A tale of classified documents and online platforms: How to comply with new EU rules

Sign up for the GI Daily here to get the biggest news straight to your inbox

In April, Massachusetts Air National Guard member Jack Teixeira was arrested in the US by the FBI for allegedly leaking classified documents about the war in the Ukraine on Discord.

Since then, much has been written about the investigation as well as other cases of restricted information sharing on gaming forums relating to games such as War Thunder.

But what impact do such leaks have on the platforms on which this information is posted? What are their responsibilities and liabilities for the content that they host?

A shifting landscape

Historically in Europe, platforms have not been liable for any illegal content on their site provided they had no actual knowledge of such content and, if they became aware, moved quickly to take it down.

This has been the legal position since June 2000, a lifetime ago in digital development, when we were all playing games on Game Boy Colours and the original PlayStation.

Since then, technology has changed (to say the least) and the role of online interactions and user generated content in games, on gaming platforms, and on social media, has exploded. Online safety and, in particular, the role that platforms play in policing the internet has become a hot topic for governments and regulators across Europe.

In the UK, the debate on how to regulate in this space still rages, with the UK Online Safety Bill still crawling its way through the parliamentary approval process.

For the EU however, the answer is settled. And that answer is the Digital Services Act.

The next generation of digital services

The Digital Services Act, published in October 2022, represents the next generation of the regulation of online services in the EU, with compliance required by 17 February 2024.

While the headlines focus on the application to the social media giants, the Digital Services Act actually covers a broad spectrum of digital services which will impact many in the games sector, from those games with in game comms or user generated content, to live streaming services and chat rooms, and even certain back end game infrastructure and services.

The Digital Services Act takes a tiered approach to compliance, which escalates depending on the type of digital service you provide and the perceived risk that it creates to the dissemination of illegal content.

And the Digital Services Act comes complete with fines of up to 6% of worldwide turnover for non-compliance.

So what do I need to do?

Here are five key things you can do to prepare for the DSA.

• 1. Check whether the services you provide are in scope

The Digital Services Act applies to any intermediary services which are offered to users based in the European Union. So even if you don't have any presence in the EU, you could still be in scope if your users/players are.

What counts as an intermediary service is also broad. This includes those that store information provided by and at the request of another party and those that make that information available to the public at that party's request.

So if you're storing third party information (whether an individual's or a business') or making it available to the public, then you're likely to be in scope. Where you have multiple games or services, you'll need to carry out this assessment on each service as different rules may apply.

• 2. Confirm what type of intermediary service you provide

The Digital Services Act creates a number of categories of intermediary services including hosting services, online services and very large online platforms. Each category builds on the last and adds further requirements with which to comply.

Carry out analysis now on where you sit and what you need to do to be compliant. Certain exceptions or caveats might be available, which could enable you to avoid some of the more onerous requirements.

• 3. Report number of active users (if you're an online platform)

If you are considered an online platform, you should have already reported the number of average monthly active users of the services. If you haven't already done so, it's something to address quickly.

• 4. Take down illegal content when you become aware of it

The old rules for hosting services still apply. So in order to avoid liability for the third party content that you host, you need to implement measures within your organisation to take this content down quickly when you become aware of it. This is something that the games industry has typically been proactive with, adopting many tools and methods to ensure a great player experience.

• 5. Identify what new obligations apply to you and take the necessary compliance steps

Each category of intermediary service comes with a number of new requirements and obligations. Which requirements apply will depend on the type of intermediary service you provide (and remember you may have multiple services which fall under different regimes).

For hosting services, you'll be focused on things like updating your terms and conditions to reflect restrictions on use of your services and your content moderation approach, transparency reporting and notice and take down obligations.

The good news is that you have until 17 February next year to [comply]. The bad news is that there may be a reasonable amount of operational, legal and technical issues you need to address

Online platforms (those making third party information publicly available) will have additional requirements to comply with. This includes implementing a complaints handling system for those that disagree with a decision made on illegal content, an out of court settlement procedure, and rules around the transparency of online advertising. Additional rules are applicable to online platforms which are also consumer marketplaces (such as app stores).

For those platforms which are accessible by minors (likely to be a larger number of the gaming space), there are specific requirements around ensuring childrens' privacy, safety and security.

In addition to the above, very large platforms and search engines (those with 45 million or more active users) have the most onerous obligations, including assessment of systematic risks in the way their platforms operate and disseminate illegal content, implementing measures to address these risks and crisis response mechanisms.

Compliance with all of this will take time. The good news is that you have until 17 February next year to do this. The bad news is that, depending on the category you fall into, there may be a reasonable amount of operational, legal and technical issues you need to address. Time to get going!

What else should I be aware of?

While the Digital Services Act is the key regulation on online safety across the EU, there is also country specific legislation spinning up in areas like Germany and Ireland. And of course the UK's Online Safety Bill still rumbles on. This all means that those in scope will end up needing to comply with a patchwork of legislation across Europe.

This will require some soul searching on how to manage compliance, with some having the resources to tackle this at an individual country/regulation level, while others will take a more holistic approach to compliance and apply the highest standard across all countries. In extreme situations (as has been hinted at by certain leading communications providers), we may see businesses exiting certain markets all together.