The European Union’s Digital Services Act (DSA) enters into force today — setting the clock ticking on designations that will determine which larger Internet platforms face an extra layer of rules in areas likes algorithmic transparency and risk assessment.
Larger platforms will also face centralized oversight by the European Commission in a marked change to the bloc’s decentralized (and much criticized) enforcement of data protection rules.
Platforms have three months to report their active user numbers to the Commission (by February 17, 2023) so it can make these designations.
The EU’s executive will use reported figures to determine which platforms are named VLOPs (very large online platforms) or VLOSEs (very large online search engines) under the DSA — and therefore subject to the tougher oversight.
The main criteria for the special regime to apply is a platform or search engine reaches more than 10% of the EU population or has more than 45 million users. Although the DSA allows the Commission some discretion in the information it can use to inform designations.
Likely candidates are platforms operated by the usual US Big Tech ‘FAANG’ giants — but some larger European tech firms should also fall into the category.
VLOPs and VLOSEs face an accelerated compliance timetable for the DSA as it provides them with just four months for this once a designation is made by the Commission — after which the bloc will be able to start enforcements against rule breakers.
This means the DSA regime is likely to be up and running in 2023 for these larger entities, assuming the Commission doesn’t delay making designations.
The flagship reboot of the EU’s ecommerce rulebook will also apply to smaller platforms and digital services but they have longer to comply — until 17 February 2024.
To support its supervision of VLOPs/VLOSEs, the Commission is setting up a European Centre for Algorithmic Transparency (ECAT) — to provide in-house and external multidisciplinary knowledge to help with algorithmic auditing.
“The Centre will provide support with assessments as to whether the functioning of algorithmic systems are in line with the risk management obligations that the DSA establishes for VLOPs and VLOSEs to ensure a safe, predictable and trusted online environment,” it said today.
Will Twitter be designated a VLOP?
One very pressing question for European regulators (and citizens) is whether Twitter will be designated a VLOP under the DSA or not?
The (relatively small) social networking firm is not expected to meet the bar for regulation under the DSA’s sister regime, the Digital Markets Act — an ex ante competition reform which will only apply to intermediaries with gatekeeper levels of market power. So the DSA is the main instrument the EU can use to clip Twitter’s wings.
And given drastic changes to how the microblogging platform is operating under new owner, Elon Musk, the Commission is already facing pressure to ensure the fullest force of the DSA regime is brought to bear on it and soon.
A report in today’s Financial Times couches the bloc’s regulators as being on a “collision course” with Musk’s chaotic piloting of the platform — citing sources familiar with EU regulators’ thinking saying there is concern in Brussels over the company’s ability to comply with the DSA, including in light of the mass sacking of 50% of its staff soon after he took over.
MEP, Christel Schaldemose, who will chair a group on the implementation of the DSA, told the newspaper that Twitter could “very well be the case to test DSA for the first time” — and urged the EU to make sure the DSA rules apply for Twitter, warning that if it does not do this the regulation “would be a failure”, adding: “I hope and expect the EU commission to act fast and firmly.”
TechCrunch has also heard concerns about Twitter’s ability to comply with the DSA from another direction. A source familiar with how Twitter was preparing for dialled up EU regulation — pre-Musk takeover — told us “lots” of work had been done but said it’s all been “stymied” by the transition.
We reached out to the Commission to raise concerns we’ve heard and ask about the question of Twitter’s compliance with the DSA.
A Commission spokesman declined to confirm whether the company will be designated a VLOP — saying the list and number of VLOPs will only be provided after the designation step has been completed. But they added: “The designation is relatively straightforward. If a company is around the threshold, it’s a good decision to go for compliance rather than to hover in an area where they are not complying.”
Despite the official EU line on whether Twitter will be a VLOP remaining ‘wait and see’, it’s notable that immediately Musk took over the company last month the bloc’s internal market commissioner, Thierry Breton, tweeted to put him on public notice — warning that Twitter must “fly by” the EU’s rules. Which — at the least — demands that a meaningful set of rules gets applied.
(And today Breton has doubled down with a Twitter subtweet in a DSA thread — writing: “Social media platforms will no longer behave like they are ‘too big to care’. Whether they have feathers or not 🐦”)
Since then, plenty more has happened to increase regulatory concern over Twitter’s direction of travel under Musk — including the resignation last week of a number of senior privacy and security Twitter staffers who had held key compliance-facing roles.
These departures included Twitter’s first (and until then only) data protection officer (DPO) — a role that’s required under long-standing EU data protection law. And yesterday we reported a further development: Twitter had informed its data supervisor in Ireland of the details of a replacement DPO. However it had only named an existing staffer as “acting” DPO.
That’s notable since, under the EU’s General Data Protection Regulation, the DPO role is required to be quasi-independent — so the conditionality and precariousness of Musk-Twitter naming an “acting” appointee could raise fresh compliance concerns by calling into question whether that requirement for quasi-independence is really being met.
We put questions about this to Twitter’s lead EU data protection regulator, Ireland’s Data Protection Commission, but at press time it had not responded.
Today, the Washington Post has also reported on a fresh missive from Musk to all remaining staff giving them an ultimatum to sign up for “hardcore” work by 5pm tomorrow or take a severance package and leave — underlining the level of pressure that remaining Twitter staffers are facing under Musk and suggesting more staff departures could be on the way.
While a Platformer report earlier this week painted a concerning picture of what’s happening to the trust and safety function inside Twitter — with recommendations made by trust and safety staff reportedly being ignored in favor of prioritizing accelerated product launch deadlines set by Musk.
A Twitter that’s been denuded of key expertise, with far fewer staff and a reduced capacity for engineering and administration — and where remaining staff are dealing with major workplace disruption and likely afraid for their jobs if they don’t do what Musk says — will obviously be less capable of complying with amped up regulatory requirements.
So the EU’s shiny new Internet rulebook looks set to be sorely tested — and soon.