Will the DSA have the Brussels Effect?
Introduction
The Digital Services Act (DSA) is a comprehensive effort by the European Union (EU) to regulate digital services. Many on-lookers in Europe and beyond its borders wonder about whether the DSA will influence activities outside of Europe via a “Brussels Effect.” In this contribution, we argue that when it comes to extraterritorial spill-over effects of the DSA that are driven by economic incentives or de facto standardisation and private ordering, the strength of any DSA Brussels Effect will depend on several factors: the type of obligations in question; compliance costs; the extent of regulatory imitation by other countries; and finally, the existence of any countervailing legal regimes. Under this analysis, the chances of spontaneous voluntary implementation beyond the EU’s borders for four key parts of the DSA — content moderation procedures, transparency and governance obligations, and risk management rules — seem modest. Some content moderation rules might reach beyond the European continent through the ensuing industry standardisation.
Four key components of the DSA
The DSA regulates how online service providers make content moderation decisions. It subjects companies to an elaborate set of prescriptive rules that organize the process of notification, evaluation, removal, and contestation (Articles 16 to 21). Affected individuals are given a right to an individual explanation of such decisions (Article 17), the right to appeal decisions internally for free (Article 20), and the right to appeal externally before independent out-of-court dispute settlement bodies (Article 21).
Providers are further obliged to issue annual or bi-annual transparency reports about how they conduct content moderation (Articles 15 and 24). Companies of a certain size and reach must also submit all their individual content moderation decisions to a centralised database (Article 24(5)). The largest online platforms or search engines (so-called Very Large Online Providers (VLOPs) and Very Large Online Search Engines (VLOSEs)) have further disclosure obligations (Article 42). VLOPs and VLOSEs must also provide access to data to researchers to study risks and mitigation strategies on their services (Article 40).
All providers have some obligations to appoint points of contact (Articles 11 and 12), or legal representatives (if not established in the EU [Article 13]); however, only the largest ones have extensive governance obligations. VLOPs and VLOSEs must appoint compliance officers who must have certain standing with the senior management of companies (Article 41). VLOPs and VLOSEs also must appropriately train their staff, including content moderators, and monitor risk management within companies (Articles 34, 35, 42(2)(b)).
Finally, mid-sized or bigger online platforms must design their services in compliance with certain statutory risk-related imperatives, such as avoiding misleading or manipulating practices (Article 25), or design that fails to protect the safety, security, and privacy of children as their users (Article 28). VLOPs and VLOSEs are subject to periodic risk assessment and external review by auditors under the supervision of the European Commission and national regulators.
Predicting extraterritorial spill-overs
Simply stated, the Brussels Effect causes EU rules to “spill over” into other jurisdictions through private actions of companies (a “de facto” effect) or harmonising changes in law by outside jurisdictions (a “de jure” effect). We focus on de facto spill-overs, which, if they occur, arise from the choices of individual firms.
Feasibility of localised implementation
Whether spill-overs occur first and foremost depends on what companies find useful and cost-effective. However, in some cases, usefulness and cost-effectiveness can be forced or incentivised by the global nature of the product. If a new EU obligation cannot be easily siloed into a specific location—whether for technical or other reasons—companies might prefer to extend their compliance across jurisdictions. For instance, if certain design features of the systems are harder to split and localise to certain jurisdictions only, companies might extend the implementation of the rules governing such features beyond the EU. The ability to localise implementation is thus one of the key issues.
Many of the DSA’s rules probably can be localised. For example, companies seem to have localised all obligations regarding the opt-out from the recommender systems (see here, here, and here), thus signalling that splitting markets is not too difficult in this instance. There may be areas where the services cannot be designed differently for different markets but that will probably be an exception, at least for large players that already comply with requirements from multiple jurisdictions.
Cost
In most cases, the main reason why companies might extend the application of the DSA beyond the EU is cost: because they find it cheaper to keep one set of rules for several markets. This might be the case for some notice-handling content moderation rules. Given that companies must build new processes for European users, the cost of extending some of those rules to other jurisdictions might be lower than keeping two or more separate complaint-handling systems. However, some of the user-protecting obligations under the DSA, such as the broad possibility to appeal visibility restrictions of any kind, are both unique and quite costly, and thus less likely to be implemented in other countries without a legal mandate.
Indirect effects
Other indirect effects on the markets are possible too. The industry’s reliance on a single set of rules could help to standardise processes, improve demand for and interoperability of moderation tools, and thus increase the new market entry in the area. For content moderation, the DSA can become a shipping container moment, which gives an entire industry vocabulary, structure and building blocks. Section 512 of the US Digital Millennium Copyright Act (DMCA) has functioned in this way for the last twenty-five years—companies applied many of its features well beyond US copyright disputes because it provided guidance that could be used to structure takedown practices across types of complaint and across jurisdictions. The DSA’s far more detailed requirements could serve as the updated “shipping container” for companies looking to update their content moderation practices. Such dimensions can help spur a lot of innovation and business activity around industry-wide content moderation solutions that can be customised, repurposed, or applied on a cross-platform basis. A bigger market means better solutions.
Looking at specific examples, in theory, industry-wide standardisation around content moderation can also facilitate the convergence concerning voluntary and DSA-mandated transparency reporting. This might depend on how separate the US and EU back-end systems are and how convergent the DSA’s requirements are with companies’ current practices. Transparency reporting is neither easy nor cheap, especially for companies running on legacy systems. The DSA could have a nudging effect that could move some providers to transparency reports, or more detailed transparency reports, in other countries, such as the US, but this might take time. And other incentives may push companies in the opposite direction. For example, being more transparent than others also has its costs associated with extra scrutiny by private actors and public authorities.
Additional considerations
Further, some DSA obligations may be unattractive for voluntary compliance for other reasons: because they are too expensive, because they require local institutions that don’t exist, or because they create bad policy precedents from a local perspective. For instance, out-of-court dispute settlements are both costly and cannot work without appropriate certified out-of-court dispute settlement bodies. Periodic risk assessment and auditing also is not cheap. Moreover, companies could rationally fear that legal change abroad would become politically easier if major industry players change their private policies to match the DSA requirements.
An interesting case in this regard is researchers’ access to data to study platforms. Due to a lack of vetting processes in other countries, the companies would seem to be easily able to reject extending access to non-public data to researchers from outside the EU. However, these researchers, to the extent that they are interested in studying EU-relevant risks, can benefit from the EU regime. Arguably, they can use their respective countries as control groups, and thus undertake more globally-relevant research as well.
Moreover, the scraping/API provision of the DSA facilitates access to publicly available data, again without limitation to the nationality of those who are undertaking the research. Even if foreign governments do not follow the EU’s approach, they might favour that their researchers can benefit from the EU regime and might complain if their researchers cannot access similar tools. Thus, public pressure in other countries might force companies to extend some of the features of the system beyond the EU, even though there usually is little immediate positive economic benefit from such transparency for the companies.
Conflicting rules
Finally, the DSA’s extraterritorial effect might be enhanced by reinforcing local rules, but also undermined, or entirely prevented, by conflicting rules in other jurisdictions.
Consider how the US DMCA interacts with the DSA. The DSA is mostly stricter in what it requires companies to do compared to the US law (although, exceptions do exist, such as the fact that the DSA’s DMCA-style repeat-infringer rule does not apply to mere conduits). But there are potential conflicts that could prevent companies from replacing DMCA-required or -influenced practices with DSA-style practices.
For example, the DSA includes protections for targets of removal requests that could be significantly more effective than the DMCA’s analogues. The DMCA says that online service providers “shall” reinstate content upon receipt of a counter-notice but in practice, this often doesn’t happen. The reason is the liability asymmetry: liability risk for not taking down infringing material is far greater than the liability risk for leaving up non-infringing material. Copyright remedies in the US can be very severe, and the main notice senders have deep pockets, creating strong incentives toward removal for providers. The affected target would have to rely on section 512(f), which allows challenges only for “knowing, material misrepresentations”. This is a very high barrier for recovery, thus making 512(f) effectively a dead letter.
The DSA in the EU aims to re-balance exactly that liability asymmetry by imposing countervailing due diligence obligations for the benefit of affected individuals. The question is whether they could be of any use outside the EU. For global actions that affect both markets simultaneously, the new EU liability could change the overall risk calculation. However, if companies can split their compliance by geo-locating it, in all likelihood, the DSA will not change the local US risk calculation, at least for copyright disputes. And most other disputes fall within the safe-harbor protections of section 230 of the Communications Decency Act (CDA)—which, broadly speaking—allows companies to make the moderation decisions they prefer. In other words, to the extent that companies can separate their compliance, they will act in a more balanced way in the EU than in the US.
Furthermore, the DMCA and the CDA both lack disclosure requirements; given the incentives described above, this could undermine the willingness of providers to provide more information to affected individuals. Because the DMCA requires only limited information from notifiers as compared to the DSA—and outside of copyright, little information is required by US law at all—providers might be stuck with the existing disclosures, whatever their intentions or other motivations.
Finally, other jurisdictions could have laws that directly conflict with the requirements of the DSA. While CDA section 230 and the US First Amendment jurisprudence might conflict in spirit with some of the DSA obligations, they do not prevent companies from voluntarily extending the DSA rules to the US market and individuals. The more tangible conflicts may ultimately be those where federal or state statutes prevent companies from doing what they are required to do in the EU, such as removing or disclosing something. In such cases, the only way how companies can comply with both regimes is to geo-localise their compliance.
Conclusions
Our brief analysis suggests that many most ambitious parts of the DSA will probably have modest impact on the other countries unless these countries adopt similar laws. From all the new obligations, the most promising is the potential impact of the DSA content moderation rules on the industry standards for processes and tools, and potentially the data access regime. However, the overall outcome depends on many variables, including those that might not be even well understood within the companies at the time when they are implementing the DSA. Changes that seem costly and without benefits today, might easily prove to be useful and less costly tomorrow. Thus, we shouldn’t be too quick to judge the law’s overall de facto Brussel’s Effect. However, DSA compliance offers a moment for another important lesson. The compliance attitude of companies — that is, how ready they are to redesign their products for specific markets and engage in geo-localised enforcement to prevent giving the DSA an extraterritorial effect — will show us the true colours of how “universal” or “global” the digital services as products are in the mid-2020s.