Takeaways from the European Commission Digital Services Act

While all participants complimented the aims of the DSA, many panelists flagged several practical  implementation and enforcement questions that remain unanswered, such as:

Systemic risks: Definitional questions related to systemic risk and lack of clarity relating to the depth and  granularity expected for the assessment.

Data access: Practical implementation questions related to researcher data access. Stakeholders envisage  the DSA being a “data-generating machine” for researchers to drive evidence-based solutions for systemic  risks. Since it remains unclear what types of data and metadata Very Large Online Platforms (VLOPs) and  Very Large Online Search Engines (VLOSEs) will need to make available, this might result in discussions  with respect to what is enough for compliance.

Implementation logistics and enforcement questions, including:

• Personal data. What is sensitive personal data; does this also include data generated by platforms  (related to user profiling)?
• Stakeholder group’s roles and responsibilities. How (practically) will various groups in the platform  ecosystem (regulators, auditors, civil society, researchers, etc.) play their part?
• Know your business client (KYBC). What “reasonable efforts” should VLOP/VLOSE undertake to  verify the accuracy and completeness of the information provided by traders and the products or  services they offer?

That said, there are clearly significant expectations for the DSA to be a vehicle for change and a  “new normal” for global regulation.

Representatives from civil society, consumer interest groups, and other nongovernment organizations (NGOs)  shared concerns and called for the effective enforcement of the DSA, in part citing their experiences with  General Data Protection Regulation (GDPR) enforcement.

DSA enforcement is expected to drive change in the Big Tech industry. For example, in the opening session,  Renate Nikolay, deputy director general in DG CNECT of the EC, referred to a three-pronged enforcement  approach: (1) enforcement of hard law; (2) working systemically to achieve the DSA goals, including the Systemic  Risk Assessment (SRA); and (3) new rights for the ecosystem via increased access to data for researchers.

Additionally, the DSA enables formal enforcement of Codes of Conduct to which VLOPs/VLOSEs are signatories.  Frequently mentioned was the Code of Practice on Disinformation, which is expected to become a Code of  Conduct under the DSA later this year or early next year. Civil society groups and NGOs hope to participate in  enforcement and improvement of the DSA (in part, via their review of platform data and by contributing to the  Codes of Conduct).

Researchers need more data and more time to disentangle causality from correlation across multiple  themes (body image, child safety, disinformation, well-being, etc.). As an example, there is hope that  product “nudges” could help teens moderate their social media use, but researchers do not yet know  how effective this nudge technology could be. Also, researchers mentioned that (at the moment) it is not  possible to determine the extent to which mental harm may be caused by platform design features versus  individual personal circumstances and environmental factors. Researchers also highlighted that detailed  studies of person-specific data are required to draw meaningful insights, particularly to better understand  behaviors of misinformation super-spreaders. Once researchers better understand specific models and key  risk indicators, the EC could set specific thresholds for platforms to track.

In addition, researchers also raised concerns about the qualifications needed to gain access to data and  that they will need data in a consistent format (i.e., standardized application programming interfaces) to  draw insights across platforms. Researchers also flagged uncertainty whether the researcher community  will have the capacity to rapidly absorb this new data (once it becomes available) due to (1) current  decentralized project-specific funding approaches and (2) the fact that most of the people who understand  these algorithms work for the very companies that are the subject of this regulation.

SRAs were discussed in every panel that KPMG attended. Stakeholders hope the SRAs will function as a  catch-all for any ambiguities in other DSA provisions. A lack of clarity relating to the depth and granularity  expected from SRAs among the various stakeholder groups (e.g., NGOs, researchers and academics, and  VLOPs/VLOSEs) was evident. A similar concern was noted regarding the methodologies to be used and the  extent to which (1) granular information on SRAs will be shared versus redacted versions and (2) the speed  (timeliness) in which this information will become available. The EC “took note” of these timeliness  concerns.

A panelist representing the Digital Trust and Safety Partnership noted the tension around completing a  novel risk assessment as a compliance exercise. That said, notable academics voiced clear fatigue (or even  frustration) over VLOP/VLOSE concerns, noting that (1) such risks have been under discussion for a long  time and (2) the perception that VLOPs/VLOSEs are successful, leading, innovative companies that should  be able to navigate the uncertainty. Existing frameworks, such as the Human Rights Impact Assessments,  were suggested to inform platforms’ systemic risk methodologies.

In addition, academics recommend granular, data-driven risk assessments based on specific scenarios,  with the potential to have different assessment processes for various scenario types. (The KPMG point  of view is that this type of scenario-based stress testing is quite different from annual risk assessment  methodologies adopted in cross-industry enterprise risk management programs.)

There is also particular interest in how VLOPs/VLOSEs will prove that mitigations are effective.  Representatives from NGOs specifically referred to Recital 90 and that they want to be formally  engaged with respect to both the risk assessment and measuring the effectiveness of mitigations.

Multiple sessions began by level-setting that European Union (EU) citizens must use the internet to  participate fully in society (i.e., going analog was not a recommendation from any panelist). That said, some  citizens may not be equipped to evaluate disinformation, families may not have the parenting skills to  adequately prepare their children, and minors need more support making informed choices about their use  of social media.

Child rights advocates cautioned that the overall goal of DSA should not be to box children into a lesser  version of the internet; online platforms need to consider the full range of child rights. An emphasis only on  child safety risks makes children overly cautious online, rather than building their curiosity and resilience via  age-appropriate online experiences.

Stakeholder groups are enthusiastic about innovative and reliable age verification technologies as a vehicle  to ensure minors participate confidently in age-appropriate experiences online. For example, in a panel on  child safety, a company discussed their engagement with minors and the teen community, as well as their  multiple tools that empower teens to shape their online experience.

Several panelists expressed a hope that the DSA will shift practices away from so-called “surveillance  advertising” towards more contextual advertising. That said, they acknowledged a delicate balance between  protecting rights and generating value. Cited research projected significant revenue loss if companies limit  the use of third-party cookies for ad targeting.

Panelists flagged the challenges associated with delineating “special category” data from other personal  data could lead to broad interpretations of the restrictions on targeted advertising, which could further  compromise the sustainability of existing ad-funded business models.

These obligations are also intended to address concerns about treating “users as products,” particularly around  advertisements and minors. Multiple sessions discussed the urgent need to stop user profiling for minors, and  child safety advocates raised questions about the ethics of advertising to children at all. There was also mention  of how these concepts will play out in more nuanced advertising via social media influencers. In a session  around child safety, Discord highlighted its business model that does not include advertisements.

The DSA was described as a unique opportunity to enhance intellectual property (IP) protections and  engender a greater sense of trust for businesses and users trading online. At the same time, consumer  organizations cited statistics to back up their perspective that voluntary measures had not addressed  consumer doubts regarding the authenticity of products and services available online.

With respect to copyrights, panelists highlighted the overlap between the DSA and (lex) specialists such as the  Copyright in the Digital Single Market (CDSM) directive for VLOPs that are also Online Content Sharing Service  Providers (OCSSPs). VLOPs will need to take (additional) measures to ensure an adequate level of copyright  protection, such as increased due diligence specific to copyright, notice, and take down and stay down.

Panelists also called for online platforms to place greater focus on prevention rather than relying on take-down  measures to remove IP infringing (i.e., illegal) content. Preventive measures can benefit businesses, consumers,  and platforms by encouraging greater economic activity online.

Policymakers acknowledged that it will take time to rationalize the tensions between the DSA and other (EU)  legislation—particularly GDPR and the CDSM directive. Stakeholders referred to the GDPR legislative process,  implementation, and enforcement as a case study to inform how policymakers strive to make the DSA successful.

Specifically, the panelists pointed out that the risk-based approach that the DSA envisions requires organizations  to reflect on the risks identified and mitigated, and the methodologies used in that process. Furthermore, the SRA session highlighted that alignment between the DSA Systemic Risk categories and existing Human  Rights and Fundamental Rights categories is not airtight. It was also mentioned that rather than simplifying and  harmonizing, the DSA may increase complexity in key areas (e.g., online advertising, online commerce, copyright  protection etc.).

Civil society groups are extremely optimistic about the DSA audits for VLOP/ VLOSE, and policymakers emphasized  how the DSA audit could inform enforcement priorities. There were some questions raised about the feasibility for  any audit firm to perform an audit as vast as the DSA audit (especially in the absence of defined audit standards).

An updated version of the DSA Audit Delegated Act is expected to go to European Parliament in Q3,  after which the definite version will enter into force in early Autumn.

Online platforms (OPs) and search engines (SEs) (non-VLOP/ VLOSE) do not have to perform a SRA or take formal  risk mitigation measures, but they are still expected to comply with the bulk of the DSA, meaning they will need  to prevent dissemination of illegal content. OPs and SEs still need to identify risks that also apply to them and their  type of platform/search engine. For this, a more compact risk assessment than the VLOP/ VLOSE SRA could be  appropriate.

A workshop for online marketplaces highlighted the specific challenges for horizontal regulation for such a  diverse space that is already highly regulated. As an example, the nuances and risks for travel services or ticket  sellers are quite different from the specific challenges related to online business-to-consumer or consumer-to-  consumermarketplaces. Representatives from online marketplaces (European Tech Alliance and eBay) noted how the DSA requirements build on existing safeguards, including anti-money-laundering processes. That said, panelists  from consumer advocacy and toy safety organizations emphasized the wide reach of illegal or harmful goods  currently available online. For the DSA to be successful, EC enforcement will need to help facilitate dramatically  improved outcomes for consumers.

1 The EC event organizers will publish formal notes and make all workshop recordings public in the coming weeks.
See session breakdown here. KPMG will refresh our insights as these additional sources of information are made public.