The European Union is in the process of adopting its Digital Services Act (DSA), a law that will govern how content can be shared and viewed online. But this landmark legislation won’t help secure our rights without strong enforcement.
The enforcement mechanism of the DSA hasn’t shared the same spotlight other “hot topics” received throughout the ongoing legislative negotiations, but it is an incredibly important one. Without effective and properly functioning enforcement, the future “content moderation rulebook” that should revolutionise the platform governance model will remain an empty shell.
This is not the first time that the European Union has set itself up to be the forerunner in internet regulation. Back in 2018, the internationally acclaimed General Data Protection Regulation (GDPR) was labelled the new world standard for privacy and data protection. While the GDPR is a legislative success, it has been an enforcement failure. The blame is often placed at the feet of insufficiently funded and understaffed Data Protection Authorities (DPAs), whose slow action has left a huge number of complaints — from both individuals and NGOs — unaddressed. But, in reality, this is just one part of a much more complicated story.
So what can the EU learn from its experience with the GDPR to ensure strong enforcement of the DSA?
What went wrong? GDPR as a legislative success but enforcement failure
Although the lack of sufficient funding and adequate resources for national DPAs are one of the culprits responsible for GDPR’s slow enforcement, the most significant issue is the complexity of the so-called “one-stop-shop” mechanism, and the lack of harmonisation between national procedures.
Through the “one-stop-shop”, an individual can bring a data protection complaint to the authority in the country where they live, even if the company against which they lodge the complaint is located elsewhere. Companies can also designate one country as their “main establishment” to ensure that any complaints received against them are funnelled into the one DPA. In practice, if a user in Latvia files a complaint against Facebook — whose “main establishment” is in Ireland — it will be the Irish Data Protection Commission (DPC) that leads the investigation, but it will have to consult with the Latvian DPA, as well as any other authority that may have interest in the case, to protect the rights of people living in their jurisdictions. While online platforms have to deal with only one authority, people have to pass through several authorities and courts in order to get their rights protected. This process also creates a risk of forum shopping and bottlenecking as companies are allowed to select the particular authority they wish to deal with.
We have conducted in-depth, ongoing research on GDPR enforcement, and have identified the main areas that create hurdles for the “one-stop-shop” mechanism:
- Inadequate communication exchange between national authorities;
- Lack of strict deadlines to answer requests for investigation and enforcement;
- Differences and contradictions between national procedures; and
- Difficulty in determining companies’ main establishment.
This research has invaluable lessons for future enforcement mechanisms of the DSA. If properly addressed, the DSA proposal will not risk becoming another “paper tiger.”
The DSA’s enforcement layers
At first glance, it seems that the European Commission’s DSA proposal sets a course in the right direction for enforcement, with a layered enforcement system to avoid the GDPR bottleneck scenario, calibrated with the newly established enforcement powers of the Commission. This, however, opens the door to a number of difficulties.
The Coordinator level
The first layer of DSA enforcement relies on Member State-appointed Digital Services Coordinators who are responsible for supervising intermediary services at the national level. In order to secure direct communication between regulators and online platforms, the DSA proposal requires all providers of intermediary services to establish a single point of contact or a legal representative in one of the Member States where they provide their service (see Articles 10 and 11 of the DSA proposal). The biggest similarity between GDPR’s “one-stop-shop” system and the DSA proposal is the central role of Digital Services Coordinator in the platform’s country of establishment — or the Coordinator of Establishment — that has sole jurisdiction over cross-border cases (Article 40 of the DSA proposal). This time, however, it seems that the Commission thought ahead, and included strict deadlines that the Coordinator must comply with when answering investigation and enforcement requests from another Coordinator or the European Board of Digital Services — an independent advisory body gathering national Digital Services Coordinators. The design of the DSA’s first enforcement layer creates a scenario of fast-moving enforcement, where, in stark contrast to the GDPR’s years-long deadlock, decisions are delivered within months.
The European Commission/VLOP level
The second layer of the DSA enforcement mechanism concerns only Very Large Online Platforms (VLOPs), and allocates strong enforcement powers to the European Commission which would become the main VLOP regulators. This would exclude oversight from Member States, and could significantly weaken the position of the European Board of Digital Services in the enforcement scheme. The justification behind such centralisation is to safeguard efficient and fast oversight of the VLOPs’ operations. Furthermore, some believe that the centralised oversight will help the EU to intervene in those Member States with a severe lack of independence in their judiciary and where the regulators are controlled by the State. However, expecting from one legislative proposal to fix Irish, Luxembourgish, Hungarian, and Polish problems at once is naive, and potentially dangerous.
However, importantly, the European Commission is the first and foremost executive body of the European Union, and the separation of powers is the key safeguard that provides for checks and balances, preventing one public authority from abuse of these powers and dismantling democratic order. It is an essential precondition for the functioning of the rule of law. While the logic behind the DSA’s centralised oversight over VLOPs’ is understandable to some extent, it creates a space for potential democratic deficit in the core of the EU institutional framework.
The Commission is now empowered to issue non-compliance decisions (Article 58) and to impose fines on VLOPs (Article 59). And, based on the wording of compromise amendments currently being discussed by the European Parliament reviewed by Access Now, some Members of the European Parliament intended to grant a special set of interim measures that would enable the Commission to directly remove content or to restrict the access to an online interface in cases of repeated violations by VLOPs. Equal distribution of powers among public institutions does not only safeguard democratic discourse, it also prevents the possibility of corporate capture. To this day, it is unclear what enforcement unit of the European Commission will be in charge and how its independence will be secured — so would centralised enforcement solve the problem, or simply move it from a few underperforming states to Brussels?
Setting up DSA enforcement for success
Finding the perfect balance for enforcement at the EU level is proving to be the most difficult, yet important, challenge for any tech policy regulation. Three years under the GDPR has offered us key learnings for EU institutions, while spotlighting some successes. As we could soon discover, empowered, fast-moving Coordinators of establishment may pave a way for robust, speedy enforcement, but could face major roadblocks if unchecked power is handed to the Commission. A cooperation model rather than a centralised one, with clear deadlines and harmonised procedures at EU level, coupled with actionable procedures, will go a long way in ensuring strong enforcement, and the DSA’s success.