by Can Şimşek
The EU Commission presented its much debated legislative proposal entitled Digital Services Act (DSA) back in December 2020 as part of a dual package that also contains the Digital Markets Act (DMA). The proposed DSA aims to harmonize the European law surrounding online content by laying down ex-ante rules for online platforms. Accordingly, new obligations concerning transparency as well as the removal of harmful content will be introduced for online services providers. Most importantly, “very large online platforms” (VLOPs) such as Google, Facebook, Amazon etc. will have additional obligations due to their sizes. The threshold for being defined as a VLOP and falling under these additional obligations is currently estimated as serving more than 45 million service recipients within the EU. This threshold will be adjusted by the Commission so that it consistently corresponds to 10% of the Union’s population. Consequently, the DSA has the potential to fundamentally change the internet as we know it. Yet, there are still serious tensions between the Member States as well as between the European Parliament and the Council regarding how to construct the DSA on top of the General Data Protection Regulation (GDPR) which was introduced in 2016 and came into force on 25 May 2018.
The most discussed aspect of the proposed DSA is the new liability regime that it introduces by substituting the Articles 12 to 15 of the E-Commerce Directive. According to the DSA draft, service providers acting as “mere conduits” will not be liable for the information transmitted, similarly to the old regime. (In order to remain as a mere conduit, the platforms should not initiate the transmission; should not modify the information nor select the receiver.) On the other hand, digital service providers will be obliged to act against illegal content (article 8) and provide information about the recipients of the service (Article 9) once they receive an order, issued from a relevant administrative or judicial authority. They will also be obliged to document their activities in relation to the removal and disabling of information considered to be illegal or contrary to the providers’ terms and conditions, within “transparency reports” (Article 13).
Another key aspect of the DSA proposal is the legacy of the GDPR. In fact, the GDPR precedes the proposed DSA by laying down the main principles of processing personal data that also serve to progress towards a better online environment: “transparency, fairness and lawfulness”. Following Article 5 of the GDPR, these principles should be applied to all kinds of personal data processing activities. As the proposed DSA also upholds and elaborates these principles for online services while introducing a new regime for them, the interplay between the GDPR and the proposed DSA is extremely important. In this regard, the DSA specifies what “transparent data processing” looks like in the context of online platforms. First of all, Article 24 of the proposed DSA requires transparency for online advertising practices, including an obligation to display the information on whose behalf the advertisement is being shown and why it is being shown to the particular service recipient. For this purpose, sub-paragraph (b) obliges the platforms to provide “meaningful information about the main parameters used to determine the recipient to whom the advertisement is displayed”. In other words, online platforms will need to be transparent about their profiling activities for advertisement purposes. Further to that, the European Data Protection Supervisor (EDPS) published an opinion on the DSA which calls for a phase-out, leading to the prohibition of targeted advertising on the basis of pervasive tracking. Yet, it is rather unlikely that a total prohibition on targeted advertising will be included in the final version of the text.
The proposed DSA also empowers the users by giving them a partial right to choose between different algorithms. Accordingly, VLOPs will be obliged to share information about the “recommender systems” they use and give different options to the service recipients if possible (Article 29). Thereby, the European lawmaker hopes to mitigate the negative societal impacts of the recommender systems such as radicalization and polarization by putting transparency into service of individual autonomy and fairness. In this respect, the DSA will oblige VLOPs to conduct risk assessments on the systemic risks (Article 26) as well as taking reasonable and effective measures aimed at mitigating those risks (Article 27). Most importantly, they will also be obliged to submit themselves to external independent audits at least once a year (Article 28) whereas digital services coordinators (the agencies responsible from the enforcement of the DSA), the European Commission and vetted researchers will have access to the relevant data of the VLOPs in order to assess compliance with the rules and identify harms or abuses (Article 31). With these measures, the EU lawmaker aims to eliminate discriminatory or unfair practices to a great extent and ensure that personal data is processed transparently, fairly, and lawfully as foreseen by the GDPR.
Since the presentation of the DSA in December 2020, Member States have been deliberating about the Council’s position whereas seven committees in the European Parliament have been drafting their reports and opinions on the DSA. In July 2021, the Committee on Civil Liberties, Justice and Home Affairs (LIBE) adopted the Opinion on the EU‘s upcoming Digital Services Act drafted by MEP Patrick Breyer who stands for amending the DSA proposal in a way that it would reinforce the right to privacy as well as protection of personal data. In this document, the LIBE Committee proposes to introduce further items to the DSA such as “the right to use and pay for digital services anonymously wherever reasonably feasible” and a right to encryption. Such amendments proposed by the LIBE Committee demonstrate that EU lawmakers are concerned about the GDPR’s shortcomings in terms of safeguarding online privacy and data protection. On the other hand, it is worth noting that the idea of granting a right to remain anonymous on the online platforms and encryption might go against the current, given the increasing security concerns and the anti-encryption trend in the EU. Still, Patrick Breyer claims that “the European Parliament proposal will be much more ambitious than the Commission’s proposal, in some aspects it could be groundbreaking”.
After all, it is understandable why the LIBE Committee thinks that additional rules addressing online privacy and transparent data processing would be useful to provide more legal clarity. As mentioned, the proposed DSA is meant to complement the GDPR to some extent. However, the weakest side of the GDPR is not its substance but its enforceability. As a matter of fact, the enforcement model of the GDPR caused complaints to pile up in Ireland’s Data Protection Commission as many companies do not comply with the GDPR. Given that the proposed DSA shares a similar enforcement model with the GDPR, it is possible that the same situation will occur. For one, France questions the efficiency of the one-stop-shop approach and suggests empowering local authorities, at least for taking interim-measures and “emergency binding decisions”. On the other hand, Ireland and several other Member States are fighting back against France’s proposal to change from the “country of origin” principle, which was established by the e-commerce directive, to a new model which is a bit closer to the “country of destination” principle. The idea is to give more power to the local authorities where the service recipients reside (“country of destination” principle), instead of leaving the enforcement solely to the country where the firms are located (“country of origin” principle).
To sum up, reinforcing the GDPR and improving upon its weaknesses seems to be gaining an increasing importance in the context of DSA negotiations. Could the Parliament actually end up consolidating the DSA? Could the Council agree on a more efficient enforcement model? Eventually, will the EU manage to push transparency and accountability further while safeguarding online privacy and freedom of expression? Well, it is still too soon to reach a conclusion since thousands of amendments are on the way. The rather controversial opinion of the Committee on Legal Affairs is the latest document adopted on the DSA and the next decisive event will be the vote of the European Parliament Committee on Internal Market and Consumer Protection in November. As the debates and decisions unfold during the following months, we will witness whether the final version of the text will differ too much from the spirit of the initial draft.
Can Şimşek is a lawyer (LL.M) and a research assistant at the Digital, Governance and Sovereignty Chair.