2024-2025 Global AI Trends Guide
In December 2020, the European Commission published the highly anticipated draft proposals for the Digital Services Act. The Digital Services Act introduces an updated set of obligations for many providers of digital services, including hosting providers, and will therefore also affect providers and users of cloud computing services. This article explores the applicability of the new Digital Services Act to cloud services and outlines potential cloud-specific challenges that may result from the new obligations under the Digital Services Act.
As reported in our previous article, the Digital Services Act will build on the eCommerce Directive and introduce a staggered set of obligations and liability rules for online intermediary services and online platforms, which millions of Europeans use every day. Similar to the concept under the eCommerce Directive, “intermediary services” as defined in the draft Digital Services Act comprise:
In addition, the Digital Services Act introduces the concept of “online platforms”, which comprises providers of hosting services which, at the request of the recipient of the service, store information and disseminate it to the public (unless that activity is a minor and purely ancillary feature of another service).
Cloud computing is usually used as a label for a broad variety of business models that primarily offer the use of scalable resources in data centers. Under European Union (EU) law, cloud computing services are typically understood as digital services that enable access to a scalable and elastic pool of shareable computing resources (see the definition Art. 4 (19) of the NIS Directive). At a high level, there are three key cloud business models that would fall under this notion of cloud computing services, namely:
It becomes clear that for the purposes of the Digital Services Act, cloud computing services may typically qualify as a “hosting service” (and thereby “intermediary services”) within the definition of the Digital Services Act proposal. This applies irrespective of whether the cloud computing services are offered towards business customers (i.e. in B2B relationships) or consumers (i.e. in B2C relationships).
It also applies whether or not the cloud provider is based in the EU, since the Digital Services Act is intended to apply to all digital services, as long as they are targeting customers in the EU.
In addition, particularly with regard to B2B scenarios, the customers of a cloud service provider may themselves qualify as “intermediary services”, such as when operating end-user-facing applications or platforms on the basis of a cloud environment, thereby leading to a situation of double hosting.
In certain scenarios, cloud providers may even fall into the definition of “online platforms”, especially where they operate a publicly accessible user interface on which cloud users can share content stored in the cloud with third parties.
Where a cloud provider qualifies as hosting service, it will be subject to the following key obligations under the Digital ervices Act proposal:
Additional obligations apply to intermediaries that qualify as online platforms, including a strengthened “notice and action” mechanism, including by which either the uploader of the potentially illegal content or the notifier may challenge the platform's decision (Art. 17-20 DSA).
Cloud computing business models often go far beyond mere data storage. Where a cloud service provides for more functionalities than the mere hosting of data, the concept of obligations of hosting providers under the current Digital Services Act proposal may give rise to some practical hurdles for providers of cloud computing services:
From a provider liability perspective, the Digital Services Act proposal largely adheres to the liability principles for hosting providers enshrined in the eCommerce Directive. Under Art. 5 DSA proposal, hosting providers will only be liable if they have been informed about illegal content (by the notice and action mechanism). An exemption from liability will apply if the cloud provider can prove in the individual case that it has no actual knowledge of the illegal content (which may be the case in the scenarios outlined above) or that it has acted without undue delay to remove the content or block access to it.
It will still take some time before the drafts finally come into force, and amendments to the proposed legislation are possible. As the next step, the Council of the European Union (“Council”) and the European Parliament must agree on final versions of the draft DSA, which will then negotiated in so-called trilogue meetings of the Council, the European Parliament and the European Commission. Once these meetings result in an agreement, the Council and Parliament will have to vote on the final text in order for the regulation to enter into force, which is currently expected for 2023/2024. Nevertheless, extensive legal changes are already foreseeable and it is recommended for companies to closely monitor the legal developments to allow for early adjustments to the new legal framework.
We have a dedicated multi-jurisdictional taskforce closely tracking the progress of the DSA, including experts in intellectual property, consumer and contract laws, data protection, technology regulation and policy and competition. For details of the taskforce click here.
Authored by Henrik Hanssen, Johannes Großekettler, Katharina Schwalke and Thilo Ortgies