GAA clubs and other local groups may be unaware they are subject to new EU digital framework

Karlin Lillington: Ireland has an opportunity to become a centre of excellence for advising on compliance

Many organisations may have missed that they already need to engage with the Digital Services Act.
Many organisations may have missed that they already need to engage with the Digital Services Act.

The EU’s new Digital Services Act (DSA) has been widely touted as a regulatory framework for the huge online and social media platforms we all know, and may or may not love.

If a service reaches more than 10 per cent of the EU’s population (45 million users), the European Commission may designate them as very large online platforms (VLOPs) or very large online search engines (VLOSEs), subject to more significant regulation.

But the DSA may apply to many other smaller organisations such as online forums (including a non-commercial hobby forum, or a Mastodon community), a website comments section, a customer discussion area, a video channel, or an online marketplace. The EU says the act pertains to “all digital services that connect consumers to goods, services, or content.”

In the EU’s terminology, the Digital Services Act won’t actually be ‘applied’ to organisations until February 17th, 2024, but the rules came ‘into force’ on November 16th, 2022

And as the first formal DSA deadline has just passed for organisations — the requirement to report estimated user numbers was last Friday, February 17th — some organisations are likely to find themselves already technically in breach of the act.

READ MORE

The DSA is a big new act and plenty of experts (read, specialist lawyers) are also struggling to grasp its parameters, so some deadline leeway is likely to be granted. But small and medium-sized companies, non-profits and organisations and individuals running anything that could be constituted an online community or service would be wise to thoroughly investigate whether they fall under the DSA’s oversight mechanisms.

Many organisations may have missed that they already need to engage with the DSA. In the EU’s terminology, the DSA won’t actually be “applied” to organisations until February 17th, 2024, but the rules came “into force” on November 16th, 2022, which meant organisations needed to begin to assess whether they were obliged to meet last week’s first hard deadline of submitting user numbers.

Jeanne Kelly, a founding partner of the Irish branch of international law firm Browne Jacobson, says the main body of companies the act applies to are the “very large” online social media and market platforms and search engines such as Google, Meta, Amazon, or LinkedIn.

But the act applies a sliding scale of regulation to organisations across a wide and somewhat murky range of definition. So, a surprising spread of other organisations is likely to have at least some requirements under the act. She offers the example of residents’ associations or GAA clubs with online forums, or large personal advertisement websites.

Kelly says there may also be companies that mistakenly believe the act doesn’t apply to them because they don’t have EU offices. But the act applies to companies that have recipients of their services in the EU. This, she says, is similar to protections given under California laws to California residents that impose obligations on companies in other US states if they experience, say, a data breach that affects Californians.

What's in the new cost of living package?/Scams target Revolut users

Listen | 44:47

Right now, operators of online services need to determine if they fall under the act or fit within its exceptions — and therefore if they needed to submit user numbers last week.

Kelly says this is another area where organisations may mistakenly think they don’t because their user numbers are too small if they use the long-established definition of “active” users — people who are registered users, or who have made purchases. But the act determines user numbers by whether an individual simply engaged with the service, which could mean following a link to a Facebook post, or watching a TikTok video, although not registered with those platforms.

Organisations may fall in and out of regulation if user numbers vary over time. If required to register under the DSA, organisations will need to supply user numbers every six months, and could conceivably drop below a previous regulatory threshold. Or, they may find they move up into additional obligations. “If you suddenly get the benefit of a big wave of support or growth, well, you get this extra regulatory burden,” she says.

The next DSA milestone comes in the next four months when the commission designates which companies qualify as VLOPs and VLOSEs

Kelly finds this to be a particularly interesting DSA feature, designed in part to track “hockey stick” explosive growth early on. That, she says, should help prevent corporate acquisitions that could result in market dominance and inhibit broader market and economic growth, and avoid far more complicated later-stage regulatory measures like breaking up monopolistic companies.

The next DSA milestone comes in the next four months when the commission designates which companies qualify as VLOPs and VLOSEs. But those will be fairly obvious — the real challenge is for others to figure out if they have obligations under the DSA. Kelly readily acknowledges this may be difficult for companies and small organisations without internal law expertise, facing a brand new, untried piece of regulation. Basic EU guidance was only issued on February 1st.

On the national upside, given the sheer number of technology companies here, Ireland has an opportunity to become a centre of excellence for advising on compliance, says Kelly. On the other hand, that’s unlikely to be of much help to a local GAA club or hobby forum administrator without any budget for compliance advice.