A first impression of regulatory powers in the Digital Services Act
The European Commission Proposal for a Digital Services Act (DSA), released on 15 December 2020, is one of the cornerstones of the Commission’s ‘A Europe Fit for the Digital Age’ political agenda. Alongside its sister, the Digital Markets Act (DMA), the DSA is the main tool to regulate Big Tech platforms and to create a “safe and accountable online environment.”
One of the salient questions in the DSA is who gets the decisive say in regulating – exercising oversight and ensuring compliance – over “very large platforms” or VLOPs. At EU-level, these decisions usually tend to oscillate between centralised and decentralised approaches. The regulatory model proposed in the DSA is highly centralised, with the Commission putting itself forward as the sole regulator with teeth vis-à-vis VLOPs. This choice can be linked to enforcement failings by some national regulators under the General Data Protection Regulation (GDPR), but it might also create tensions with general requirements of independence and impartiality of regulators. The proposed European Board for Digital Services (EBDS) only has an advisory role vis-à-vis the Commission’s powers – implying that any DSA-specific regulator, or decentralised power to member states’ authorities, is excluded in the proposal. These issues will be unwrapped one by one.
The DSA adopts a graduated approach to online platforms, with different rules applying for different platform ‘sizes’. Only VLOPs will be subject to the full scope of the proposed Regulation. VLOPs “provide their services to a number of average monthly active recipients of the service in the Union equal to or higher than 45 million” (Article 25(1)). The number of 45 Million corresponds to 10% of EU citizens. This covers more platforms than the “usual suspects” (those owned by e.g. Google and Facebook), and that the proposal might seek to counteract the accusation that the DSA is targeted at Big Tech only.
It is nevertheless noticeable that the DSA tables an adversarial approach to regulating VLOPs, based on the assumption that these aren’t trustworthy. A reasonable approach, given the numerous problematic Big Tech practices that have been uncovered over the years. On this basis, the DSA proposes sanctions for platforms for, among others, “[the] supply [of] incorrect or misleading information” (Article 52(2)).
The Commission as the central regulator
Article 50 DSA grants the Commission generic regulatory powers to request information, to conduct interviews and on-site investigations, to issue interim measures, and to make commitments binding. Before initiating proceedings, the Commission must only consult the European Board for Digital Services (EBDS, Article 51). The EBDS’ purely advisory role indicates it will not really stand in the Commission’s way.
The EDBS’s composition might be a source for concern. None of the existing regulatory authorities are part of it sui generis, as is the case with the European Data Protection Board (EDPB; previously Article 29 Working Party), which consists of national DPAs. Note, however, that DPAs already existed at the time of GDPR’s inception. The draft DSA proposes that national authorities get to squabble among themselves about who gets to be the newly-introduced Digital Services Coordinator (DSC), which should safeguard compliance with the DSA at national level. National representatives of DSC’s participate in the EDBS. Already, there are open questions on who might be designated DSC at national level, how they function in hierarchies of and in relation to other national regulators, and whether they might fragment the national regulatory landscape.
Integrating national DSCs in the EBDS allows the Commission to both maintain and circumvent the so-called country of origin principle. This principle prevents media laws of one member state to encroach on media laws of another: for example, whenever a Spanish media provider providers services across Europe, they are still regulated in Spain. The principle is deeply-enshrined in Digital Single Market legislation. Its implementation in the GDPR, however, caused all complaints regarding Big Tech platforms to go to the Irish DPA, given that Facebook, Google and other VLOPs share Ireland as their EU country of origin. In effect, this DPA has not only been overwhelmed and thus slow, but likely also struggles to respond adequately to systemic financial and power asymmetries between Itself, the Irish treasury and VLOPs. With its proposed regulatory position in the DSA, the Commission can claim to be retaining the country-of-origin principle prima facie, while still ensuring it is able to expeditiously conduct investigations, pass non-compliance decisions and issue fines. This is likely a lesson drawn from the GDPR.
Meanwhile, consolidating regulatory powers against VLOPs within the Commission may foster efficiency and speediness in oversight procedures – in cooperation with, but uninterrupted by the EDPB – and might, given the potentially large impact of such investigations, result in quick responses or actions to Commission notices of non-compliance, or to fines imposed.
Size and impact of fines
The fines which the Commission can levy against VLOPs for infringements are potentially huge – up to 6% of its total turnover in the preceding financial year (Article 59 (1)). As sole regulator, the Commission holds potential for better VLOP compliance. Past experiences with the GDPR have shown that some national Data Protection Authorities (DPAs) in member states where VLOPs have their point of establishment were much less expeditious in passing (high) fines. For example, it took the Irish DPA 8 years after the announcement of the GDPR in 2012 to issue its first substantial fine.
In competition law, the Commission has comparable regulatory powers as in the draft DSA. However, it remains to be seen whether she will impose significant fines on VLOPs. So far, competition law fines have been relatively low, compared to the percentage the Commission could have charged, and fines in this realm have not pushed platforms into compliance. Likewise, GDPR fines imposed on platforms (and other actors) have not done much to fundamentally change their behaviour. Why would the fines under the DSA be any different?
Questions of independence and impartiality
In contrast to VLOPs, non-VLOP platforms are regulated by national DSCs. These must perform oversight in an impartial, transparent, timely and independent manner (Article 39 DSA). Where such smaller platforms are concerned, the DSA aligns with the requirements of independence and impartiality – both supporting pillars of the fundamental right of access to a court (Article 47 EU Charter of Fundamental Rights). Independence and impartiality of regulatory oversight must be guaranteed a priori, by national authorities (Article 39 DSA), given smaller platforms may often not be able to afford expensive and lengthy legal proceedings to get justice done.
The Commission is no independent regulator. Potentially, the requirement of independence and impartiality of the regulator may be different with VLOPS; they can afford lengthy and expensive proceedings up until the European Court of Justice. Indeed, fair proceedings do not require that every party must have had access to an independent and impartial regulator in all phases of proceedings (Crompton v United Kingdom). This approach is also reflected in EU competition law, where tracking down and punishing those in breach has also been entrusted to the Commission (Article 105 TFEU). In analogy with competition law, it could plausibly be argued that in adopting ‘non-compliance decisions’ (Article 58 DSA), and in imposing fines (Article 59 DSA), there is no need for an independent regulator. This conclusion might be more appropriate for the Digital Markets Act, which more closely resembles competition law.
In essence, the DSA closely relates to media and data protection law, where impartial and independent regulators are the norm. Therefore, some have pleaded for an independent, impartial DSA-specific regulator at EU level. This could perhaps contribute to a unified EU-approach towards VLOPs’ content moderation practices, and guide national DSCs towards more consistent policy. However, proposals for new regulators are always controversial. How would a new regulator relate to existing regulators and their powers at both EU level and national level? For example, if such an independent regulator would develop new norms, how would these be democratically legitimized? An independent regulator cannot be politically interrogated. In other words, new players with new powers need robust justification. At the moment, it is not clear whether such justification exists – and it remains to be seen whether a new regulator will be suggested in the negotiation process at all.
The DSA is an ambitious proposal attempting to wholly reshape the regulation of VLOPs. While the main themes of the proposal may seem straightforward, the devil is always in the detail, and there will no doubt be sensitivity about who gets to exert regulatory control over VLOPs at national and EU level. Ensuring independent oversight and law enforcement vis-à-vis VLOPs might perhaps better align with the GDPR and EU media law; however, a new EU-level regulatory institution with powers from national parliaments’ perspective may not find fertile ground – for good reasons. At face value, it is striking how much of the Commission’s proposal has seemingly been inspired by the failings of the GDPR. It remains to be seen what of its approach may withstand the negotiation processes and intense lobbying efforts.
Both dossiers caught me by surprise and are worth of technical appreciation. Legislative proposals from the Commission are sometimes very carefully crafted, set on course with an ballistic eye of smart Commission officials. The centralist approach is how the Commission curves it in. I fully agree that they would hit the Acquis in a different shape, get more institutionally dispersed in the deliberations, and the Commission staff appear aware of that and prepared the dossier for that exactly to happen. Furthermore as a package the DSA is a well made lobby decoy, as the real meat is found in the DMA. Yet, the interested public just discusses the DSA fully aware of „the other one“. Personally, I find the DMA by far more challenging.
It is quite predictable how the current dossiers would be normally amended in the course of the legislative process: Commission, chapeau bas! The most remarkable aspect of both is the size-matters principle as such, a principle that would enable targeted regulation of the platforms without stifling the market at large.
There are quite some opportunities in the current draft where the professional appraisal has to be mostly on the „technical“ architecture of the dossiers rather than their substance. I’d wish for the European Parliament and Council to strengthen the interoperability instruments. Business could benefit from regulatory excellence and the leverage of interoperability soft law appears to be most promising.
The GDPR with its sadomasochist-inspired notion of individual consent as its panacea for turning evil into agreement, is a torture chamber for the market without direct practical effect and guidance on privacy preservation. Consent rituals are the vows of the digital age, and as military vows they simulate choice and commitment, laying a symbolic obligation in your hands while at the same time you are the very taker of rules. The classic but clear regulatory approach of DSA/DMA does not fall in the trap of individual choice. They take an upfront approach and also cut out the Brussels theater. No SME stakeholder representative tokens needed this time. The current drafts may as well end as a „torture instruments“ put on display where the rational counter-offers by affected players would be self-regulation, co-governance simulations and concessions, decentralization, and otherwise delay of the dossier. Or both become a snowball of ideas, hopefully not many bad ones. Exciting times. I’d say let’s make the best out of it.