The DSA’s crisis approach: crisis response mechanism and crisis protocols

Introduction

As the recently published Digital Services Act (DSA) becomes applicable to the biggest platforms, the debate about this new regulation keeps on gaining momentum. While the online platforms have just published their Average Monthly Active Recipients – which will lead to the European Commission’s designation of some of them as Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs) – many questions remain open on the operationalization, implementation and enforcement of the special obligations applicable to VLOPs and VLOSEs.

Alongside systemic risk mitigation obligations, the DSA also introduces significant rules on the measures that platforms must adopt in times of crisis, as set out under the provisions on the crisis response mechanism and voluntary crisis protocols.

In particular, the hastily-added crisis response mechanism (Article 36), together with the voluntary crisis protocol (Article 48), has caused quite a stir within civil society. The voluntary crisis protocol provision already found its way in the DSA in the original proposal, but the crisis response mechanism was added during the third trialogue in March 2022. Both crisis provisions have been added due to online platforms’ important role in the dissemination of information in crisis times – important and reliable information on the one hand, and disinformation and propaganda on the other hand.

The trigger for adding the crisis response mechanism stems from Russia’s invasion of Ukraine and the European Commission’s wish to require VLOPs to take certain additional measures in times of crisis (Recital 91). The introduction of the crisis response mechanism came after the EU Council’s ban of Russia Today and Sputnik which included the platforms’ obligation to ban all of Russia Today’s and Sputniks’ content on their services.

As stated, the crisis provisions caused a lot of debate; 38 civil society organizations signed a statement in April 2022 expressing serious concerns around the crisis provisions. One of the main concerns was the Commission’s power to “unilaterally declare an EU-wide state of emergency”. In addition, the Commission defined “crisis” rather vaguely, based on which the Commission would be able “to uphold crisis measures for years on end” – leaving room for concerns around the rule of law, legitimacy and legal certainty. Next to that, due to the lack of time limit in the provision, the Commission would be able to “quasi-permanently restrict the public access to and dissemination of information, until challenged in court”. Lastly, the wording of the crisis response mechanism made the provision too open to considerable interpretation, and highly controversial. The then-proposed provision “would enable far-reaching restrictions on freedom of expression, and of the free access to and dissemination of information for millions of people”, as described by AccessNow.

In this blog post, we will see to what extent the critiques have been addressed in the final version of the DSA. We will do so by looking at what these crisis provisions entail, what exactly qualifies as a crisis, the interplay between the European Board for Digital Services (the Board), the Commission and platforms during such crises and lastly: the position of fundamental rights during these crises.

Although some of the critique has been addressed, many questions remain unaddressed. For example, the Commission cannot unilaterally declare a state of crisis anymore, and (some form of) time limits for the measures have been added to both of the provisions. Nevertheless, the Commission still has a large amount of power, mainly due to vague definitions and effort obligations, rather than clear, unambiguous language and hard obligations.

Article 36 – Crisis response mechanism

First, let us take a closer look at the contents of the first crisis provision: the crisis response mechanism in Article 36. The provision is addressed at VLOPs and VLOSEs, not all online platforms.

In case of a crisis, the Commission can – upon recommendation by the Board – adopt a decision that requires VLOPs or VLOSEs to take one of the following actions:

  1. Assess whether their service significantly contributes to a crisis (Article 36(1)(a));
  2. Take measures that prevent, eliminate or limit that contribution (Article 36(1)(b));
  3. Report to the Commission on the assessment (Article 36(1)(c)).

Recital 91 seeks to clarify what such measures (Article 36(1)(b)) could entail with examples such as “adapting content moderation processes”, “adapting terms and conditions, relevant algorithmic systems and advertising systems”, “further intensifying cooperation with trusted flaggers” or “promoting trusted information”. Risk mitigating measures in Article 35(1) and voluntary crisis protocols in Article 48(2) are mentioned as possible measures to apply under Article 36(1)(b) as well. As some of these measures are quite vaguely defined (e.g., “adapting content moderation processes”), it is hard to predict what actual, concrete measures can be expected. In addition, Article 36(1)(b) states that the measures may also be of a pre-emptive nature (instead of only mitigative). This would broaden the scope of possible measures even further. The Commission shall ensure that the measures will not exceed a period of three months (Article 36(3)(c); this could be in response to the earlier described civil society critique that a time limit must be included in the provision.

The choice of “specific” measures remains with the VLOPs themselves (Article 36(5)), but the Commission monitors those measures (Article 36(7)) and may “engage in a dialogue” with the VLOPs to assess whether those measures are effective and proportionate (Article 36(6)). In case the Commission considers the measures undertaken by VLOPs to be ineffective or inappropriate, the Commission can require VLOPs to review the measures (Article 36(7)) or cease to apply the measures (Article 36(8)(a)).

In short, under Article 36, the Commission may require VLOPs to take certain measures to mitigate risks stemming from a crisis situation. Although the VLOPs can decide on the substance of those measures themselves, the obligation to take measures, is binding and stems from the Commission together with the Board. How the DSA defines ‘crisis’, I return to below after discussing voluntary crisis protocols.

Article 48 – Voluntary crisis protocols

In addition to Article 36, Article 48 DSA states that the Commission may initiate drawing up voluntary crisis protocols to address crisis situations in the online environment. The Commission may initiate these crisis protocols for example when “online platforms are misused for the rapid spread of illegal content or disinformation or where the need arises for rapid dissemination of reliable information” (Recital 108).

The Commission may initiate the drawing up of these voluntary protocols on recommendation of the Board (Article 48(1)). VLOPs, and where appropriate other platforms and search engines, are encouraged to participate in drawing up, testing and application of those crisis protocols (Article 48(2)). Some of the measures that the Commission aims to include in the protocols are:

  1. Prominently displaying information from public authorities and other “reliable” bodies on the crisis (Article 48(2)(a);
  2. The instalment of a point of contact for crisis management by VLOPs (Article 48(2)(b);
  3. Adaption of the resources dedicated to compliance with several of the platforms and VLOPs’ obligations, such as the notice and action mechanism (Article 16), trusted flaggers (Article 22) and the risk mitigating measures (Article 35) (Article 48(2(c)).

The Commission “shall aim to ensure” that the crisis protocols, among other things, set out the parameters based on which a crisis has been identified, the time frame for the protocol and safeguards to address negative effects on the exercise of fundamental rights (Article 48(4)). It is quite remarkable that the Commission shall only “aim to ensure” to disclose this information as access to this information is crucial to assess the legitimacy and the efficacy of these decisions.

In case the Commission finds that a crisis protocol fails to effectively address the crisis situation, which includes failing to safeguard fundamental rights, it shall request VLOPs to take additional measures.

Definition of “crisis”

One of the most important questions about the crisis provisions is: what qualifies as a crisis? As mentioned above, much of the critique from civil society was focused on the lack of a clear definition. This critique might be understandable; even though Article 36 is quite lengthy with 11 paragraphs and almost 1,000 words, the Commission opted to define “crisis” in only one sentence (Article 36(2)):

“[…] a crisis shall be deemed to have occurred where extraordinary circumstances lead to a serious threat to public security or public health in the Union or in significant parts of it”.

Thus, in short, a serious threat to public security or public health – connected to an extraordinary circumstance – can be regarded as a crisis. Although the title of the provision suggests that it is about the instalment of a response mechanism, the earlier mentioned pre-emptive nature of Article 36 (broadening the scope of possible measures by including preventive measures) is evident in its focus on threat.

The question then shifts to what qualifies as a “threat”. In what stage a threat can be established, is not specified by the DSA, other than that the threat must be “serious”. Recital 91 clarifies this only by way of examples instead of criteria. These examples contain broad concepts such as “armed conflicts”, “acts of terrorism”, “natural disasters”, “pandemics”, even including “emerging conflicts” (by which the pre-emptive nature of the provision is stressed again). By the wording of Article 36, it thus seems that the Commission aims to prepare for a broad range of possible crises, even including the stages leading up to such a crisis. We live in a world in which systemic and interrelated crises are integrated in our daily lives; only think of the climate crisis. With such a broad definition of “crisis”, the Commission could, provided that the Board is on board, indirectly impose far-reaching measures on the access to information. From a fundamental rights perspective, and particularly when considering the principles of legality and the rule of law, these vague and non-defined terms appear problematic. Article 48 defines “crisis situations”, rather than “crises” slightly differently than Article 36 in paragraph 1:

“[…] extraordinary circumstances affecting public security or public health.”

The difference is that Article 36 includes “serious threats” under its definition of a crisis, while Article 48 refers only to – apparently – situations that affect public security or public health. This implies that the definition in Article 48 is narrower than Article 36, because Article 48 is not pre-emptive and ‘only’ covers situations in which public security or public health is actually affected. The political and social context in which these provisions will operate – where current and incoming systemic crises are intertwined and will mutually aggravate each other – warrant the question of whether recourse to crisis mechanisms and crisis protocols might become anything but exceptional in the future. Despite the fact that the use of a word like “extraordinary” implies differently, the broad wording allows for extensive interpretation of crisis situations, and therefore creates a low threshold for the Commission to take action based on the crisis provisions in the DSA. Notably, where Article 36 requires the Commission to aim to ensure to limit the measures to a period of three months, under Article 48, the Commission shall ensure to set out “a clear procedure for determining the period” of the measures (although this period would be strictly necessary for addressing the crisis).

What measures to expect?

The above paragraphs are an attempt to briefly explain the essence of the two crisis provisions that are, despite their length, not very clear as fair amount is open to considerable interpretation. This section discusses the possible measures that platforms can apply to address crisis situations.

Measure 1: dissemination of reliable information

As mentioned, one of the main measures that platforms can take under both provisions, is the dissemination of information “provided by Member States’ authorities” or “other relevant reliable bodies” (Article 48(2)(a), see also Recitals 91 and 108 on “trusted information” and “reliable information”)).

Despite the fact that the intention to counteract disinformation might be understandable, it is also controversial. Because who decides what falls under “reliable information”? Member states? The Commission? Platforms themselves? Although Article 48 states that this information should be provided by Member States’ authorities or other reliable bodies, it does not clarify who appoints those reliable bodies and what information qualifies as reliable or trustworthy.

The Council of Europe has published important guidance with standards from the Council of Europe on the prioritisation of public interest content online. The Guidance note states that “States may, where necessary, introduce appropriate and proportionate measures to ensure prominence of public interest content online” (in line with the Guidance note) , but also notes that “States should refrain from obliging platforms and intermediaries to carry specific pieces of content or specific information that these States deem to be of public interest” under paragraph 17. In case states do require prioritisation of public interest content, the requirements “should be framed in general terms” to allow platforms “a considerable margin of discretion as to the implementation”, so they can develop “more detailed criteria to determine public interest content”. So, based on the Guidance note, platforms themselves should in the end decide in a transparent, fair and non-discriminatory manner on their prominence of public interest content regimes, albeit in line with the principles as laid down in the Guidance note.

Article 48 DSA does not clarify who decides on the actual policies, nor does it specify based on what criteria content can be qualified as reliable. Therefore, it cannot be determined whether Article 48(2)(a) is in actual contradiction with the Guidance note as provided by the Council of Europe, but the fact that Article 48 does not specify these important matters can be problematic in itself. This Guidance note may prove useful for future implementation of Article 48 in a human-rights compliant manner.

Measure 2: point of contact

The second measure that Article 48 proposes, is the instalment of a specific point of contact for crisis management (Article 48(2)(b). This can be an electronic point of contact as referred to in Article 11, or the compliance officer that VLOPs and VLOSEs must install (Article 41). Recital 42 states that trusted flaggers can also “use” the point of contact for platforms, which seems to mean that – apart from the Board, the Commission and Member States – trusted flaggers too, can approach the point of contact directly, for example to bring illegal and crisis related content to the platforms’ attention. For VLOPs, this point of contact can be their compliance officer(s). The compliance officer has, among other things, the task to monitor VLOPs’ compliance to commitments made under the voluntary crisis protocol (Article 41(3)(f)).

Measure 3: adaption of resources

The last possible measure that Article 48(2)(c) states, the adaption of resources, leaves room for a lot of questions. First and foremost: what does “adaption of resources” mean? And what resources are we talking about? The provision refers to resources dedicated to compliance with five other DSA provisions, which are: the notice and action mechanism (Article 16), the internal complaint-handling system (Article 20), the use of trusted flaggers (Article 22), measures and protection against misuse (Article 23) and lastly the risk mitigation measures (Article 35). Although this list may narrow the scope of the resources, it is still unclear what the provision entails. Is this about increasing the budget for trusted flaggers? Or broadening the scope of notifications that can be submitted via the notice and action mechanism, for example by allowing notifications of (lawful) disinformation?

Other measures

The crisis response mechanism provision (Article 36) refers to these three measures as laid down in Article 48, but it also names the measures as laid down in Article 35(1), governing the risk mitigation by VLOPs. Such measures include the adaption of algorithmic systems, including recommender systems, cooperation with trusted flaggers, taking awareness-raising measures and adapting their online interfaces to give users more information. This seems in alignment with Recital 91 that states similar measures that can be applied under the crisis response mechanism.

Supervision – what if platforms say no?

What happens in case the Commission and a platform don’t agree on the crisis measures and a platform refuses to incorporate measures as suggested by the Commission? Let’s digest what the two crisis provisions state about supervision.

Crisis response mechanism – Article 36

Formally, under Article 36, VLOPs have the last say in what measures to apply. But we will see that the Commission probably will be involved “behind the scenes” in the choice of measures under the crisis response mechanism.

In case the Commission considers the measures to be ineffective or inappropriate, the Commission – acting on the Board’s recommendation – may require the VLOP to (1) cease (Article 36(8)(a)) or, after consulting the Board, (2) review the measure (Article 36(7)). The first scenario is simple: VLOPs should simply stop the measure at hand. But the second scenario is a little bit more diffuse: what exactly does it mean “to review”? The requirement to review is legally binding, but what happens after the obligatory review?

Technically speaking, it seems like VLOPs are allowed to review, and then to decide to keep on applying their measures. But it might be more realistic to state that VLOPs probably won’t be entirely free to decide what measures they want to apply and that the Commission will be involved anyway. For example, the Commission monitors the application of the measures (Article 36(7)). Although the provision does not specify what this monitoring task encompasses, there is some form of supervision on compliance. Additionally, the Commission can “engage in a dialogue” with VLOPs to discuss the effectiveness and proportionality of the measures as applied by VLOPs (Article 36(6)).

These two forms of involvement by the Commission could be interpreted as the Commission wanting to nudge VLOPs taking certain alternative measures, instead of legally ordering platforms to do so. But none of this can be substantiated until we have actually hit crisis mode in the eyes of the Commission and the Board. Until then, what happens after the review, and what the monitoring by the Commission further entails, is not easy to predict.

Voluntary crisis protocol – Article 48

The nature of the protocols set out under Article 48 is voluntary. For both VLOPs and non-VLOPs, the Commission can only request the platform to revise the protocol, but it cannot enforce any changes to the protocol or its measures (Article 48(5)). For VLOPs though, non-compliance to the crisis protocols they have voluntarily adhered to, can eventually lead to sanctions under the risk mitigation framework as laid down in Section 5 of the DSA.

The supervision process for Article 48 brings some questions. Article 48(3) states that “the Commission shall, as appropriate, involve Member State’s authorities, and involve Union bodies, offices and agencies” in drawing up, but also supervising the crisis protocols. How these actors relate to each other is not specified.

In any way, in case the Commission does not agree with a platform’s undertaken measure, the Commission shall request the platform (also possibly non-VLOPs) to revise the protocol, including taking additional measures (Article 48(5)). So far, this is still voluntary and thus in line with the nature of the provision; the Commission can only make request platforms to revise the measures, but it cannot prescribe specific actions.

Adherence to crisis protocols has more significant implications for the VLOPs, which are subject to independent audits. Part of that audit is to assess compliance to any commitments undertaken pursuant to the crisis protocols (Article 37(1)(b)). In case the audit report is not ‘positive’”, the VLOP has to take due account of the recommendations addressed to it (Article 37(6)). It can do so by either implementing those recommendations or by setting out alternative measures to address non-compliance.

A VLOP’s failure to comply with its commitments under a crisis protocol can become relevant as a systemic risk mitigation measure under Article 35(1)(h). If that is the case, then the whole risk mitigation framework would become applicable, including potential fines in case of infringement (Artice 74). In that sense, VLOPs’ adherence to a crisis protocol may start off as voluntary but non-compliance can have serious consequences.

Interaction between the Board and the Commission

Another important facet of this EU-wide crisis management is who decides when a crisis occurs. One of the main critiques from civil society was based on the fact that the former Article 27a DSA, the crisis response mechanism, stated that the Commission could unilaterally declare a crisis situation which would have far-reaching restrictions on freedom of expression and information, as described below. This seems to have been changed: under Article 36(1), the Commission is entitled to declare a crisis, upon recommendation of the Board. The Board should also be involved when the Commission wants to require platforms to review their crisis mitigation measures under the crisis response mechanism (Article 36(7)) or when the Commission wants to require VLOPs/VLOSEs to cease application of those measures (Article 36(8)). More generally, “the Commission shall take utmost account of the recommendation of the Board issues pursuant to this Article” (Article 36(10)). The Board may also recommend the initiation of the crisis protocols (Article 48(1)).

The Board is an independent advisory group consisting of delegates from member states’ Digital Services Coordinators (Article 61). Each member state shall have one vote (and thus one representative) (Article 62). The Board can – by voting of simple majority (Article 62(3)) – recommend the Commission to adopt a decision requiring platforms to take action related to the crisis. The Board’s involvement may help to legitimise the crisis decision, since all member state DSCs can have their say (instead of the Commission only).

Fundamental rights during crisis times – a weakened position?

As mentioned in the beginning of this blog post, much of the criticism on the crisis provisions relates to the possible negative effect on fundamental rights, particularly the right to freedom of expression and information. The first draft of the crisis mechanism was criticised as the Commission could require platforms in a unilaterally-declared and vaguely-defined crisis to take set of ill-specified measures that could directly impact the information that EU citizens are able to impart for an unknown period. This would enable far-reaching restrictions on the free flow of and access to information, thereby possibly interfering with the right to freedom of expression and opinion as enshrined in both Article 10 ECHR and Article 11 of the EU Charter. This section will look into whether the critiques around the possibly weakened position of fundamental rights, in particular the freedom of expression and opinion, have been addressed in the crisis provisions.

First, for the crisis response mechanism, under Article 36(1), VLOPs “shall take due account” of potential implications for fundamental rights as enshrined in the Charter when applying crisis measures. The Commission shall on their side “ensure” that the actions that they require VLOPs to undertake are “strictly necessary, justified and proportionate”, having regard to the “actual or potential implications for the rights and legitimate interests of all parties concerned, including the possible failure of the measures to respect the fundamental rights enshrined in the Charter”. Despite the fact that these obligations are binding for both parties (what does it mean though to “take due account”?), this wording seems to read a bit pessimistic; almost as if the Commission already envisages the possible failures to respect fundamental rights, including its own failure.

Second, for crisis protocols, under Article 48(4)(e), the Commission “shall aim to ensure” that crisis protocols “set out clearly” safeguards to address any “negative effects on the exercise of the fundamental rights enshrined in the Charter, in particular the freedom of expression and information”. In contrast to Article 36, the Commission is only required to “aim to ensure”.

In the case then that platforms actually fail to safeguard the exercise of fundamental rights in a crisis protocol, they can be requested by the Commission to revise the protocol and take additional measures (Article 48(5)), but again – it is unclear what revision means and what those measures could entail.

To end on a positive note, according to Article 36(8)(c), the Commission may amend its decision requiring VLOPs to apply crisis controlling measures “by taking account of experience gained in applying the measures, in particular the possible failure of the measures to respect the fundamental rights enshrined in the Charter”. This way, it seems like the Commission has given itself some leeway to adapt its decisions based on knowledge obtained along the way, in order to safeguard fundamental rights.

Closing remarks

Although this blog post might have raised more questions than it gave answers, it hopefully contributes to unwrapping these complex, yet very important DSA crisis provisions. Many of the open questions around the crisis due diligence rules revolve around the unclear interaction between these two provisions, as they barely reference each other. As we live in a time of multiple crises – the climate crisis, the war in Ukraine, Covid-19 – these provisions become particularly relevant and increasingly likely to be used. Therefore, it also becomes increasingly relevant to understand how these provisions will be operationalised and to make sure that their application is consistent with fundamental rights.