European Commission’s powers to fine, impose remedies, and block access to VLOPs under the DSA

The exposure to fines

The European Commission has the power to impose fines on VLOP providers not exceeding 6% of their total worldwide annual turnover in the previous financial year, where the provider intentionally or negligently infringes obligations imposed under the DSA, fails to comply with interim measures, or fails to comply with legally-binding commitments it has made.

The Commission interprets ‘the provider’ as a reference to the undertaking involved, and not merely the entity legally responsible for the service. The ‘undertaking’ is a well established EU law concept and it includes the parent entity and the entire group. Thus the 6% maximum applies to the worldwide turnover of the group, and not merely to that of any individual legal entity. Moreover, the competition law precedents would suggest that the Commission can impose the fine jointly and severally on the parent company of the group as well as the entities directly involved in the infringement. 

The notion of ‘intentionally or negligently’ is also not an original concept. In the competition law context, it is satisfied by the deliberate commission of an act designed to achieve anti-competitive ends or in the knowledge that anti-competitive effects would result, or where the undertaking concerned could reasonably foresee that the conduct would have anti-competitive effects. In short, it is a relatively low threshold. It can be expected that a similar approach will be followed when applying the DSA.

How the fines are calculated

The legal maximum’ is just that – a maximum. It says nothing about how the Commission will actually exercise its fining power. For this, the DSA requires the Commission to have regard to the nature, gravity, duration and recurrence of the infringement. 

‘Nature’. The DSA involves an extensive variety of obligations, ranging from some that are essentially technical, to others that involve systemic conduct, and yet others that concern critical fundamental rights of individuals. It is thus unsurprising that the DSA seems to envisage that the Commission will apply some form of categorisation before assessing gravity in the context of the category concerned.

‘Gravity’ refers to the seriousness of the infringement, by reference to the values protected by the legislation in question. The DSA is intended to advance a variety of important public interests, for example ensuring a safe, predictable and trusted online environment, especially for consumers, minors and users at particular risk of being subject to hate speech, sexual harassment or other discriminatory actions; addressing the dissemination of illegal content online and the societal risks that the dissemination of disinformation or other content may generate; and protecting fundamental rights. It is against this context that the Commission will assess the gravity of the infringement. The DSA expressly envisages that Member State fines will take into account the number of recipients of the service affected, the intentional or negligent character of the infringement and whether the provider is active in several Member States. This will no doubt be true for Commission fines as well.

It should be noted that there are many ways in which the Commission might seek to reflect the gravity of the infringement. Its current practice when enforcing EU competition law is to apply a ‘gravity percentage’ of up to 30% to the value of sales associated with the infringement. But there is nothing inevitable about such a granular approach. The Commission’s previous competition law policy was to categorise all infringements as ‘minor’, ‘serious’ or ‘very serious’, and to publish a range of likely fines associated with each category. Its practice under the DSA will no doubt evolve over time. 

‘Duration’ refers literally to the period of time for which the infringement has been established, with the expectation being that longer duration infringements merit higher fines than shorter ones. 

This might be done in an approximate way, or by means of a very granular calculation. The Commission's current competition law approach is to increase a basic amount by reference to the number of days involved. 

‘Recurrence’ of the infringement. In the context of fines imposed at national level, the DSA explains that penalties should take into account whether the provider concerned has systematically or recurrently failed to comply with its obligations. Thus the notion of ‘recurrence’ distinguishes between recurrent activity that regularly occurs on the platform and isolated one-off actions that might take place over the same period. Systemic or recurrent infringements will attract higher fines.

‘Effective, proportionate and dissuasive’. Lastly, the DSA makes clear that Member State fines must be ‘effective, proportionate and dissuasive’, and take into account ‘the economic capacity of the infringer’. The same no doubt applies to Commission fines. This is a mandate to ensure that the fine is set at a level that is sufficiently dissuasive both for the specific undertaking involved and for similarly large undertakings. 

In competition cases involving online platforms, this consideration has led to the imposition of very large amounts – in one case, almost €2 billion – in addition to the amount resulting from the infringement-specific assessment of gravity and duration. It will be a key consideration determining the level of VLOP fines under the DSA.

Remedies and enhanced supervision

Failure to comply with VLOP obligations brings into play an elaborate system of ongoing ‘enhanced supervision’, in which the Commission closely scrutinises the efforts of the provider concerned to ensure compliance.

Commission decisions finding non-compliance with the DSA will always set a time limit for the provider concerned to take the necessary measures to ensure compliance. They expressly require the provider concerned to explain to the Commission the measures that it intends to take. In some cases, those measures will be obvious, for example, where the infringement concerns a failure to comply with an obligation to carry out a specific action. The Commission may also set out its expectations in the decision, possibly in quite detailed terms. 

The ‘enhanced supervision’ foreseen for non-compliance with VLOP obligations requires the provider concerned to include an independent audit in its action plan reported to the Commission, specifying the identity of the auditor, as well as the methodology, timing and follow-up envisaged. The action plan may also include a commitment to participate in a relevant code of conduct. This action plan is reviewed by the European Board for Digital Services (composed of the Member States’ various Digital Services Coordinators), which adopts an opinion, and the Commission then decides whether the action plan is sufficient to terminate or remedy the infringement and sets a ‘reasonable period’ for its implementation. The Commission will subsequently monitor the implementation of the action plan, which will include scrutiny of the audit report and possible requests for information throughout the implementation of the plan. 

If the provider fails to produce an action plan to remedy its non-compliance, or if the plan is rejected by the Commission as insufficient, the Commission can pressure the provider to come up with a better plan by imposing daily penalties. The legal maximum for such penalties is 5% of the provider’s worldwide average daily turnover. The same applies if the Commission subsequently considers that the provider’s implementation of the plan is insufficient to terminate or remedy the infringement. The Commission will no doubt be tempted to remind the provider of this possibility from time to time as the plan is implemented.

Possible challenges to non-compliance decisions, fines and remedies

The finding of non-compliance, the fine and any remedies specified in the decision are all subject to challenge by the provider concerned before the General Court of the EU.

In principle, this is not a full review on the merits. Rather, EU law prescribes specific grounds on the basis of which a decision can be challenged, enabling full debate on questions of law and putting the burden of proof on the Commission for the basic facts of the infringement. For more substantive assessments – such as whether the requisite diligence has been shown by the provider concerned – a successful challenge is likely to focus on the evidential basis for the Commission's conclusions, or on inconsistencies in its reasoning. The Court will not simply impose its own assessment in preference to that of the Commission.

Fines can be challenged using the same approach, but here it is also possible to argue simply that the fine is inappropriately high in the circumstances. The Court has ‘unlimited jurisdiction’ to reset the fine. It might be noted, however, that this unlimited jurisdiction includes the possibility to increase the fine, albeit that the EU Courts have historically used that possibility only in very specific circumstances.

Restricting access to the service

If the Commission is unable to force a VLOP provider to adopt measures effectively terminating an infringement, it has one final option available. It can ask the Digital Services Coordinator in the country in which the provider is established to apply to a national court for an order temporarily restricting the access of recipients to the service concerned. That is, it can try to block access to the VLOP in the EU. This is an exceptionally intrusive power, especially since it is aimed at parties other than the infringing VLOP provider. Such orders will in principle be addressed to the cloud provider hosting the VLOP concerned, to the internet service providers through which users access the VLOP, or to the domain registries handling the various domain names used by the VLOP. 

The process for internet blocking orders in principle revolves around the DSC in the provider’s country of establishment, and the national courts in that country. However, where the original non-compliance finding is made by the Commission against a VLOP, the procedure always begins with the Commission. It is thus a three-stage process.

Step 1 – Commission’s request to the relevant DSC. The Commission can only make such a request to the DSC in the country of establishment of the VLOP concerned. It must have exhausted all its powers to bring about the cessation of the infringement, and the infringement must be causing serious harm which cannot be avoided through the exercise of other powers available under Union or national law. 

• Thus the Commission cannot initiate the process to block access to a VLOP without first having adopted a formal decision finding non-compliance with the DSA, and moreover it must have tried to secure compliance with daily penalties. 
• The DSA provides that an application can ultimately be made to a national court only if the DSC concerned considers that the infringement entails a criminal offence involving a threat to the life or safety of persons. This is much more specific than the possibility of ‘serious harm’ that the Commission is expressly required to assess. Since it is a prerequisite to the grant of a blocking order, the Commission would be prudent to consider this higher standard in any event.
• The Commission must invite interested parties to submit written observations within a period of at least 14 working days, describing the measures it intends to request and identifying the intended addressee or addressees thereof. 
  • This is a very short period of time, especially for third parties who may be surprised to find themselves identified as the potential addresses of a blocking order. 
  • The VLOP provider will presumably argue that it is in fact in full compliance, or that no ‘serious harm’ has been established. #
  • ISPs or other third parties caught up in the process might for example argue that alternative powers could be used at EU or national level, or that the measures concerned are disproportionate in the circumstances. Indeed, it might be expected that all arguments that could later be put to the court deciding whether to grant the measures requested may initially be made to the Commission.

Step 2 – DSC. As mentioned earlier, the DSA provides a substantive safeguard at national level, namely that the DSC can apply to its national court only if it considers that the infringement entails a criminal offence involving a threat to the life or safety of persons. 

• The DSA does not expressly state whether the DSC must go through the normal preliminaries at national level, given that these could duplicate the ‘enhanced supervision’ that has already occurred at the Commission level. 
• The ordinary process would be for the DSC to order the management body of the provider concerned to examine the situation, adopt and submit an action plan setting out the necessary measures to terminate the infringement, ensure that the provider takes those measures, and report to the DSC on the measures taken. In a VLOP situation, this would tend to duplicate the process that has already happened at EU level. It is therefore possible that the DSC may give the provider only a very short deadline, or indeed argue that this step is not required before the application is made to the court. 

Step 3 – Before the national court. The process following the application of the DSC will largely be governed by the procedural law of the Member State concerned. 

• The DSA provides that the VLOP provider, the intended addressees of the blocking order, and any other third party demonstrating a legitimate interest shall be entitled to participate. If granted, the order will be for four weeks, and will give the DSC a limited power to extend the restriction of access for further periods of four weeks. 
• The scope and content of the order will in part depend on the nature of the service provided by the addressee of the order. Orders against hosting providers, ISPs and domain registries would logically need to be rather different. The DSA lays down an important requirement that an order to restrict access should not go beyond what is necessary to achieve its objective, and must not ‘unduly restrict’ access to lawful information by recipients of the service concerned. A key focus for the national court proceedings will therefore be on limiting the restrictions imposed to those that are absolutely necessary, and preserving users’ access to the service to the extent possible consistent with addressing the infringement previously found by the Commission. A distinct aspect of the ‘necessity’ requirement is that the blocking order might not be needed because alternative powers under national law are reasonably available and could be used instead. The DSA also requires that any order be proportionate to the nature, gravity, recurrence and duration of the infringement. This principle establishes that only certain infringements of the DSA merit blocking access to the VLOP concerned. It will be recalled that the Commission is allowed to act only to prevent ‘serious harm’ and the DSC must determine that the infringement entails a criminal offence involving a threat to the life or safety of persons. It seems likely that national courts should take such considerations into account and only grant blocking orders that are justified by a need to protect life and safety. 
• In any event, the national court will no doubt be asked to address the fundamental rights of those involved, including the freedom of users to receive information and ideas, protected by Article 11 of the Charter of Fundamental Rights of the EU. Indeed, the DSA expressly declares that it should be interpreted and applied in accordance with the fundamental rights protected by the Charter, including the freedom of expression and of information, as well as the freedom and pluralism of the media. 
• In contrast, the national court cannot take a decision which contradicts a decision already adopted by the Commission on the same subject-matter, and it must also avoid taking decisions which could conflict with a decision contemplated by the Commission in proceedings it has initiated. Thus the proceedings before the national court will not re-examine the existence of the infringement found in the Commission's non-compliance decision. 

The DSA envisages orders restricting access to online providers as a last resort, a nuclear option. Nonetheless they may be deployed by the Commission as a threat, and they may emerge as reality as well.

Authored by Christopher Thomas and Alexandra Bray.