No 1 of our blogpost series: ‘Very large online platforms’ and ‘very large online search engines’ – how are they designated and what does it mean?
1. A short recapOn 25 April 2023, the Commission published the names of the first online platforms and search engines which have been designated as ‘very large online platforms’ (VLOP) or ‘very large online search engines’ (VLOSE) and which will face the most stringent set of rules under the Digital Services Act (DSA).
This is the first post of a series of blogposts focusing on the DSA’s key elements, such as its liability regime, the main due diligence and transparency obligations and the new enforcement structure. Today, we will take a closer look at the designation of VLOP and VLOSE and what that means for those providers whose services have been designated.
2. The Commission’s designation of a service as a VLOP or VLOSE and its consequences
The ‘monthly active recipient’ assessment: A challenging process for service providers
The first major milestone after the DSA entered into force last year was due on 17 February 2023: By then, providers of online platforms and inline search engines had to publish information on the number of the monthly active recipients (MAR) that engaged with each of their services on average during the last six months (Art. 24(4) DSA). This information was intended to enable the Commission to determine the reach of each service in the Union and to decide whether these services could pose a systemic risk to the online safety of European users due to their size, justifying the intensified compliance obligations for providers of VLOP and VLOSE. According to the European legislator, the threshold for this is currently 45 million monthly users, roughly 10% of the EU’s population.
The preparations for 17 February 2023 offered a first glimpse into the challenges service providers face when implementing the DSA: A result of an ambitious negotiation process, the DSA introduces new concepts and obligations but provides relatively little detail on its requirements, leaving ample room for interpretation. A good example for this is developing a methodology for calculating MAR figures – a first practical challenge for providers of online services.
Besides some basic information in Recital 77 and a rather high-level Q&A guidance document published by the Commission in early February 2023, no specific methodology on the requirement to publish user numbers has been given. Up to now, platform providers have dealt differently with the obligation. While some provided detailed reports on individual websites exclusively dedicated to the DSA, others restricted their publication to a brief statement on the threshold of 45 million at the end of the imprint or policy sections of their public websites.
We have worked with several international companies to prepare for this first obligation and to find the best possible solution for each client, factoring in the global nature of their businesses and wider company policies. Given the rationale for the publication (allowing the Commission to designate the VLOP and VLOSE) and the wording of the DSA („information on“), in our view, it appears sufficient to indeed include a brief statement on whether the threshold is met or not – in cases where there is doubt, the Commission would still have the opportunity to ask for further information. What would the additional value be of publishing an exact number? In the end, it doesn’t matter and there is no reason to publish whether a service has 1,000, 900,000 or 25 million monthly users as long as the number is below the threshold. Similarly, if the threshold is exceeded, it doesn‘t make a difference whether the number is 45 million or 80 million. While the general public and authorities may be interested in this information, the narrow rationale for the publication of this information has to be kept in mind at all times.
The Commission’s designation decision and its impacts
On 25 April 2023, the Commission designated 19 providers as VLOP or VLOSE based on the published user number data. Most of these services will be used by an average European citizen daily: Alphabet’s Google Maps, Google Play, Google Shopping and Youtube, Meta’s Facebook and Instagram, Amazon’s Marketplace and Apple’s App Store. Others are also familiar names in the digital space: Microsoft’s LinkedIn, booking.com, Pinterest, Snap Inc’s Snapchat, TikTok, Twitter, Wikipedia, Zalando and Alibaba’s AliExpress, whereas Bing and Google Search have been designated as VLOSE. The Commission’s designation decision – if not successfully challenged – will have far-reaching consequences for those affected:
First, the DSA applies on VLOP and VLOSE already four months after the designation decision. This means that designated providers will have to comply with the full set of new obligations under the DSA by 25 August 2023 – almost six months earlier than all other service providers in scope, for which the obligations become binding only from 17 February 2024 onwards.
Second, in addition to the obligations applicable to all online platforms or online search engines, respectively, Section 5 of Chapter III of the DSA introduces a stringent set of compliance obligations specifically for VLOP and VLOSE. Given that the obligations address the perceived risk that VLOP and VLOSE might pose a systemic danger to online safety, these additional obligations aim at identifying and managing these systemic risks, enhancing transparency for users and providing robust content moderation tools. Relevant systemic risks include, for example, the dissemination of illegal content to a broad audience, the danger to impair civic discourse and electoral processes in the Union, or negative impacts on the exercise of fundamental rights, and threats to public health or the safety of minors.
Key compliance obligations providers of designated platforms and search engines now face include:
- Risk assessment and mitigation: VLOP and VLOSE must analyze systemic risks that might be caused by the design of their platform or the functioning of their service, including, for example, use of algorithms. Once these systemic risks have been identified, they need to implement reasonable and effective risk mitigation measures. Such measure can include adapting the design of the online interface, the terms of services or content moderation processes.
- Independent audits: Once a year, providers must allow independent auditors to assess whether they comply with the obligations set out in the DSA at their own expense. For this purpose, the auditors may access relevant data and premises and pose oral or written questions. An audit report will be published following the assessment that includes a statement on whether the provider complied with the obligations in a ‘positive’, ‘positive with comments’ or ‘negative’ manner. On 5 May 2023, the Commission has published a draft for a delegated regulation specifying the rules for such audits.
- Increased transparency: To increase the transparency of their services for users, VLOP and VLOSE need to provide clear information on why users are recommended certain information and have to offer the right to opt-out from recommendation systems based on profiling. They will need to publish repositories of all ads served on their interface as well as an easily understandable, plain-language summary of their terms and conditions and bi-annual reports on content moderation, including the resources they use in that activity.
- Data access and scrutiny: The Digital Services Coordinators in the EU Member States and the Commission can request access to the data of VLOP and VLOSE which are necessary to monitor the compliance with the DSA. In addition, providers have to grant access to their data to vetted researchers for the sole purpose of conducting research that contributes to the detection, identification and understanding of systemic risks in the Union.
- Supervisory fee: The DSA introduces obligations for VLOP and VLOSE to pay the Commission an annual supervisory fee to cover the costs of the Commission in relation to its supervisory tasks. On 2 March 2023, the Commission adopted a Delegated Regulation which specifies the methodology and procedures to calculate and levy the supervisory fee, provides further details on the calculation of the overall estimated costs to be covered with the levied fees and on the determination of the individual fees.
The obligations will be enforced by the Commission as the main enforcement body for supervision and enforcement of the DSA vis-à-vis VLOP and VLOSE. In doing so, it is expected to work in close cooperation with the Digital Services Coordinators in the supervisory framework established by the DSA and is also bolstering its internal expertise from various relevant sectors. For example, the recently launched European Centre for Algorithmic Transparency (ECAT) will provide support with assessments as to whether the functioning of algorithmic systems is in line with the risk management obligations.
The road ahead
Providers of online services have to update the published information on their MAR numbers once every six months from now on. If the number should fall below the threshold of 45 million MAR for the period of one full year, the Commission will terminate the VLOP or VLOSE designation and providers can limit their compliance efforts to those obligations applicable only for online platforms or online marketplaces again.
The Commission has already indicated that it will look into designating further providers based on the data published until February and other information available to it. Due to the far-reaching consequences that come with the designation decision, providers of designated online services will carefully assess whether the Commission based its decision on correct information and whether the designation was lawful. It remains to be seen how service providers will deal with the additional obligations for their designated services or whether they will decide to challenge the designation decision in court.
