DSA launch, platform obligations, and enforcement challenges – the Digital Services Act is another piece of transforming online regulation in Europe. With the DSA rolling out new rules, many are asking how effectively they’ll be implemented. We posed three key questions to Dr. Tobias Mast, expert advisor to the German Bundestag on the DSA, to get his insights on the launch, the hurdles ahead, and how the DSA aims to balance the scales between platforms and users.
How did the launch of the Digital Services Act (DSA) go, and which processes and mechanisms have already been implemented?
The DSA was drafted and passed quite quickly, especially compared to the General Data Protection Regulation (GDPR). The first obligations affected platforms as early as November 2022, in preparation for the full implementation of the DSA in February 2024. This has overwhelmed many companies and Member States. The DSA sets requirements for many more platforms than, for instance, the German Netzwerkdurchsetzungsgesetz (Network Enforcement Act, NetzDG) did. Smaller platforms, in particular, have been slow to meet their legal obligations. For example, Article 24(5) of the DSA requires that all moderation decisions and their justifications be entered into a database operated by the European Commission – in reality, however, only a small fraction of those obligated are currently doing so.
Germany has also found it challenging. The German Digitale-Dienste-Gesetz (DDG), which implements the DSA, could not be finalised until May 2024. As a result, the Bundesnetzagentur (Federal Network Agency) initially had to act as a “designated” Digital Services Coordinator in correspondence to European and third-country authorities. The fact that, alongside the Federal Network Agency, the Landesmedienanstalten (state media authorities), the Bundeszentrale für Kinder- und Jugendmedienschutz (Federal Agency for Child and Youth Protection in the Media), and the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (Federal Commissioner for Data Protection and Freedom of Information) are also responsible for implementing the DSA under § 12 DDG will also require considerable coordination. However, it’s understandable that these issues are arising at the start. As a country with relatively progressive internet laws, Germany has had to undertake a substantial overhaul of its existing regulations. Previously less committed countries were faced with the task of first creating the corresponding authority structure and adapting to the ambitious set of rules.
Where do you see obstacles in implementing the DSA, have sufficient lessons been learned from enforcing the GDPR?
Like every EU legal instrument, the DSA aims for a uniform and effective application across the Union. However, this goal is challenged by the fact that “Big Tech” – the largest digital companies, such as Alphabet (Google), Meta (Facebook, Instagram), and others – have relocated their European headquarters to Ireland for tax reasons. As was the case with the GDPR, under the so-called country-of-origin principle, the enforcement of the DSA is primarily the responsibility of the regulatory authority in the Member State where the company is based. In data protection law, this bottleneck role fell to Ireland, which, according to many, did not meet the demands.
The DSA has learned from this by shifting certain powers to the European Commission and strengthening cooperation among national authorities. Furthermore, it appears that the Irish DSA authority is taking its role seriously, as highlighted by its recently adopted “Online Safety Code”. Beyond this, the DSA, as a new regulatory framework, faces the typical challenges: its provisions need to be systematically analysed and clarified, particularly by the European Court of Justice; responsible authorities must recruit skilled staff, continue training, and foster productive exchanges. It’s up to the European Commission to keep the DSA’s provisions up-to-date through delegated acts so that they remain relevant to evolving risks within the platform economy.
Can the DSA address the power imbalance between online platforms and their users?
The DSA certainly makes a substantial effort to do so. It offers various means for users to assert their rights and raise concerns about issues on platforms. Anyone who believes that a moderation decision affecting them is incorrect can appeal it—sometimes at multiple levels. Individuals can also report platform misconduct to the coordinating authority. In addition, platforms are encouraged to design their algorithmic recommendation systems and interfaces in ways that support user autonomy. Moreover, platforms must be increasingly transparent with both authorities and the interested public. With its EU-wide approach, the DSA also prevents platforms from simply withdrawing from a highly regulated country; the European single market is too large for that. Fines linked to annual revenue ensure that even the largest companies can be penalised meaningfully.
Whether specific requirements, such as the crisis response mechanism expected of the largest platforms or the obligation to reduce systemic risks arising from their services, will be effective remains to be seen. However, the DSA is undoubtedly the world’s most ambitious attempt to regulate online platforms in line with fundamental rights and user autonomy. Given the pioneering nature of this regulation, weaknesses and areas for critique are inevitable. Therefore, the DSA should not be seen as a final step but rather as the current stage of development, which must keep pace with real-world changes from now on.
The views and opinions in this article do not necessarily reflect those of the Heinrich-Böll-Stiftung European Union.
