The DSA supervision and enforcement architecture
Ilaria Buri and Joris van Hoboken
Introduction
The supervision and enforcement structure of the DSA proposal has been described from the beginning as a strong one. Elements which contribute to strengthening the enforcement chapter include the involvement of the European Commission in enforcing the rules vis à vis the very large online platforms (VLOPs) and very large online search engines (VLOSEs) as well as the introduction of strict deadlines for the national regulators and for the Commission to act and proceed in their investigations.
The experience with the enforcement of the GDPR shows that ambitious substantive rules need effective and consistent enforcement mechanisms to deliver actual levels of protection for fundamental rights. Awareness about systemic issues in the enforcement of GDPR have heavily influenced the initial DSA proposal, as well as the following negotiations, with the idea of centralized Commission’s enforcement against VLOPs emerging as the most promising solution to prevent the reoccurrence of some of the biggest shortcomings in the enforcement of GDPR.
On last 23 April, the co-legislators reached a political agreement on some of the main points of the DSA. After almost two months, when many details of the regulation have been fine-tuned in technical (and closed doors) meetings, the final (provisional) agreement has been approved by the Council on 14 June and by the IMCO Committee on 16 June (before the plenary vote scheduled for 4 July).
This blogpost explores the main features of the DSA enforcement chapter. It outlines the enforcement architecture set out in the final DSA texts and in the previous proposals, particularly those of the EC and of the Council.
The analysis will be followed and complemented by another blogpost, which focuses on the implications – from a fundamental rights and democratic values perspective – of opting for the Commission as the body in charge of supervising and enforcing the DSA rules against the most powerful platforms.
What’s in the final text
The final text mainly reflects the Council’s version of the enforcement chapter (explained in the paragraphs below). The main elements of the final DSA enforcement rules can be summarized as follows:
- Competences (Article 44a): the new configuration of competences between the DSCs and the Commission is the main innovation from the original Commission’s proposal. As set out under Article 44a, the Member State where the intermediary has its main establishment will have exclusive powers for the supervision and enforcement of the DSA rules, except where such powers are attributed to the exclusive or shared competence of the Commission. Specifically, the Commission is granted exclusive powers with regard to the provisions under Section 4 Chapter III DSA, which apply only to very large online platforms (VLOPs) and very large online search engines (VLOSEs). These are Articles 25-33b of the final text, relating to systemic risks assessment and mitigation, data access for researchers, audit, recommender systems, etc. The Commission also has powers for the supervision and enforcement of rules, vis à vis VLOPs and VLOSEs, other than those under Section 4 Chapter III, such as the ones on notice and takedown, terms and conditions and trusted flaggers. However, a Member State (its DSC) will also be competent to supervise and enforce these latter rules against the same actors, “to the extent that the Commission has not initiated a proceeding in relation to an alleged infringement of the same obligation”.
- Cross border cooperation among DSCs (Article 45): unless the Commission is investigating the same infringement, the DSC of destination or the Board – upon request of at least three DSCs – can request the DSC of establishment to investigate a matter which affects users in their Member State. Within two months from the request, the DSC of establishment must communicate its assessment of the situation. Where the DSC of establishment fails to update the requesting DSCs of destination and the Board, or if the Board disagrees with the measures taken or planned, the matter can be referred to the Commission by the Board.
- Joint investigations (Article 46): the DSC of establishment can launch joint investigations with the participation of one or more other DSCs, both at its own initiative or upon recommendation of the Board. In the latter case, the Board acts on the request of at least three DSCs to investigate the suspected infringement of the Regulation in their Member State, with their Any DSC can request to be admitted to a joint investigation, if it can prove a legitimate interest. The views of the participating DSCs must be taken into account in the preliminary position issued by the DSC of establishment at the end of the joint investigation. In case of a substantial disagreement with that preliminary opinion, the matter can be referred to the Commission. Moreover, the DSC of destination joining the investigation is entitled to use its powers to investigate the information and intermediaries’ premises located on its territory.
- Enforcement of obligations of VLOPs and VLOSE (Article 50): the Commission can exercise its investigative powers, on its own initiative or upon a request from a DSC, even before the opening of proceedings. A DSC can ask the Commission to examine the matter when it has reason to suspect that a VLOP or VLOSE “has infringed the provisions of Section 4 Chapter III or has systematically infringed any of the provisions of [the] Regulation in a manner that seriously affects” users in its Member State. Where the Commission suspects that a VLOP or VLOSE has infringed any of the provisions of the DSA, it may initiate proceedings against it (Article 51). The Commission must provide the DSC and the Board with its preliminary findings and take “utmost account” of the Board’s views in taking a decision.
- Enhanced supervision of remedies concerning the obligations under Section 4 Chapter III DSA (Article 59a): the Commission must apply an enhanced supervision system when adopting a non-compliance decision with regard to the infringement of obligations laid down under Section 4 Chapter III DSA. The final text thus keeps the Commission’s initial proposal’s idea of enhanced supervision, but adapts the system in light of the new set-up of competences (exclusive competence of the Commission on these matters). The VLOP and VLOSE concerned must draw up an action plan outlining the measures needed to remedy the infringement. Following a Board’s opinion on the action plan, the Commission decides whether the plan is appropriate to address the infringement and subsequently monitors the action plan. The Commission can apply periodic penalty payments and impose a temporary restriction of access if no action plan is drawn up or if that is rejected or its implementation considered insufficient.
- The powers of the DSCs and the Commission (Article 41 and Articles 52 to 57): to carry out their tasks under the enforcement chapter of the DSA, the DSCs and the Commission are assigned several powers. They can require intermediaries, and VLOPs and VLOSEs, to provide information, take interview and statements, conduct inspections on-site adopt interim measures, take commitments and monitoring actions. The final text includes the Council’s specifications on the Commission’s power to conduct investigations. In particular, the Commission, the DSC and other competent authorities may ask the VLOPs and VLOSE to explain their “organization, functioning, IT systems, algorithms, data-handling and business conducts and address question to key personnel”. Where the concerned VLOPs and VLOSE oppose the inspection, the inspecting officials must be granted the assistance of the competent law enforcement.
- Fines (Article 42 and 59): Where a competent authority decides that there is an issue of non-compliance – in relation to an intermediary for the infringement of any obligation of the DSA, or against a VLOPs or VLOSE for the violation of the DSA rules, interim measures or binding commitments – the competent enforcer can apply a fine not exceeding 6% of the total worldwide annual turnover in the preceding financial year. Failures to supply correct and complete information, or to rectify it, or to allow an on-site inspection (or to comply with the Commission’s monitoring actions) may lead to a fine up to 1% of the total annual income or worldwide turnover.
- Right to lodge a complaint and right to compensation: the final text includes a right for the users of the services, and any organization representing them in exercising their DSA rights, to lodge a complaint against intermediaries for an infringement of the DSA, before the DSC of the users’ home jurisdiction. Moreover, under the new Article 43a, users will have the right to seek compensation from intermediaries “against any damage or loss suffered due to an infringement” of the DSA obligations.
How we got to the final text: enforcement under the different DSA’s proposals
Enforcement under the original EC proposal
Largely mirroring the enforcement architecture of GDPR, Article 40 of the original DSA proposal granted jurisdiction, for the supervision and enforcement of the DSA rules on due diligence and codes of conduct, to the Digital Services Coordinator (DSC) of the Member State where the intermediary has its main establishment (DSC of establishment). The Commission’s proposal also established the European Board for Digital Services (EBDS), an independent advisory group of DSCs.
The original proposal included important rules on the cross-border cooperation among DSCs (Article 45), which are confirmed in the final agreement. These rules concern the possibility for the DSC of destination – or for the Board, where the suspected infringement involves at least three Member States – to request the DSC of establishment to assess the situation and take the necessary measures.
The Commission DSA proposal also devised an enhanced supervision and enforcement system for VLOPs. This was significantly modified by the Council’s proposal in light of new attribution of competences between the DSC and the Commission. Under the original Article 50, the system would apply where a DSC of establishment decided that a VLOP had infringed “any of the provisions of Section 4 Chapter III”. After assessing the effectiveness of the VLOP’s action plan to remedy the infringement, the DSC of establishment had to transmit its opinion to the Commission, the Board and the VLOP on whether the violation had been terminated. Following that communication, the DSC of establishment was no longer entitled to carry out any supervisory or enforcement tasks (Article 50(4)).
In short, under the original proposal (Article 51), the Commission could step in and start proceedings, in view of adopting possible non-compliance decisions and fines, against the VLOP which:
- was suspected of having infringed the DSA rules – where the DSC did not follow up on the Commission’s request to take investigatory or enforcement initiatives (pursuant to article 45(7)), or where the DSC requested the intervention of the EC (pursuant to Article 46(2)) or;
- had been found to have infringed any of the provisions of Section 4 of Chapter III.
Enforcement under the Council’s proposal
The most interesting and innovative aspects of the Council’s negotiating position on the DSA, adopted in November 2021, concerned the enforcement rules. All these innovations made it to the provisional text agreed in June 2022.
The Council’s general approach on the DSA, and its enforcement chapter, is the result of some important political developments. In the second half of 2021, the country-of-origin principle became one of the most contentious aspects of the DSA negotiations in the Council. France, in particular, argued that this principle should be re-considered and that the authorities of the country of destination should be granted specific powers of intervention and enforcement. Around October 2021, a group of Member States, headed by France, started calling for a centralized approach towards VLOPs, where the Commission would hold exclusive supervision and enforcement powers.
The Council’s proposal revolved around two pillars: on the one hand, it preserved the country-of-origin principle, and granted exclusive powers to the Digital Services Coordinator (DSC) of establishment for the supervision of those intermediaries who do not qualify as VLOPs or VLOSEs. On the other hand, the Council’s text (Article 44a) attributed exclusive powers to the Commission for the supervision and enforcement of VLOPs and VLOSEs with regard to the obligations established under Section 4 of Chapter III. Thus, compared to the initial proposal, the Commission would be put in the driving seat in assessing VLOPs’ behaviour under the rules set out in Section 4 of Chapter III DSA, and not just potentially stepping in when a VLOP is suspected or has been found by the DSC of establishment to have infringed such rules.
The Council’s choice reflects the view that the Commission is probably more resilient in facing the VLOPs than the regulator of a Member State (such as for instance Ireland) where the relative role played in the economy by the platform industry is disproportionately large.
As explained above, another aspect in which the Council proposal foresaw a supervisory role for the Commission was in the supervision and enforcement vis à vis VLOPs and VLOSEs concerning DSA obligations other than those set out under Section 4 of Chapter III. Here, the Commission and the Member State of establishment are granted shared powers. Specifically, the Member State of establishment has competence to exercise its powers, if the Commission has not started a proceeding for the same matter.
Enforcement under the European Parliament’s proposal
With the exception of a few amendments, the European Parliament’s position on the DSA left the Commission’s proposal on enforcement substantially unchanged. A notable proposition of the European Parliament was that of making mandatory the Commission intervention vis à vis VLOPs, under Article 51. The other important proposal from the EP, which we find in the final DSA text (Article 43a), is a new article on compensation, the impact of which is potentially significant.
Concluding remarks
The final DSA text reflects the Council’s position on enforcement, which combines the country-of-origin principle with a decisive centralization of powers, in the hands of the Commission, when it comes to enforcement against the most powerful platforms.
While the finalization of the DSA legislative process is approaching, and the rules against the VLOPs will be the first to enter into force, many crucial details around implementation and enforcement are still unknown. At the Member States level (including for instance in Germany), the question of which authority will take on the role of DSC remains unanswered.
At the same time, at the Commission level, it is unclear which DG will be put in charge on DSA enforcement and how it will make sure they have sufficient human and technical resources to ensure effective implementation. In this regard, BEUC published a letter in May urging the Commission to “rapidly communicate to the public which measures are being taken” to deploy all the resources needed for effective implementation (including cooperation between the relevant DGs).
Another critical aspect concerns the contribution that several actors other than regulators – such as users, researchers, civil society organizations – are meant to play in the enforcement of the DSA rules. In particular, vetted researchers can be granted access to VLOPs data to contribute to the identification and understanding of systemic societal risks and of the impact of the risk mitigation measures. Researchers have an important role – at least in principle – in the DSA enforcement puzzle. This role is particularly relevant from a fundamental rights perspective, as researchers contribute to the identification of systemic risks which affect fundamental rights, and to the assessment of the measures put in place to address those risks. Thus, it is disappointing to see that, in the final text, only the DSC of establishment has the power to take a final decision over awarding researchers a vetted status. This choice, fully centered on the country-of-origin principle, contradicts the rationale behind the Commission’s centralized enforcement against the VLOPs and VLOSE which emerged in the DSA debate (i.e., it brings back most decisions to the Irish regulator). As research access to data is pivotal in monitoring the behaviour of these powerful actors, the power to vet researchers should have been given (also) to the Commission. Centralization at the level of the DSC of establishment, on a matter as important as research access to data, will predictably lead us where the DSA conversation on enforcement started, i.e. with unprocessed requests and delays piling up before few (mainly one) DSCs.
Ilaria Buri is a research fellow at the Institute for Information Law, University of Amsterdam, where her work focuses on the “DSA Observatory” project. She previously worked as a researcher at the KU Leuven Centre for IT and IP Law (CiTiP) on matters of data protection and cybersecurity. She is admitted to the Bar in Italy and, prior to joining academia, she gained extensive experience as a practitioner in law firms and worked at the European Commission (DG Climate Action).
Joris van Hoboken is a Professor of Law at the Vrije Universiteit Brussels and an Associate Professor at the Institute for Information Law, University of Amsterdam. He works on the intersection of fundamental rights protection (privacy, freedom of expression, non-discrimination) and the regulation of platforms and internet services. At the VUB, he is appointed to the Chair ‘Fundamental Rights and Digital Transformation’, established at the Interdisciplinary Research Group on Law Science Technology & Society, with the support of Microsoft.
Photo by Photo Boards on Unsplash