By Peter Schaar
Just before Christmas, the European Commission gifted us with a draft Digital Services Act (DSA) – COM (2020) 825 final of 15.12.2020. The new regulatory framework aims to better protect consumers and their fundamental rights online, create a powerful and clear framework for transparency and accountability of online platforms, while improving innovation, growth and competitiveness of the European economy.
Even though the Commission has opted for the regulatory instrument of a regulation (i.e., an EU law directly applicable in all member states), the draft leaves the member states largely free with regard to the definition and handling of illegal content, access and monitoring measures by government agencies. For this reason alone, there can be no real talk of full harmonization.
No paradigm shift
Those who expected the DSA to bring about a paradigm shift toward open data and open standards are likely to be disappointed. The DSA does contain additional transparency rules and provides that the general functioning and parameters of the algorithms used by large online platforms are to be disclosed. However, there is an obligation to ensure access to data only for very large online platforms. It is also limited to scientists and finds its limits when security concerns, trade and business secrets are affected.
A significant innovation is the differentiation of legal requirements according to the functionality, size and importance of the respective services and the associated enforcement mechanisms. The functional differentiation is made between intermediation, hosting and online platforms. While the previous liability privileges remain in place for intermediary and hosting platforms, online platforms are held more accountable. The extended requirements for online platforms relate specifically to dealing with illegal content and manipulative practices, for which new transparency obligations are also introduced.
The obligations of service providers are graduated according to company size. Micro and small companies are exempted from a number of obligations. In contrast, additional requirements are provided for “very large online platforms” that reach more than 10% of the EU population (45 million). Such platforms must align their internal structures with the requirements of the DSA (risk management and compliance), make their recommendation systems transparent and give users appropriate choices, ensure data exchange with authorities and research, establish codes of conduct and cooperate with authorities in the event of a crisis. They must also systematically examine how their actions affect democracy.
The DSA does not provide for independent supervision, such as that envisaged in the General Data Protection Regulation (GDPR). The task of enforcing the requirements of the regulation is assigned to national authorities (in particular to “Digital Services Coordinators”), which are to be supported by a new European body for digital services. Violations are to be punishable by fines of up to 6% of annual turnover. By comparison, the maximum sanction for data protection violations under the GDPR is 4%. Proceedings against very large online platforms are reserved for the European Commission.
Points of contact with data protection
Even though the DSA is intended to leave the provisions on data protection untouched, there are a number of points of contact and overlaps with the GDPR and other data protection regulations. For example, personal data is processed in many cases – in view of the enormous and growing possibilities for linking, more and more data can be assigned to individual persons.
All specifications as to how this data is to be handled accordingly concern the data protection guaranteed by Art. 8 EU-ChFR. This applies to both the metadata and the content. Obligations to cooperate and surrender such data to government and private bodies (for example, in the case of suspected criminal acts or copyright infringements), as well as processing, blocking and detection systems, are always also relevant to data protection and must comply with the principle of proportionality. In addition, algorithmic systems that make decisions themselves in an automated manner or prepare them, just like the recommendation systems mentioned in the draft, are also subject to rights and obligations under data protection law, which are not restricted by the DSA.
Finally, there are overlaps in supervision. For example, it should be clarified that the authorities responsible for the supervision of services should in principle be obliged to notify the competent data protection authorities of any breaches of data protection rules they have identified. The European Digital Services Board should coordinate recommendations, specifications or procedures with data protection relevance with the European Data Protection Board.
To return to the initial question: The DSA is not the “silver bullet,” as the Commission itself also states. But the new legal act can become another important building block of a Europe-wide legally secure data infrastructure that respects citizens’ and consumers’ rights. To this end, however, it is necessary to eliminate the identifiable weaknesses. We look forward to the corresponding proposals from the European Parliament.