Month: May 2024 | Kancelaria LBKP Legal

Obligations of online platforms under the Digital Services Act – selected issues

Posted on 28 May 2024 by Jakub Chlebiej

In this article, I will focus on discussing the obligations that online platform providers have under the Digital Services Act (DSA).

Many services qualify under online platforms. These can be social media (e.g. Meta services such as Facebook or Instagram), a market place type service (e.g. Allegro, Amazon), or venues for publishing videos (e.g. Youtube). In recent years, the provision of services in the form of online platforms has become one of the leading sectors of the digital economy. Therefore, the EU legislator decided to pay a great deal of attention to these entities when creating the DSA and imposed a number of obligations on them.

Who is an online platform provider?

At the outset, it is important to identify who an internet platform provider is.

An online platform under the DSA is a hosted service (see our blog article [__] for more information on this) that stores and disseminates information to the public at the request of the recipient of the service.

However, the DSA provides exceptions to whether a particular service qualifies as an internet platform. Such an exemption applies where the activity is an insignificant or solely ancillary feature of another service or an insignificant function of the main service, and for objective and technical reasons cannot be used without such other service, and the inclusion of such feature or function in such other service is not a way to circumvent the application of the DSA.

Merely establishing that a particular provider meets the prerequisites of being an online platform does not at all mean that the DSA will need to be applied to it. If a provider is a micro or small enterprise as defined by the European Commission Recommendation 2003/361/EC, then – with one reporting exception – it will not be required to implement the arrangements provided for online platform providers. These are as follows:

– micro enterprise – has fewer than 10 employees and a turnover or annual balance sheet total of less than EUR 2 million;

– small enterprise – has fewer than 50 employees and a turnover or annual balance sheet total of less than EUR 10 million.

But here, too, we have an exception to the exception 😊 Even if the online platform provider is a micro or small enterprise, it will have to comply with these obligations if, at the same time, it has the status of a very large online platform provider. This is because, with this qualification, the size of the provider and, above all, its outreach (more on this below) does not matter.

Below is a general summary of the obligations provided for DSA online platform providers only (Chapter III Section 3 DSA):

But beware: we still need to remember the following rules:

I. The online platform provider must also comply with the obligations that are provided for each intermediate service provider (Chapter III Section 1 DSA) and hosting service provider (Chapter III Section 2 DSA). This is because an online platform provider is, by definition, also a hosting provider, one of the types of intermediate services.

II. Further obligations for an online platform provider will arise if its platform allows consumers to conclude distance contracts with traders (so-called B2C platforms) (Chapter III Section 4 DSA).

III. Even more obligations will arise when the provider has the status of a very large online platform provider, i.e. it has an average number of monthly active service customers in the Union of at least 45 million and has been designated by the European Commission as a very large online platform.

IV. Last but not least, notwithstanding the obligations imposed by the DSA, an online platform provider must comply with the obligations imposed on it by other legislation (such as Regulation 2021/784 on the prevention of the dissemination of terrorist content on the internet, or the RODO).

The obligations of online platform providers that I have listed above are briefly summarised below.

Internal complaint handling system

This is an extension of the obligations imposed on each service provider relating to the moderation of content on its resources. Provider platform online must enable odbiorcom service, in that people who make the notification, by at least six months from the decision related to the moderation to the internal system of the complaint internal.

Po some time supplier platform issued a decision in which came to the position of the user A and removed with platform XYZ content user B, which was informed about it. User B does not agree with this decision and therefore files a complaint against it, which will be dealt with by that provider’s just internal complaint handling system.

Of course, this is one of the scenarios where the internal complaints handling system is applicable.

More information about this procedure can be found in this article.

Out-of-court dispute resolution mechanism

A further obligation on online platform providers is to ensure that users and eligible persons (i.e. filers who are not users) can use an out-of-court dispute resolution mechanism.

It is important to note that this is not another stage of the online platform provider’s handling of the case. The case is resolved by an external entity. The online platform provider must indicate to the interested party that the right to use this measure.

The interested party may refer the dispute resolution request to an out-of-court (e.g. certified) body. As a general rule, the online platform provider may not refuse to enter into such a case.

Prioritisation of requests

It is incumbent on the provider of the online platform to implement the necessary technical and organisational measures within its organisation to ensure the prioritisation of notifications made by trusted whistleblowers. These are entities identified by the Digital Services Coordinator that:

have specific expertise and competences to detect, identify and report illegal content;
are independent of online platform providers;
take steps to report accurately and objectively and with due diligence.

Meeting such an obligation may involve, for example, establishing a separate reporting channel for these entities, independent of reports made by others.

Mechanisms for responding to abuse of services

The DSA requires the provider of an online platform to implement mechanisms that the provider can use when abusers use the services it provides. Very often, this is done by those engaged in ‘trolling’.

Firstly, the provider suspends for a reasonable period of time and after issuing a prior warning the provision of services to recipients of the service often transmitting obviously illegal content.

Secondly, the provider suspends for a reasonable period of time and after issuing a prior warning, the processing of reports made through the reporting and action mechanisms and complaints made through the internal complaint handling systems by persons or entities making frequently obviously unfounded reports or by complainants making frequently obviously unfounded complaints.

For example, user A, who has an account on the social networking platform XYZ, reports to its provider as potential illegal content any post by user B that concerns the political situation in the country. User A does not agree with the views of user B, as he himself advocates a different political option. On the other hand, without the need for expertise, the provider of the XYZ platform notices that none of user B’s contributions contain illegal content and that the contributions themselves are constructive criticism. In such a situation, the XYZ platform provider warns user A that he or she is abusing his or her reporting rights and calls on him or her to stop this practice. Despite the call, user A continues to make reports of user B’s statements. Consequently, the provider suspends the processing of user A’s submissions for 1 month.

Additional reporting obligations

An online platform provider has more reporting obligations than a standard intermediate service provider. Below are examples of these obligations.

In addition to the information contained in Article 15 of the DSA (see the article at this link for more information), the online platform provider must also make the following data publicly available (usually on the online platform’s website):

related to the conduct of disputes by the online platform provider:

the number of disputes submitted to out-of-court dispute resolution bodies;
the results of the resolution of those disputes; and
the median time taken to conduct dispute resolution proceedings; and
the share of disputes in which the online platform provider has implemented the decisions of that body.

2. The number of service suspensions broken down by suspensions made due to:

transmission of manifestly illegal content;
making manifestly unfounded claims; and
the filing of manifestly unfounded complaints.

In addition, at least every six months, providers shall, for each online platform or search engine, publish information on the average number of active monthly users of the service in the Union on a publicly accessible section of their online interface.

At the same time, providers of online platforms or search engines shall, upon request and without undue delay, provide information on the average number of monthly active recipients of the service in the Union to the digital services coordinator responsible for the place of establishment and to the European Commission.

Prohibition on the use of dark patterns

An online platform provider must not design, organise or operate its online interfaces in a way that misleads or manipulates the recipients of the service or otherwise materially interferes with or impairs the ability of the recipients of their service to make free and informed decisions. The DSA refers to these types of practices as ‘deceptive web interfaces’, but the business most commonly uses the phrase ‘dark patterns’. The use of dark patterns is an extremely common phenomenon, including in e-commerce. Through such interfaces, users often buy products they do not need at all, or buy more than necessary.

It should be noted here that the regulations of the RODO and the Unfair Market Practices Directive (implemented in the Polish legal order as the Act on Counteracting Unfair Market Practices) take precedence over the DSA provision in this respect.

Transparency of online advertising

Online platform providers that present advertisements on their online interfaces shall ensure that – with regard to each specific advertisement presented to each individual recipient – the recipients of the service are able to clearly, explicitly, concisely and unambiguously and in real time:

state that the information is an advertisement;
state, on behalf of a natural or legal person is presented advertisement;
identify the natural or legal person who paid for the advertisement, if that person is not the natural or legal person referred to in point b;
find relevant information, extracted directly and readily from the advertisement, on the main parameters used to determine the target audience to which the advertisement is presented and, if applicable, how those parameters are varied.

In addition, providers provide a function for service recipients to make a declaration as to whether the content they provide is or contains commercial information (do you sometimes see on platforms that a particular material is ‘sponsored’? 😊).

Another important obligation imposed on online platform providers is the prohibition to present profiling-based advertising to the recipients of the service under the provisions of the RODO using special categories of personal data (e.g. data on health status or political views).

Use of a transparent recommendation system

Online platform providers that use recommender systems shall set out in simple and accessible language in their terms of service the main parameters used in their recommender systems, as well as any options for service recipients to change or influence these parameters.

The main parameters explain why certain information is suggested to the service recipient. These include, at a minimum:

the criteria that are most relevant in determining the information suggested to the service recipient; and
the contribution of each parameter (‘how much they weigh’) in determining the recommendation to the user.

In other words, this way we should know that we often see pictures of funny cats on the platform because we watch a lot of videos with them in attendance 😊.

If several options are available for recommender systems that determine the relative order of the information presented to the recipients of the service, providers shall also provide a function that allows the recipient of the service to select and change the preferred option at any time. This function must be directly and easily accessible in the specific section of the web interface of the online platform where the information is prioritised.

Protection of minors on the internet

A final area of obligation for online platform providers relates to the use of their services by minors. These obligations are as follows:

the introduction of appropriate and proportionate measures to ensure a high level of privacy, safety and protection of minors in the services provided by providers (the solutions developed in the RODO are very helpful here);
prohibiting providers from presenting profiling-based advertising on their interface using the service recipient’s personal data if they know with reasonable certainty that the service recipient is a minor.

Compliance with the above obligations does not oblige online platform providers to process additional personal data in order to assess whether the service recipient is a minor.

Machinery ordinance – new standards for production and distribution

Posted on 21 May 2024 by Jakub Chlebiej

Significant changes for machine builders and distributors coming soon!

The law of new technologies does not end with the IT or Game Dev industry. New technologies are also strongly present in the industries of automation and robotics, machine manufacturing, electrical and electronic equipment, including household appliances, which we use every day in our homes – and not only smart and IoT devices.

The production, safety requirements or rules for the marketing and distribution of machines, tools and other equipment are regulated by numerous pieces of EU legislation (mainly directives).

Those involved in the production and distribution of machinery will soon be facing significant changes. These will be introduced by the already enacted Regulation (EU) 2023/1230 of the European Parliament and of the Council of 14 June 2023 on machinery and repealing Directive 2006/42/EC of the European Parliament and of the Council and Council Directive 73/361/EEC (the “Machinery Regulation”).

It will replace the 2006/42/EC Machinery Directive currently in force. The Machinery Regulation does not only apply to industrial and consumer machinery. It also covers small vehicles for personal use and light electric vehicles such as scooters and bicycles.

The Machinery Ordinance introduces changes such as:

Provision of product manuals in digital format. Hard copy information will still have to be made available, but only at the request of customers.

Clarification of when a substantial modification of a machine occurs that triggers a reassessment of the product’s conformity with safety requirements and the issuing of a new CE marking.
Mandatory third-party conformity assessment for six categories of ‘high-risk’ machinery.
Introduction of general requirements on cyber security and artificial intelligence.

The provisions of the Machinery Ordinance will take effect from 14 January 2027. However, many entities are already legitimately preparing for their implementation.

If you have any questions related to the current regulations on the topic of machine manufacturing and distribution or the changes that the Machine Ordinance will introduce, please feel free to contact Ewa Knapińska of our law firm.

#NewTechnologies #Robotics #Manufacturing #Distribution #MachineIntelligence #LegalRegulations

Relation of RODO to the Digital Services Act

Posted on 17 May 202417 May 2024 by Jakub Chlebiej

1. DSA and RODO -relationship status: “it’s complicated”.

Recent months have seen many e-commerce businesses implementing the EU regulation, the Digital Services Act (DSA), in their organisations.

It is important to remember that the DSA does not operate in a vacuum. In addition to it, e-commerce entrepreneurs need to be aware of other regulations that they must comply with in order to be fully compliant. One of these is precisely RODO. One can even venture to say that DSA will not be properly implemented if RODO has not been implemented in the organisation beforehand.

The DSA Regulation in its wording indicates how it relates to the RODO. In general, the DSA is unaffected by the EU data protection regulations (i.e. primarily the RODO). At this point, a lawyer will use the expression that the RODO is lex specialis to the DSA. This means that the provisions of RODO are specific to those of the DSA. The Digital Services Act is only complementary to the RODO regulations.

Below are a few areas where you should be mindful of RODO when implementing DSA in your organisation.

2. RODO and dark patterns

One example is the prohibition of dark patterns -‘deceptive interfaces’. Under Article 25(1) of the DSA, online platform providers may not design, organise or operate their online interfaces in a way that misleads or manipulates the recipients of the service or otherwise materially interferes with or impairs the ability of the recipients of their service to make free and informed decisions.Importantly, this regulation applies when the provisions of the RODO and the Unfair Market Practices Directive will not apply. What does this mean? Even if an online platform provider uses dark patterns, it must first be established whether they are not related to the collection or processing of personal data or whether they are targeted at consumers. If neither of theseis the case, then the DSA regulation should be used.

Thus, the RODO remains more relevant than the DSA when combating dark patterns. It is important in this context to pay attention to, among others, the European Data Protection Board’s Guidelines 3/2022 (Guidelines 3/2022 on Deceptive design patterns in social media platform interfaces: How to recognise and avoid them, adopted 14.2.2023 (version 2.0)).

3. RODO and profiling

One area that the DSA has paid particular attention to is the issue of the presentation of advertising based on profiling using personal data.

What is profiling? Under the RODO, it is any form of automated processing of personal data that involves the use of personal data to evaluate certain personal factors of an individual, in particular to analyse or predict aspects relating to that individual’s performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

The DSA Regulation primarily refers to profiling in the case of online platform providers.

Firstly, online platform providers are not allowed to present profiling-based advertisements to service recipients using special categories of personal data.What are these ‘special categories of data’, which are also referred to as ‘sensitive data’? The RODO indicates that they are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning the health, sexuality or sexual orientation of that person.

Secondly, online platform providers are not allowed to present profiling-based advertising on their interface using the personal (not only sensitive!) data of the service recipient if they know with sufficient certainty that the service recipient is a minor.

Thirdly, providers of very large online platforms and very large search engines that use recommender systems (more at this link) provide at least one option for each of their recommender systems that is not based on profiling.

4. RODO and the protection of minors

Another area of the DSA where knowledge of the RODO is necessary for implementation is the issue of the protection of minors (from the perspective of the DSA of those under 18). Above, I mentioned the prohibition on presenting profiling-based advertising to minors using personal data. Below is another obligation.

Providers of online platforms accessible to minors shall put in place appropriate and proportionate measures to ensure a high level of privacy, security and protection of minors in the services they provide. This is a similar approach to the privacy by design and privacy by default model introduced in the RODO. In other words, when putting in place appropriate measures to ensure the privacy, safety and protection of minors, it is necessary to draw on the acquis of the RODO in this respect, particularly in the context of Articles 25 and 34 of that Regulation. It is also important to make use of guidance developed both by the EROD (e.g. 5/2020 on consent under Regulation 2016/679) or by the supervisory authorities of individual EU Member States (e.g. ‘The Fundamentals for a Child-Oriented Approach to Data Processing’, developed by the Irish Data Protection Commission).

Summary

These are just a few examples that show how important RODO is from an DSA perspective. The implementation of the Digital Services Act in an organisation will not be complete if proper implementation of RODO has not taken place in advance. This means that it is already worthwhile for each e-commerce business to check the validity of its data protection solutions.