their content moderation at least once a year.
• "Notice and action mechanisms" (Art. 14 DSA) and “Statement of reasons” (Art. 15 DSA): Hosting services must set up mechanisms to allow any individual or entity to send notices about potentially illegal content by electronic means. If the service provider decides that the content is in fact illegal and therefore removes it, it must provide the uploader with a detailed statement of reasons as to why the content has been removed.

 Additional obligations apply to intermediaries that qualify as online platforms, including a strengthened “notice and action” mechanism, including by which either the uploader of the potentially illegal content or the notifier may challenge the platform's decision (Art. 17-20 DSA).

Cloud-specific challenges

Cloud computing business models often go far beyond mere data storage. Where a cloud service provides for more functionalities than the mere hosting of data, the concept of obligations of hosting providers under the current Digital Services Act proposal may give rise to some practical hurdles for providers of cloud computing services:

• For instance, data is often stored in an encrypted manner in cloud environments. Depending on the encryption method, cloud customers may have the sole control over encryption keys. Where the cloud provider cannot decrypt and access the content due to such encryption, compliance with the notice-and-action mechanism will typically require cooperation of the cloud customer.
• Where a third party business uses a SaaS provider in B2B scenarios, such third party cloud customer typically has direct authority and control over content. For example, if a cloud service provider is made aware of the presence of illegal content or harmful activities on a client website hosted in a cloud environment, the cloud service provider can usually only block access to an entire server, but cannot get access to the individual piece of content to remove it.

From a provider liability perspective, the Digital Services Act proposal largely adheres to the liability principles for hosting providers enshrined in the eCommerce Directive. Under Art. 5 DSA proposal, hosting providers will only be liable if they have been informed about illegal content (by the notice and action mechanism). An exemption from liability will apply if the cloud provider can prove in the individual case that it has no actual knowledge of the illegal content (which may be the case in the scenarios outlined above) or that it has acted without undue delay to remove the content or block access to it.

What are the next legislative steps?

It will still take some time before the drafts finally come into force, and amendments to the proposed legislation are possible. As the next step, the Council of the European Union (“Council”) and the European Parliament must agree on final versions of the draft DSA, which will then negotiated in so-called trilogue meetings of the Council, the European Parliament and the European Commission. Once these meetings result in an agreement, the Council and Parliament will have to vote on the final text in order for the regulation to enter into force, which is currently expected for 2023/2024. Nevertheless, extensive legal changes are already foreseeable and it is recommended for companies to closely monitor the legal developments to allow for early adjustments to the new legal framework.

We have a dedicated multi-jurisdictional taskforce closely tracking the progress of the DSA, including experts in intellectual property, consumer and contract laws, data protection, technology regulation and policy and competition. For details of the taskforce click here.

Authored by Henrik Hanssen, Johannes Großekettler, Katharina Schwalke and Thilo Ortgies