The newly passed Digital Services Act (DSA) in the European Union is what some may call Rorschach legislation or, depending on your point of view, an intermediary liability bill, an illegal content bill, or even a platform accountability bill. However we choose to label it, we should ask ourselves: Is it the path forward? Let’s examine the bill and understand what makes it novel, unique, and potentially the future of how online platforms are regulated.
The DSA is a complex and dense piece of legislation that creates rights and obligations for users and online service providers, creates new institutions at the level of the EU, and builds on previous standards and regulations. Beyond the specific pieces of rights and obligations that others have already explained in depth, the DSA is novel in two ways and unique in at least two other ways within the platform governance discussion. While part of its uniqueness is connected to its existence as a creation of the EU, the holistic approach it takes allows for complex and layered solutions to a wide array of platform governance issues. These aspects have an important role to play in whether it can be the blueprint for other jurisdictions.
How Is the DSA Novel?
First, the inclusion of multi-stakeholder consultations in the policy development process likely made the DSA function on a measured compromise approach that is both innovative and not as disruptive to the ecosystem as it could have been. A very good example of what this means is that the early conversation around the DSA, and the original concern from many stakeholder groups, was that it would negatively “update” intermediary liability rules laid out in the e-Commerce Directive, which provides a very broad liability safe harbor to intermediaries, practically shielding them from having to worry about third-party content. And, now that the process has concluded, it seems that the DSA did not remove or damage those liability protections. The framers came up with a more complex and layered upgrade to such rules that extrapolates the initial debates on whether intermediaries should be held accountable for failing to remove or act on content. While closed-door lobbying ultimately could have achieved similar outcomes, an open consultation process clarifies what industry, civil society, and government agencies think and where legislation can actually achieve multiple goals.
Second, the DSA enshrines asymmetric regulation as a realistic and reasonable approach to platform governance. Asymmetric regulation means subjecting companies to different levels of regulatory requests or restraints based on factors such as their size, with respect to the rest of the industry. Here, through the creation of rules targeting the main, large players (in this case, so-called Big Tech) and without built-in general assumptions of ability to follow the rules, the DSA brings in a more proportional approach. This means, to some extent, fewer top-down and generic rules that will never be the object of compliance due to the lack of resources, and different, usually stricter, rules for companies above a certain threshold. The novelty of this approach means the DSA likely underscores both the good and the bad.
While simply speculative at this point, seeing how the DSA has just entered into effect, the benefits are obvious. The framing of the bill is general obligations for all, with extra responsibilities for the very large online platforms (VLOPs) and very large search engines. Understanding that there is no certainty of regulatory burden being perfectly calibrated, the DSA can relieve any outsized pressure for smaller companies given that the compliance steps are more proportionate and not designed with the largest players in mind. Thus, the DSA offers a relevant chance of sidestepping concerns about regulation further entrenching big technology companies to the extent that it introduces an added level of regulatory (and compliance) concerns for these actors plus new watchdog institutions at both the European and state levels. Further, the enhanced responsibilities for VLOPs include a novel approach in and of itself, co-regulatory mechanisms, that can provide insight into these companies without fear of their resource-heavy cost bearing down on smaller players. What some observers have argued, however, is that an intense focus on the VLOPs, while important as well as the catalyst for this regulation, ultimately may mean less oversight for smaller players that can just as easily act in nefarious or negligent ways.
How Is It Unique?
The DSA is unique in the platform governance space first and foremost because of its European circumstances: It is built on top of previous regulatory experiences such as the General Data Protection Regulation and the e-Commerce Directive. At the same time, its framers were cognizant of a new momentum for platform governance that acknowledges that the problem goes beyond the debate around liability for user-generated content. Procedurally, the DSA made it through the gauntlet of European policymaking (through the Commission, the Parliament, the Council, and the highly secretive and opaque “trilogues”) while also being designed in a very thoughtful manner that took into account international context. It’s important to note again that this approach isn’t unique by itself—it’s the status quo for the EU—but for the platform governance experts involved in providing comments, lobbying, or even just paying attention, from the outside, it was intensely unique.
Similarly, the DSA exhibits a holistic perspective on platform concerns rather than a singular focus on a particular issue, which has mostly been the norm in the Global North, including in EU member states. This approach favors grand action not just due to the asymmetric regulatory approach it encompasses but also by bringing to the table key topics such as human rights impact assessments and transparency. It may not be complete, or fully comprehensive, but previous related action like privacy legislation can present a pattern: looking at the ecosystem of concerns, striving to make connections on issues, and trying to creatively and efficiently use the institutional scaffolding it creates. All of these are signs of a thoughtful and successful vision, which so far has been unique when tackling platforms.
Can It Be the Standard?
Based on how the German NetzDG has taken off as the de facto standard across the world, it is easy to see how the DSA could do the same. Governments across the world, ranging from democracies to totalitarian regimes, are eager to regulate the online space. Whether it’s to appease parts of the population asking for accountability for online harms, or simply in order to wield more power, nations are looking for existing legislation that they can adapt. The DSA can certainly be a frontrunner: It has a nuanced perspective, it defines things clearly, and it has several pieces that are easy to adapt even for stricter jurisdictions like the U.S. What makes it both unique and novel, however, may end up being roadblocks for its exportability.
Exporting something as large and comprehensive as the DSA is challenging, although its European framers see it as a potential standard-bearer. On the part of the companies, figuring out compliance with the DSA can still be a daunting process, one that we are still in the beginning of, to know if it can be successful by itself before it can be fully adapted and adopted somewhere else. On the government side, unlike NetzDG, which focuses on a singular topic and has one existent oversight mechanism, the DSA’s size and scope make it more difficult to be made compatible as a whole. And while the DSA is required to harmonize with member states, the regulatory tradition of EU members is generally slightly more stable than those of the majority of the rest of the world and is built on national laws, including NetzDG, plus decades of EU directives breeding at least a general similarity. Thus, somewhat counterintuitively, the DSA’s implicit design, ready-made to be adapted, may not be relevant to how compatible it would be outside of the EU.
Due to its European influences, where overlapping jurisdictions are common, the DSA is bulky in terms of oversight. Creating new semi autonomous institutions can be a welcome innovation in a context that is used to, and thrives in, such an arrangement—as it did for the GDPR—but it’s not something that can be exported easily. The required regulatory capacity for any DSA-like, and even DSA-lite, legislation would be high because, reading the several hundred pages of the DSA, an important aspect becomes clear: These oversight institutions provide the much needed teeth for so many of the obligations and rights enshrined within. These enforcement mechanisms can easily be considered the lynchpin in the DSA, without which the grand construction may not be effective. Smaller pieces of the DSA by themselves can certainly serve as guideposts for other countries, and can be relevant and useful, but without strong regulatory structures, the perspective of the DSA as the unified standard per se is diminished.
Looking at it from a broader point of view, one removed from the DSA’s characteristics, be they unique, novel, or otherwise, a different issue looms. Even though the DSA takes a holistic approach, there are other aspects of the online ecosystem, like business practices and company voting structures, that many experts suggest need to be tackled concurrently. Simply relying on importing a DSA/DSA-lite piece of regulation may be seen as insufficient by some advocates and other stakeholders and may not be enough to alleviate deeper causes for concern.
Fundamentally, it’s too early to say whether the DSA can end up being the standard for other jurisdictions, although pieces of it may end up in platform governance legislation around the world either way. It’s a novel and unique piece of platform governance, but its complexity and the uncertainty surrounding its very recent coming into force make it difficult to understand thoroughly just yet.