Digital Services Coordinators and other competent authorities in the Digital Services Act: streamlined enforcement coordination lost?
This post relies on research being conducted in the framework of the ERC Starting Grant EUDAIMONIA (GA: 948473).
Regulation 2022/2065, also known as the Digital Service Act (hereafter, DSA or Act), is a landmark piece of EU legislation. By providing a clear set of due diligence obligations, especially risk-management and risk-assessment obligations for different categories of online intermediaries, the DSA provides much welcomed harmonised rules for a safe, predictable, and trusted online environment (Art. 1). However, its merit is not limited only to introducing new harmonised legal obligations. At least equally important has been the EU legislator’s ambition to establish an EU-structured institutional system through which those obligations are applied and enforced.
The DSA enforcement framework entrusts the European Commission with overseeing very large online platforms (VLOPs) and very large online search engines (VLOSEs) (art. 56(2)). All other online intermediaries will be supervised by their Member State of establishment (art. 56(1)), in which one or more competent authorities have to be designated. The DSA leaves Member States considerable freedom to choose which authorities will be involved in DSA enforcement and does not necessarily require the establishment of a new or specific authority. As a result, Member States may entrust multiple either new or existing competent authorities with the enforcement of (parts of) the DSA (art. 49(1)). At the same time, however, they have to designate, by 17 February 2024, one of their competent authorities as their Digital Services Coordinator (art. 49(3)). Digital Services Coordinators will take part, together with the European Commission, in the activities of the European Board for Digital Services, a network aimed at coordinating DSA enforcement among the Member States and within the Member State of which they are part (art. 61).
It should not come as a surprise that, confronted with those different options, different Member States have envisaged different types of arrangements in terms of designating their competent authorities. Faced with such diversified arrangements, this blogpost argues that insufficient attention has been paid to Article 49(2), third sentence of the DSA. That provision requires Member States to envisage coordination initiatives amongst their different competent authorities, including their DSC. To make this happen, this post calls for clearer EU-structured soft law guidance on coordination possibilities. It is submitted that failure to deliver such guidance may delay the effective enforcement of the DSA, resulting in the fragmentation of enforcement activities and in potentially long-winding and unnecessary infringement proceedings against some of the Member States.
Competent authorities and the DSA: room for administrative diversity
Although recital 79 of the DSA considers effective enforcement necessary, there is little doubt that the EU legislator has been quite generous in terms of institutional design freedom granted to the Member States to organize such enforcement. Recital 109 in that regard states that at least one authority (emphasis added) should be appointed with the task to supervise and enforce this Regulation. However, Member States ‘should be able to entrust more than one competent authority, with specific supervisory or enforcement tasks and competences concerning the application of this Regulation’. This could be understood as favouring the conferral of enforcement powers to already existing supervisory authorities competent in related fields.
The DSA’s provisions confirm that thesis. Although Article 49 formally distinguishes ‘Digital Services Coordinators’ from other competent authorities, it imposes the same stringent independence and effectiveness requirements on all of them (art. 49(4)). Article 50 DSA in that regard requires all competent authorities to operate in a fully independent manner. Article 51 for its part confers a set of minimum investigation and decision-making powers on each competent authority as well. As a result, all competent authorities must be structured in a similar fashion.
Among the different competent authorities, only the DSC will be responsible for the coordination among potential multiple competent authorities and cooperation with other Member States’ DSCs. Member States remain free to choose which competent authority they would designate as DSC. It would not be impossible, therefore, that DSA enforcement powers would be shared between electronic communications, data protection, consumer protection, child protection and competition authorities, whereby the child protection authority would then be designated as the DSC in one Member State. By contrast, another Member State could designate its telecommunications authority as the only competent authority which also takes on the role of DSC, leaving other potentially competent authorities completely out of DSA enforcement. Stated more generally, the latitude given by the DSA leaves the door open towards disharmony among Member States.
Member States’ competent authorities: so far, diversity reigns.
Anticipating the 17 February 2024 deadline, Member States have started to share which authorities they intend or will design as competent authorities in the context of the DSA. Against that background, some non-harmonious trends already emerge.
Italy has appointed its Authority for Communications Guarantees (Autorità Garante per le Garanzie nelle Comunicazioni or AGCOM) as Digital Services Coordinator through the Italian law on digital security for minors (art. 15). At the same time, this law broadly states that the Italian Competition Authority (Autorità garante della concorrenza e del mercato or AGCM), the Italian Data Protection Authority (Garante per la protezione dei dati personali), and any other competent national authority, within their respective competences, have to guarantee their cooperation for the purposes of the exercise of the functions of the AGCOM as Digital Services Coordinator. Further elements contained in the Italian law nevertheless suggest that the AGCOM is entrusted with all the tasks related to the enforcement of the DSA Regulation (art. 15(2)(3)). The reference to other regulatory bodies is simply meant to confirm that those preserve their own powers rather than being designated with specific tasks under the DSA.
France is in the process of approving a draft legislation that gives to the freshly created Regulatory Authority for Audiovisual and Digital Communication (Autorité de régulation de la communication audiovisuelle et numérique or Arcom) the role of Digital Services Coordinator. At the same time, and contrary to Italy, the National Data Protection Authority (Commission nationale de l’informatique et des libertés or CNIL) and the Directorate-General for Competition, Consumer Affairs and Fraud Control (Direction générale de la Concurrence, de la Consommation et de la Répression des fraudes or DGCCRF) would be responsible for regulating digital services providers established in France as ‘competent authorities’ in the meaning of the DSA (art. 25).
The German legislative proposal for the implementation of the DSA makes an even more articulate competence division choice (Art. 12). The Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway (Bundesnetzagentur für Elektrizität, Gas, Telekommunikation, Post und Eisenbahnen) is nominated as Digital Services Coordinator. As such, it exercises all the functions that are not attributed by the same law to other bodies. German law nevertheless also confers enforcement powers on the Federal Centre for the Protection of Children and Young Persons in the Media (Bundeszentrale für Kinder- und Jugendmedienschutz ist zuständige Behörde für die Durchsetzung) and the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) (art. 12(2)(3)).
Among other Member States Ireland wishes to designate its Media Commission (Coimisiún na Meán) as DSC, Romania seems to have opted for its National Authority for Administration and Regulation in Communications, Belgium envisages to appoint its Belgian Institute for Postal Services and Telecommunications (BIPT-IBPT) and the Netherlands will likely appoint the Consumer and Market Authority (ACM) as DSC. It remains to be seen to what extent those Member States will also designate other competent authorities as bodies responsible for the enforcement of the DSA. At present, little information is confirmed in that regard. As the majority of these initiatives are still in the process of approval, it cannot be excluded that other bodies will be appointed as competent authorities for implementation of the DSA in those Member States as well.
The cursory overview of the different scenarios that are progressively unfolding nevertheless already enables us to make two important observations.
First, Member States do not seem to favor the creation of a completely new and DSA-specific authority. In Member States where DSCs and/or other competent authorities have already been officially designated , the choice has been made rather to entrust existing communications, media or consumer protection authorities with DSA enforcement. Although it could have been deemed preferable to have the same kind of authorities being established across different Member States, the DSA explicitly allows for such diverse choices to be made. From that point of view, the designations made or in the process of being made are not as such problematic from a legal point of view. The experience with the European Competition Network, as evidenced by a communication of the European Commission on the occasion of ten years of Council Regulation 1/2003, has nevertheless shown that, absent more streamlined institutional arrangements, coordinated enforcement is not always easy to put in practice.
Second, however, an issue that currently appears to receive comparatively little attention is the much-needed coordination at Member State level between the DSC and other competent authorities at Member State level. The overview given here shows that such internal coordination is envisaged differently in Italy, France, and Germany. However, Article 49(2) DSA explicitly requires a Member State designating one or more competent authorities in addition to the Digital Services Coordinator to ensure that the respective tasks of those authorities and of the Digital Services Coordinator are clearly defined and that those different authorities cooperate closely and effectively when performing their tasks. It would seem that the setting up of such coordination and cooperation mechanisms would require a legislative framework for the exchange of information and coordination of enforcement activities. Questions can be raised as to whether the Italian, French and other frameworks put in place meet those standards. In the absence of additional clarifications from the DSA or the European Commission, it remains difficult for Member States to predict what is expected from them. Such certainty is nevertheless more than necessary, if only to prevent the Commission initiating infringement proceedings against a Member State for failure to respect the requirements of Article 49(2) DSA. In the field of data protection law, the Commission has not refrained from taking such action against some Member States.
Coordinating administrative diversity in the framework of the DSA: it is not too late for enhanced coordination guidelines.
Although being respectful of Member States’ administrative design choices, uncertainty surrounding the exact scope of coordination obligations flowing from Article 49(2) DSA risks, in our opinion, to delay and potentially hamper the correct and effective application of the Act’s obligations. It would therefore seem necessary to fill this void by offering Member States some more concrete guidance on how to ensure coordinated DSA enforcement.
On the one hand, it could be expected that some kind of best practices on how to coordinate activities between competent authorities in a single Member State could be developed in the context of the European Board for Digital Services. Article 61 DSA indeed allows the Board to contribute to the consistent application of the DSA. However, given the fact that the Board is not up and running yet, it seems impossible for such guidelines to be envisaged at this stage in the implementation of the DSA. That is to some extent a pity, as Member States could benefit from such clarifications at the moment when designating their competent authorities and DSC before the 17 February 2024 deadline.
On the other hand, the European Commission seems to be the most suitable entity to develop guidelines on how to ensure coordinated implementation guidance within a single Member State. Since the entry into force of the DSA, the Commission has indeed designated very large online platforms and search engines directly falling under its supervision, adopted a delegated regulation on calculating supervisory fees charged to those platforms and search engines and an implementing regulation outlining its own enforcement procedure. It also proposed a delegated regulation on how very large platforms’ and search engines’ audits need to be conducted. In addition, in October 20233, it also adopted a recommendation on coordinated action in the context of illegal contents.
Given this context and in light of the Commission’s willingness to provide additional rules or guidance in those other DSA subfields, we submit it would also be a useful way forward to provide Member States with guidelines on how to coordinate the functioning of their DSC and other competent authorities. When doing so, the European Commission would certainly not have to impose one single choice of coordinated enforcement on Member States. However, it could be envisaged that the Commission develops two or three coordinated enforcement structured templates between a DSC and other competent authorities within a single Member State. Each Member State designating multiple competent authorities would then have to comply with one of those templates. By doing so, Member States would retain the freedom to designate and structure their competent authorities, while encountering less uncertainty as to whether the coordinating mechanisms envisaged in their national law systems would be considered compatible with Article 49(2) DSA. In addition, having such guidelines could diminish the risk of having to start long-winding infringement procedures against Member States and focus on the actual enforcement of the DSA obligations vis-à-vis online intermediaries. Adopting such guidelines in the coming weeks or months makes sense for the Commission as it seems eager to get started with coordinated DSA enforcement. Taking steps in this direction sooner rather than later would be highly beneficial for achieving coordinated enforcement both across and within all EU Member States.