More than an advisory group: why The European Board for Digital Services has key roles in DSA enforcement

/in

Julian Jaursch

Two days after the Digital Services Act (DSA) became applicable in its entirety across the EU, a new group of regulators introduced by the DSA met for the first time: On February 19, 2024, the European Board for Digital Services (“the Board”) had its inaugural meeting in Brussels. While it is billed merely as an “independent advisory group” in the DSA (Article 61(1)), the Board has important functions beyond this rather modest description. It is indispensable in key areas of the DSA implementation and enforcement process, such as risk assessments for very large online platforms (VLOPs, that is, services with more than 45 million users per month in the EU) or data access requests filed by researchers.

The Board’s full role does not become obvious from only considering the DSA articles describing its structure and tasks. So, in addition to looking at this basic job description, this contribution lays out the main responsibilities found elsewhere in the DSA (see figure 1). It argues that the Board has the potential to become a valuable forum for exchange, a motor for timely secondary legislation and a deliberative check on regulatory decisions, especially if it builds strong relationships with research and civil society organizations, for example, via a dedicated outreach unit. Whether this potential can be realized depends on its members, that is, the 27 national Digital Services Coordinators and the European Commission.

Figure 1.

 

1. The Board as an important forum for exchange

The DSA provisions which define the composition and task of the Board are quite concise. As will be argued, this allows for enough space to be ambitious and develop the Board into a strong, well-connected group in the interest of consumer-friendly and proportionate enforcement of the DSA. Three DSA articles describe the Board’s overall role, structure and tasks (Articles 61-63), which can be summarized as follows:

  • The Board is an independent advisory group made up of all Digital Services Coordinators (DSCs) and the Commission. The DSCs are the national regulators overseeing DSA enforcement in the member states (for an analysis of their roles, see Jaursch 2024).
  • The Commission chairs the Board meetings but does not have voting rights, whereas member states have one vote each.
  • The Board’s goals are to contribute to a consistent application of the DSA and specifically to guidelines and analysis, and to assist the Commission and DSCs in VLOP oversight. To achieve these goals, the Board is tasked with supporting joint investigations, analysis of DSA reports and the development of standards, issuing opinions and recommendations to the DSCs and advising the Commission.
  • The Commission must provide administrative support for the Board and consent to its rules of procedure.
  • The Board can invite external experts and consult with interested parties.

This basic overview reveals two important features of the Board: the diversity of its members’ institutional backgrounds and its explicit role as a forum to engage with outside experts. The membership’s diversity stems from the fact that EU countries have nominated regulators from various fields to be their DSCs. As this overview shows, in some member states such as Austria and Ireland, the media regulators will be the DSC, whereas other member states have designated competition or consumer protection authorities (Denmark and Latvia, respectively) and still others like Czechia and Romania opted for their telecoms regulator (some member states also have “converged” regulators covering a number of the mentioned regulatory fields which will become DSCs, such as the Netherlands). Consequently, the Board will be made up of regulators with different fields of expertise. This is in contrast to groups such as the Body of European Regulators for Electronic Communications (BEREC), the European Data Protection Board (EDPB) or the soon-to-be-established European Board for Media Services, which bring together only telecoms, data protection and media regulators, respectively.

The fact that the Board is given the option to engage with various regulatory but also non-regulatory organizations (Article 62(5) and (6)) underscores its role as a forum for exchange. Reading the Board’s basic set of tasks, this shines through as its major function. It not only connects national regulators to each other and to the Commission, but also explicitly foresees contact with outside experts, leading to information exchanges and non-binding recommendations.

The information exchange facilitated by the Board can potentially cover a wide range of topics, as the Board’s remit is rather broad. For instance, the first objective mentioned speaks of “contributing to the consistent application” of the DSA (Article 61(2)a). This provides the Board the opportunity to speak out on virtually all matters related to enforcing the DSA. Another example is the Board’s task to contribute to the analysis of “emerging issues” regarding the DSA (Article 61(2)b). This is, again, an option for an ambitious Board to collate practical experiences, conduct or fund studies and produce opinions on diverse topics. The Board is in a particularly good position to do this because it brings together national and EU-level enforcement experiences, combines knowledge and networks from various regulatory fields and can deliberately count on external expertise. Whether the Board can thus tap its full potential, depends on how motivated the Board members are and how many resources they can muster. Without determined and resourceful Board members, the wording carries the risk that the Board will only take on a passive role and rarely take the initiative simply because the DSA contains such a wide-ranging and vague list of its role and tasks.

Beyond this information-sharing and network-building role, the Board’s basic job description does hint at some other tasks. For example, it mentions the crisis response mechanism (Article 62(3)). That is not the only area where an explicit role in enforcement is reserved for the Board, though. There are a number of key DSA procedures that require the Board involvement, as the next section shows.

2. The Board as an essential part of DSA enforcement

The first section presented the Board’s key role as an information and networking hub. In addition to this function, the Board is indispensable for important oversight tasks in the DSA. In the following, I highlight four major areas where DSA enforcement necessarily requires the Board.

2.1 Addressing potential DSA violations, including by VLOPs

The DSA envisions shared enforcement responsibilities between the Commission and the member states. Broadly speaking, the Commission is responsible for overseeing VLOPs at the EU level, while DSCs and other national regulators oversee platforms in their respective countries. However, whenever there is an overlap between national and EU levels or between member states, the Board can take an active role. This is most prominently found in the provisions for cross-border cooperation and joint investigations:

  • Cross-border cooperation means that a DSC asks another DSC to investigate a potential infringement (if the Commission has not worked on the same alleged infringement before). The first DSC can do that on its own or band together with at least two others and ask the Board to make the request (Article 58(2)).
  • A joint investigation means that a DSC asks another DSC to investigate a potential infringement together. Again, the DSC can initiate such a joint investigation on its own or at least three DSCs can request the Board to make a recommendation for a joint investigation (Article 60(1)b).

In both cases, the Board can refer the matter to the Commission under certain circumstances (Article 59). Crucially, these types of DSC cooperation might concern not just smaller platforms but also VLOPs, if the Commission has not initiated proceedings for the same alleged infringement. Another instance of the Board being involved in overseeing VLOPs is its mandate to provide an opinion on a VLOP’s proposed “action plan” to comply with the DSA, which must be taken into “utmost account” by the Commission (Article 75(1-3)).

2.2 Providing guardrails in the crisis response mechanism

The DSA’s crisis response mechanism is meant for the Commission to request special risk assessments and risk mitigation measures from VLOPs in times of crises (Article 36). However, the Commission can only do so upon a recommendation of the Board. The original draft of the DSA article left the determination of a crisis situation and the power to address VLOPs solely to the Commission. Especially because the DSA contains a wide definition of crises that could include natural disasters, violent attacks or pandemics – any “extraordinary circumstances” leading “to a serious threat to public security or public health” (Article 36(3)) – the Commission’s unchecked role was rightfully met with criticism (EDRi 2022). Now, there is at least a required deliberation with the group of 27 DSCs (for a deeper analysis, see Buijs and Buri 2023).

While stronger checks on the Commission could be envisioned (EDRi 2022), the Board’s involvement in the crisis response mechanism is still an important guardrail. It should ideally allow for a meaningful deliberation whether the crisis response is proportionate and how various fundamental rights might be affected by mitigation measures such as changes to platforms’ algorithmic systems or content moderation practices. Thus, if the crisis response mechanism is activated, the Board has a big responsibility to be swift but also rigorous in making its recommendation to the Commission. It only has 48 hours to do so (Article 62(3)), which is understandable given the emergency situation. At the same time, this tight deadline should not lead to the DSCs being steamrolled by the Commission as the chair of the Board or to any decisions being rushed at the expense of fundamental rights considerations. Good cooperation and communication practices between the Commission and the DSCs are crucial and should ideally be established at the outset of the Board’s existence to create a basis of trust to work with in times of crises.

2.3 Consulting with the Commission on data access for researchers and other topics

The DSA rules that allow researchers from academia and civil society to request data from VLOPs do not work without the Board. These provisions could be a key innovative feature of the DSA because they would give researchers a legally prescribed way to access data from VLOPs. In the past, this was rarely possible. It was only the case that individual platforms collaborated with researchers on a voluntary basis on companies’ terms (for an overview of the data access rules, see Jaursch and Lorenz-Spreen 2024).

The practical details of the data access regime will be spelled out in a separate piece of secondary legislation. This delegated act must be adopted by the Commission, after consulting with the Board (Article 40(13)). This might seem to be only a minor role for the Board, since it is the Commission drafting the delegated act, after all. Yet, without the Board’s involvement, the process cannot be completed. Other consulting roles for the Board include the mandatory guidelines for trusted flaggers (Article 22(8)), the optional ones on the ad archive for VLOPs (Article 39(3)) and voluntary standards (Article 44(1)). These consulting tasks highlight the need for the Board to develop knowledge on various aspects of the DSA (as required by Article 64(1)).

Once these guidelines and delegated acts are in place, it is unclear how big the Board’s role might be in adapting them in the future. However, even (or especially) if there is no big role in those cases, the Board’s efforts to develop the initial texts with an emphasis on benefiting researchers and consumers is crucial.

2.4 Analyzing VLOP risk assessments and other reports

VLOPs have to assess potential systemic risks at least once a year and mitigate those risks, for example, regarding the spread of illegal content or potential risks for privacy or freedom of expression (Articles 34 and 35; for more on risk mitigation measures, see Jaursch and Bahro 2023). These risk assessments are internal corporate documents which must be reviewed by regulators and auditors (Article 34(3); also Article 37(2) and Article 42(4)). Crucially, they form the basis for an annual review of prominent systemic risks, to be completed by the Board in cooperation with the Commission (Article 35(2)).

This task is a prime example of how the Board’s intelligence-gathering and network-building responsibilities intersect. In producing its annual systemic risk report, the Board can invite and consult with experts, not just from regulators but also research and advocacy organizations. Such outside experts could be a big help for the Board because they have studied platforms closely, for instance, with regards to particular user groups or certain fundamental rights (for analyses on the role of academia and civil society in the DSA, see Vergnolle 2023, Meyer-Resende and Kuchta 2023 and Eder 2023). Instead of only engaging with researchers on an ad-hoc basis for the annual reports, it could be useful for the Board to learn about systemic risks and “emerging issues” on a rolling basis. Looking ahead, a permanent communication channel with academic and civil society representatives should be established for this, which will be discussed in the next section.

3. Outlook: Setting up and enhancing the Board

In the immediate aftermath of its first meeting on February 19, the Board still only existed in a rudimentary form because not all DSCs had officially been designated yet. Building administrative structures and getting the hang of the Commission’s DSA information-sharing system takes time. Over the short-term, then, it is most important for the Board to ensure its basic functionality, so it can fulfill its immediate tasks, including work on the delegated act on data access, on complaint mechanisms for users and dealing with applications for trusted flaggers.

Developing the infrastructure for the Board and working on the to-do list that was long even before the first official meeting will capture the Board’s attention for some time. However, along the way, it will become necessary for the Board to answer remaining open questions. How will potential conflicts between member states be resolved? Will regulators that have historically focused on different issues and companies find it difficult to understand each other and collaborate beyond the informal cooperation that has happened already (see European Commission 2023)? What if the Commission and DSCs do not see eye to eye on Board processes or even substantive DSA questions?

The most fundamental question concerns the Board’s future posture. Will it be mostly led by the Commission as chair and be a rather passive and reactive group? Or will there be ambitions and resources to develop the Board into an active and busy hub for a growing community of practice around the DSA? The law certainly leaves ample openings for the Board to become a connecting force for such a community of practice, which is necessary to enforce the DSA (see Husovec 2022, Jaursch 2024).

One option for the Board to support the community of practice on the DSA is to build loose and informal cooperation networks. The Board could cultivate contacts with experts on an ad-hoc basis, for instance, via personal meetings, conferences or consultations. This has been going on since long before February 2024 and is a rather obvious and basic mode of engagement.

Another option is a highly formalized and permanent exchange, for instance, in the form of an advisory body to the Board, composed of researchers and advocates from around the EU and beyond. This could be a promising long-term option, if important questions around the advisors’ numbers, selection, composition, tasks and reimbursement are addressed (cf. Vergnolle 2023 for an analysis of potential “expert groups” on the DSA at the Commission and in the member states).

For a more immediate measure in between these two options, the Board could form a dedicated outreach unit at the Commission’s Board secretariat that structures and expands existing contacts. The European Centre for Algorithmic Transparency (ECAT), which supports the Commission with scientific analysis around VLOP enforcement, has taken this route: It is currently developing a “communication and community building” team. Several national authorities have similar approaches, in the form of international cooperation units within their organizational structures. To not duplicate the ECAT’s efforts, it could be explored if the Board and ECAT could collaborate in their outreach ambitions, especially regarding academia and civil society.

What could emerge out of such a collaboration between the Commission, the ECAT and the Board is a joint and permanent single point of contact for researchers and advocates. Academia and civil society would benefit from this, being able to reach the Commission and the DSCs with studies and evidence that cover more than one member state, instead of having to find contacts in the Commission, ECAT and 27 member states. The regulators and the ECAT would benefit as well, by having a well-structured overview of the research being conducted on DSA-related topics. Ultimately, the public would benefit from a transparent, meaningful exchange between regulators and researchers that contributes to effective and proportionate DSA enforcement.

The Board is designed as a group of both EU-level and national regulators, it has specific tasks in VLOP oversight, particularly around risk mitigation, and is mandated to analyze emerging issues. This unique setup makes the Board a suitable place to coordinate efforts on EU-wide matters of platform regulation from various fields. The Board should therefore seize the opening provided by the DSA to help develop a community of practice around the DSA.

 

Julian Jaursch is a policy director at the not-for-profit think tank Stiftung Neue Verantwortung (SNV) in Berlin, Germany. He focuses on platform oversight and has published policy analyses and recommendations on the DSA.