
Trump Administration Executive Order (EO) Tracker
The European Commission is currently engaged in a number of high-profile investigations of Very Large Online Platforms under the Digital Services Act. Its powers to enforce compliance are designed specifically for the DSA, although they also borrow from experience in other areas. They are intended to address the unique challenges presented by the scale and complexity of the leading online marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms. They are aimed, importantly, not only at VLOP providers but also at hosting services, internet service providers and domain registries. This paper explains the Commission's powers and offers guidance on how they might be used.
The European Commission has the power to impose fines on VLOP providers not exceeding 6% of their total worldwide annual turnover in the previous financial year, where the provider intentionally or negligently infringes obligations imposed under the DSA, fails to comply with interim measures, or fails to comply with legally-binding commitments it has made.
The Commission interprets ‘the provider’ as a reference to the undertaking involved, and not merely the entity legally responsible for the service. The ‘undertaking’ is a well established EU law concept and it includes the parent entity and the entire group. Thus the 6% maximum applies to the worldwide turnover of the group, and not merely to that of any individual legal entity. Moreover, the competition law precedents would suggest that the Commission can impose the fine jointly and severally on the parent company of the group as well as the entities directly involved in the infringement.
The notion of ‘intentionally or negligently’ is also not an original concept. In the competition law context, it is satisfied by the deliberate commission of an act designed to achieve anti-competitive ends or in the knowledge that anti-competitive effects would result, or where the undertaking concerned could reasonably foresee that the conduct would have anti-competitive effects. In short, it is a relatively low threshold. It can be expected that a similar approach will be followed when applying the DSA.
The legal maximum’ is just that – a maximum. It says nothing about how the Commission will actually exercise its fining power. For this, the DSA requires the Commission to have regard to the nature, gravity, duration and recurrence of the infringement.
‘Nature’. The DSA involves an extensive variety of obligations, ranging from some that are essentially technical, to others that involve systemic conduct, and yet others that concern critical fundamental rights of individuals. It is thus unsurprising that the DSA seems to envisage that the Commission will apply some form of categorisation before assessing gravity in the context of the category concerned.
‘Gravity’ refers to the seriousness of the infringement, by reference to the values protected by the legislation in question. The DSA is intended to advance a variety of important public interests, for example ensuring a safe, predictable and trusted online environment, especially for consumers, minors and users at particular risk of being subject to hate speech, sexual harassment or other discriminatory actions; addressing the dissemination of illegal content online and the societal risks that the dissemination of disinformation or other content may generate; and protecting fundamental rights. It is against this context that the Commission will assess the gravity of the infringement. The DSA expressly envisages that Member State fines will take into account the number of recipients of the service affected, the intentional or negligent character of the infringement and whether the provider is active in several Member States. This will no doubt be true for Commission fines as well.
It should be noted that there are many ways in which the Commission might seek to reflect the gravity of the infringement. Its current practice when enforcing EU competition law is to apply a ‘gravity percentage’ of up to 30% to the value of sales associated with the infringement. But there is nothing inevitable about such a granular approach. The Commission’s previous competition law policy was to categorise all infringements as ‘minor’, ‘serious’ or ‘very serious’, and to publish a range of likely fines associated with each category. Its practice under the DSA will no doubt evolve over time.
‘Duration’ refers literally to the period of time for which the infringement has been established, with the expectation being that longer duration infringements merit higher fines than shorter ones.
This might be done in an approximate way, or by means of a very granular calculation. The Commission's current competition law approach is to increase a basic amount by reference to the number of days involved.
‘Recurrence’ of the infringement. In the context of fines imposed at national level, the DSA explains that penalties should take into account whether the provider concerned has systematically or recurrently failed to comply with its obligations. Thus the notion of ‘recurrence’ distinguishes between recurrent activity that regularly occurs on the platform and isolated one-off actions that might take place over the same period. Systemic or recurrent infringements will attract higher fines.
‘Effective, proportionate and dissuasive’. Lastly, the DSA makes clear that Member State fines must be ‘effective, proportionate and dissuasive’, and take into account ‘the economic capacity of the infringer’. The same no doubt applies to Commission fines. This is a mandate to ensure that the fine is set at a level that is sufficiently dissuasive both for the specific undertaking involved and for similarly large undertakings.
In competition cases involving online platforms, this consideration has led to the imposition of very large amounts – in one case, almost €2 billion – in addition to the amount resulting from the infringement-specific assessment of gravity and duration. It will be a key consideration determining the level of VLOP fines under the DSA.
Failure to comply with VLOP obligations brings into play an elaborate system of ongoing ‘enhanced supervision’, in which the Commission closely scrutinises the efforts of the provider concerned to ensure compliance.
Commission decisions finding non-compliance with the DSA will always set a time limit for the provider concerned to take the necessary measures to ensure compliance. They expressly require the provider concerned to explain to the Commission the measures that it intends to take. In some cases, those measures will be obvious, for example, where the infringement concerns a failure to comply with an obligation to carry out a specific action. The Commission may also set out its expectations in the decision, possibly in quite detailed terms.
The ‘enhanced supervision’ foreseen for non-compliance with VLOP obligations requires the provider concerned to include an independent audit in its action plan reported to the Commission, specifying the identity of the auditor, as well as the methodology, timing and follow-up envisaged. The action plan may also include a commitment to participate in a relevant code of conduct. This action plan is reviewed by the European Board for Digital Services (composed of the Member States’ various Digital Services Coordinators), which adopts an opinion, and the Commission then decides whether the action plan is sufficient to terminate or remedy the infringement and sets a ‘reasonable period’ for its implementation. The Commission will subsequently monitor the implementation of the action plan, which will include scrutiny of the audit report and possible requests for information throughout the implementation of the plan.
If the provider fails to produce an action plan to remedy its non-compliance, or if the plan is rejected by the Commission as insufficient, the Commission can pressure the provider to come up with a better plan by imposing daily penalties. The legal maximum for such penalties is 5% of the provider’s worldwide average daily turnover. The same applies if the Commission subsequently considers that the provider’s implementation of the plan is insufficient to terminate or remedy the infringement. The Commission will no doubt be tempted to remind the provider of this possibility from time to time as the plan is implemented.
The finding of non-compliance, the fine and any remedies specified in the decision are all subject to challenge by the provider concerned before the General Court of the EU.
In principle, this is not a full review on the merits. Rather, EU law prescribes specific grounds on the basis of which a decision can be challenged, enabling full debate on questions of law and putting the burden of proof on the Commission for the basic facts of the infringement. For more substantive assessments – such as whether the requisite diligence has been shown by the provider concerned – a successful challenge is likely to focus on the evidential basis for the Commission's conclusions, or on inconsistencies in its reasoning. The Court will not simply impose its own assessment in preference to that of the Commission.
Fines can be challenged using the same approach, but here it is also possible to argue simply that the fine is inappropriately high in the circumstances. The Court has ‘unlimited jurisdiction’ to reset the fine. It might be noted, however, that this unlimited jurisdiction includes the possibility to increase the fine, albeit that the EU Courts have historically used that possibility only in very specific circumstances.
If the Commission is unable to force a VLOP provider to adopt measures effectively terminating an infringement, it has one final option available. It can ask the Digital Services Coordinator in the country in which the provider is established to apply to a national court for an order temporarily restricting the access of recipients to the service concerned. That is, it can try to block access to the VLOP in the EU. This is an exceptionally intrusive power, especially since it is aimed at parties other than the infringing VLOP provider. Such orders will in principle be addressed to the cloud provider hosting the VLOP concerned, to the internet service providers through which users access the VLOP, or to the domain registries handling the various domain names used by the VLOP.
The process for internet blocking orders in principle revolves around the DSC in the provider’s country of establishment, and the national courts in that country. However, where the original non-compliance finding is made by the Commission against a VLOP, the procedure always begins with the Commission. It is thus a three-stage process.
Step 1 – Commission’s request to the relevant DSC. The Commission can only make such a request to the DSC in the country of establishment of the VLOP concerned. It must have exhausted all its powers to bring about the cessation of the infringement, and the infringement must be causing serious harm which cannot be avoided through the exercise of other powers available under Union or national law.
Step 2 – DSC. As mentioned earlier, the DSA provides a substantive safeguard at national level, namely that the DSC can apply to its national court only if it considers that the infringement entails a criminal offence involving a threat to the life or safety of persons.
Step 3 – Before the national court. The process following the application of the DSC will largely be governed by the procedural law of the Member State concerned.
The DSA envisages orders restricting access to online providers as a last resort, a nuclear option. Nonetheless they may be deployed by the Commission as a threat, and they may emerge as reality as well.
Authored by Christopher Thomas and Alexandra Bray.