Digital infrastructure may not be the first sector that comes to mind when considering two of the new EU content laws, the Digital Services Act (“DSA”) and Regulation 2021/784 on addressing the dissemination of terrorist content online (the “TCOR”); most people will think of social media platforms or large marketplaces. However, data centre operators, cloud services and other hosting services providers fulfil an important function in their hosting of data and content used in the EU, and many of their customers and partners are also within the scope of the DSA and the TCOR. Consequently, they have direct and indirect legal obligations under these laws and need to take account of them in their compliance programmes and business models.
What are the aims of the DSA and the TCOR?
The primary aim of the DSA is to upgrade and further harmonise rules across the EU regarding the identification, management and takedown of illegal content. The DSA provides for enhanced user rights, such as the requirement to provide users with a statement of reasons when their content is restricted, and access to a notice and action mechanism through which they can report what they consider to be illegal content. The DSA also provides for new rules on transparency on content moderation activities and content management. Along with these new rules comes an enhanced enforcement and sanctions regime.
The TCOR addresses the dissemination of terrorist content online. This law includes rules requiring the removal of specified content. It also imposes transparency obligations, such as the obligation to set out clearly in terms and conditions the policy for addressing the dissemination of terrorist content, including where appropriate a meaningful explanation of the functioning of specific measures, such as the use of automated tools.
Are data centres, cloud providers and other hosting providers regulated by these laws?
Yes. The DSA applies to a wide range of services, including caching, mere conduit, and hosting services. As storage of information is at the heart of the data centre and hosting services commercial model, providers will find that their services are in scope and action is necessary to comply. Some of these entities will also provide enhanced service features and so will need to consider if they also operate an ‘online platform’ under the DSA, which is a type of service which attracts more legal obligations than other hosting services. An online platform under the DSA essentially consists of a hosting service which allows for the storage of information and facilitates dissemination of that content to the public at the request of a service recipient.
Increasingly we see companies introducing additional and more sophisticated service offerings at infrastructure level, with services described as:
- “Infrastructure as a Service” (IaaS), namely hosting hardware, software, data, and other infrastructure for customers;
- “Platform as a Service” (PaaS), namely hosting platforms for customers, on which the customers can develop, operate and manage content and software on the provider’s cloud service;
- “Software as a Service” (SaaS), which in these sectors often means the hosting provider introducing ‘value add’ cloud, data or software managed services to customers, usually via a web browser; and
- ‘Managed Services’ (MS) which usually means the hosting provider (MSP) assuming monitoring, cybersecurity and maintenance responsibilities.
Providers of these types of services will need to take particular care to ensure that they have properly considered what obligations they have under the DSA, as the DSA takes a layered approach to obligations, with compliance requirements increasing depending on the category of content intermediary services provided by the provider.
The TCOR applies to ‘hosting service providers’ offering services in the EU, irrespective of their place of main establishment. A hosting service provider is essentially a provider of services consisting of the storage of information provided by and at the request of a content provider (i.e. a user that has provided information that is stored and disseminated to the public).
These laws specify operational, technical, governance and legal steps which must be complied with. Service providers in scope of the DSA and the TCOR are subject to onerous obligations, and are potentially open to significant penalties if they fail to recognise this and infringe these laws. Companies operating from outside of the EU, but servicing customers within the EU, will also need to consider the scope of the DSA and TCOR, which will have extraterritorial effect in some cases.
What does this mean for customer relationships?
Not only will these laws apply to MSPs, data centre, cloud and hosting service providers directly, as they offer services that are in scope, but many of their customers will also be in scope as the services hosted are also covered by the DSA and TCOR. As a result, service providers should look to manage the legal and regulatory risks involved with their services at a customer contract level, including by considering their current obligations, risk allocation and liability provisions in light of these new requirements. Contracts should also be adjusted to address the increased administrative and compliance burdens associated with these laws, such as response times to requests for information and access requests, regulatory audit and inspection rights, and the potential consequent associated costs.
In turn, customers receiving MSP, data centre, cloud, routing, transmission and hosting services will need to consider their own obligations under the DSA or the TCOR in respect of the content transferred to the provider, and their dependencies on those that are in the content management supply chain. As they currently do with regard to GDPR or the DSM Directive compliance regimes, customers may need to expressly address in contracts the dependencies which they have on service providers in fulfilling their compliance requirements.
The EU has introduced a considerable volume of new laws in relation to content and data which adjust the risk profiles and regulatory burdens placed upon those who must comply with applicable laws. Many of those hosting data will be considering these DSA and TCOR contract changes alongside the changes required to address NIS2 (dealing with cybersecurity laws aimed at protecting networks on which the hosted content resides), the Data Act (which deals with requirements around allowing customers to move their content from provider to provider more easily) and other new laws impacting relationships in the EU.
For further information, please contact:
Deirdre Kilroy, Partner, Bird & Bird
deirdre.kilroy@twobirds.com