The EU Digital Services Act is due to come into force for most “intermediary” service providers that offer a service to EU citizens from February 17, 2024. The Act will impact a number of US-based healthcare IT companies and may influence future federal and state legislation in the United States.
The Digital Services Act is a new EU law that updates the existing EU Electronic Commerce Directive. Among its objectives, the Act aims to address illegal and misleading online content, better protect Internet users from fraud, and give users more control over what personal data is collected and how it is used. The Act also includes new legal requirements for Very Large Online Platforms (VLOPs – e.g., Amazon and eBay) and Very Large Online Search Engines (VLOSEs – e.g., Bing and Google).
The Act applies to all conduit, caching, and hosting services accessible by EU citizens regardless of where the service provider is based (similar to the General Data Protection Regulation). Therefore, US-based social media companies, e-commerce platforms, collaboration tools, content sharing platforms, messaging apps, and advertising networks (among others) will have to comply with the EU Digital Services Act if they provide a service to or for EU citizens.
The Issue of Provider Liability
Chapter 2 of the EU Digital Services Act is similar to §230 of the Communications Decency Act inasmuch as it provides immunity for online service providers with respect to third-party content generated by their users. However, unlike §230, if a service provider becomes aware of illegal activity or illegal content (Article 6) or is ordered to act against such activity or content (Article 9) and fails to remove or disable access to it, the provider is in violation of the Act.
With regards to the scope of provider liability, there is a question about whether a website that hosts chatrooms and forums, or allows users to add public comments, is covered by the Act. Strictly speaking, such a website fulfils the definition of an online platform because users can interact with it. However, in the definitions section of the Act (Article 3), an online platform is defined as:
“a hosting service that, at the request of a recipient of the service, stores and disseminates information to the public, unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons, cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of this Regulation”.
Because it is unclear how EU regulators will interpret “minor” and “ancillary”, it is advisable for US-based websites that support user interaction to comply with Chapter 2 of the Act and Article 18 of Chapter 3 – which requires providers that suspect criminal activity to report their suspicions to EU law enforcement authorities. It may also be necessary to comply with Chapter 3, Article 23, which requires providers to suspend users who frequently post illegal or misleading information.
Other Relevant Articles in the EU Digital Services Act
The EU Digital Services Act has a sliding scale of compliance obligations depending on the nature of each organization’s qualifying activities. VLOPs and VLOSEs have to comply with all applicable Articles, while organizations that only provide (for example) an online platform do not have to comply with the risk management, audit, and data access requirements. In the context of what the US healthcare IT industry can learn from the EU Digital Services Act, the following Articles are the most relevant:
Point of Contact
Similar to the requirements of HIPAA and the FTC Act, healthcare IT companies in the US that provide any form of intermediary service for EU citizens must appoint a “point of contact” similar to a Data Protection Officer under the General Data Protection Regulation. This is a requirement of the EU Digital Services Act even if the company does not qualify as a covered entity under GDPR because it does not collect, process, or store personal information relating to an EU citizen.
The “point of contact” must be contactable in a user-friendly manner (Article 12), and the means of contacting the appointed individual must be publicly available (i.e., not an automated service) so that users of the service and regulatory authorities can reach them. Additionally, the point of contact must be located in the EU; so, if a company does not have a physical presence in the EU, it must appoint a “legal representative” (Article 13).
Transparency Reporting Obligations
The transparency reporting obligations of the EU Digital Services Act cover everything from how the service has moderated content and what algorithms have been used to moderate content, to what complaints have been received and what content has been removed from the service as a result. Providers of intermediary services that do not qualify as a small or micro enterprise will be required to produce a report at least annually (Article 15).
Complaint and Redress Mechanisms
Each organization is required to develop and publicize complaint and redress mechanisms (Article 17). These not only apply to handling complaints from users about illegal and misleading content but also complaints from users who have had content removed by a provider. Member states have the authority to produce their own guidelines on how to deal with malicious, unfounded, or repeated complaints, and this will likely involve the documentation of such (unactioned) complaints.
Restrictions on Deceptive Designs
Article 25 of the EU Digital Services Act prohibits the design or operation of online interfaces that deceive users or manipulate them into making a decision. Examples of such practices include giving more prominence to one option over another and repeatedly requesting that a user make a decision via a pop-up that interferes with the user experience. Additionally, the procedure for terminating a service or subscription must be just as easy as signing up for the service or subscription.
Profiling and Targeted Advertising
Several Articles have restrictions or requirements for advertising. Article 26 includes rules for ensuring users are aware an advertisement is an advertisement (or a commercial communication of any sort) and prohibits user profiling and targeted advertising using certain categories of personal data. Article 28 further extends the prohibition of profiling and targeted advertising to all websites and online platforms that are accessible to minors.
The Traceability of Traders
To mitigate the risk of EU citizens being scammed by anonymous vendors, any website or online platform that offers goods or services supplied by a third-party trader must obtain the trader’s name, physical address, phone number, email address, and a copy of their registration documents before advertising their goods or services (Article 30). Additionally, third-party traders will only be allowed to advertise goods or services that comply with EU laws.
How Might the EU DSA Impact the US Healthcare IT Industry
The EU DSA is designed to modernize the digital space, create a safer online environment, and rein in the influence of large search engines, e-commerce websites, and social media platforms. The fundamental principles of accountability, transparency, and user protection will impact the US healthcare IT industry inasmuch as US healthcare IT companies provide services to European healthcare systems in the following areas:
- Electronic Health Records Systems
- Telehealth Solutions
- Data Analytics
- Interoperability Solutions
- Medical Imaging Software
- Cybersecurity Services
- Cloud-Based Services
- Billing and Revenue Cycle Management
- Population Health Management
While many of these services may not be subject to the EU DSA because the service provider is not an “intermediary” between the healthcare system and the end user, any other services that qualify as “covered services” will have to comply with the regulations for data transparency and governance, algorithmic accountability, and vendor traceability. Additionally, companies will have to implement mechanisms for complaint handling and redress where required.
The penalties for violations of the EU DSA will be “proportionate to the nature and gravity of the infringement, yet dissuasive to ensure compliance”. Initially, the Digital Services Coordinator is likely to pursue a path similar to how the HHS Office for Civil Rights approaches HIPAA violations – technical assistance and corrective action plans. However, the Coordinator has the authority to fine companies up to 6% of their global turnover and suspend the service until it is compliant.
What the US Healthcare IT Industry Can Learn from EU DSA
EU data privacy legislation is often an influencing factor on federal and state legislation in the United States. California’s Consumer Privacy Act was the first of many state laws modeled on the EU’s General Data Protection Regulation, and the proposed American Data Protection and Privacy Act (ADPPA) further extends individuals’ rights and the data governance requirements of most state laws, plus provides for a conditional private right of action.
Some states have also borrowed from the EU Digital Services Act before the EU law becomes effective. The Indiana Data Privacy Law and the Montana Consumer Data Privacy Act (both passed this year) require covered organizations to conduct data impact assessments before using data for profiling or targeted advertising, while New York’s proposed Privacy Law gives Internet users the right to opt out of both profiling (for any reason) and targeted advertising.
Other Articles in the EU DSA have made appearances in federal legislation. The INFORM Consumers Act requires online marketplaces to collect, verify, and disclose (when required) the identities of certain vendors similar to the EU DSA’s Traceability of Traders Article, while the proposed American Innovation and Choice Online Act places similar restrictions on VLOPs and VLOSEs with regards to the order in which products or search results are displayed to users.
Possibly the most important thing the US healthcare IT industry can learn from EU DSA is the likelihood of §230 of the Communications Decency Act being amended or repealed and interactive online platforms becoming liable for user content posted on them. In 2020, the Department of Justice made four recommendations to Congress ranging from carving out exemptions for specific content to removing all protections for lawsuits brought by the federal government.
Although Congress has not yet acted on the recommendations, numerous legislative proposals (for example, the “Social Media NUDGE Act”) may make it necessary for healthcare IT companies to build content monitoring into interactive apps and – if necessary – develop complaint and redress mechanisms to explain removal decisions and resolve disputes. Due to the volume of legislation that proposes amendments to §230, this is likely to become a requirement sooner rather than later.
Why it is Important to Consider Future Changes Now
There is a great deal of legislative and regulatory activity in the healthcare sector at the moment. In addition to the proposed changes to HIPAA and the cyber incident reporting requirements of the 2022 Critical Infrastructure Act, healthcare IT companies may have to redesign apps and services to comply with the EU Digital Services Act as well as new domestic laws determining how personal health data is collected, retained, and used (e.g., the “My Body, My Data Act”).
Because of the number of laws and regulations that may soon require priority attention, it is recommended that compliance teams and engineering teams communicate about what changes may be required to existing apps and services, and how they can be planned for now in order to avoid future penalties for non-compliance. Any company unsure of its compliance obligations under the EU Digital Services Act – or any domestic legislation – should seek professional compliance advice.
The post What the US Healthcare IT Industry Can Learn from the EU Digital Services Act appeared first on HIPAA Journal.