Views: 2
The providers of the first 19 very large online platforms (VLOPs) and very large search engines (VLOSEs) designated in April 2023 must publish their annual risk assessment and audit reports for the first time, under the Digital Services Act (DSA). The reports shall include such aspects of their services as e.g. dissemination of illegal content, disinformation or the protection of minors.
Introduction
The Digital Services Act and Digital Markets Act aim to create a safer digital space where the fundamental rights of users are protected and to establish a level playing field for businesses. Online platforms and e-commerce are on the agenda of the EU digital transition; hence the providers of the designated services (both VLOPs and VLOSEs) are invited to present the published risk assessments to the national Digital Services Coordinators, civil society organisations and other stakeholders.
These reports must include the assessments that providers of VLOPs and VLOSEs carried out to identify and analyse the risks stemming from their services, such as the dissemination of illegal content, disinformation or the protection of minors. These reports also outline the measures VLOPs and VLOSEs have put in place to mitigate the identified risks. With the publication of these reports, the DSA is set to bring a new era of transparency and accountability to the tech industry, helping to protect users and society from potential harm and promoting a safer, more responsible online environment.
More on VLOPs or VLOSEs in: https://digital-strategy.ec.europa.eu/en/policies/dsa-vlops
Background
Starting in the second year in which the specific DSA obligations for VLOPs and VLOSEs apply to them, their providers have an obligation to publish each year reports on their risk assessments of the ongoing year, their risk mitigation measures, as well as their audit reports and audit implementation reports.
Where applicable, they also must publish information about consultations they conducted with external experts in support of the risk assessments and the design of risk mitigation measures.
Providers of VLOPs and VLOSEs must assess systemic risks stemming from their services at least once a year, and in any event always prior to deploying new functionalities that are likely to have an impact on the risks they are obliged to identify under the DSA, and they must put in place mitigation measures tailored to the risks they identified as part of that risk assessment.
The DSA also requires providers of VLOPs and VLOSEs to ensure that their services undergo a compliance audit at least once a year, leading to an audit report by an independent auditing organisation, The providers must transmit it to the Commission and the Digital Services Coordinator of establishment without undue delay upon completion.
Where auditors make recommendations concerning compliance with the DSA, providers must present their reactions to those recommendations in an audit implementation report.
Source and reference to: https://digital-strategy.ec.europa.eu/en/faqs/qa-audit-reports-under-digital-services-act
Confidential information in reports
According to the case-law of the Court of Justice of the European Union (e.g. Case T-198/03, Bank Austria Creditanstalt) information is to be considered confidential where it satisfies cumulatively the following three pre-requisites for protection: a) it must be known only to a limited number of persons; b) its disclosure must be liable to cause serious harm to the person who has provided it or to third parties; and c) the interests liable to be harmed by the disclosure must be objectively worthy of protection, which is to be assessed when weighing the interests opposing publication against the public interest in the publication.
Exceptions to the obligation of publication are to be interpreted restrictively. Justifications for redactions must be clear and well-explained. Each redaction has to be assessed on a case-by-case basis and an explanation of the reasons for that redaction, in view of the conditions outlined in Article 42(5) DSA, has to be provided.
Where providers of VLOPs and VLOSEs redact information on the basis of confidentiality claims, they must substantiate their claims that the information qualifies as confidential (i.e. that it fulfils all three conditions enumerated above) in the statements of reasons that they submit to the Digital Services Coordinator of establishment and to the Commission.
Incomplete, unsubstantiated, generic or only partially substantiated claims cannot be deemed to justify redactions. Providers of VLOPs and VLOSEs must justify confidentiality claims concerning specific parts of text in their reports. For example, confidentiality cannot be claimed on the risk assessment reports as a whole.
Where absolutely necessary to protect information which has been deemed to constitute confidential information, providers can paraphrase the text at issue in the public versions of the reports.
Ensuring transparency
Article 42(4) DSA establishes a yearly publishing cycle of reports, with the aim of ensuring transparency. The purpose of that publishing cycle is to enable the public to compare the risk assessment reports of VLOPs and VLOSEs referred to in Article 34 DSA with the independent audit reports of VLOPs and VLOSEs referred to in Article 37(4) DSA.
Moreover, Article 37 DSA requires providers of VLOPs and VLOSEs to ensure that their services undergo audits at least once a year, resulting in mandatory audit reports. The first yearly audit report is due one year after the rules for VLOPs and VLOSEs began to apply to the service in question.
Article 42(4) DSA requires providers of VLOPs and VLOSEs to publish their audit reports at the latest three months after their receipt from the auditing organisation. Three months after the date of receipt of the audit report, the provider of VLOPs and VLOSEs must also publish the other reports listed in Article 42(4) DSA, including “a report setting out the risk assessment pursuant to Article 34”. Both the audit report and the other reports mentioned in Article 42(4) DSA that providers of VLOPs and VLOSEs must publish, including the risk assessment report, are those of the ongoing year.
Given that an audit report only needs to be compiled and published one full year following the entry into application of the rules for VLOPs and VLOSEs to a designated service, the obligation to publish the risk assessment report in Article 42(4) DSA also only applies as of one year after that date. Consequently, while providers of services designated as VLOPs and VLOSEs in April 2023 were obliged to compile their first risk assessment reports in August/September 2023, Article 42(4) DSA only requires those providers to publish their risk assessment reports for 2024 alongside their audit reports for 2024. The Commission nevertheless encourages providers of VLOPs and VLOSEs to also publish their risk assessment reports of the first year in which the rules for VLOPs and VLOSEs apply to their services even if their annual audit report was not yet due.
National Digital Service Coordinators, DSCs
The Commission and the national Digital Service Coordinators (DSCs) are responsible for supervising, enforcing and monitoring the DSA. Each EU member state has to designate and empower a Digital Services Coordinator, DSC responsible for all matters relating to the application and enforcement of the DSA in that country.
In April 2024, the European Commission decided to open infringement procedures by sending letters of formal notice to 6 EU states where significant delays in the designation and or empowerment of their Digital Services Coordinators had to be expected. At that time, Estonia, Poland, and Slovakia still had to designate their Digital Services Coordinators.
In addition, despite designating their Digital Services Coordinators, Cyprus, Czechia and Portugal still have to empower them with the necessary powers and competences to carry out their tasks, including the imposition of sanctions in cases of non-compliance. In the meantime, Estonia and Slovakia have formally designated and empowered their Digital Services Coordinators.
In July 2024, the European Commission decided to open infringement procedures by sending letters of formal notice to 6 additional member states (Belgium, Spain, Croatia, Luxembourg, the Netherlands and Sweden) concerning similar delays; Belgium still has to designate its Digital Services Coordinator. In addition, despite designating their Digital Services Coordinators, Spain, Croatia, Luxembourg, the Netherlands and Sweden still have to empower them with the necessary powers and competences to carry out their tasks, including the imposition of sanctions in cases of non-compliance.
When deciding on the next steps, the Commission will take into account the relevant national developments and the communication by the member states of the designation and empowerment of their Digital Services Coordinators.
Source: https://digital-strategy.ec.europa.eu/en/policies/dsa-dscs
More on Danish Competition and Consumer Authority in: https://kfst.dk/forbrugerforhold/digitale-formidlingstjenester-dsa
Conclusion
The assessment and review publications should take place at the latest three months after the receipt of the report on the yearly compliance audit that each VLOP and VLOSE must undergo. This means that for each service, the publication date depends on when the independent auditing organisation is required to send its audit report to the provider.
The DSA requires providers of VLOPs and VLOSEs to ensure that their services undergo an independent audit at least once a year, leading to an audit report by the auditing organisation.
For the first 19 VLOPs and VLOSEs designated by the Commission in April 2023, the DSA became applicable in August 2023 and the audit reports were due between 28 August and 4 September 2024 at the latest, depending on the date the provider acknowledged receipt of the designation decision.
In any event, providers of VLOPs and VLOSEs must transmit the reports concerning their risk assessments (including the ad hoc risk assessment reports prior to deploying new functionalities), risk mitigation measures and compliance audits to their Digital Services Coordinator of establishment and to the Commission without undue delay upon completion.
Where the Commission considers that redactions are unjustified and thus that the provider of a VLOP or VLOSE has not fully complied with its transparency obligations, it may consider such action to constitute an infringement of the regulation.