Or what should Hungarian small businesses expect?

Published on ArsBoni!

Introduction

On 19 October 2022, the EU adopted the Digital Services Act (which we will refer to as DSA),1 further extending the scope of the regulation to cover the provision of certain online activities for certain online activities.

Companies will have to comply with it from 17 February 2024 on, and this will be a directly applicable regulation, with no mandatory domestic transposition or any domestic legislation necessarily taking place. The new regulation will affect the activities of many internet service providers, including those who provide their services only to non-consumers. It is therefore worth explaining the new requirements of this Regulation.

The Regulation itself contains a number of rules that are specific to size, and in this article we will only discuss those requirements that also apply to small businesses. This article will not only focus on the new rules of the Digital Services Act. Inevitably, we will also show how the rules differ from those of the P2B (platform-to-business) Regulation (P2B Regulation), which has been applicable for two and a half years, as there is a large overlap in content between these two regulators.

In the spirit of EU competitiveness, the family of rules governing the activities of small businesses has therefore been extended to include a new member, adding to the existing plethora of rules on data protection, warranties and electronic contracting, consumer protection, commercial, taxation, copyright and IT security supervision.

(As a reminder, small enterprises in EU law2 are defined as enterprises with fewer than 50 employees according to the accounts and either an annual balance sheet total or an annual net turnover of less than €10 million – not including the complicated parts due to non-independent enterprises.)3

Who are these intermediary service providers?

The term “intermediary service provider” was defined in the E-Commerce Directive4 (quite independently of the concept of the intermediary under Hungarian civil law). The main purpose of the definition was to support the objectives of the E-Commerce Directive, and not to create a doctrinally appropriate concept. One of the main objectives of the Directive was to address the “clouds” gathering over the then infant Internet commerce in line with the international regulatory practice of the time. The tool was a horizontal exemption mechanism for the whole of the EU (then the European Community) for the various Internet service providers. The Directive in this context was essentially a version of the US federal Communications Decency Act and Digital Millennium Copyright Act (DMCA), adapted for the European Community.

The use of the term intermediary in the Directive consists of building on a very broad concept of information society service (ISS) to define three further very broad categories of services (Articles 12-14). If a service provider provides a service that qualifies as such, i.e. is an intermediary service provider, the directive/regulation will in fact significantly reduce its legal risks, not only at national level but also at EU level.

Information society services themselves cover essentially all online services that are currently available in this area (see Directive 98/34/EC). Nevertheless, twenty-five years ago, it was important to conceptually separate internet/online type services provided electronically at a distance and at the individual request of a recipient from the similar services of the time, such as sales from physical vending machines and mail order sales of data carriers, telecommunications and broadcasting services, financial services and even lawyer services provided by a telephone5.

This concept of ISS was originally supplemented by three additional sub-types (mere conduit, caching and hosting), and all three types covered a very wide range of Internet services, with a scope growing over time, both at the technical level and among business end-users.

By way of example, it is worth listing the market services that the legislator has clearly classified under each legal category in the DSA6 and in its preparation7:

(a) “mere conduit”: includes internet access providers for end-customers and (wholesale) internet transit services, internet exchanges, wifi access point providers, VPN providers, domain name (DNS) servers (since the DSA), top-level domain registries and registrars, and even certificate authorities;8

b) “caching”: caching proxy servers, content delivery network (CDN) services;

(c) “hosting”: web hosting, media sharing platforms (photo, music, video, blog), file sharing applications, cloud infrastructure and platform services (IaaS, PaaS); social networks (including e.g. TikTok) and discussion forums, online marketplaces (eBay, Craigslist), multi-user online games (Xbox Live, WoW), search engines, rating systems.

In Hungary, it was already clear from 2001 that search providers were also considered as intermediary service providers,9 while at the EU level this was clarified by a Luxembourg court decision.10 Subsequently, in 2016 and 2020, the term ‘intermediary service provider’ was further extended to include application service providers and video sharing platform service providers. Now, only the term ‘application service provider’ is outside the EU extended EU terminology of ‘intermediary service provider’.

New definition of online platform providers

The European Union has also introduced a new term from 16 November 2022, a new type of intermediary service provider being an “online platform” (Article 3): “a hosting service which, at the request of the recipient of the service, stores and publicly disseminates information …”, giving as an example “social networks or online platforms enabling consumers to conclude contracts with traders at a distance”. The online platform was already a hosting sub-type of intermediary service provider, but the DSA will impose significant new obligations on this category.

It should be remembered that, in the case of the online platform, the service itself is the storage and dissemination of information at the request of each user. So, if an online service provider makes available e.g. illustrations itself (which illustrations are not collected from the users), this is not a hosting service and not an online platform service, because the essence of its service here is to make available its own service, not to store and distribute information at the request of a user. If the same service provider collects these illustrations from its users and makes them available, it will be an online platform service provider (even if it will effectively have several different types of user categories, e.g. a sub-site for illustrators and a sub-site for downloaders).

Not included in the definition, but an essential element of online platforms is that they facilitate interaction between two independent users, i.e. there are at least two layers of service: the platform service always has another layer of interaction built on top of it – whether it is that as a social network, users (consumers) engage in non-profit communication with each other through the information they post on the platform (distribute), or whether it is that these platform users are enabled to provide business services to additional end-users, e.g. operating online marketplaces. For colleagues seeking a more in-depth understanding of the topic, I would also recommend reading Zsolt Ződi’s thorough historical analysis.11

It should also be emphasised that the concept of online platform in the Regulation can be interpreted too broadly, basically hosting services can be included in this conceptual scope, where there is no reason to apply rules arising from the specific characteristics of the platform. This should be understood as cloud services that aim to provide a specific platform or infrastructure to end-users. This is also referred to in recital 13 of the Regulation: ‘… cloud services and web hosting services that function as infrastructure, such as the underlying infrastructure hosting of an Internet-based application, website or online platform, should not be considered as services that publicly distribute information stored or processed at the request of a user.

About the rules that apply to all small business intermediary service providers

The E-Commerce Directive imposed very few obligations on intermediary service providers. Basically, under the liability rules, it only said what these entities should do if they became aware of infringing information in the case of caching and hosting providers12, and these liability rules were changed only minimally (see below), and the lack of a general monitoring obligation as a main rule was maintained.

The two simple obligations of the E-Commerce Directive (the general obligation to provide information and the specific rules on commercial communications) remain unchanged for intermediary service providers (but the Directive does not require compliance by intermediary service providers, but by all providers of information society services).

However, the conditions under which online service providers are obliged to deal with unlawful content have been significantly extended. For all intermediary service providers, there is now a clear expectation that they must comply urgently with requests from other Member States, even from courts or authorities, through national coordinators, with regards to blocking or reporting.

This in itself will tie up considerable resources for service providers – including if they wish to check whether the authority is entitled to access the requested data or to request blocking.

The general obligations of the E-Commerce Directive on provision of data will be extended by requiring intermediary service providers to maintain and publish a separate contact point for public authorities and another one for users. In addition, it is not sufficient to designate a contact point that is only an automated device, such as a chatbot13.

The fact that the DSA has also set its own requirements regarding the content of their terms and conditions in order to protect users is expected to significantly disrupt the operations of most intermediary service providers. The new requirements relate in general to the disclosure of information about restrictions on use (including possible moderation, automated decision making and complaint handling), but also include an obligation to notify users of unilateral changes. We will see in the next section that even more detailed obligations apply to business platforms.

Obligations of hosting providers

Even the smallest hosting providers will be subject to a number of new obligations.

The first set of obligations will detail the procedure for dealing with content that is suspected to be infringing, how to report it and how to make the investigation process more transparent. As the obligation to receive notifications will apply to a large number of service providers, and as the Regulation sets out detailed technical conditions, it is expected that in practice a standardised notification interface and service will be developed, similar to the cookie acceptance mechanisms.

As part of ensuring transparency, hosting providers will have to explicitly indicate if the processing of notifications is automated in any way – i.e. this is not only an obligation for automated decision making, but also information on any form of automated processing. However, the Regulation does not set a specific deadline for the processing of notifications.

Also to ensure the protection of users and the transparency of service providers’ decisions, the Regulation imposes a requirement to give reasoned notice (information) to users on the restriction of certain uses.17 The rules on the justification are described in relative detail in the Regulation, hoping to limit the narrow-mindedness of service providers’ decisions, which may be sensitive to users.

Finally, the Regulation imposes a reporting obligation on hosting providers in the event that they have information that suggests that someone has committed a “crime that threatens the life or safety of a person.”14

It can be seen that if an intermediary service provider wishes to comply with all of these obligations, it will incur non-negligible costs – even though the EU impact assessment found this to be a negligible cost.15

Obligations of online platform providers

For small businesses, the range of obligations specifically applicable to online platform will be minimal, as most of the provisions are exempted by the DSA.16

Thus, for online platforms, the bulk of the obligations are the same as those applicable to hosting providers, with two additional additions.

One addition relates to the category of online marketplaces within the scope of online platform providers: a provider cannot be exempted under the intermediary exemption if it appeared to an average consumer that the order in question was fulfilled by the marketplace itself or by an operator controlled by it.17 Online platform providers are generally interested in reshaping the balance of power between their different categories of users to their own advantage. For example, if a customer in a local service market is satisfied with the service of a provider (e.g. a competent electrician). However, the platform that dominates access to that local service may not be interested in the customer calling that provider directly next time, even if only because of its share loss, and therefore the platform may design its service to minimize the relevance and identifiability of the actual provider to customers. It is this ‘disruptive’ tendency that this rule is intended to curb (albeit in the case of products rather than the services in the example).

The other addition is an obligation to provide data, where they will have to provide their six-month average number of users, according to a methodology to be defined in future legal acts, at the request of the Member State coordinator.

The “online intermediation service”: less known specific rules for B2B platforms

It is also important for our purposes to understand the little known “online intermediation service18 In practice, an online intermediation service will necessarily be an intermediary service as well (and also an online platform) under the DSA, but the definition of the term is not using the term intermediary. The reason is that this concept predates the Digital Services Act. For some strange purposes, the Commission has not sought to align the terminology of these two regulations, only referring in the draft DSA to the P2B Regulation as a “lex specialis”.

The concept of online intermediary services and the P2B Regulation were issued to allay fears about platforms designed for commercial “re-use”. Thus, only services aimed at business users are covered, where the “platform service” itself is intended to facilitate transactions between business users and consumers.19

Thus, the P2B Regulation does not cover platforms of a consumer nature (typically social networks, TikTok, etc.), whereas the DSA’s online platform term covers these consumer-to-consumer platforms as well.

The P2B Regulation, although narrower in scope than the Digital Services Act, contains more detailed and prescriptive rules. It is difficult to see how the Regulation applies in practice, even though it has been applicable since July 2020. In Italy, the competent authority has already published a guidance document following a public consultation,20 but in other countries (such as Hungary) it is not known which authority will act on any related issues. Only three out of 27 Member States have so far taken the trouble to designate an authority or organisation representing the interests of business users under the P2B Regulation. The Commission should also have sent its report to Parliament on the experience in applying the P2B Regulation more than a year ago – the draft report is already available, according to public procurement reports, but it is not yet public.

Let us briefly review how the obligations of the P2B Regulation differ from those of the DSA.

Compared to the DSA’s general obligations on contract terms, the P2B Regulation imposes more detailed obligations. In particular, it is not sufficient to inform users of (unilateral) changes to the terms and conditions, but it also sets a minimum time limit for the amendment. Apart from narrow exceptions, the time period for the amendment must allow the business users to adapt to the notified change (but not shorter than 15 days). The terms and conditions must also provide information on how the use of the platform affects the intellectual property rights of the business user and on the additional channels through which the platform provider will sell products also offered by its own user.

The conditions relating to the restriction of service are also much stricter. While under the DSA, only the general restriction conditions applicable to hosting providers are imposed on small business services (see point 5) and small businesses are exempted from the more detailed rules on the restriction of abusive uses21, under the P2B Regulation, small businesses do not benefit from such relief. They must provide in their contractual terms and conditions details on how they will deal with manifestly infringing content, notify their users of the restriction on a durable medium at the latest at the time of the restriction and allow their users to seek clarification by means of a complaint.22 Regardless of the suspension, the time limit for terminating the provision of the service must not be less than 30 days.

Both online search providers and online platform providers are obliged to publish an explanation of their ranking of users under the P2B Regulation,23 and small businesses are not exempt from this obligation (whereas they are exempt from this in the DSA).24

Finally, it is only under the P2B Regulation that small businesses are required to provide information to their users in their contractual terms and conditions on how they can access their data entered or generated in the course of providing services.25

Summary

Given that the P2B Regulation and the DSA Regulation will affect a significant number of service providers even at national level, it would be appropriate to intensify the dissemination of information on these two EU legal acts. The actual application of the P2B Regulation is still pending in many countries, including Hungary, despite the fact that the deadline for its application has been overdue for two and a half years. It is likely that those business users affected are not even aware that their rights in this area are not being respected, that the necessary information is not being published. Member States and authorities, with few exceptions, are not helping the situation.

As the date of 17 February 2024 approaches, it is increasingly likely that the impact of these two regulations will only become more widely known by users and service providers alike. However, the later small businesses start to prepare for these - not insignificantly costly - changes, the more expensive the cost of compliance will be and the less opportunity there will be to implement coordinated, cost-effective IT and legal solutions.

(Last updated 28 January 2023)

[^2] Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (P2B Regulation), https://eur-lex.europa.eu/eli/reg/2019/1150/oj.

  1. REGULATION (EU) No 2022/2065 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 19 October 2022 on the Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act), https://eur-lex.europa.eu/eli/reg/2022/2065

  2. Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises, http://data.europa.eu/eli/reco/2003/361/oj, for Hungary, see the definition as part of the Act XXXIV of 2004 on small and medium-sized enterprises, on the support for their development. 

  3. These exemptions under the DSA do not apply to medium-sized enterprises. 

  4. Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market. 

  5. See Annexes V to VI of Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 laying down a procedure for the provision of information in the field of technical standards and regulations (as amended by Directive 98/48/EC). 

  6. DSA (28)-(29) preambular paragraphs. 

  7. see SWD(2020) 348 final Commission Staff Working Document: Impact Assessment Report Accompanying the document PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC, 15 December 2020, https://eur-lex.europa.eu/resource.html?uri=cellar:5ebd61c9-3f82-11eb-b27b-01aa75ed71a1.0001.02/DOC_2&format=PDF and Sebastian Felix Schwemer, Tobias Mahler and Håkon Styri, ‘Legal Analysis of the Intermediary Service Providers of Non-Hosting Nature’ (1 July 2020) https://papers.ssrn.com/abstract=3798494, accessed 21 January 2023. 

  8. DSA (recital 29) 

  9. Act CVIII of 2001, § 2(l). 

  10. Judgment of the Court of Justice of the European Union of 12 December 2006 in Joined Cases C-236/08 to C-238/08 Google France and Google v Vuitton, ECLI:EU:C:2010:159. 

  11. Zsolt Ződi, ‘Characteristics of the European Platform Regulation: Platform Law and User Protection’ (2022) 7 Public Governance, Administration and Finances Law Review, p. 91 https://folyoirat.ludovika.hu/index.php/pgaf/article/view/6319, accessed 17 January 2023. 

  12. articles 13(1)(e), 14(1) and (2), 15. 

  13. recital (43) and Article 12(1). 

  14. Article 18 

  15. SWD(2018) 138 final COMMISSION STAFF WORKING DOCUMENT IMPACT ASSESSMENT Accompanying the document Proposal for a Regulation of the European Parliament and of the Council on promoting fairness and transparency for business users of online intermediation services, point 6.2, https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52018SC0138

  16. articles 19\ and 29. 

  17. Article 6(3). 

  18. The term used in the P2B Regulation is "online intermediation service", whereas the term used in the E-Commerce Directive and the DSA is intermedi[ary]{.ul} service. The first is an online intermediary service provider, the second an intermediary service provider – although all intermediary service providers are necessarily online under the Electronic Commerce Directive and the DSA, and the P2B Regulation bases its definition of online intermediation service on the ITOS, not on the term "intermediary service" in the Electronic Commerce Directive. 

  19. ibid., Article 2, point 2. 

  20. E.g. for airbnb, booking, Shopify we found such provisions following from the P2B regulation, but not for e.g. eBay and Amazon online store. 

  21. DSA Article 23 

  22. Article 4 of the P2B Regulation 

  23. See on this the Commission Communication: Guidelines on ranking transparency pursuant to Regulation (EU) 2019/1150 of the European Parliament and of the Council, https://eur-lex.europa.eu/legal-content/HU/TXT/HTML/?uri=CELEX:52020XC1208(01) 

  24. Article 5 of Regulation P2B and Article 27 of DSA 

  25. P2B Regulation Article 9