20 February 2023

The EU’s introduction of the Digital Services Act (“DSA”) aims to address the growing trend of calls for greater protections for individuals against online harms and a harmonisation of the requirements and obligations imposed on service providers. Building on the provisions of the E-Commerce Directive, the DSA attempts to regulate online harms within the European Market, as well as impose transparency requirements on service providers to ensure compliance.

This article specifically considers the territorial scope of the DSA and the extent to which it will apply to intermediary service providers (“ISPs”) outside the EU. It considers the concept of ‘substantial connection to the Union’, which is determined either by reference to the place of establishment of intermediary service providers or from the ‘specific factual criteria’ as defined in the DSA.

What is the territorial scope of the EU Digital Services Act?

The DSA attempts to regulate providers of online intermediary services, who by their very nature operate in a world without borders. Consequently, the scope of the DSA would always have to extend beyond the EU to non-EU ISPs who provide services to EU citizens. Much like Regulation (EU) 2016/679, the EU General Data Protection Regulation (“EU GDPR”), the DSA applies extra-territorially to providers offering their services to EU citizens, meaning providers who target their services to those within the EU will be required to comply with the obligations contained in the DSA.

The extra-territorial nature of the DSA applies in a similar way to the EU GDPR, albeit with some notable differences. Article 2(1) of the DSA notes that it shall apply to:

“intermediary services offered to recipients of the service that have their place of establishment or are located in the Union, irrespective of where the providers of those intermediary services have their place of establishment”.

This wording is akin to the extra-territorial scope of the EU GDPR, which applies to the processing of European data subjects’ data regardless of whether the controller or processor is itself established in the EU. In particular, it mirrors the application of the EU GDPR through the extension of its scope to non-EU ISPs who offer services to recipients based in the EU.

However, whilst the DSA’s application may be similar, the wording of its scope differs from the wording provided under the EU GDPR through its definition of ‘offering services’, which is defined under Article 3(d) of the DSA as “enabling natural or legal persons in one or more Member States to use the services of a provider of intermediary services that has a substantial connection to the Union”.

‘Substantial connection to the Union’ is defined as:

“a connection of a provider of intermediary services with the Union resulting either from its establishment in the Union or from specific factual criteria, such as:

  • a significant number of recipients of the service in one or more Member States in relation to its or their population; or
  • the targeting of activities towards one or more Member States”.

To this extent, the concepts of ‘establishment’ and the ‘offering’ of services apply to both the EU GDPR and the DSA, albeit with some notable divergence given the different areas the two regulations apply to. Whilst there is as yet no case law directly applicable to the DSA’s scope, the principles relating to the extra-territorial scope of the EU GDPR that have been established under case law and from guidance issued by the European Data Protection Board (“EDPB”) may provide some guidance as to how the DSA’s scope will also be interpreted.

How to determine if an ISP has a ‘Substantial Connection to the Union’?

Whether an ISP has a substantial connection to the Union will be determined either by reference to their place of establishment or from the ‘specific factual criteria’ identified above.

Establishment in the EU

In respect of establishment, there is much debate under the EU GDPR surrounding what constitutes ‘establishment in the Union’, much of which is beyond the scope of this analysis. In short, establishment has developed into a much wider concept than simply where that ISP may be based geographically. Recital 22 of EU GDPR states that “establishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.” Consequently, entities can be deemed to have an establishment within the EU regardless of whether they are actually based there. ‘Stable arrangements’ in this context could simply be an EU employee or agent carrying out activities for that ISP, or engaging EU companies to assist them in the ‘effective and real exercise of activities’.

The EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR (“EU GDPR Guidelines”) have confirmed that the interpretation of ‘effective and real exercise of activities’ will be determined by whether the activities which the EU-based entity is engaging in are ‘inextricably linked’ with the activities which will be regulated under that regulation. The EU GDPR Guidelines give the example of an e-commerce website operating in China which solely processes data in this location, but has a European office which focuses on marketing its services to EU markets. This would be considered ‘inextricably linked’ to the processing of personal data by the Chinese entity, whereby the processing of data that takes place in China is then used by the European entity in connection with EU sales.

From a DSA perspective, this implies that where non-EU ISPs have stable arrangements in place with European entities which relate to activities covered under the DSA, which includes the targeting of European markets, they will be considered established and consequently caught by its scope.

Factual criteria

In respect of the specific factual criteria, the DSA is silent on whether this will be confined to the criteria listed or whether there are any additional factual criteria which may be relevant (albeit the use of the wording ‘such as’ implies this is a non-exhaustive list).

The criterion that there be a significant number, in relation to its population, of recipients in a Member State using the service is a novel concept not present under EU GDPR. It is unclear as to what exactly will constitute a ‘significant number’, which it appears the EU has left open for the courts to decide, but ultimately it appears that where non-EU ISPs have a base of users within a Member State, they may be caught by the scope of the DSA.

It is also unclear as to what exactly will constitute the ‘targeting of activities’ to Member States from ISPs.

In Pammer v Reederei Karl Schluter GmbH & Co and Hotel Alpenhof v Heller, in the context of the application of Article 15(1)(c) of Regulation (EC) No 44/2001 (“Brussels I”), the Court of Justice ruled that in determining whether a trader is considered as ‘directing’ its activity to a Member State, the trader must have manifested its intention to establish commercial relations with such consumers. The court provided a non-exhaustive list of evidence from which it may be concluded that the trader’s activity is directed to the Member State of the consumer’s domicile:

  • the international nature of the activity,
  • mention of itineraries from other Member States for going to the place where the trader is established,
  • use of a language or a currency other than the language or currency generally used in the Member State in which the trader is established with the possibility of making and confirming the reservation in that other language,
  • mention of telephone numbers with an international code,
  • outlay of expenditure on an internet referencing service in order to facilitate access to the trader’s site or that of its intermediary by consumers domiciled in other Member States,
  • use of a top-level domain name other than that of the Member State in which the trader is established,
  • mention of an international clientele composed of customers domiciled in various Member States.

It is for the national courts to ascertain whether such evidence exists.

In Verein für Konsumenteninformation v. Amazon EU Sarl, the Court of Justice has confirmed that ISPs will not be considered to have an establishment in the EU simply because their website is accessible there.

Recital 8 of the DSA outlines a number of factors which will be taken into account when determining whether an ISP’s activities are ‘targeted’, such as:

  • the use by the ISP of a language or currency generally used in that Member State;
  • the possibility of ordering products or services to that Member State;
  • the use of a relevant top-level domain by that ISP;
  • the availability of an ISP’s application in the relevant national application store;
  • the provision of local advertising in that Member State or that ISP advertising in a language used in that Member State; or
  • the handling of customer relations, such as providing customer services in a language generally used in that Member State.

The EU GDPR Guidelines also list a number of factors which may be taken into account when deciding whether services have been offered under the EU GDPR (which may also be relevant to the application of the DSA), such as:

  • the company paying a search engine operator for an internet referencing service in order to facilitate access to its site by consumers within the EU,
  • the company having launched marketing and advertising campaigns directed at an EU country audience, or
  • the mention of dedicated addresses or phone numbers to be reached from an EU Member State.

Ultimately, the current wording of the DSA remains unclear as to exactly what providers may be caught by the DSA’s scope. In the absence of any further guidance from the EU, it will likely be for the courts to determine to what extent the DSA will apply to providers outside the EU. For now, non-EU ISPs remain unclear as to exactly whether their activities will mean they are required to comply with the terms of the DSA. Outside of Very Large Online Platforms and Search Engines (being those designated as such by the European Commission and who reach more than 45 million average monthly active recipients), whose obligations shall commence sooner, most ISPs will have until 17 February 2024 to assess their operations and determine whether they will be required to comply with the obligations of the DSA based on the criteria and factors outlined above.

What does it mean in practice for UK businesses?

Given the nature of ISP businesses, it is likely that UK businesses marketing their services to any EU customers may be required to comply with the obligations imposed by the DSA. A potential issue here is that the UK also intends to implement its own standards in respect of online safety and ISPs through the much debated Online Safety Bill (“OSB”), which is currently making its way through Parliament. Whilst the provisions of the OSB are yet to be finalised, its introduction could see ISPs in the UK subject to a dual regime of both the OSB and DSA, which will evidently create a significant administrative and financial burden in respect of compliance. It remains to be seen to what extent the UK Government will attempt to alleviate this in the drafting of the OSB, but for now exactly what regime and obligations UK providers may be subject to remains in a state of flux.

This article was first published on Lexis®PSL on 17 February 2023.

Key contact

David Varney, Partner