The European Union has confirmed the names of over a dozen platforms that will face the strictest level of regulation under its recently rebooted and expanded ecommerce rules, aka the Digital Services Act (DSA).
The list is a mix of familiar digital services, from social media apps to search engines and app stores — with no real surprises. The lion’s share of regulated platforms are developed by US based for-profit firms, with a few international (mostly European) players in the mix, and one non-profit (the online encyclopedia Wikipedia).
The full list of 19 platforms that are being designated in this first wave is as follows:
- Alibaba AliExpress
- Amazon Marketplace
- Apple AppStore
- Google Play
- Google Maps
- Google Search
- Google Shopping
The listed platforms that have been confirmed meet the criteria as either very large online platforms (VLOPs) or very large online search engines (VLOSEs), in the regulation’s jargon. (Actually, just two VLOSE are being designated at this point (Bing and Google Search); the other 17 are all VLOPs.)
A VLOP or VLOSE designation carries extra requirements to assess and mitigate systemic risks attached to the use of algorithms and AIs, meaning the platforms must be proactive about analyzing and reporting potential issues related to the operation of technologies like content ranking tools and recommender systems.
The EU’s idea is to use mandatory algorithmic transparency requirements to drive accountability — meaning regulated platforms won’t be able to turn a blind eye to AI-amplified harms as the law also requires they put in place “reasonable, proportionate and effective mitigation measures” for identified risks, with their reporting and mitigation plans subject to independent audit and oversight by the European Commission (with the support of a newly opened European Center for Algorithmic Transparency). While penalties for non-compliance can scale up to 6% of global annual turnover.
Risks they must consider include AI-driven or algorithmic harms to fundamental rights like freedom of expression; civic discourse and electoral processes; public security and public health; gender-based violence; child safety; and mental health.
The regulation also imposes some limits on microtargeted advertising — with a prohibition on processing sensitive data for ad targeting or the use of children’s information. While marketplaces have some requirements to check the identity of sellers.
Users of VLOPS/VLOSE must also be provided with clear information on why they are recommended certain content; and have the right to opt-out from recommendation systems based on profiling — applying pressure to ad-funded business models, such as Meta’s, which hinge on tracking and profiling web users.
Elsewhere, the regulation demands platforms have clear T&Cs — and enforce them diligently and non-arbitrarily.
The principle criteria for being regulated as a VLOP/VLOSE under the DSA is to have more than 45 million monthly active users in the EU. Platforms were required to report their numbers to the EU back in February so the Commission could begin the process of designation.
To say that some of the named platforms may be rather unprepared for this special regime of DSA compliance is an understatement: The Commission already warned Twitter last November of the “huge work” it faces to comply with the bloc’s rules.
Since then Twitter’s erratic owner, Elon Musk, has only continued to channel abject chaos — such as, for example, dismantling the platform’s legacy verification system which had granted Blue Checks to notable accounts and replacing that long-standing authenticity signal with a scammers’ paradise since anyone willing to pay Twitter $8 a month can now buy a faux Blue Check which mimics the look of the old system but does not involve any meaningful verification check.
Musk has also demonstrated a penchant for making arbitrary and even spiteful decisions — banning users at whim and even removing some legacy verifications sooner than others (apparently just for the lols) while also paying for a handful of celebrities to retain their Blue Checks, creating the (false) impression that they have paid Musk for the badge — none of which seem likely to sit well with DSA requirements for plain and fair dealing.
Another requirement that platforms have a mechanism for users to flag illegal content and act on notifications expeditiously similarly looks tricky for Twitter under Musk — given it’s already facing enforcement by the German government for failing to take down illegal hate speech under the country’s illegal hate speech regime.
The pan-EU DSA also requires VLOPs to support researchers by, in the first instance, providing access to publicly available data — and later on (via delegated act) establishing a special mechanism for vetted researchers so they can conduct research into systemic risks in the EU. And, yet again, Musk has raced in the opposite direction — drastically reducing third party researchers’ access to platform data by cranking up the cost of using Twitter’s APIs.
It’s almost as if the regulation was drafted with Musk in mind. But of course its drafting long predates the billionaire shit-poster’s tenure at Twitter.
While the DSA certainly has its critics, the prospect of a broader backlash against the EU’s approach to updating its digital rulebook seems rather less likely than it might have been had Musk not taken his accelerated wrecking ball to Twitter over the past half year or so.
Suddenly, the prospect of responsible, non-arbitrary management being a requirement that’s imposed on major platforms start to look kind of necessary/prescient.
There is still a grace period before these larger platforms are expected to be compliant with the DSA but it’s now just a matter of months: Firms that have been designated VLOPs/VLOSEs have four months to comply with obligations under the DSA — which includes publishing their first risk assessments — so the 19 listed services (and dozen companies plus one non-profit) face a busy summer ahead if they’re to meet the August 25 compliance deadline without breaking a sweat.
Twitter certainly has its work cut out if it’s to avoid a world of regulatory pain couple with the existential risk, were Musk were to opt to keep flouting the rules, of a regional shutdown being imposed on it. Albeit, no political body is going to want to be the one ordering a Twitter shutdown so there would likely be an extended showdown of financial enforcements prior to such a terminal step.
VLOPs/VLOSEs must also comply with the general provisions of the DSA, which will apply more broadly to digital services and smaller platforms from early next year, placing obligations on how they must respond to reports of illegal content, as well as in areas like notice and action mechanisms and complaint handling, in addition to transparency obligations and plenty more.
The Commission has suggested (via Politico) that there could be a second batch of VLOPs/VLOSE designations in the next few weeks as it said it will be conducting checks on some other platforms which told it they do not meet the criteria in order to confirm whether that’s the case.
We’ll be tuning into a Commission technical briefing on the VLOPs/VLOSE designations later today — so may update this report with further details…