Angwin: I wanted to start with the slogan that politicians have been using to describe the DSA, which is “what is illegal offline must also be illegal online.” Is that a fair description of the law?
I think it’s a very lame slogan. There are competing narratives for what they’ve done. But what is very clear is this is a European version of the NetzDG law
, which passed in 2018 in Germany. That law was about making sure that legal provisions that prohibit certain types of speech were actually enforced by internet platforms and social media in particular.
As more countries started adopting these types of laws, it started to cause a fragmentation of the European digital single market. And that’s what Europe doesn’t like at all. So, the DSA is really about making sure this is a European law matter.
Van Hoboken: Over the past few years, we have seen people lose faith in self-regulatory instruments like the 2016 code of conduct. After 20 years of working with a limited liability framework, the DSA signals a shift from the self-regulatory paradigm to an environment where the European Commission is saying, “We are going to regulate you and we are going to require you to follow a set of standards, conditions, and safeguards.”
The DSA is not a self-regulatory approach to illegal content but instead makes more explicit requirements of companies. These requirements are not specific to particular pieces of illegal content, but are more systemic. For example, companies have to be transparent about their terms of service. They have to offer transparency reports about how much illegal content they’re removing. They have to have a notice and takedown procedure for illegal content to fulfill specified criteria, and have a mechanism for users to complain about removals, along with other measures. For very large platforms, risk assessment and mitigation reports are also required.
In the past, the European Union has been criticized for lax enforcement of regulations, such as its landmark data privacy regulation, the GDPR
. How will these new obligations be enforced?
Concerns from our experience with GDPR definitely influenced how the DSA will be enforced. In Europe, we have the country of origin principle
for internet-based services, which states that if a tech company is established in one country, it has to follow the laws of the country where it’s established, and it doesn’t have to deal with 26 other regulators. From a business establishment point of view, this is very important. However, as platforms started to have a greater impact on every country in Europe, there was a bit of pushback, where countries did not want to be dependent on enforcement in a completely different country.
The DSA represents a compromise. For large, dominant platforms, the European Commission has the role of investigating and enforcing the DSA. This centralized enforcement is quite an interesting outcome of the whole process. Additionally, each member state will have an independent regulator, called a digital service coordinator. The specifics of these regulators have yet to be fully developed by the commission and the European countries.
Angwin: What might this new type of centralized enforcement look like and does this raise concerns about censorship?
Van Hoboken: Let’s use YouTube as an example. YouTube will have to conduct an assessment of a number of specifically identified systemic risks, including the risk of spreading illegal content, the risk of negative effects for exercising particular fundamental rights, and the risk of manipulation. Then they have to say, “We are adopting these mitigating measures to deal with these risks.” The commission would then look at whether the platform is doing a good job documenting, assessing, and mitigating these risks according to the legal standard. It’s going to be similar to a regulatory structured dialogue, with the DSA introducing a more structured framework for the commission to refer to.
As for censorship, that is indeed a concern. Something I will be watching is how exactly the European Commission will oversee and monitor companies. Initially, the big platforms are pretty much in the driver’s seat to produce a bunch of documentation, but you can imagine some of it may not be convincing. You can also imagine that some particular risks may not be identified. I think one of the benefits of the DSA is it does provide a stronger legal anchoring, but there’s definitely also the possibility for overreach.
Angwin: The DSA has the first ban on microtargeting for sensitive categories, right?
Van Hoboken: Yes, and that was one of the big battles. Tech companies argued that online advertisements finance the internet. Facebook actually bought big newspaper ads to say how they’re helping small businesses reach their customers. Despite this, there was quite a big push to basically get rid of behavioral advertising overall and to move away from that business model. I haven’t seen the final text of this, but the outcome seems to be that the DSA is very similar to what is already in the GDPR. The GDPR doesn’t have the specific rules with respect to behavioral advertising like the DSA does, but it has specific rules with respect to what you can do with sensitive data, and it also has rules with respect to processing the personal data of minors. It’s a lot of work to interpret and enforce those provisions, so the DSA may be helpful in that it makes some of those implied prohibitions explicit. However, it doesn’t really go much further than that, which I think for some is a disappointment.
Angwin: The DSA gives users more rights, including the right to appeal content removal decisions and access algorithms that aren’t based on behavioral data. What is your understanding of these greater user control mechanisms?
Van Hoboken: The DSA contains a general rule that a company’s terms of service have to be enforced in a proportionate, diligent, and objective manner. This includes the enforcement of a specific company’s policies, which often go much further than just illegal content since there are a lot of categories that are legal but harmful. Related to this is the complaint procedures in the DSA. These allow users to complain to the platform if they feel their content was wrongfully removed or to the digital service coordinator if they believe there was a violation of the DSA more generally.
It’s not clear to me that these complaint procedures will always be used in the right way. I could see the complaint procedures being weaponized by right wing populist communities quite easily, because it’s quite easy to complain, and you can use them for political reasons and draw attention to your cause.
It seems like (Facebook whistleblower) Frances Haugen’s testimony
were very influential, do you agree?
Yes, I think so. The type of risk management framework included in the DSA is aligned with the traditional business logic that Haugen has also advocated for. We see this type of risk-based approach—where a lot of emphasis is placed on risk management—included in a bunch of regulatory areas, like the AI Act
. Taking this into account, I think Francis Haugen spoke to the logic that had already been put forward by the regulators.
I think she actually would have liked to see these proposals be much more advanced. One of the things that Haugen said in Parliament is that yearly risk reports don’t make sense, and that you have to have continuous access to how these systems are operating. I think Haugen had a more radical vision of the model than the one that has been put forward. Perhaps this is where we will be in five years, since this is really a first attempt by European lawmakers, and the DSA is a new institutional setup. I think there’s an understanding that there will need to be some improvements and iteration on what has been put forward.
One of the things that drove the EU lawmakers to move quickly is that they wanted to set an international standard like they did with the GDPR. That being said, we have to look carefully at what kind of standard we are setting. Internationally, including in the Global South, certain elements could be picked up from this regulation, so it is important to look at what type of impact this has internationally and how businesses go about applying these rule.