Skip to main content

The Clock Has Started: EU DSA VLOP & VLOSE Designations Announced

Technology transcends borders, as do regulations and fines. If your US company has EU operations or users, you may be impacted by trends in the European regulatory landscape. Further, non-compliance with some of these EU regulations are calculated as a percentage of global revenue.

The European Commission issued a key development in Europe’s ‘Digital Decade’ effort in April this year. Driven by recent concerns regarding disinformation, advertising, harm to minors, and illegal content, the EU’s Digital Services Act (DSA) sets out tiered and cumulative obligations aimed at better protecting users and enhancing accountability and transparency. As part of the DSA implementation, the European Commission announced on April 25, 2023 (here), the designation of 17 Very Large Online Platforms (VLOP) and 2 Very Large Online Search Engines (VLOSE) that reach at least 45 million monthly active users within the EU.

VLOPs and VLOSEs are expected to adapt systems, processes, and operations to implement and/or update mechanisms for DSA compliance within four months. There are a broad range of obligations that require different areas of the company to work together to resolve. Some of the regulation focus areas include, but are not limited to, the following:

  • Management of Harmful Content
    • Implementing or refining processes to address orders to act against illegal content and report on the actions taken.
    • Building user-friendly mechanisms to enable users to report illegal content and inform users on restrictions imposed.
    • Tuning and monitoring technologies to address requirements.
    • Building or refining trusted flagger processes which prioritise reports from trusted flaggers1.
    • Mobilising or refining recourse processes and mechanisms.
  • Risk Management, Compliance, and Audit
    • Conducting a systemic risk assessment and mitigating those risks, including appropriate and proportionate measures to protect minors. For VLOPs and VLOSEs, the first annual systemic risk assessment needs to be completed within four months of designation.
    • Mobilising readiness efforts and engaging an independent auditor for the required annual audit.
    • Standing up a compliance function and appointing the required roles and clearly defining the responsibilities, including the designation of a DSA Compliance Officer.
  • Advertising
    • Labeling advertisements clearly, concisely, and in plain English.
    • Evaluating how information targeting is conducted to determine it is not based on special categories of personal data2.
    • Building/refining and maintaining a publicly available advertisement repository that includes, but is not limited to, information on the content of the ad, the natural/legal person on whose behalf the ad was displayed, the main ad targeting parameters, and the number of users reached and, where it applies, aggregate numbers for the recipients who were targeted.
  • Transparency and Data Access
    • Defining recommender system (i.e., a system that makes targeted recommendations for a user) parameters clearly and concisely in your Terms of Service.
    • Building standardised data collection methods and scaling data management capabilities to provide Transparency Reports on specific activities in a repeatable and effective manner.
    • Designing processes to facilitate data access to regulators and vetted researchers.

If you are wondering what this means now that the clock has started for the VLOPs and VLOSEs, we have a few thoughts:

  • Take a Programmatic Approach: The same underlying concerns on trust and safety are playing out in the US, the EU, and other jurisdictions globally. Approaching the onset of regulations in a programmatic and thematic manner streamlines risk and compliance management across your operations. Focus on a scalable strategy.
  • Understand your Current State: Many organisations already have industry leading processes and systems in place to support a safer internet. Understand the effective mechanisms in place and conduct analyses and assessments of these activities to understand where the gaps in your programme are and where work is needed to meet these obligations and manage content risk. Evaluate and build.
  • Invest in your Infrastructure: Building a scalable programme that addresses regulations across multiple jurisdictions in a programmatic manner requires broad foundational risk and compliance components, including a risk taxonomy, control framework, obligation library, technology, right-sized resourcing, a clearly defined governance and operating model, and data management capabilities. Invest now.
  • Functional Integration: To respond in a timely manner to these obligations and operate effectively to enable the business, functions from product managers to data scientists to engineers to policy, legal, and compliance need to break down pre-existing silos and work in a harmonised and integrated way that may be a significant change for many organisations. Design and mobilise an interaction model.

Unsure of what this means for your business? Our industry leaders are here to provide guidance.

[1] Trusted Flaggers’ as referred to in Article 22 of the Regulation (EU) 2022/2065

[2] ‘Special categories of personal data‘ as referred to in Article 9(1) of Regulation (EU) 2016/679