A single set of rules that apply across the whole EU is how the European Commission describes the Digital Services Act ((EU) 2022/2065) (DSA) and the Digital Markets Act ((EU) 2022/1925) (DMA).

The foci of this legal framework are:

• the safety of users online;
• governance with, at the forefront, the protection of fundamental rights; and
• an online platform environment which is fair and open.

Read more about the DSA package here.

In the context of recent news

The DSA entered into force on 16 November 2022, although most operative provisions did not take effect until 17 February 2024. The DMA entered into force on 1 November 2022 and came into effect on 2 May 2023.

To put these EU regulations in the context of recent news, the European Commission:

• on 3 July, launched a public consultation on the first review of the DMA (closes 24 September 2025): read the press release here.
• on 2 July, adopted a delegated act on data access under the DSA relating to researchers obtaining access to the internal data of Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) – read the press release here.
• on 1 July, provided a reminder that harmonised transparency reporting rules start to apply – read the press release here.
• on 18 June, accepted and made binding the commitments under the DSA of the VLOP AliExpress – read the press release here.

Extraterritoriality: substantial connection to the EU

In this blog we foreground the extraterritoriality of the DSA – looking at the ‘substantial connection to the Union’ wording within the regulation. We also explore some of the obligations for entities in-scope, the tiering of those obligations, and consequences of non-compliance.

What are online intermediaries and platforms?

The European Commission explains:

• ‘Digital services include a large category of online services, from simple websites to internet infrastructure services and online platforms.
• The rules specified in the DSA primarily concern online intermediaries and platforms. For example, online marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms’.

UK-based suppliers of ‘intermediary services’

The DSA applies to intermediary services offered to recipients (businesses or consumers) in the EU. This is Article 2(1) of the DSA on its Scope:

• This Regulation shall apply to intermediary services offered to recipients of the service that have their place of establishment or are located in the Union, irrespective of where the providers of those intermediary services have their place of establishment.

So, the DSA applies irrespective of where the provider is incorporated or located.

Substantial connection

However, to be in-scope, a provider of the intermediary services would need to be established in the EU or connected to the EU based on specific factual criteria. This is referred to in the DSA as a substantial connection.

Specific factual criteria

In the preamble to the DSA (recitals (7) and (8)) there are guiding words on having a ‘substantial connection to the Union’. In addition, there are these definitions within the DSA:

‘to offer services in the Union’ means enabling natural or legal persons in one or more Member States to use the services of a provider of intermediary services that has a substantial connection to the Union

‘substantial connection to the Union’ means a connection of a provider of intermediary services with the Union resulting either from its establishment in the Union or from specific factual criteria, such as:

• a significant number of recipients of the service in one or more Member States in relation to its or their population; or
• the targeting of activities towards one or more Member States

Enforcement – fines of up to 6% of worldwide annual turnover

The European Commission has powers under the DSA to investigate and to sanction. For non-compliance generally, the European Commission is able to impose fines of up to 6% of worldwide annual turnover. Following a specific procedure, and as a last resort measure, the Commission can request temporary suspension of the service.

Read more about the enforcement framework under the DSA here.

VLOPs and VLOSEs

For the purposes of the DSA, the Commission designates providers having more than 45 million users per month in the EU (or 10% of the EU’s population):

• Very Large Online Platforms (VLOPs), and
• Very Large Online Search Engines (VLOSEs).

The Commission maintains a webpage providing an overview of the VLOPs and VLOSEs that it supervises and its main enforcement activities. Enforcement issues include:

• protection of minors;
• conducting due diligence on traders;
• informing consumers about illegal products;
• giving researchers access to data;
• risks of breaching data protection law;
• providing a searchable and reliable repository for advertisements; and
• avoiding the use of dark patterns.

Read about the supervision of VLOPs and VLOSEs here.

Formal proceedings against a designated VLOP

The European Commission has issued information requests or started formal proceedings against online platforms, the first proceedings being in December 2023. These were against the platform X (formerly Twitter), with preliminary findings (the first under the DSA) released on 12 July 2024.

Read more about findings on breaches of the DSA here.

Tiering of obligations under the DSA – it’s not just VLOPs and VLOSEs!

There are certain obligations imposed by the DSA which are applicable to all providers. Providers of intermediary services include:

• VLOPs and VLOSEs;
• online consumer marketplaces;
• online platforms;
• hosting service providers; and
• ‘mere conduit’ and ‘caching’ providers.

Obligations are tiered, with the fewest applying to mere conduit and caching providers, and the most stringent applying to VLOPs and VLOSEs.

Provisions applicable to all in-scope

Obligations on all providers of intermediary services include:

Designate a single point of contact for:

• the provider to communicate with Member States’ authorities, the Commission and the European Board for Digital Services (Article 11), and
• recipients of the service to communicate with the provider (Article 12).

Appoint a legal representative in the EU if not established there – for the purpose of being addressed in addition to or instead of the provider (Article 13).

• Providers must give their legal representative the powers and resources to cooperate with Member States’ authorities, the Commission and the European Board for Digital Services, and to comply with their decisions.
• The legal representative can be held liable for non-compliance with the DSA, without prejudice to the liability and legal actions that could be initiated against the provider.
• The name, postal address, email address and telephone number of the legal representative must be notified to the Digital Services Coordinator in the relevant Member State. This information must also be publicly available, easily accessible, accurate and kept up to date.

Include provisions in their terms and conditions clarifying any restrictions on use of their service in respect of information provided by recipients of the service (Article 14).

Comply with transparency reporting obligations (Article 15).

• A Transparency Reporting Regulation (2024/2835) was published in November 2024 and sets out what providers of intermediary services need to do.
• There is a template in Annex I and instructions in Annex 2 – use of the template is obligatory from 1 July 2025.
• Note the first reporting cycle ran to 16 February 2025; the second is shortened and runs to 31 December 2025.

Hosting service providers and upwards have additional obligations.

Codes of conduct

In addition to the DSA, there are various associated voluntary Codes of Conduct. Read more about the DSA Codes of Conduct.

The Commission has also published (5 February 2025) a statement about its approach to the challenges posed by e-commerce imports. Read the EU toolbox for safe and sustainable e-commerce here.

Key takeaways

All providers of intermediary services within scope of the DSA, not just VLOPs and VLOSEs, have obligations under the DSA, albeit that those obligations are tiered.

The European Commission has issued information requests and started formal proceedings against online platforms, with its main enforcement activities against the VLOPs and VLOSEs it supervises viewable on its dedicated webpage. We await the outcome of the proceedings against X and other VLOPs.

Related, the approach to online safety legislated for in the UK has followed another pathway – there are similarities and differences between the DSA and the Online Safety Act 2023 (OSA). Rather than the DSA’s focus on transparency and accountability, the emphasis of the UK’s OSA is protecting users, particularly children, from illegal or harmful content.

We end this blog though where we began, with the DSA and the DMA together forming the package, the set of rules that for the European Commission aims, ‘…to create a safer digital space where the fundamental rights of users are protected and to establish a level playing field for businesses’. Here we have explored the extraterritoriality of the DSA, but note too that the DMA has extraterritorial effect.

The DMA establishes criteria to identify ‘gatekeepers’. These gatekeepers are large digital platforms (e.g., Alphabet, Google’s parent company) which provide a ‘core platform service’ (CPS), such as an online search engine (e.g., Google Search), or an app store or a messenger service.

We will revisit the DMA and its effect on businesses which depend on gatekeeper CPSs in a future blog. In the meantime, you can read more about the DMA’s designated gatekeepers and their associated CPSs here.

We’re here to help

Our experienced team of technology solicitors can support you if you would like to learn more about the EU’s DSA or the UK’s OSA.

This last week has seen closing submissions being made in the case of Getty Images (US) Inc vs Stability AI Ltd. It would not be an exaggeration to say that this is probably the most significant copyright case in the last decade.

Background to the case

At its heart is whether, as Getty claim, the scraping of millions of images from its website, without consent, and using them to train Stability’s AI model “Stable Diffusion”, and then the subsequent outputs from Stable Diffusion, infringe the copyright Getty own in those images.

Now that the trial is over, a judgment would normally be expected in three months, so by October 2025. The judge, Joanna Smith J, is developing a high-profile in so called soft IP cases (broadly those that cover for example trade marks and copyright rather than the more “sciencey” patent cases), having previously had her judgment in the Lidl v Tesco litigation where she found Tesco’s yellow and blue Clubcard branding infringed Lidl’s trade marks and passed them off upheld by the Court of Appeal. An appeal in this Getty case seems inevitable given what is at stake.

The question of how copyright laws are going to be applied in the development of AI has achieved global profile in recent years. Significant litigation (in addition to the Getty case in the UK) is underway in several other jurisdictions, including the USA. High profile UK artists such as Elton John and Paul McCartney have spoken publicly about their alarm over AI “ripping off” artists. On the other hand, there is political pressure for the UK to be at the forefront of AI development not least in its search for economic growth, and there have been suggestions from some politicians of reform of the law to enable this to happen, such suggestions often not being particularly well informed about how copyright law actually works.

The subject Getty case is almost several trials in one – there are substantive disputes involving a number of key IP rights, namely infringement of trade marks, passing off, infringement of copyright, infringement of copyright’s cousin database rights, and associated “safe harbour” defences. This is a very high-level summary, as many of the issues, particularly round the copyright and database rights claim, are complex.

What are the claims?

This article focuses on the copyright and database right claims and their associated defences, as those issues are the most pertinent to the relationship of our copyright laws to AI.

There are really three different but related copyright claims being advanced by Getty;

• Input
• Output
• Deployment

To establish the UK court’s jurisdiction, Getty needed to be able to show that there was downloading and storing of copyright works on hardware located in the UK as part of the process of training Stable Diffusion. Stability having done so in “the cloud” is unlikely to be enough. The problem for Getty here is that this is most likely to have taken place in the USA. But what if Stability had employees based in the UK doing this?

It would appear from the closing submissions that Getty may not have focussed on this aspect of their case by the end of trial and after the witnesses had been cross examined. We will have to wait for the judgement to find out, and obviously interested commentators such as myself are not privy to Getty’s thinking about its strategy and tactics in the case.

For claimants generally, although a case based on inputs is perhaps the most obvious way or first thought about how to advance a copyright AI case, the jurisdictional problems are likely to be significant where the AI models being trained are overseas, notably in the USA and China, and on cloud-based networks.

Output

This aspect of the case is all about whether the images then produced by Stable Diffusion infringe Getty’s copyright. Getty need to prove that a substantial part of their copyright works were reproduced in the output images created by Stable Diffusion (Stability argue that the images produced do not reflect “a substantial part of the intellectual creativity” of the photographer who took the original photograph). The actual legal test talks to “reproducing the work in any material form”, which has been interpreted by the courts as reproducing the whole or a substantial part”.

We will have to wait for the judgment to see if this subtle difference in language is intended to obscure what is actually an infringement, although it is understood from the closing submissions that this aspect of the case has also not been pressed by Getty.

Deployment

For most neutral observers, this is where it is probably felt that Getty have the best chance of success. The infringement case here is known as “secondary infringement”, which occurs where an infringer, (here, Stability), without licence of the copyright owner imports into the UK an article which is, and which he/she knows or has reason to believe is, an infringing copy of the copyright work.

The latter knowledge aspect of this test is likely to be easier to establish. It is the first aspect that still presents some serious challenges – does the word “article” cover something that is intangible such as an AI model? And can something be an “infringing copy” even if the article (assuming Stability is found to be an article) does not have any “copies” retained inside it?

Article

Stability’s argument is that the word “article” was never meant to mean anything other than a physical article one can touch hold and see. Getty on the other hand argues that legislation has always been read in light of subsequent technological developments. This sounds like a powerful argument – the law almost always lags behind technological developments – see for example how copyright law has adapted to the rise of the internet over the last two decades, with on line video platforms such as YouTube.

Infringing Copy

Getty say that infringing reproductions of copyright works were necessary to train Stable Diffusion, notwithstanding that such copies were transient in nature and not retained in the finished article. The relevant legislation (Copyright, Designs and Patents Act 1988) provides that copying can include the making of transient copies.

Legal defences to the claims

Stability rely on what are known as “E Commerce Safe Harbours”, which although deriving from an EU Directive take effect in the UK, even after Brexit. The particular defence likely to be most critical is the “hosting defence”. In outline, provided an intermediary operates within certain parameters outlined in the relevant legislation, it cannot be an infringer.

Stability says it is like Google – it merely processes data entered by third parties (i.e. users in Stability’s case, advertisers and users in Google’s case). Stability says it plays no active role in creating a new image and has no responsibility for its users’ actions. It is users they say who upload any infringing image. Thus, Stability seeks to shift responsibility onto its users, who one assumes might also be described as customers, saying it knows nothing of specific acts they may have committed.

Countering this defence, Getty says Stability is not an “intermediary” within the meaning of the hosting defence, as it is in a bi-partite not tri-partite relationship with its users, and in a bi-partite relationship one cannot be an intermediary. Further, Getty says, Stability goes well beyond a role which is merely technical, automatic and passive, which are characteristics required to fall within the safe harbour provided by the hosting defence.

Looking ahead to the judgment and its possible implications and consequences

Stability has said in its closing submissions at the end of the trial that if it loses, then UK users would not have access not only to Stable Diffusion, but also other internationally trained AI models – at least until the training of such models does not infringe a rights owners’ copyright works. Cue more hand waving from politicians agitating for a change in the law in search of economic growth.

But it would be equally true would it not that such an outcome would devalue the enormous value creative industries bring to the UK surely? According to a recent article in the Financial Times, the government has estimated that the UK’s creative industries generated £126bn in gross added value to the economy in 2022, roughly 5% of GDP, whilst employing around 2.4 million people. The FT question whether the “value add” of the AI industry will ever be of comparable scale.

Getty on the other hand says that a narrow interpretation of the relevant statute (i.e. a finding of non-infringement) would be problematic, and it is difficult not to see the force in that submission.

Some of those in favour of permitting scraping to further the advance of AI in the UK point to the “fair use” provisions in the Copyright, Designs and Patent Act 1988. Stability had originally relied on the “pastiche” fair dealing defence, arguing that the outputs generated are imitating the original work and are not a substitute nor does the imitation cause any harm to the original work, Generally, speaking the so called “fair use” provisions are for the purposes of “criticism review and reporting” before the introduction of the “caricature, parody, or pastiche” defence following the Hargreaves Review in 2012.

Whilst the trial presented an opportunity for judicial comment on the use and breadth of the pastiche defence, it is unsurprising that Stability chose to drop its pastiche defence during trial. The use of millions of images without payment for commercial enterprise does not fit easily within those provisions, as perhaps Stability and their lawyers recognised. As is always the case, it is for parliament to change the law, if a government feels change is needed, and for the courts to interpret the statutes in place at any one time.

It’s unlikely that this will be the last hearing in this case, and a trip to the Court of Appeal, and possibly even the Supreme Court, seems likely given the public interest