Gearing up for the Digital Decade? Assessing the enforcement mechanisms of the EU’s platform regulation bills

Background

2022 is shaping up to be a big year for European digital policymaking. The Digital Services and Digital Markets Acts as well as the Artificial Intelligence Act will reverberate beyond the EU’s borders. For the EU’s comprehensive vision for platform regulation to become reality, it will be crucial to coordinate the enforcement mechanisms of these laws.

The EU took a big step towards its goal to become a “global role model for the digital economy” at the turn of the year. On January 20, 2022, the European Parliament adopted the proposed Digital Services Act (DSA) with a big majority, paving the way for talks between the Commission and Member States. The parliamentarians had already given the green light to the sister law, the Digital Markets Act (DMA), on December 15, 2021. The DSA imposes stricter obligations on how platforms regulate content while the DMA aims to keep so-called “gatekeeper platforms” from abusing their market power to the disadvantage of competitors and consumers. Next on the parliaments’ agenda will be the upcoming debate over the draft Artificial Intelligence Act (AIA), which defines guardrails for the use of AI technologies based on their risks to society. The AIA would complete the triad of new laws to regulate big tech platforms – and turn the EU into a pioneer on digital governance.

Together, the three laws can be seen as a response to the fundamental shifts the global platform economy has brought to our markets and societies. We have moved past a naïve enthusiasm about social media platforms’ role in connecting people globally towards a focus on the dangers that an unregulated platform industry poses to our democracies and societies. The role of disinformation, conspiracy theories and hate speech have influenced US presidential election campaigns and the British Brexit referendum in 2016. They have hampered global efforts to combat the Covid-19 pandemic and they have inspired acts of violence such as the Christchurch shooting in New Zealand.

In the wake of these events, the pressure to reform (outdated) regulation for so-called “intermediaries” increased significantly. The EU’s eCommerce Directive defines intermediaries as companies that provide access to a communication network or to a service that allows for transmission of communication in such a network. It became increasingly difficult to justify a state of affairs in which powerful social media platforms (such as Facebook, YouTube, or Twitter) did not have to take responsibility for unlawful content via their services, and in which their influence over the public sphere could remain uncontrolled. Lawmakers around the world are considering various options for limiting the power of “Big Tech” by addressing their data-driven business models. These models have led to the amplification and rapid dissemination of hate speech and disinformation due to the use of biased algorithms. Given the power of social media platforms over markets and societies, it is necessary to take a closer look at the provisions regarding oversight and enforcement of the rules for their regulation.

A significant trend has been the shift from self-regulation to more specific obligations for platforms. The current proposals contain the creation of new enforcement mechanisms and competent authorities. Since the policy discussions on platforms, data, and AI are interrelated, lawmakers should be aware of the potential advantages in cross-linking their enforcement. Will the current EU bills overlap in terms of enforcement, and will the new competent authorities coordinate?

Platform governance and the current EU bills

Although digital platforms have operated for almost 20 years, there is still an ongoing debate about how to treat them. While platforms tend to present themselves as mere technology companies, scholars argue that their activities make them media companies. Subsequently, legal scholars are still discussing how to categorize them in (national) legal frameworks. The more platforms gain power over markets, data, and the way people receive information and form their opinions, the more they will be compared to states in terms of their power-based relationship to individuals and society. This has led to demands for a “constitutionalization” of social media platforms, whereby regulation holds them accountable to the principles of the rule of law.

These arguments gained traction after Big Tech companies were implicated in a series of high-profile scandals such as when it became known that the British consulting firm Cambridge Analytica had harvested personal data of millions of Facebook users and used it for targeted advertising to support the presidential campaign of Donald Trump in 2016. In the wake of such negative headlines, lawmakers began to challenge the current model of limited platform liability for incendiary content – both illegal as well as legal but harmful content. In 2017, Germany moved forward against unlawful content, with the Network Enforcement Act (NetzDG), a law requiring platforms to implement flagging mechanisms and examine complaints over illegal content swiftly. A few months later, France passed a law against information manipulation on digital platforms. Both laws require platforms to provide transparency reports to the supervisory authority, which in turn makes them available to the public. It was in light of these initiatives by single Member States that the EU decided to update its rules for digital platforms.

The debate about regulating platforms extends beyond law. It is a debate about how to govern digital platforms without disproportionally restricting fundamental rights. The goal is to maintain public online spaces for communication and deliberation without fueling hate and polarization. The nature of the services these platforms provide leads to a new form of (corporate) governance for the digital age. Whilst governance can be understood as “reflexive coordination,” regulation can be defined as targeted interventions, thus possibly included in a broad definition of governance. Platform governance is a relatively new term, bringing together multidisciplinary perspectives from media and communication, law, governance, and tech research. The concept includes the governance of platforms and the governance by platforms (i.e. self-regulation of platform content).

Over the past five years, there has been increasing demand for going beyond the self-regulatory approach previously followed by regulators around the world. The EU’s current intermediary liability regime under Art. 14 and 15 eCommerce-Directive allows social media platforms to self-regulate and limits state interference with regard to speech regulation. The eCommerce Directive was adopted in mid-2000, following a regulatory trend set by the US regulator with Sec. 230 of the Communications Decency Act that was intended to facilitate innovation and the growth of the digital economy. Under Art. 14 eCommerce, service providers can only be held liable for user-generated content on condition that they have no knowledge about unlawful content or act “expeditiously to remove or to disable access to the information” upon notice (so-called “notice and take-down”). Under Art. 15 (1), Member States shall not oblige providers “to monitor the information which they transmit or store” or “to seek facts or circumstances indicating illegal activity.” This regime facilitated the rise of global digital platforms that were free to instate their own rules, while being protected by broad exemptions from liability.

The EU's new systemic approach

From the eCommerce Directive (2000) to, most recently, the General Data Protection Regulation (GDPR), the EU has been eager to offer one-size-fits-all regulation that will allow Member States to adapt according to their national particularities while safeguarding the cross-border character and viability of both the EU Single Market and, especially, digital platforms. Of course, the scope of discretion varies depending on the type of legislation, whereby directives (like the eCommerce Directive) delegate the question regarding the means of implementation to the Members States, while regulations (like the GDPR), allow a higher degree of harmonization and more clarity because they do not require an implementation act.

To update the eCommerce Directive, the Commission, as mentioned, proposed two legislative initiatives: the Digital Services Act (DSA) and the Digital Markets Act (DMA).[1] Together they form the DSA Package. The heart of the regulatory package is the DSA, containing detailed rules for platforms and building on a broad spectrum of mechanisms. According to the EU Commission, the DSA’s key goals are better protection of “consumers and their fundamental rights online,” to “establish a powerful transparency and a clear accountability framework for online platforms” and to “foster innovation, growth and competitiveness within the single market.” The Commission chose to keep the current liability regime of Art. 14 and 15 eCommerce, while adding additional obligations to serve the protection of the digital public sphere. To do so, it proposed a systemic approach, matching the type of platform with “asymmetric due diligence obligations” according to its “role, size and impact in the online ecosystem.”

The new rules shall apply to all online intermediaries operating on the EU single market, starting from “intermediary services” providing basic network infrastructure. This broad category includes “hosting services,” which in turn include the category of “online platforms.” The latter is the category that has been most in the spotlight of the public debate because social media platforms, app stores and marketplaces are considered the new gatekeepers of the digital public sphere. They are expected to implement measures for a better handling of user complaints regarding unlawful content. Section 3 DSA provides complaint-handling (Art. 17) and dispute-settlement systems (Art. 18), closer attention to trusted flaggers (Art. 19) as meaningful partners for content moderation, and stricter sanctions against users who frequently misuse the platform (Art. 20). A central provision is the obligation to publish transparency reports on content moderation activities under Art. 13 and 23.

There are additional and stricter rules in the DSA for “very large online platforms” (VLOP) that, according to the Commission, “pose particular risks in the dissemination of illegal content and societal harms” because “they have acquired a central, systemic role in facilitating the public debate and economic transactions due to their reach.” According to Art. 25 (1) DSA, VLOPs are platforms that provide their services to at least 45 million users within the EU. They will be subject to additional obligations such as risk assessments (Art. 26), mitigation measures (Art. 27), independent audits (Art. 28) and provision of user-friendly information regarding the parameters used for their recommender systems (Art. 29) as well as for advertisements on their platform (Art. 30). These enhanced transparency obligations expand to providing data “necessary to monitor and assess compliance with this Regulation” to regulators and academics (Art. 31) and more frequent reports (Art. 33). In sum, the DSA combines the probability of online harms with enhanced responsibility, but sticks with the category of unlawful content instead of broadening it to harmful content.[2]

Supervision and Enforcement

The EU’s legislative initiatives would be considered a paper tiger if they did not provide adequate enforcement mechanisms. Indeed, enforcement, defined as “a matter of deploying a strategy or mixture of targeted strategies for securing desired results on the ground,” is key for successful regulation. Enforcement means are not limited to penalties. In fact, in many situations, other techniques can be preferable. Public authorities can have far-reaching powers to sanction infringements with penalties, but they might fail if they lack information from peers or a superordinate authority. Practicable and effective enforcement mechanisms are even more pressing considering the very high density of new rules. For example, some fear a regulatory inflation that will come at the expense of platforms that do not employ large departments devoted to the implementation of legal requirements.

Compliance, oversight and enforcement require clarity both 1) regarding obligations for platforms, and 2) regarding the expectations of the new authorities in charge of supervising and enforcing. A gap between the laws’ wording and their interpretation, both by those who implement and those who enforce it, might be inevitable. However, this gap should be kept to a minimum by ex ante communication and sufficiently clear rules. When public authorities and corporations both share their respective assessment of the situation, they have a common point of reference to build on. The DSA’s preamble stresses this point with regard to VLOPs due to the way they influence many aspects of online activities.[3]

Finally, the EU legislator clearly wants to avoid mistakes it made with the GDPR when introducing more than one enforcement approach. The risk of conflicting enforcement mechanisms is especially high for the triad of platform regulation bills due to their cross-sectoral nature. Economic regulation can no longer capture how we deal with digital platforms, which permeate so many aspects of everyday life. This also became obvious in the public debate about the Directive on Copyright in the Digital Single Market in 2019, where the impact of sectoral regulation and its enforcement (i.e. “upload-filters”) had wide-ranging implications for media freedom and the opinion-forming process of EU citizens, raising the question of whether social media platforms should be subjected to media regulation.[4] In Germany, there was a similar discussion during the drafting of NetzDG on the topic of whether online platforms should be subject to media regulation rather than law enforcement.

The same questions arise for the enforcement of the DSA and DMA as well as the AI Act. The current bills employ various regulatory logics and have different goals. The coordination of enforcement therefore will be crucial for achieving the overarching vision.

1. Enforcing the Digital Services Act

Enforcing the DSA is one of the main challenges of the legislative initiative, given the many elements of co-regulation that further empower platform’s internal processes. Although lawmakers clearly want to end the period of self-regulation, they still conceive platform regulation as a task for both the state and the private actors. So far, one of the most important criticisms from politicians and civil society has been that large platforms did not do enough to prevent illegal content. While platform regulation should not encourage over-blocking, which is why overly strict sanctions are discouraged, at the same time, previous attempts at self-regulation have failed to be effective, which has spurred lawmakers to react. As already mentioned, the German NetzDG, as well, has its origins in the vacuum created by social networks failing to fulfil their self-obligations to combat online hate speech.

For purposes of supervision and enforcement of the measures provided for in the DSA, stipulated in Chapter 4 of the draft law, new authorities, known as Digital Services Coordinators (Art. 38 to 46), are to be created at national level. The coordinators of the various Member States are to form the European Board for Digital Services at the EU level (Art. 47 to 49). According to Art. 38, it is left to the Member States to create the competent authority as Digital Service Coordinator (DSC) and, possibly, to connect it to an existing body. Under Art. 39, the DSCs are to perform their tasks in “an impartial, transparent and timely manner,” as well as to “act with complete independence.” At the national level, the DSA mandates the formation of one central competent authority to perform the tasks, but more than one would also be accepted.

So far, only a few Member States have passed a law (beyond the eCommerce Directive) on intermediaries, so this is indeed a novelty for most Member States. Others have made progress in this area in recent years, such as Germany, in the form of the NetzDG. The question in Germany is whether the authority responsible for the NetzDG (the Federal Office of Justice) should also become a DSC. Another example is France, which has designated its media authority (CSA) with the oversight of platform regulation.

The DSCs are to be given far-reaching powers, both in supervision, enforcement and, if necessary, the imposition of sanctions. Accordingly, whether this task is entrusted to an authority with a focus on law enforcement or media regulation is a question of paramount importance. Moreover, the requirements laid out in Art. 39 DSA could constitute an obstacle to designating an agency like the German Federal Office of Justice, due to a lack of independence because it is subordinate to the Federal Ministry of Justice and Consumer Protection. The same requirements might also constitute an argument against the central role of the Commission as a regulator and, instead, in favor of a centralized EU Media Agency.

With regard to local competence, the draft follows the “country of origin principle” (Art. 40 DSA). According to this principle, the DSC of the country in which the service provider has its registered office or its legal representative according to Art. 11 DSA is responsible. If, in contravention to Art. 11 DSA, the provider has not appointed a representative, each member state is to be responsible for DSA enforcement.

2. Enforcing the Digital Markets Act

Although the DMA’s regulatory goal is quite different from the DSA, they are closely intertwined and are supposed to somehow form a regulatory entity named the “DSA Package” (by the Commission). The DMA prohibits large platforms, which by nature function as gatekeepers, from employing “unfair practices towards the business users and customers that depend on them to gain an undue advantage.” Particularly with regard to VLOPs, the scopes of application can overlap. According to Art. 3 DMA, a “provider of core platform services shall be designated as gatekeeper if: it has a significant impact on the internal market; it operates a core platform service which serves as an important gateway for business users to reach end users; and it enjoys an entrenched and durable position in its operations or it is foreseeable that it will enjoy such a position in the near future.” Assuming that a platform service has most impact on the market when it has high user numbers, many VLOPs will probably meet the requirements for gatekeepers, and vice-versa.

Unlike the DSA, the DMA does not stipulate the creation of a new competent authority in each Member State. Instead, the Commission will be the competent regulatory body – which comes as no surprise from a competition law perspective. The DMA’s scope of application is much smaller than the DSA because it targets gatekeepers only. The risk of diversity in interpretation and enforcement across the EU is of course the main argument against a decentralized enforcement model. A Digital Markets Advisory Committee (DMAC) shall be created to assist the Commission by providing national expertise (Art. 32). The role of the DMAC is purely of advisory nature. It shall be a Committee within the meaning of Regulation (EU) No 182/2011, which means it can be consulted at the Commission’s discretion and deliver non-binding opinions on technical questions.

3. Enforcing the AI Act

In April 2021, the EU Commission published its first draft of an Artificial Intelligence Act (AIA). It was (and still is) the first proposal worldwide to regulate AI and, therefore, much discussed by experts. Its very broad scope of application and its unusual structure are just some of its features that raise a lot of questions. From a platform regulation perspective, it seems necessary to include this proposal in the debate and to not overlook this interrelation between online platforms, market dynamics and the future of technology. Since social media platforms already use AI systems, for instance to perform content moderation activities (among others), there is an existing connection and we should expect the further implementation of AI applications to online platforms. Platforms will be concerned by specific transparency obligations under Art. 52 (1) AIA regarding the possible interaction between human users and ‘bots.’ Additionally, social media platforms might get involved with the obligations for the users of AI systems, since their business models are based on user-generated content.

Regarding the enforcement of compliance rules, there are similarities with the DSA on the governance mechanisms. Art. 56 AIA stipulates the creation of a European Artificial Intelligence Board (EAIB) and the designation of national competent authorities (Art. 59). Under Art. 59 AIA, the national supervisory authority shall “act as notifying authority and market surveillance authority.” The text is silent on the question as to whether the national competent authority could be the same as the DSA’s DSC. Complementing the Explanatory Memorandum (sec. 5.2.6.), the AIA’s Preamble is more explicit on the oversight and enforcement mechanisms. According to recital 77, “Member States hold a key role in the application and enforcement.” Indeed, the appointment and the configuration of the competent bodies’ responsibilities and functions is the responsibility of the Members States. The problem is that the expected shortcoming regarding enforcement mirrors other weak points of the draft law. Due to the fact that it is “stitched together from 1980s product safety regulation, fundamental rights protection, surveillance and consumer protection law,” its enforcement risks staying behind expectations.

Enforcement coordination: a blind spot?

The EU Commission’s overall goal is a comprehensive legal framework for a digital public sphere that would promote the protection of fundamental rights and European values. It was not a coincidence that the Commission published the proposals within a few months of each other. Moreover, it is quite explicit about its ambition to provide a framework that could serve as a model for non-European countries. Given this strategic positioning, one would expect it to take sufficient account of the possible synergies in the enforcement of these new regulatory frameworks and to propose a consistent (and not only sector-specific) governance model. The next subsections will assess whether the current proposals provide sufficient coordination mechanisms for a coherent platform governance model.

1. Among the new authorities

First, the draft laws could contain a proposal for a horizontal coordination between the new authorities created, as well as with existing public authorities in the digital sector such as the Data Protection Authorities (under GDPR).

Art. 38 (2) DSA stipulates that the DSCs “shall cooperate with each other, other national competent authorities, the Board and the Commission.” Cross-border cooperation among DSCs is planned under Art. 45. Furthermore, all DSCs are mandated to form a European Board for Digital Services (Art. 47 to 49 DSA). The role of the European Board for Digital Services (EBDS) is to advise the DSCs and the Commission in order to achieve the consistent application of the DSA, especially with regard to the supervision of VLOPs. The EBDS thus represents an opportunity for DSCs to exchange and consult at EU level on the supervision and enforcement of the DSA.

Regarding horizontal coordination with the bodies proposed in the DMA and the AIA, there is nothing in the texts so far, although there is a high probability that competences of the various regulations will overlap, for the following reasons:

  • The DSA does not mention the DMAC. The DMA mentions the DSA as the complementary law and the coherence between the two as far as regulatory objectives are concerned, but not the possible cooperation between the DSCs and the DMAC. On the one hand, the missing nexus is understandable, as the DMAC is not an enforcement agency, but merely fulfils a consultative function. On the other hand, a formalized connection between the EBDS and the DMAC is desirable, in order to possibly issue joint statements and recommendations.
  • The AIA, too, mentions its consistency with the DSA, but no coordination mechanism between the EAIB and the EBDS or the DMAC. It does, however, stipulate cooperation with the European Data Protection Supervisor.

2. Between the European Commission and the new authorities

Second, consistent enforcement of new regulation could be achieved by virtue of a vertical coordination between the EU Commission and the new authorities. In this respect, the three drafts analyzed are somewhat more informative.

In the DSA there are a couple of connections between the Commission and the new authorities:

  • As already mentioned, Art. 38 (2) stipulates that the DSCs shall cooperate with the Commission. They are effectively reporting to the Commission, e.g. about certifications of out-of-court dispute settlement bodies (Art. 18 (5)) and trusted flaggers (Art. 19), about annual reports (Art. 44) and in cases of cross-border cooperation (Art. 45).
  • The Commission is involved in many aspects of the DSA, such as issuing guidance for trusted flaggers under Art. 19 (7) or the mitigation of risks by VLOPs (Art. 27 (3). Sometimes the Commission will function in a manner detached from the DSCs, as in the development of standards and codes of conduct (Art. 34-37). However, most actions are planned to be taken in agreement with the DSCs.
  • The connection between the Commission and the EBDS is expected to be close. Under Art. 48 DSA, the EBDS will be chaired by the Commission, which will also set the agenda.

Under Art. 59 (6) AIA, the Commission will be in charge of facilitating the exchange among the national competent authorities, but not in a cross-sectoral manner, that is, between the AIA and the DSA – although (as previously mentioned) there might be overlaps with regard to the addressees. Regarding the DMAC and the EAIB, the connection to the Commission is very close, given that they act as advisory bodies to the Commission. They, too, shall be chaired by the Commission (Art. 57 (3)), who will also set the agenda.

Conclusion: Do all roads lead to Brussels?

As mentioned in the beginning, the DSA is at the heart of the EU’s platform regulation. Hence, it is reassuring that, at least within the DSA, both horizontal and vertical cooperation between the DSCs themselves and between the DSCs and the Commission are intended. Of concern, however, is the fact that there is no discernible institutional cooperation between the new authorities of the different bills. It seems as if the conception is that the laws will be enforced completely independently of each other and therefore there is no need for coordination. The lack of horizontal cooperation gives the impression that the EU – contrary to its stated intentions – does not have a strategy thoroughly thought out to the end. Perhaps this shortcoming could be balanced by the central role of the Commission. But should all of the responsibilities ultimately lay with the European Commission?

Experts have welcomed the proposals and, especially in case of the DSA, lawmakers’ focus on oversight and enforcement mechanisms. Many have highlighted the need to learn from the experience with the GDPR. Most have stressed the need to further conceptualize the proposals’ ideas and think ahead of the interpretation by enforcers and courts. The brief assessment of vertical and horizontal coordination in this paper confirms this impression. There is currently a window of opportunity to “lay out a more detailed system of EU-wide cooperation” and to create an interlinked “ecosystem of oversight.”

 

A longer version of this text was first published on November 23, 2021 by the Heinrich-Böll-Stiftung Tel Aviv office and the Israel Public Policy Institute as part of the German-Israeli Tech Policy Dialog. The opinions expressed in this text are solely that of the author/s and do not necessarily reflect the views of the Heinrich-Böll-Stiftung.


[1] Note that all references in this text to the DSA, DMA and AI Act refer to the proposals in their first-draft version.

[2] Unlike the UK: Draft Online Safety Bill, retrieved from https://www.gov.uk/government/publications/draft-online-safety-bill

[3] Preamble to the DSA Proposal, recital 56, p. 31.

[4] In France, for instance, the oversight has so far been attributed to the media regulator: Conseil Supérieur de l’Audiovisuel.