A Series on the EU Digital Services Act: Ensuring Effective Enforcement
With the CDT Europe “Digital Services Act Series”, we take a deep dive into the recently adopted EU Digital Services Act (DSA), the bloc’s flagship online platforms governance Regulation. We break down key obligations, reflect on the potential impact of the legislation and pose recommendations towards the next steps in bringing the legislation to life. We hope that this series provides a more comprehensive understanding of the DSA and its implications and will support future analysis as the European Commission takes steps to supplement and implement the legislation.
(Have a look at our first and second editions in the series, on Tackling Illegal Content Online and Due Diligence in Content Moderation.)
Does the EU’s DSA risk becoming another “paper tiger” (a critique often aimed at the EU’s other major tech legislation, the General Data Protection Regulation (GDPR))? A legislative framework is only as impactful as its enforcement, and many have charged that the GDPR’s impact has been muted by the relative lack of enforcement. EU co-legislators have attempted to learn from the missteps of the GDPR by putting into place an ambitious and layered enforcement regime, with emphasis on timely national level enforcement and a significantly empowered European Commission. However, the feasibility of the proposed regime and, more importantly, its alignment with rule of law safeguards, remain uncertain.
With this final entry in our blog series, we break down the proposed enforcement regime in more detail, identify the challenges that lie ahead for the various regulatory bodies, and briefly reflect on how the DSA may influence efforts to create coherence between global online platform governance frameworks.
A Layered Enforcement Regime
The primary aim of the DSA is establishing harmonisation for the regulation of digital services across Europe; as an EU Regulation and not a Directive, it is directly applicable in every member state. The DSA requires an enforcement regime that operates seamlessly to ensure equal application of the regulation throughout the Union. Although some substantive amendments to the enforcement provisions were made during the negotiations on the text, the core structure set forth in the initial draft by the European Commission has been maintained: enforcement is split between national regulators and the European Commission, with support to be provided by a newly established entity known as the Board.
Digital Services Coordinators
Each EU Member state will assign a national authority to the role of Digital Services Coordinator (DSC), which will be responsible for all matters related to supervision and enforcement of the DSA at the national level (Article 38). As an existing authority can be assigned the role of DSC, discussions happening amongst member states show a broad preference for audio-visual media regulators to fulfil this role, though specific tasks can be assigned to other competent authorities such as electronic communications regulators or consumer protection authorities. The DSC must coordinate cooperation between all relevant competent authorities and must be clearly independent, remaining free from political or private influence (Article 39).
DSCs’ powers of investigation include, but are not limited to, requiring intermediary services to provide information and the ability to carry out (or request a judicial authority to order) inspections of premises to seize information related to suspected infringements. Some of their enforcement powers include imposing fines or periodic penalty payments, requesting a judicial authority to temporarily restrict access to an online service, and the power to adopt interim measures (Article 41). Additionally, Member States where the main establishment of a provider of an intermediary service is located shall have exclusive powers for the supervision and enforcement of those entities (Article 44a), except where the European Commission may have exclusive competence or has not initiated proceedings for the same alleged infringement against a very large online platform or search engine, details of which are elaborated below. A fundamental role of the DSCs is also to act as the single point of contact for the next set of enforcement bodies, the European Commission and the Board.
The DSA endows the European Commission with significant supervisory and enforcement powers, partly with the goal of streamlining enforcement and preventing shortcomings from lax member state enforcement. The European Commission will be the primary regulator for very large online platforms (VLOPs) and very large online search engines (VLOSEs). This more centralised approach for VLOPs/VLOSEs is due to the potential cross-border impact that failure to comply with the regulation may have. More specifically, the Commission will have exclusive powers for provisions in Section 4 of Chapter III, the due diligence obligations (Articles 25-37), including risk assessments (Article 26), independent audits (Article 28), and additional online advertising transparency (Article 30). It should be noted, though, that these exclusive powers are without prejudice to certain administrative tasks which are assigned to DSCs in member states, already giving us a hint of the complexity to come.
The European Commission will maintain investigatory powers which can be exercised through an own-initiative investigation, or at the request of a DSC who suspects possible infringement of the regulation by a VLOP/VLOSE that is affecting users within their respective member state. Similarly, the Commission may require VLOPs/VLOSEs to provide information relevant to their investigation into a suspected infringement; within these requests the Commission must provide the legal basis, specify what information is required and set a time period within which the information must be provided (Article 52). Alongside this, the Commission can issue non-compliance decisions (Article 58); impose fines not exceeding 6% of the service provider’s total worldwide annual turnover; and make legally binding the commitments made by VLOPs/VLOSEs to ensure compliance (Article 56). The European Commission, however, will need to consistently consult the Board in relation to several enforcement actions.
The European Board for Digital Services Coordinators (‘the Board’) is a brand-new and purportedly independent advisory group, which is tasked with supporting consistent application of the DSA. The Board is made up of all the DSCs, who all maintain voting rights in this formation, and is chaired by the European Commission, who does not have voting rights. The Board’s role is primarily advisory, and will include contributing to the drafting of Codes of Conduct and supporting joint investigations between DSCs and the European Commission. The Board can advise the European Commission and DSCs about appropriate enforcement measures, especially for VLOPs/VLOSEs, and can adopt opinions addressed to the DSCs. Though these opinions are not legally binding, the decision by a DSC to deviate from an opinion must be substantiated and can be taken into account when the European Commission assesses the compliance of a relevant member state with the regulation.
This multi-layered regime aims to strengthen the European Commission’s ability to enforce the EU regulation whilst putting into place mechanisms for national regulators to avoid the pitfalls of GDPR enforcement. The final text, however, is not entirely clear about how such a regime will operate in practice and raises additional questions about the potential politicisation of enforcement, enforcement overreach and regulatory independence.
Challenges to Effective Oversight
Our previous blog touched upon the issue of financial and human resourcing capacity; as it stands, significant investment is going to be needed across the board in order for the foreseen mechanisms to be in place by the time the DSA comes fully into force in early 2024. Although several EU member states already have relevant regulatory bodies such as data protection authorities or audio-visual and media regulators that are able to enforce aspects of the DSA, no singular entity has the capability to do so uniformly. Given that the DSC will be the primary coordinator for all relevant authorities, the process of appointing which entity will become the DSC and reassigning previously held responsibilities will be a highly politicised venture. There is also the overarching risk that resourcing for DSCs will vary across member states, leading to uneven enforcement across the bloc.
The position of the Digital Services Coordinator of Establishment, which is the DSC of the Member State where an intermediary service or its legal representative is established (typically Ireland or Luxembourg), will also prove challenging given the existing tensions with GDPR enforcement. (When a small number of states are the place of establishment for a significant majority of tech companies, regulatory bodies in those states can quickly become overwhelmed.) The DSC of Establishment can lead joint investigations (Article 46) and be requested by other DSCs to assess suspected infringements and to take the necessary investigatory and enforcement measures, if the European Commission hasn’t already initiated an investigation for the same alleged infringement (Article 45). In this latter article, and in an attempt to avoid GDPR enforcement bottlenecks, EU co-legislators have incorporated increased accountability mechanisms by ensuring DSCs of Establishment have two months to communicate to all enforcement bodies their findings and the measures adopted. Should there be a disagreement, however, the issue can be referred to the European Commission, who also has two months to assess the matter. This mechanism will likely generate potential conflicts as numerous requests can be submitted. Because they will need to be addressed within a limited time period, tensions between the DSC of Establishment and the Commission may arise, all of which could weaken the enforcement regime.
The challenges to the enforcement regime go beyond the practical and political, as once again rule of law concerns are prevalent; this is particularly evident when analysing the responsibilities of the European Commission. Advocates recommended early in the DSA negotiations process that a more centralised approach would be required in order to avoid the blockages experienced with GDPR enforcement, and that this could be achieved through a new EU agency such as a European Digital Services Coordinator. However, this was not the approach that was adopted, and existing European Commission teams will simply be assigned additional new roles.
This is problematic from the rule of law perspective. Fundamentally, the Commission is the executive of the European Union, with responsibility for upholding the treaties, and is not an expert regulator. In this role as guardian of the Treaties, the European Commission can take member states to Court for the non-implementation of EU laws. Given that the DSA effectively assigns an implementation role to the European Commission through its coordination of the Board and DSCs, there is an inherent conflict of interest. The European Commission is unlikely to take a member state to Court for non-implementation for fear of highlighting its own shortcomings. More granularly, the powers the European Commission has been endowed with are not always subject to sufficient oversight. For example, the Commission may order VLOPs/VLOSEs to implement interim measures on the basis of a prima facie finding of an infringement. Though these measures are only valid for a fixed period, that period is to be determined by the European Commission. The Commission can also make use of the enhanced supervision system to identify remedies to address infringements in relation to Section 4 of Chapter III. The measures the Commission can require a VLOP or VLOSE to adopt include a commitment to participate in a relevant “voluntary” code of conduct (Article 35), which subsequently brings into question their voluntary nature and risks these codes becoming de facto law.
Lastly, the Board is not a new independent governance structure with its own legal personality, but a formation of all DSCs and supported by ad hoc resources from the European Commission and the relevant member state authorities. The importance of having a separate legal personality and independence has been well demonstrated by the European Data Protection Supervisor Office, which does not shy away from robust review of EU laws and practices in relation to data protection and privacy. The agreed regime simply does not alleviate concerns about the European Commission’s ability to remain independent and avoid being politically pressured in relation to its enforcement responsibilities, either by Member States through the Board where the Commission holds no voting rights or by industry.
Overall, the enforcement regime of the DSA paints a mixed picture. The split competence between the European Commission, the DSCs and the Board is not as clear cut as it may seem. Member states will have oversight for some aspects of enforcement for VLOPs and VLOSEs, especially the DSC of Establishment, which could lead to politicised enforcement or a fracturing of the harmonisation the DSA is intended to create. The final text also does not provide sufficient clarification in terms of potential disputes between DSCs or over the use of enforcement powers where the European Commission is also given scope to initiate investigations for the same alleged infringements.
These challenges could be sufficiently addressed if member states provide DSCs with adequate resourcing and if an environment of trust between all enforcement bodies is nurtured from the outset. It is also vital to include formal cooperation with civil society as an independent, rights-focused stakeholder as part of the process from the very beginning. Much like the role of the Board, an established body such as an Advisory Committee would enable civil society and experts to contribute opinions, recommendations and be consulted in areas where increased democratic scrutiny would be particularly pertinent, and could help alleviate some of the weaknesses identified here in the enforcement regime of the DSA.
What Will Be the Global Impact on Online Platform Governance Enforcement?
With such a complex regime it is difficult to ascertain the potential global influence of the DSA from the enforcement perspective; it will very much be a waiting game to see how this all develops in practice. Should the EU and respective Member States be able to address the issues we have identified, and successfully create a fluid enforcement regime, the process could meaningfully advance the DSA’s aims of increased industry accountability and the protection of fundamental rights online.
Governments and regional and international organisations across the globe are currently engaged in conversations about how to update the status quo of online content governance. There is considerable momentum in this space, and the policymaking environment is potentially even ripe for a global model which facilitates cross-border cooperation. This has long been a topic of deep consideration among civil society and multistakeholder initiatives, such as the Internet & Jurisdiction Project, which has created resources for policymakers including a toolkit on cross-border content moderation, and the recent proposal of modularity for Internet governance from Susan Ness and Chris Riley at the Annenberg Public Policy Center. This type of initiative aims, to the extent possible, to create internationally aligned best practices and shared mechanisms that facilitate industry to achieve compliance with legislation across multiple jurisdictions without the need to create a supranational treaty. Otherwise, the risk of proliferation of conflicting regulatory regimes is high — with grave consequences for human rights.
The DSA regulators could set the foundation for these concepts. By addressing the issues identified in this analysis, the EU could establish an enforcement regime which provides a concrete example of a framework for enforcement that works effectively across borders and on which modularity could be built. This process will surely require a degree of trial and error, however; resolving the outstanding rule of law contradictions and adopting a holistic, feasible approach to shared enforcement is an essential starting point.
Calls from advocates for a centralised approach to enforcement, upheld by a new independent EU agency that would be sufficiently resourced, were unfortunately only met halfway. The DSA has put in place an enforcement regime that may not have taken the leap it truly needed. Successful implementation of the entire enforcement regime will be highly dependent on resisting political pressure, embracing meaningful accountability, and cooperating with EU co-legislators to work diligently over the next eighteen months to put the appropriate mechanisms in place.
The EU cannot purport to be the global regulatory leader in online content governance if its flagship regulation is unenforceable and undermines the rule of law. As implementing and delegated acts are developed, there remains an opportunity to address the outstanding issues, areas of potential conflict and enforcement hurdles. The European Commission and Member States need to adopt a holistic, transparent and honest assessment of what they have set forth in the DSA, and recalibrate their methodology to centre the preservation of fundamental rights and democratic accountability as they work to bring the DSA to life.