Basic obligations of intermediate service providers according to the DSA

Under the Digital Services Act (hereinafter: “DSA“), due diligence obligations have been imposed on intermediate service providers for a transparent and secure online environment.

Due to the fact that the concept of indirect service provider includes many, different types of entities (often of different structure and size), as well as the fact that the concept of indirect service is itself broad and includes a catalog of services with different specificities, the legislator recognized that due diligence obligations must be tailored to the type, size and nature of the intermediary service in question, and therefore a catalog of basic duties – that is, duties that apply to all providers of intermediary services – and, in addition, additional duties – that apply to particular types of providers of intermediary services, due to the specificity and size of the services they provide – was singled out. Basic duties should be performed by an intermediate service provider of any type.

The basic due diligence obligations of intermediate service providers include:

  • Designation of points of contact.

 

Indirect service providers are required to designate a single electronic point of contact and to publish and update relevant information regarding this point of contact. The imposition of such an obligation on intermediate service providers is aimed at ensuring smooth communication between the provider and the recipient of the service, as well as between the provider and member state authorities, the European Commission, the European Digital Services Board.

Unlike a legal representative, a point of contact does not have to have a physical location, it is a virtual place. A point of contact can serve duties imposed under various other laws, not just under the AUC. Information on points of contact must be readily available and updated on the supplier’s website.

The point of contact for service recipients should, first and foremost, allow them to communicate directly and quickly with the intermediary service provider, electronically, in a user-friendly manner, including by allowing service recipients to choose their means of communication, which must not rely solely on automated tools. In practice, this means first and foremost that the service recipient should have a choice of at least two communication tools, one of which must not rely solely on automated tools.

 

  • Appointment of legal representative.

 

Indirect service providers that are based in a third country (i.e., outside the EU) and offer services in the European Union should appoint a legal representative in the EU with sufficient authority and provide information on their legal representatives to the relevant authorities and make such information public.

Indirect service providers shall specifically designate in writing a legal or natural person to act as their legal representative in one of the member states where the provider offers its services. The legal representative may represent one or more intermediate service providers.

 

A legal representative is not only an attorney for service of process in matters related to the issuance of DSA decisions by the authorities. He must also be able to cooperate with the authorities, respond to summonses received. The legal representative should receive authorizations for actions that ensure compliance with the decisions of the competent authorities.

In order to fulfill the obligation to appoint a legal representative, intermediate service providers should ensure that the appointed legal representative has the authority and resources necessary to cooperate with the relevant authorities. Adequate resources should be viewed as appropriate competence and experience, as well as having the relevant organizational, legal or technical capabilities to perform such a role.

 

  • Include in the terms and conditions of service information on restrictions on the use of services.

 

Indirect service providers should include in their terms of service (i.e., regulations that are part of user contracts, for example) information on any restrictions they impose on the use of their services with respect to information provided by recipients of the service. Such information must include an indication in terms of any policies, procedures, measures and tools used for content moderation, and should also include information on the rules of procedure for handling complaints internally. The Digital Services Act formulates an additional requirement that the aforementioned information be provided in a manner that is simple and understandable to the recipient, and that the information be machine-readable.

Providers of intermediate services directed primarily at minors (e.g., because of the type of service or the type of marketing associated with the service), should make a special effort to explain the terms of use in a manner that is easily understood by minors.

Special obligations related to the inclusion of restriction information in the terms of service were imposed on intermediate service providers qualifying as very large online platforms or very large search engines. The rationale for imposing additional obligations was primarily cited as the need for such large entities to provide special transparency regarding the terms of use of their services. Providers of very large web browsers and very large search engines, in addition to the obligation applicable to all types of intermediate service providers to provide terms of use, are also required to, among other things: provide a summary of such terms, make the terms available in the official languages of all member states in which they offer their services.

 

  • Reporting obligations.

The AUC also imposes an annual reporting obligation on intermediate service providers for any content moderation they have done during the period.

The report should include, among other things, the following information:

  • Number of warrants received from member state authorities;
  • Number of notifications made under DSA Article 16;
  • Relevant and understandable information on content moderation done on the suppliers’ own initiative;
  • Number of complaints received through internal complaint handling systems in accordance with the provider’s terms of service;
  • Any use of automated means for content moderation.

The European Commission has the authority under the DSA to adopt implementing acts to establish templates setting forth the form, content and other details of the reports, including harmonized reporting periods. The Commission is currently working on the adoption of such a template.

***

Want to learn more about the basic obligations of intermediate service providers under the Digital Services Act? For more, check out the publication by our law firm’s advisors: [Link to publication].

Artificial intelligence – what it is (from a legal point of view) and how the world is dealing with it

“In the rapidly evolving field of technology, artificial intelligence (AI) is a disruptive force that has not only transformed industries, but has also raised many questions and legal challenges.”

Chat GPT asked to present artificial intelligence in the context of legal challenges.

Is there a definition of artificial intelligence?

Currently, there is no legal definition of artificial intelligence either in Poland or in the European Union. A similar situation also exists in other major jurisdictions around the world. Probably the closest definition to AI is the definition of ‘automated decision-making’ in the RODO, which may include some AI systems.

The RODO, in Article 22, defines automated decision-making as:

“… a decision which is based solely on automated processing, including profiling, and which produces legal effects in relation to (…) a person or significantly affects that person in a similar manner.”.

However, this definition in its current form is not specific enough to sufficiently ‘cover’ the concept of artificial intelligence systems as we know them today.

From a legal point of view, artificial intelligence is therefore ‘just’ a technology or a set of technologies and is regulated in the same way as any other technology – through a number of different rules applicable to specific contexts or applications. It can be used for good purposes or to cause harm, its use can be legal or illegal – it all depends on the situation and the context.

Why is the regulation of artificial intelligence so important?

The pace of artificial intelligence development is accelerating. And because artificial intelligence is a ‘disruptive force’, different countries are struggling to describe the technology for legislative purposes. In the past, legislators rarely considered creating new legislation at an international level specifically for a single technology. However, recent years have proven that more and more technological breakthroughs require a rapid legal response – you don’t have to look far, just think of cloud computing, blockchain and now artificial intelligence.

For example, different parts or components of this technology may be owned by different people or companies (for example, copyright of a certain programme code or ownership of databases), but the idea of artificial intelligence is public. And as more and more AI tools and knowledge are made available to everyone, in theory anyone can use AI tools or create new tools. This may involve potential abuse, which is why regulation of the technology is so important.

Why else? Everyone agrees that artificial intelligence has the potential to change the economic and social landscape around the world. Of course, this is already happening, and the process is accelerating every day – which is as exciting as it is frightening. The speed at which new technologies are developing makes it difficult to predict the results. It is therefore crucial to have some legal principles in place to ensure that artificial intelligence is used in a way that benefits everyone. And since it is a ‘global phenomenon’, it would be best if there was at least a universal agreement on what artificial intelligence is from a legal point of view.

However, this is unlikely to happen globally. Some countries are trying to define artificial intelligence by its purpose or functions, others by the technologies used, and some are combining different approaches. However, many key jurisdictions are trying to agree on a definition of AI and find common principles. This is important to avoid practical problems, especially for providers of global AI solutions, as they will soon face numerous compliance issues. Only at least basic interoperability between jurisdictions will allow AI to reach its full potential.

EU approach

Various countries in the European Union have tried to ‘approach’ the AI issue in many ways. However, if we are looking for a quick answer to the question “what is the most likely definition of AI in the EU?”, most will refer us to the Artificial Intelligence Act, or AI Act, or rather its draft. Member states are deferring concrete decisions until the final version of the AI Act, which will comprehensively regulate the technology at the European level in all member states, is adopted.

The current publicly available version of the AI Act contains the following definition of an artificial intelligence system:

“An AI system is a machine-based system designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment and that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.”

Source: https://www.linkedin.com/feed/update/urn:li:activity:7155091883872964608/

Which can be translated as: “An artificial intelligence system is a machine system designed to operate with varying levels of autonomy, which can exhibit adaptability when deployed and which, for explicit or implicit purposes or hidden purposes, infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.”

This is in contrast to the last text of the AI Act of 2023, which defined an artificial intelligence system as “software developed using one or more of the techniques and approaches listed in Annex I that can, for a given set of human-defined purposes, generate outputs such as content, predictions, recommendations or decisions that affect the environments with which it interacts.”

The EU has thus moved closer in its definition of an artificial intelligence system to the OECD standard.

And what is this standard? In November 2023. The OECD (Organisation for Economic Co-operation and Development) updated the definition of AI contained in the OECD AI Principles. This is the first intergovernmental standard on AI (it was adopted in 2019). Numerous authorities around the world have committed to applying this definition directly or with minor modifications. The European Union is also part of this group.

Source: https://oralytics.com/2022/03/14/oced-framework-for-classifying-of-ai-systems/

OECD definition of an AI System:

An AI system is a machine-based system that , for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Different AI systems vary in their levels of autonomy and adaptiveness after deployment.”

(PL: “An artificial intelligence system is a machine-based system that, for explicit or implicit purposes, infers from the input received how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments. Different artificial intelligence systems vary in their level of autonomy and adaptability once deployed”).

Current OECD artificial intelligence system model

In addition to this definition, the OECD recommendations set out five additional value-based principles for the responsible management of trustworthy artificial intelligence.

These include:

inclusive growth, sustainability and prosperity;
human-centred values and justice;
transparency and ‘explainability’;
robustness, safety and security;
accountability.
In the context of the above, countries that have committed to the OECD Principles on Artificial Intelligence should reflect the aspects listed (at least in theory). In this context, the EU is on the right track.

How is artificial intelligence interpreted at a global level?

United States

Obviously, one of the most active jurisdictions when it comes to artificial intelligence is the United States.According to the National Conference of State Legislatures website, at least 25 states, Puerto Rico and the District of Columbia have introduced legislation on artificial intelligence in 2023, with 15 states and Puerto Rico passing resolutions in this area. Individual states have taken more than 120 initiatives in relation to general AI issues (legislation on specific AI technologies, such as facial recognition or autonomous cars, is monitored separately).

The approach in the United States thus varies. As an interesting aside, in May 2023, a bill was introduced in California calling on the US government to impose an immediate moratorium on the training of artificial intelligence systems more powerful than GPT-4 for at least six months to allow time for the development of an AI management system – its status is currently ‘pending’, but it does not seem likely to be adopted.

Regarding the definition of artificial intelligence, there is no uniform legal definition in the US. However, one of the key pieces of AI-related legislation – the National AI Initiative Act of 2020. – established the National Artificial Intelligence Initiative Office and defined artificial intelligence as “a machine-based system that can, for a given set of human-defined goals, make predictions, recommendations or decisions affecting real or virtual environments”. It goes on to explain that “artificial intelligence systems use machine- and human-based inputs to – (A) perceive real and virtual environments; (B) abstract such perceptions into models through analysis in an automated fashion; and (C) use model inference to formulate options for information or action”. However, the document mainly focuses on the organisation of the AI Office to support the development of this technology in the United States, rather than regulating artificial intelligence itself.

The US has committed to the OECD’s principles on artificial intelligence. However, there is also other guidance on what to expect from federal AI regulations. “The Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People” is the place to start. It was published by the White House Office of Science and Technology Policy in October 2022 and contains a list of five principles to “help provide guidance whenever automated systems may significantly affect the rights, opportunities or access to critical needs of the public”. These principles include:

1. secure and efficient systems

2. protection against algorithmic discrimination

3. data privacy

4. notification and explanation

5. human alternatives, considerations and fallback solutions

The definition of artificial intelligence systems covered by Blueprint includes two elements: (i) it has the potential to significantly affect the rights, capabilities or access of individuals or communities and (ii) it is an “automated system”. An automated system is further defined as “any system, software or process that uses computing as all or part of a system to determine outcomes, make or support decisions, inform policy implementation, collect data or observations, or otherwise interact with individuals and/or communities. Automated systems include, but are not limited to, systems derived from machine learning, statistics or other data processing techniques or artificial intelligence and exclude passive computing infrastructure.” To clarify, “passive computing infrastructure is any intermediary technology that does not influence or determine the outcome of a decision, make or assist in making a decision, inform the implementation of a policy or collect data or observations”, including, for example, web hosting.

In terms of other key jurisdictions, none of the following have any widely recognised legal definition, but:

China

China has defined standards at the national level and local adaptations that are based on certain definitions related to the functionality of artificial intelligence systems;

Hong Kong

has created guidelines for the ethical development and use of artificial intelligence, which define artificial intelligence as “a family of technologies that involve the use of computer programmes and machines to mimic the problem-solving and decision-making abilities of humans”.

Japan

Japan has set out an ‘AI Strategy 2022’. It has been issued by the Cabinet Office’s Integrated Innovation Strategy Promotion Council. It suggests that ‘AI’ refers to a system capable of performing functions deemed intelligent.

Singapore

Singapore, on the other hand, has attempted to define ‘AI’ as a set of technologies that are designed to simulate human characteristics such as knowledge, reasoning, problem solving, perception, learning and planning and, depending on the AI model, produce a result or decision (such as a prediction, recommendation and/or classification). This definition is provided in the Model Framework for the Management of Artificial Intelligence issued by the Infocomm Media Development Authority and the Personal Data Protection Commission.

***

Attempts to create a legal definition of artificial intelligence are ongoing around the world. Currently, one of the most recent proposals is that proposed by the OECD. The enactment of the AI Act in its final version will certainly accelerate the process of unifying the approach to the definition of AI worldwide. The question remains open as to whether some countries will not, however, want to ‘distinguish’ themselves with a strongly liberal approach to AI in order to attract the creators of this technology to themselves (without particularly caring about the legal and ethical aspects).

Authors: Mateusz Borkiewicz, Agata Jałowiecka, Grzegorz Leśniewski

Contact

Any questions?see phone number+48 663 683 888
see email address

Hey, have you
signed up to our newsletter yet?

    Check how we process your personal data here