The EU's 2030 Digital Agenda sets the course for a European digital future, with accompanying new legislation. This legislation brings numerous changes and obligations for various organizations and is therefore also relevant for M&A practice, as it will significantly expand the scope of due diligence investigations.
Legal Data Due Diligence
We're now accustomed to conducting privacy due diligence based on regulations such as the General Data Protection Regulation (GDPR). However, a privacy due diligence review will now be too narrow in scope. Before conducting due diligence, it's important to understand which regulations are relevant to a transaction, what obligations this entails for organizations, and (potentially) the risks for a buyer. Therefore, consult our online tool at www.legaldataduediligence.nl to determine which EU data laws may apply to the target company before a transaction.
This blog provides guidance for M&A practitioners on the Digital Services Act (DSA). We discuss the core obligations, scope, risks, and key considerations for M&A practitioners.
DSA
The Digital Services Act (DSA) aims to create a safer online environment, protect users' fundamental rights, and promote transparency and accountability in online platforms. The DSA imposes due diligence obligations on both small and large digital service providers, ranging from intermediary services to online platforms and search engines. In short, the DSA applies to businesses involved in online services that share user-generated content. Consider, for example:
- Online platforms: marketplaces, app stores, social media, reviews;
- Hosting services: cloud gaming, web hosting, media streaming, forums/reviews;
- Search engines and aggregators;
- Internet service providers and domain name registrars;
- Advertising platforms and matching services;
- SaaS for publishing/exchange/storage of content for third parties;
- Digital marketplaces (B2B/B2C).
All providers of intermediary services must comply with the new obligations under the DSA from 17 February 2024.
What are the core obligations?
The applicable obligations depend on the entity's classification. The DSA has a tiered system: the more closely a provider is involved with customer information, the more obligations apply. For example, online platform providers must also comply with obligations for hosting providers and online intermediaries. Key obligations include:
- Content moderation: measures to detect, report, and remove illegal content. Hosting services and online platforms must have a reporting mechanism for individuals and organizations.
- Criminal Offences: Hosting providers that discover information that indicates a criminal offence will immediately inform the relevant authorities and provide any available relevant information.
- Transparency: at least an annual transparency report on content moderation. Online platforms are also subject to advertising transparency obligations (clarity regarding advertising and on whose behalf; no profiling based on sensitive personal data).
- Terms and Conditions: Clear information regarding restrictions on the use of the service and its tracking. Additional requirements apply to very large online platforms and very large online search engines.
- Central Contact Points: a central point of contact for communication with customers, Member States, the European Commission and the Digital Services Council.
- Internal complaints handling system: users who receive a decision following their report must be able to file a complaint electronically against that decision.
Does the law apply to the target?
The DSA has a broad scope and applies to various digital service providers offering their services in the EU, regardless of whether they are established within or outside the EU. This includes online intermediaries, hosting providers, online platform providers, very large online platforms (VLOPs), and very large online search engines (VLOSEs).
What are the risks (fines, etc.)?
Failure to comply can result in fines of up to 6% of global annual turnover. Failure to provide mandatory information can result in a fine of 1% of global annual turnover. In addition, a penalty of 5% of global daily turnover per day can be imposed for as long as the violation continues.
VLOPs and VLOSEs are overseen by the European Commission and national supervisory authorities (in the Netherlands: the Netherlands Authority for Consumers and Markets (ACM) and the Dutch Data Protection Authority (AP)). Oversight of other service providers lies with the national supervisory authorities.
What should you pay attention to during a transaction?
- Does the company meet its DSA obligations?
- Has the company recently received fines or measures from ACM or AP?
- Are there content moderation and reporting procedures in place that align with the DSA?
- Are there internal policies for collaboration between legal, technical, and compliance departments?
- Does the provider inform itself about illegal activities on the platform in accordance with the DSA?
- Is there a transparency policy for advertising?
- Are users adequately informed about rights and procedures?
- Are there mechanisms to challenge content moderation decisions?
- Are periodic risk assessments carried out?
- Are procedures for cooperation with authorities clearly defined?
Conclusion
The new EU data regulation has a significant impact on M&A practice, particularly on the due diligence process. The scope must be expanded to include "Legal Data Due Diligence" to identify applicable legislation, compliance, and risks.
Non-compliance can lead to high costs, fines, reputational damage, and loss of value. Both buyers and sellers are advised to check beforehand whether the legislation applies and whether the organization is compliant.
Want to know more?
Contact one of our specialists.



