Last week, the European Commission (the Commission) adopted the first designation decisions under the Digital Services Act (DSA) which designated certain services as Very Large Online Platforms (VLOPs) and / or Very Large Online Search Engines (VLOSEs) in accordance with Article 33(4) of the DSA.
17 VLOPs and 2 VLOSEs were designated under the decisions adopted by the Commission:
- VLOPs: Alibaba AliExpress; Amazon Store; Apple AppStore; Booking.com; Facebook; Google Play; Google Maps; Google Shopping; Instagram; LinkedIn; Pinterest; Snapchat; TikTok; Twitter; Wikipedia; YouTube; Zalando.
- VLOSEs: Bing; Google Search.
It has been reported that a second wave of VLOP/VLOSE designations by the Commission may follow. The Commission is currently investigating the user data of services such as Spotify, Telegram, Pornhub and AirBnB who have claimed that they have less than 45 million monthly active users (MAU) in the EU. These services may also be designated if their MAU numbers are revised.
When do VLOP/VLOSEs’ DSA obligations begin to apply?
The providers of the services that have been designated as VLOP/VLOSEs must comply with relevant obligations under the DSA from four months after the Commission’s notification of designation i.e. 25 August 2023. The obligations aim to empower and protect users online (including minors) by requiring the VLOP/VLOSEs to assess and mitigate their systemic risks and to provide robust content moderation tools. Some of the key obligations for VLOP/VLOSEs that will come into effect from 25 August 2023 include:
- the obligations to perform risk assessments to assess the “significant systemic risks” that stem from the provision of their services. This would include risks in relation to the dissemination of illegal and other harmful content through their services. VLOP/VLOSEs will be required to put in place reasonable, proportionate and effective mitigation measures, tailored to the specific systemic risks identified in their risk assessment, with particular consideration for the impacts of such measures on fundamental rights;
- the obligation to establish an independent compliance function that reports directly to the management body of the provider and can raise concerns and warn the management body of non-compliance risks;
- the obligation to conduct independent audits which assess the provider’s compliance with certain obligations arising under DSA, as well as any commitments to the codes of conduct;
- the obligation to comply with detailed transparency reporting requirements including the requirement to make publicly available reports, setting out the main findings of the external audit and the results of the risk assessment;
- The requirement to create, maintain and make available a publicly accessible repository of all ads that have been presented on their platform. The repository must include information on the period during which the advertisement was/is being presented to recipients of the service, and for one year after the ad’s final exposure. The repository must also contain additional information relating to ads, including the parameters used to specifically display the ad to one or more particular groups of recipients and the total number of service recipients reached (with aggregate numbers broken down by Member State, if applicable).