Fostering responsible business conduct in the tech sector – the need for aligning risk assessment, transparency and stakeholder engagement provisions under the EU Digital Services Act with the UNGPs

This blog, coauthored by CDT Europe, is a product of the UN Human Rights B-Tech Project and is part of a blog series focused on the intersection between human rights and the responsibilities of technology companies.


The UN Guiding Principles on Business and Human Rights (UNGPs) call for a smart mix of regulatory and voluntary measures to prevent and address harm from business conduct and practices, including in the technology sector. As an example of regulatory measures, the EU has engaged in ground-breaking efforts to regulate tech companies, including (though not exclusively) with the aim of fostering an inclusive, open and safe online environment where human rights are upheld and promoted. A major piece of these regulatory efforts is the EU Digital Services Act (DSA), which covers all online intermediaries, including very large online platforms and search engines.

The DSA sets out novel approaches to the regulation of digital technologies and to platform governance more broadly. Of note, the DSA adopts a tiered approach in establishing obligations for online platforms and intermediaries in addressing illegal content, and introduces due diligence obligations with the aim of creating a safer and more rights-respecting online environment, with the most extensive provisions reserved for the very largest online platforms.

While the law entered into force on 16 November 2022, aspects of risk assessment, transparency and stakeholder engagement relevant to implementing some provisions remain to be specified in further detail through secondary legislation known as Delegated Acts or through guidelines developed by the European Commission. Clarifications regarding these provisions will shape the effectiveness of enforcement, including with regard to business respect for human rights, and hence implementation of and compliance with the law by the companies in scope.

When it comes to regulating companies, the UNGPs stress the importance of internal and external policy coherence in terms of the expectations placed on companies to uphold rights-respecting conduct. In the EU context this implies not only horizontal coherence between different EU instruments as appropriate, but also vertical coherence with international standards. For the DSA specifically, horizontal coherence needs to be closely examined against the due diligence requirements foreseen in the yet to be adopted EU Corporate Sustainability Due Diligence Directive (CS3D), while vertical coherence with international standards requires alignment with the UNGPs and the international human rights framework more broadly.

This blog analyses how the provisions in the DSA on risk assessment, transparency and stakeholder engagement compare with the UNGPs, and concludes with recommendations for ensuring that the next steps towards implementation are aligned with the UNGPs where relevant.

The blog is based on both desk-based research and a series of consultations with stakeholders and experts carried out by the UN Human Rights B-Tech Project and the Centre for Democracy and Technology Europe.

Considerations regarding human rights due diligence/risk assessments

The process-oriented due diligence character of the DSA aligns in many parts with the UNGPs, but the DSA does not explicitly refer to “human rights due diligence”. The DSA obliges very large online platforms (VLOPs) and very large online search engines (VLOSEs) to carry out risk assessments taking into account a broad list of human rights risks, and to take risk mitigation measures in response to the risks identified. More specifically, the risk assessments must account for so-called systemic risks: the dissemination of illegal content, negative effects on fundamental rights, negative effects on civic discourse and electoral processes, and negative effects relating to other societal concerns such as public health, the protection of minors and online gender-based violence. The DSA also requires disclosure regarding specific practices, such as recommender systems. It is important that risks to any of the rights set out in the EU Charter of Fundamental Rights are assessed.

Further clarity is needed as to how “systemic risk” relates to the international human rights framework, notably the UNGPs, as well as guidance on how companies are expected to understand the definitions of the “systemic risks”, for example what constitutes a risk to “civic discourse and electoral systems”. Such guidance should be included in guidelines developed by the European Commission, which are currently foreseen for Article 35 (mitigation of risks) but not for Article 34 (risk assessments); it would be pertinent for the Commission to outline both how to assess and how to mitigate risks. This guidance should also define what constitutes a high-quality risk assessment regarding risks to people, for the purpose of auditing. A mix of social science and computer science methodologies for risk assessment may be required, as the systemic risk categories capture a broad range of issues with both social and technical implications.

Stakeholder engagement as part of the expectations towards company conduct

The requirements in the DSA for stakeholder consultation by VLOPs align with UNGP expectations insofar as the DSA encourages companies to involve independent experts, civil society organisations and affected persons in the process of complying with certain due diligence obligations. Hence, there is alignment with the UNGPs when it comes to drawing on internal and external human rights expertise (GP 18(a)), as well as involving the perspectives of potentially affected stakeholders (GP 18(b)).

“Providers of very large online platforms and of very large online search engines should ensure that their approach to risk assessment and mitigation is based on the best available information and scientific insights and that they test their assumptions with the groups most impacted by the risks and the measures they take. To this end, they should, where appropriate, conduct their risk assessments and design their risk mitigation measures with the involvement of representatives of the recipients of the service, representatives of groups potentially impacted by their services, independent experts and civil society organisations. They should seek to embed such consultations into their methodologies for assessing the risks and designing mitigation measures, including, as appropriate, surveys, focus groups, round tables, and other consultation and design methods. In the assessment on whether a measure is reasonable, proportionate and effective, special consideration should be given to the right to freedom of expression.”
~ (Recital 90 DSA)

The DSA differs from the UNGPs in not specifying methodologies for robust stakeholder engagement. Consequently, the depth and quality of the stakeholder engagement that companies carry out to comply with the DSA might not meet the standard required by the UNGPs if quality criteria are not further specified in the delegated acts or guidelines. Specifying such criteria would help to ensure that companies carry out meaningful human rights due diligence built on substantive stakeholder engagement, instead of the legislation potentially fostering an environment in which online platforms adopt a purely compliance-focused approach.

Transparency requirements for companies in scope

The DSA’s focus on transparency is an essential feature and resonates with the UNGPs, which call for communication as a means of providing transparency and accountability to individuals or groups who may be impacted, and to other relevant stakeholders, including investors. The transparency obligations imposed on VLOPs will generate data that will be useful not only for the EU, but also in global policy debates relating to platform accountability. At present, regulatory exercises depend on the limited data currently shared by companies. The routine transparency exercise triggered by the DSA will be vital to improve the quality of design, evaluate approaches, and showcase evolving best practices. This increase in transparency requirements can potentially drive a race to the top and help differentiate laggards from leaders in the field.


Often presented as an “adaptive regulation”, the DSA provides for several follow-up mechanisms. Such mechanisms should enable further clarity as to how “systemic risks” related to the dissemination of content relate to the international human rights framework. They should also ensure that alignment with the UNGPs is upheld and implemented in business practices to assess risks, provide transparency, and engage with stakeholders. The following key points will be important in guiding the next steps for DSA implementation and enforcement, led by the European Commission but relying on cooperation from both civil society and the companies in scope of the law, to ensure greater alignment with the UNGPs:

Risk assessment/human rights due diligence

  • Clarify the expectations towards human rights risk assessment and the importance of assessing and acting on human rights risks stemming from or linked to platform activities, prioritising measures according to the severity of potential adverse impacts (with scope, scale and remediability as assessment criteria); this includes specifying what constitutes a good approach for assessing risks to people for the purpose of auditing.
  • Describe more clearly what constitutes a systemic risk; for example, provide guidance as to how concepts such as ‘civic discourse’ or ‘democratic participation’ are to be understood by the platforms and search engines undertaking the risk assessments, and anchor these debates in the standards at stake, namely the rights to freedom of expression, freedom of assembly, freedom of association, privacy and participation.
  • Issue guidelines for the risk assessments as well as the already foreseen guidelines on mitigation of risks, using the UNGPs and other examples of human rights impact assessments as a reference.

Stakeholder Engagement

  • Emphasise that complying with the DSA needs to include robust stakeholder engagement, particularly with potentially affected stakeholders as stipulated in the UNGPs, including a broad range of representative CSOs working on human rights in the digital space.
  • Ensure a strong consultative role for stakeholders, including civil society and affected people and groups, in supporting the EC and national regulators in monitoring the implementation and enforcement of the DSA, and in holding platforms to account for their due diligence and transparency obligations.

Transparency
  • Ensure that disclosures by companies are structured in a format that provides meaningful information for stakeholders, including about how the voices of potentially affected stakeholder groups, including users and non-users, have informed company policy.
  • Require companies to make information public using clearly defined metrics and methodologies, to allow stakeholders to differentiate laggards from responsible leaders and to track progress over time on content moderation policies, procedures and practices and how these relate to human rights.
  • Align follow-up mechanisms, including the enforcement architecture, with the UNGPs. The recommendations and guidance produced by the UN B-Tech Project and the Accountability and Remedy Project of OHCHR should inform the design of the enforcement architecture.

These points will need to be considered in the context of the risk assessments, and the DSA as a whole, being an iterative process, with recommendations incorporated as more insight into the Article 34 and 35 processes becomes available. It is important to make sure that implementation and enforcement of the DSA is conducted with a global perspective in mind, in terms of consistency in the UNGPs’ application. Implementing these recommendations will ensure that a ground-breaking piece of regulation like the DSA contributes to policy coherence in the area of tech regulation, ensuring better human rights protection while not sending mixed signals to businesses, not only in relation to international human rights standards such as the UNGPs but also in relation to other relevant EU files such as the CS3D and to other jurisdictions, in particular regarding expectations towards risk assessment and human rights due diligence.