The Enforcement Aspects of the DSA, and its Relation to Existing Regulatory Oversight in the EU
Bengi Zeybek and Joris van Hoboken
(Institute for Information Law, IViR – University of Amsterdam)
Effective implementation and enforcement of the DSA are crucial to realizing its goals: promotion of fundamental rights and innovation in digital services, and harmonization of rules to improve and safeguard the functioning of the internal market. The DSA has been subject to extensive discussion in the context of the new obligations it introduces for providers of digital services (for example, risk mitigation obligations and freedom of expression, data access and scrutiny, recommender systems). But so far relatively limited attention has been paid to its provisions about enforcement and oversight (for example, here and here). In fact, some of the most significant changes in the Council’s general position on the DSA to the proposed text of the Commission concern the supervision and enforcement chapter of the DSA (Chapter IV). The draft of the DSA approved by the European Parliament (see an analysis of the IMCO Committee’s final report on the DSA here), makes it mandatory for the Commission to start proceedings against VLOPs suspected of having infringed any provision of the DSA or found to have infringed the provisions on additional obligations applicable to VLOPs.
One important perspective on the enforcement structure proposed in the DSA concerns its interplay with existing and future enforcement structures under other related Union law applicable to intermediary service providers. Broad in scope, the DSA introduces rules that are closely related to other areas of law (e.g. data protection, audio-visual media regulation, consumer protection, telecommunications, terrorism content), which are already subject to oversight by independent national regulatory authorities. Risk of overlapping or conflicting measures for digital services providers may obscure enforcement goals, hamper the effectiveness of the DSA and internal coherence of EU law. One may imagine citizens may feel confused as to how best to enforce their rights considering this patchwork of applicable legislation and regulatory oversight. This unclear enforcement environment would also be unfavourable to achieve the goals of the Digital Single Market. This blog post briefly discusses the enforcement aspects of the DSA, and its relation to existing enforcement structures applicable to intermediary service providers in the EU.
The enforcement of the E-Commerce Directive (ECD), the predecessor of the DSA, relied on self-regulatory initiatives, with Member States having wide discretion in the regulation of platforms (Article 16 to 20 of the ECD). Within that framework, some countries, such as France and Germany put in place national legislations on platform content regulation. As part of the Digital Single Market strategy, the EU, too, adopted a number of legal instruments applicable to online service providers. Some of these are vertical (Directive on Copyright in the Digital Single Market, Regulation on addressing the dissemination of terrorist content online), some are horizontal (the General Data Protection Regulation and consumer protection laws such as the Consumer Protection Cooperation Regulation) and some sectoral (Audiovisual Media Services Directive and e-Privacy Directive) in nature.
The enforcement regimes set up under other related Union acts mentioned above may overlap or conflict with those envisioned for the enforcement of the DSA, as they oversee the application of closely related areas of law. For example, the Commission’s proposal does not align itself with the existing consumer protection laws on mandatory disclosures by traders who conclude online contracts with consumers (Article 22 of the Commission’s Proposal). Obligations under consumer protection laws are already subject to enforcement by national and European bodies. On matters related to data protection, the EDPB expresses concern that the processing of personal data is central to the activities regulated in the DSA (e.g. obligations on risk mitigation and recommender systems), which may risk conflicting guidance or even different outcomes in enforcement actions by supervisory authorities.
The DSA aims to close the regulatory gap and address the national fragmentation that emerged under the ECD with horizontally applicable fully harmonized rules and requires the assignment of an independent national agency tasked with the enforcement of the DSA itself. One of the justifications found in the Explanatory Memorandum for the horizontal (cross-sectoral) scope of the DSA is that existing sector-specific instruments do not provide fully-fledged rules on the procedural obligations related to illegal content. The DSA will apply without prejudice to other acts of the Union law regulating the provision of online services such as the AVSMD, the Regulation on addressing the dissemination of terrorist content online, the e-Privacy Directive, the Unfair Commercial Practices Directive (Recital 10) and Union rules on copyright and related rights (Recital 11). The GDPR will apply to all aspects of the DSA that involve processing of personal data.
Enforcement and Oversight Structure under the DSA
In its Chapter IV, the DSA outlines the proposed framework for enforcement, implementation, cooperation and sanctions. In line with the delicate balance between the country of origin principle and the wish of Member States to exercise power over online platforms directly, it reflects a complex interaction between national and European authorities. It gives strong enforcement powers to the Commission for the supervision of the VLOPs’ obligations and establishes cooperation mechanisms to facilitate stakeholder participation in the enforcement of the DSA violations.
The Commission’s Proposal appoints the Digital Services Coordinator (“DSC”) of the Member State of establishment as the main enforcement authority (Article 38 and 40). Member States will also be able to designate other competent authorities for the enforcement of the DSA, for example for specific sectors, such as electronic communications’ regulators, media regulators or consumer protection authorities (Recital 72 and Article 38). DSCs are also responsible for coordination at national level for the enforcement of the DSA: DSCs shall cooperate with each other, other national competent authorities, the European Board for Digital Services (“EBDS”) and the Commission (Article 38(2)). DSCs are endowed with investigation (e.g. retrieving evidence), enforcement (e.g. making compliance agreements, imposing fines and other interim measures) and other additional powers available upon exhaustion of the aforementioned powers (e.g. applying for injunctions). Additionally, the DSA sets up EBDS as an independent advisory group of national Digital Services Coordinators (Article 47), to be chaired by the Commission.
Where a DSC of establishment finds that a VLOP infringed its obligations under Section 4 of Chapter III (on risk mitigation, independent audits, recommender systems, data access and scrutiny and enhanced transparency obligations) it must make use of the ‘enhanced supervision for very large online platforms’ (Article 50). In doing so, it must take into account the recommendation and opinion of the Commission and the Board. The Commission can also initiate proceedings at its own initiative or upon the Board’s recommendation against VLOPs (Article 51).
The Council’s position on the DSA further strengthens the enforcement powers of the Commission, perhaps to prevent enforcement problems emerged as a result of the country of origin principle under the GDPR. For EU consumer protection, the CPC Regulation provides a similar centralized enforcement framework under the Consumer Protection Cooperation (CPC) network, with the Commission coordinating actions that relate to widespread infringements with a Union dimension.
The Council position, too, designates the DSC of establishment as the principal enforcement and supervisory authority for intermediary service providers that do not qualify as VLOPs or VLOSEs. Different from the Commission’s Proposal, obligations such as risk mitigation, independent audits, and data access obligations under Section IV of Chapter III for VLOPs and VLOSEs, the Commission is given exclusive powers for enforcement and supervision. Enforcement and supervision powers for the rest of the obligations set out for VLOPs and VLOSE are shared between the Commission and Member States, to the extent that the Commission has not acted. Furthermore, a mutual assistance scheme that facilitates information sharing between the Commission, the Board, and the DSCs of destination is included in Article 44b of the Council’s position.
Other Relevant European and National Enforcement Structures
How do the enforcement mechanisms explained above interplay with existing enforcement structures established under other acts of the Union? As mentioned above, the DSC of establishment is key to the enforcement of the DSA, in line with the country of origin principle. The DSC function did not exist before (in contrast to the GDPR and Data Protection Authorities), so at the national level, there remains a confusion as to who will be appointed as the DSC. Indeed, at the national level, legal and institutional context of platform regulation are complex and varied among Member States, involving different administrative bodies that may be potential DSCs. These may be new independent administrative authorities created under new laws (see, for example, the Netherlands and Ireland) or existing supervisory authorities (see, for example, Germany). Beyond the body that will be assigned as the DSC (and additional competent authorities), their hierarchical relationship with other independent regulatory bodies and at which instances competent authorities would be performing tasks related to the DSA and when related to other laws are other issues that still need to be addressed. This is a pressing concern also because DSCs may be additionally tasked with enforcing other laws: the Proposed Regulation on the Transparency of Political Advertising foresees DSCs to enforce some of its provisions.
The DSA aims to ensure unity of its enforcement through strong cooperation mechanisms between the DSCs, national competent authorities and the Board and the Commission (Articles 38, 44, 45, 46). But the proposed DSA pays little explicit attention to other relevant enforcement authorities to address situations of potential overlap in competencies and lacks institutionalized and structured cooperation between other competent oversight authorities in matters of mutual concern. One common criticism in this regard (see BEUC, EDPB, and ERGA) is that the DSA fails to provide a clear legal basis for the DSCs, the EBDS and the Commission to cooperate and/or consult with other EU enforcement networks. The involvement of other regulatory bodies is generally discretionary: Article 38(2) of the Commission’s Proposal leaves it at the Member State discretion to provide for regular exchanges of views with other authorities. The EBDS may invite other national authorities to the meetings (Article 48(1) of the Commission) and may cooperate with other Union bodies, offices, agencies, and advisory groups (as well as external experts as appropriate (Recital 91 and Article 48(5) of the Commission).
Considering the many obligations applicable to online platforms, the Commission as the central EU-regulator to supervise VLOPs as proposed by the Council may be a positive development to ensure consistent application of the DSA. Still, while performing its enforcement duties for VLOPs, in particular on risk assessment, recommendations and audits, the Commission may also have to deal with country-specific issues such as the permissible limits of free speech, which may necessitate coordination with sector-specific national bodies. The Commission’s coordination with national and European bodies is also necessary to ensure consistency of enforcement against smaller platforms for obligations not specific to VLOPs.
However, concerns over the independence of the Commission as an executive body, including in its position as the chair of the EBDS, and its legitimacy as the central regulator as foreseen in the Council’s position still stand. If the Commission is to be the sole enforcement body for VLOPs for the abovementioned obligations, another outstanding issue would be the composition of the department that would oversee the enforcement of the DSA within the Commission and how and whether it would secure the expertise and resources to ensure compliance of VLOPs’ specific obligations under the DSA.
On the other side of the coin is that speed and efficiency is key to achieving enforcement and implementation goals. As mentioned above, many stakeholders call for clear mechanisms for further cooperation and coordination among other relevant enforcement bodies. Given the cross-border nature and multiplicity of services provided by VLOPs, stringent cooperation and coordination efforts may cause delays in enforcement of the DSA. The other way around, DSA enforcement efforts, especially given the expertise and resources they require (see Article 49a of the Council position and the Article 38(4a) of the EP position), should not interfere with the enforcement of other relevant acts of the Union.
The DSA introduces some remarkable set of obligations for platforms for a safer online environment, subject to independent regulatory oversight, thereby leaving the age of content self-regulation behind us. But it seems like effective cooperation and an ongoing intent to make compromises between Member States, the Commission and the Board will be essential to the successful enforcement and implementation of the DSA. Indeed, proper enforcement of the DSA calls for a nuanced set of actions and diligent cooperation and coordination. In any case, it seems necessary to identify and address possible overlaps and conflicts with other relevant acts of the Union law to prevent fragmentation in the supervision of the DSA and to ensure its smooth implementation.
Joris van Hoboken is a Professor of Law at the Vrije Universiteit Brussels and an Associate Professor at the Institute for Information Law, University of Amsterdam. He works on the intersection of fundamental rights protection (privacy, freedom of expression, non-discrimination) and the regulation of platforms and internet services. At the VUB, he is appointed to the Chair ‘Fundamental Rights and Digital Transformation’, established at the Interdisciplinary Research Group on Law Science Technology & Society, with the support of Microsoft.