Who’s Afraid of the DSA?

The Digital Services Act goes into effect for the largest online platforms and search engines today, writes Tech Policy Press staff writer Gabby Miller.

From today, the largest tech companies must comply with the European Union’s Digital Services Act (DSA). But, many of the details of how the law will be enforced are still being worked out.

The enforcement of the DSA follows that of the Digital Markets Act (DMA), which went into effect on May 2. The pair of laws were passed last year to create a safer, more open internet and level the playing field for businesses. While the world looks on at how enactment and enforcement will play out in the long run, digital intermediaries must now settle into new DSA compliance responsibilities, such as making it easier to remove illegal content on their platforms and clamping down on disinformation, limiting certain data and targeting practices, and eventually providing data to independent researchers.

The laws apply initially to nineteen Very Large Online Platforms (VLOPs) and Search Engines (VLOSEs). The European Commission issued its first round of designation decisions on April 25, 2023 to seventeen platforms and two search engines that each reach at least 45 million monthly active users. These include social media and platforms including Facebook, LinkedIn, YouTube, Instagram, and Twitter; commerce platforms such as Amazon, Zalando, and Alibaba’s AliExpress; and the search engines Google and Bing.

Not every company was pleased to receive the designation. This summer, German online retailer Zalando and Silicon Valley giant Amazon filed separate legal actions to the European General Court–Europe’s second highest court–challenging their classifications as VLOPs. In a June statement to Reuters, Zalando accused the European Commission of misinterpreting its user numbers for its “mainly retail business model.” Exactly two weeks later, on July 11, Amazon alleged in its suit that it was being “unfairly singled out,” claiming that, outside of the US, it is not the largest retailer in any other country where it operates.

Special attention is being paid to Twitter, now X, which earned a spot on the VLOP list. The platform’s owner, Elon Musk, famously hates regulation and abandoned the European Union’s Code of Practice on disinformation in May. In response to X’s exit from the Code this spring, the European Commissioner who oversees digital policy, Thierry Breton, tweeted that Twitter can run but “can’t hide” and that by August 25, fighting disinformation will be a legal obligation under the DSA.

Breton has since traveled to Silicon Valley to conduct a voluntary “stress test” on X ahead of today’s compliance deadline. He claimed both Musk and CEO Linda Yaccarino took the exercise “very seriously.” Musk, in an interview with the France 2 TV channel, also promised that X will “obey the law.” So far, the company has not released any public documentation of its plans for compliance.

All designated online platforms and search engines have four months to fully comply with the DSA obligations or risk fines of up to six percent of a company’s global turnover. Repeated breaches could even result in a full-on ban of operations within the EU.

Table: Gabby Miller/Tech Policy Press

Google, Meta, Microsoft, Pinterest, Snapchat, TikTok, and Wikipedia have all published detailed compliance plans ahead of today’s deadline. (See the AirTable chart above for a summarized version of these plans, which will be updated if and when new statements become available.) At the time of publication, Tech Policy Press has not received compliance plans from any of the other seven companies listed. An Apple spokesperson did, however, provide in an emailed statement that “the goals of the DSA align with Apple’s goals to protect consumers from illegal and harmful content” and they are “working to implement the requirements of the DSA with user privacy and security as our continued North Star.”

Compliance requirements outlined by the DSA broadly address greater user empowerment, stronger protection of minors, more transparency and accountability, and more content moderation. Regulated companies also must publish their first annual risk assessments to the Commission by the end of the year. Details remain sparse for some key obligations, though.

Questions continue to swirl around how exactly risk will be defined. The current working definition under the DSA’s Article 26 remains vague, leaving it largely up to tech companies to decide what will rise to the level of “systemic risk” in this first round of assessments. What additional data tech firms must provide and how it will be shared with vetted researchers and independent auditors to fulfill Article 31's transparency obligations, while remaining General Data Protection Regulation (GDPR) compliant, is still to be determined.

The next major DSA deadline is just six months away.

On February 17, 2024, the DSA will fully apply to all digital services, including companies below the threshold of 45 million monthly users. Enforcement will be a huge undertaking for member states’ respective Digital Services Coordinators (DSC). While the European Commission oversees DSA compliance for Very Large Online Platforms and Search Engines, the coordinators are tasked with application and enforcement for all other digital services in their respective member states, explained Julian Jaursch, a project director at Stiftung Neue Verantwortung (SNV) who’s written extensively about what a strong DSC model should look like.

“Everyone talks about Tiktok, Instagram, Google Search, but there's thousands of smaller online marketplaces, online forums, and social media sites that are a bit smaller, maybe national or language or topic-specific” that will need oversight, Jaursch said.

These smaller but still significant platforms and search engines often don’t have the big budgets and legal teams that designated companies like Meta do. They’re also structured much differently from one another, leaving the companies to figure out how different DSA provisions will apply to them with little guidance. In Germany alone, there are more than 5,000 non-VLOPs, according to a calculation by its government.

Few have officially begun the DSC selection process. Farthest along is Ireland, which recently named John Evans as the Digital Services Commissioner of its broadcasting and online media regulator Coimisiún na Meán. France has designated Arcom, the Audiovisual and Digital Communication Regulatory Authority, as its coordinating authority. And three weeks ago, after months of internal political conflicts, Germany released its DSC proposal.

Even as the law comes into effect for the largest tech firms today, “it will still take some time to build up the platform oversight structures, both within the member states and the European Commission, to actually enforce the DSA. It's a huge task,” Jaursch said. It will likely be years before we can judge whether the law works and what areas need improvement. But, as Jaursch warned, Brussels must deliver, given the global political stakes.