Hostname: page-component-cd9895bd7-lnqnp Total loading time: 0 Render date: 2024-12-23T06:14:36.188Z Has data issue: false hasContentIssue false

The Legal Significance of Independent Research based on Article 40 DSA for the Management of Systemic Risks in the Digital Services Act

Published online by Cambridge University Press:  14 October 2024

Anna Liesenfeld*
Affiliation:
University of Freiburg, Germany
Rights & Permissions [Opens in a new window]

Abstract

As part of its risk management system, aiming at the mitigation of so-called systemic risks on very large online platforms and very large online search engines (VLOPSEs), the DSA introduces data access rights for independent researchers. With this instrument, the legislator hopes to enable the production of evidence concerning possible threats to society and democracy that might be linked to these platforms or search engines. After an overview of the functioning of the risk management system in the DSA that is characterised by a collaborative governance framework and a learning-based approach, the article will explore the role of the researchers inside this framework. It thereby focuses on the legal significance the researchers’ evidence could have for the risk mitigation obligations imposed on the VLOPSEs in the DSA by interpreting the provisions of the DSA.

Type
Articles
Creative Commons
Creative Common License - CCCreative Common License - BY
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2024. Published by Cambridge University Press

I. Introduction

The data access rights for researchers in Article 40(4) and (12), of the Digital Services Act (DSA)Footnote 1 are widely regarded as pivotal provisions of the regulation.Footnote 2 This is because the empirical research facilitated by the data access is expected to provide significant insights into the possible negative impacts of very large online platforms and very large online search engines (VLOPSEs)Footnote 3 and their algorithmic recommender and content moderation systems on democracy and society.

Due to the absence of a legal basis in the past, VLOPSEs as private companies, that can invoke fundamental rights, were not obliged to share any information they wished to withhold. Therefore, information about the relationship between their algorithmic design choices and effects on society and democracy has been very scarce. The VLOPSEs decided themselves which information they wanted to share with the public in voluntary transparency reports,Footnote 4 through the publication of in-house researchFootnote 5 or in very few cases by cooperating with external researchersFootnote 6. Possibilities to look into the inner workings of platforms and search engines, especially regarding algorithmic decision-making or content moderation processes, were thus very limited for outsiders.Footnote 7 Because of the resulting opaqueness platforms and search engines have been referred to as “black boxes.”Footnote 8

This “black box” character has become increasingly problematic in recent years. Since the adoption of the E-Commerce-Directive (2000/31/EC),Footnote 9 the first take on platform regulation in the EU, the role of platforms and search engines has significantly evolved.Footnote 10 With the majority of European users adhering only to a few platforms and even fewer search engines, these online services have turned into “public spaces” for expression and information.Footnote 11 The EU has thus acknowledged their “systemic role in amplifying and shaping information flows online and for the largest part of EU citizens, businesses and other organisations.”Footnote 12 With the growing importance of some platforms and search engines, negative effects for society and democracy that appear to be linked to the design, functioning or (mis-)use of platforms/search engines, like the spread of dis- and misinformation or illegal content, have increased in recent years.Footnote 13 As a result, the EU legislator has recognised the necessity for new regulation and enacted the DSA. Part of the provisions is the establishment of a risk management system that aims at the mitigation of so-called “systemic risks.”Footnote 14 In order to ensure its effectiveness, the legislator had to address the lack of knowledge about VLOPSEs. Therefore, a significant part of risk management involves the introduction of knowledge-generating procedures. Among these provisions are the data access rights for independent researchers in Article 40(4), (12) DSA. According to recital 96, the purpose of the research facilitated through these provisions is to contribute to “bridging information asymmetries and establishing a resilient system of risk mitigation, informing providers of online platforms, providers of online search engines, Digital Services Coordinators, other competent authorities, the Commission and the public.” The purpose of the independent research is thus twofold: First, it shall address the problem that VLOPSEs are “black boxes” for outsiders. Research based on VLOPSE data could reduce the existing information asymmetries – between the VLOPSEs on one side and the authorities and the public on the other – and thereby create more transparency and accountability of the VLOPSEs. Second, by generating new knowledge on systemic risks on these platforms and search engines, the researchers could provide valuable information for the relevant actors of the risk management system through their studies.Footnote 15

This paper wants to answer the question, in how far the independent research facilitated by Article 40 DSA has a legal significance for the management of systemic risks in the DSA. Is it only providing additional information for the actors, that other than the creation of more transparency serves no concrete purpose for risk management? Or can the research results have a concrete legal effect for the risk management obligations of the VLOPSEs? If, for example, a researcher finds evidence for the existence of a systemic risk on a platform or a search engine, that a VLOPSE in its own risk assessment (so far) did not, does it have to comply and mitigate the risk or at least explain why it does not see a reason to do so?

After an overview of the functioning of the risk management system in the DSA (II.), this article examines the research question by interpreting the provisions of the DSA (III.).

II. Overview of the risk management system in the DSA

The risk management system as stipulated in Chapter 3, Section V of the DSA (esp. Articles 34–37, 40–42) introduces a risk-based regulatory approach to platform regulation.Footnote 16 This means that regulatory tools are used proportionately to the risk posed by an online service provider.Footnote 17 The obligations of the addressees of the DSA vary accordingly, depending on the type and size of the online service providers, which results in asymmetric obligations. The risk management rules aiming at addressing not individual but societal risks emanating mainly from algorithmic systems are considered as the most extensive obligations for online service providers by the DSA legislator. They are only applicable to VLOPSEs, ie, online platforms and search engines with more than 45 million monthly users in the EU (Article 33 (1) DSA).

The functioning of the risk management system is characterised by a collaborative governance architecture,Footnote 18 centred around the supervised self-regulation of VLOPSEs (1.) and a focus on the generation of knowledge (2.). Although information by researchers has already played an important role for the generation of knowledge in risk regulation law in the past, independent researchers are legally attributed an active role for the first time (3.).

1. Functioning of the risk management system

The core of the risk management system is the diligent identification and mitigation of systemic risks by the VLOPSEs at least once a year (Articles 34, 35(1) DSA). In Article 34 (1)2 the DSA legislator identified four categories of risks as a guideline of what is encompassed by the term “systemic risks,” which itself is not defined in the DSA’s general definitions in Article 3. Article 34(2) DSA prescribes which factors the VLOPSEs particularly have to take into account in their risk assessment, eg, the design of their algorithmic systems, the applicable terms and conditions and also the influence of intentional manipulation of their services. If the addressed online service providers come to the conclusion that a systemic risk exists on their service, they are obliged to take “proportionate and effective mitigation measures, tailored to the specific systemic risks identified” (Article 35(1) DSA). In principle, the VLOPSEs are free to decide which measures they consider appropriate for the mitigation of the respective detected risk. Article 35(1) DSA provides a catalogue with examples of possible risk mitigation measures. To ensure the diligent execution of the risk management by the VLOPSEs, they shall establish an internal compliance function (Article 41 DSA).

Furthermore, the VLOPSEs are subject to annual independent audits at their own expense with the purpose to assess whether the VLOPSEs diligently fulfilled their due diligence obligations under the DSA, including the risk management obligations (Article 37 (1) DSA). The auditors give an opinion on the compliance with the regulation and in case a violation is detected, prescribe “operational measures to achieve compliance with the DSA” that in principle have to be respected (Article 37(4)(g), (h), (6) DSA).

The risk management system is therefore generally focused on the initiation of self-monitoring by the VLOPSEsFootnote 19 by conferring public policy functions on them.Footnote 20 Nonetheless, public authorities have a surveillance function in the risk management system and are granted influence on the risk mitigation by the VLOPSEs. Pursuant to Article 35(2) DSA the Digital Services BoardFootnote 21 and the EU Commission publish an annual report including the “most prominent and recurring systemic risks” as well as “best practices concerning the mitigation of identified risks.” Moreover, the EU Commission and the Digital Services CoordinatorsFootnote 22 can issue guidelines on best practices of risk management as stipulated in Article 35(3) DSA. In case of the emergence of “significant systemic risks” on several VLOPSEs, the Commission can invite the providers to participate in the drawing up of Codes of Conduct (Article 45(2) DSA). To monitor the compliance with the obligations in the DSA, including the risk management obligations, the EU Commission and the Digital Services Coordinator of establishment have an access right to all data necessary to fulfil this task (Article 40(1) DSA). If the EU Commission suspects an infringement of the obligations of the VLOPSEs, including the risk management obligations, it can, as the assigned supervisory authority for VLOPSEs, initiate a proceeding (Article 66(1) DSA). If an infringement is confirmed, the Commission may adopt a non-compliance decision based on Article 73 DSA and can impose a fine of up to 6% of the total worldwide annual turnover of a VLOPSE (Article 74 DSA). Pursuant to Article 75 an infringement can also trigger a period of enhanced supervision.

Another element of the risk management system, introducing independent researchers as a new actor in risk regulation, are the data access provisions in Article 40(4) and (12) DSA. Article 40(4) DSA provides access for researchers who have been granted the status of “vetted researchers” by the DSC of establishment upon meeting the conditions set out in Article 40(8) DSA. Article 40(12) DSA provides access for other independent researchers who have to fulfil only part of the criteria set out in Article 40(8) DSA and do not have to go through a vetting process by the public authorities. Article 40(12) in turn limits data access to “publicly available” data.

By putting the risk mitigation in the hands of the VLOPSEs controlled by independent auditors and supervised by public authorities, the DSA legislator has created a collaborative governance framework.Footnote 23 This concept is situated between a command-and-control approach and pure self-regulation,Footnote 24 and suitable for areas where the legislator as well as the public authorities are confronted with information deficits.Footnote 25 The use of the knowledge of private companies promises a higher problem-solving capacity and improved implementation prospects through increased acceptance of the regulation by the regulatees.Footnote 26

2. The generation of knowledge as a key element of the risk management system

A key element of the functioning of the risk management system is its focus on the generation of knowledge.Footnote 27 This does not only show in the continuous obligation of VLOPSEs to generate knowledge on systemic risks.Footnote 28 The generation of new knowledge also plays a role for the development of the risk management system. It is not static but designed to allow for improvement and the development of more resiliency over time. This can be seen in recital 90 which states that the VLOPSEs shall in their approach to risk assessment and mitigation always resort to the “best available information and scientific insights” and “test their assumptions with the groups most impacted by the risks and the measures they take.” It is also reflected in Article 35(2), (3) DSA stating that the public authorities can publish best practices and issue guidelines concerning effective risk mitigation measures. Underlying the risk management system is thus a reflexive, learning-based approach. To enable this dynamic learning environment, the relevant actors are in need of information, or – in its contextualised form – knowledge.Footnote 29

As the VLOPSEs are monitored by independent auditors and supervised by public authorities (notably the EU Commission), knowledge is also required by the regulators in order to fulfil their tasks of examining the compliance of the VLOPSEs with the DSA. To address the problem of the existing information asymmetries between the VLOPSEs and the regulators and to allow for an effective supervision, the DSA grants them extensive data access rights (in Article 40(1) DSA for the authorities and in Article 37(1) DSA with consideration of recital 92 for the auditors).

Knowledge thus plays a role on three levels in the risk management system: for the actual management of systemic risks, the improvement of the risk management system and the control of compliance with the regulation.

It thereby serves two distinct functions aligned with the objectives of independent research as articulated in recital 96. First, the acquisition of new knowledge is essential for effective risk management. Second, regulatory knowledge is important to bridge existing information asymmetries. The introduction of data access provisions for independent researchers that shall provide information for the risk management system thus integrates well in this knowledge-generating approach.

3. Independent researchers as new player in the risk management system

With the integration of data access provisions for independent researchers in Article 40(4) and (12), the DSA introduces a regulatory novelty to risk regulation. While regulatory regimes in European risk regulation law that leverage the regulatees’ expertise and introduce private external oversight are familiar in this domain,Footnote 30 researchers have so far only been involved indirectly. They have served as possible expert witnesses, their knowledge was integrated into the application of risk regulation law by referring to scientific knowledge or they played a role in scientific committees that can be consulted by the EU Commission in certain fields.Footnote 31 The DSA, by contrast, grants researchers the autonomy to engage directly in research activities at their own initiative, either upon being accepted as vetted researchers or meeting the criteria outlined in Article 40(12) DSA. The legislator has thus assigned the researchers an active participatory role and thereby created a flexible instrument that matches with the continuous risk assessment and the learning-based approach in the DSA.

A reason for the integration of this instrument can be found in a major difficulty, the DSA legislator was confronted with, when drafting the risk management system. Even though the challenge of VLOPSEs being “black boxes” can in principle be overcome through data access rights for supervisory authorities and external auditors, they also need the expertise to interpret the data they receive. While for the external auditors “proven expertise in the area of risk management, technical competence and capabilities” are a requirement to perform their tasks,Footnote 32 the DSA legislator acknowledged in Article 64(1), that the EU Commission has yet to develop the necessary expertise as well as the capabilities to perform the assigned role as a supervisory authority in the DSA.Footnote 33 Since regulation of systemic risks is introduced long after the market access of the VLOPSEs, there is no legal provision in the DSA for the prior admission of VLOPSEs to operate on the market of online services by regulatory authorities. Instead there is a continuous risk assessment, involving the consideration of a vast amount of data. The inclusion of independent individuals or entities that are presumed to possess expertise in the field can thus be seen as a beneficial approach to bolster external oversight. The actual relevance of this expertise for the management of systemic risks will now be analysed.

III. The significance of independent research for the risk management in the DSA

Research results generally serve the purpose to generate knowledge and provide information on their respective research topic. In case of the data access provisions for independent researchers in Article 40(4) and (12) DSA, the research must contribute to “the detection, identification and understanding of systemic risks in the Union, as set out pursuant to Article 34(1)”. In case of Article 40(4) DSA it can also be the assessment of “the adequacy, efficiency and impacts of the risk mitigation measures pursuant to Article 35.” By the obligation to conduct research on systemic risks, the DSA legislator thus tied the research subject to the risk management system. Nonetheless, the term “systemic risks” encompasses a wide range of possible harms allowing for many possible research objects. The findings could in turn prove pertinent to all identified levels where knowledge generation contributes to the risk management system: the detection of systemic risks, information on risk mitigation measures that could be useful for the improvement of the risk management system and information that could be valuable evidence needed for the supervision of the compliance with the obligations in the risk management system by the regulatory authorities.

This paper will concentrate on the importance of research for the risk management by the VLOPSEs. Given that regulatory authorities oversee this risk management, the relevance of research for supervision – by providing contrasting informationFootnote 34 to those in the risk assessments by the VLOPSEs – will be duly considered. Due to the different scope of the data access rights, it has to be differentiated between the results based on Article 40(4) (1.) and Article 40(12) DSA (2.).

1. The research results based on Article 40(4) DSA

Concerning the significance of these research results, the DSA does not contain an explicit legal obligation for VLOPSEs to “comply or explain” (a.) However, it could contain an implicit obligation either through the reception of independent research in the auditing reports (b.) or through the obligation of the VLOPSEs’ to conduct a diligent risk assessment (c.).

a. No explicit legal obligation for VLOPSEs to “comply or explain”

The DSA does not explicitly oblige VLOPSEs to consider research results based on Article 40(4) DSA, if they provide evidence for a systemic risk on a VLOPSE. Other than the absence of a respective provision, this can be seen in Article 35(1) DSA. It states that VLOPSEs have to mitigate “the specific systemic risks identified pursuant to Article 34,” thus only risks identified on the basis of their own risk assessments. Article 41 DSA obliging the VLOPSEs to create a compliance function does not refer to the consideration of research results either. It is questionable whether this interpretation is modified by recital 90, that states that VLOPSEs “should ensure that their approach to risk assessment and mitigation is based on the best available information and scientific insights.” This means that the VLOPSEs should consider the best possible methods on how to conduct their risk assessment, which could also stem from research results based on Article 40 DSA. An extensive interpretation of the wording does, however, not exclude that it could also refer to information on specific systemic risks that should be taken into account in each risk assessment.

Furthermore, recital 90 states that the VLOPSEs “should, where appropriate, conduct their risk assessments and design their risk mitigation measures with the involvement of […] independent experts and civil society organisations.” The DSA thus promotes a dialogue between VLOPSEs and other stakeholders including independent researchers that could be consulted as independent experts by the VLOPSEs to ensure the best possible risk assessment. This dialogue could in practice also stretch to exchanges about systemic risks,Footnote 35 but remains on a voluntary basis since notwithstanding the normative formulation of recital 90, a recital is not part of the normative text of a legislative act of the EU.Footnote 36 Recitals can therefore not be used to defer from the normative text of the regulation,Footnote 37 not to mention create a legal obligation that is not provided for in the text.Footnote 38

This means that if researchers find evidence for a risk that a VLOPSE did not consider in their risk assessment, the VLOPSE is not explicitly obliged to concern itself with the findings.

b. Implicit legal obligation to “comply or explain” through consideration of the research results by the auditors?

There could, however, be an implicit obligation for the VLOPSEs to consider the researchers’ findings in the DSA. The DSA does not contain details on the auditing process other than requirements the auditing bodies have to fulfil (Article 37(3) DSA) and the contents of the audit reports (Article 37(4) DSA). These reports shall, pursuant to Article 37(4) DSA, also contain a list of consulted third parties, which could be anyone able to provide valuable information for the audits, hence also vetted researchers. Moreover, recital 92 stipulates that auditors should be able to “make use of other sources of objective information, including studies by vetted researchers” for their compliance assessments. If the researchers found evidence for a systemic risk that the VLOPSEs did (so far) not identify, the auditors could in consequence issue a negative opinion on the compliance with the obligations of the risk management system in their report. They could then propose operational recommendations to the VLOPSEs to achieve compliance, including risk mitigation measures. Yet, the consideration of the research results by the auditors is only voluntary as it is not part of the legal text. The voluntariness is also reinforced in Articles 13 and 14 of the Delegated Act on independent audits.Footnote 39 Articles 13(3) and 14(3) provide a list with all the information, the auditors “shall” consider regarding the compliance of the VLOPSEs with their obligations in Articles 34 and 35 DSA. Research results, however, are only mentioned in Articles 13(4) and 14(4) in a list of information that “may” be included in the audits “as appropriate.” Ideally, as the research results based on Article 40(4) DSA have to be made publicly available free of charge (Article 40(8)(g) DSA), the auditors take notice of them. If they contain relevant information, eg, evidence on systemic risks, they should consider them for their audit reports. It remains yet to be seen in how far the audits will live up to the expectations put on them. Although the Delegated Act concretises Article 37 DSA, including the auditing process, the VLOPSEs can choose the auditing bodies on their own. The formal requirements of independence are not very concrete and there are no safeguards if an auditor is too lenient in his assessment except for an obligation of the VLOPSEs to change the auditor every ten years.Footnote 40

In summary, there is thus also no implicit legal obligation for the VLOPSEs to consider the research results based on Article 40(4) DSA through the auditing results. If the auditors effectively perform their duties and consider relevant findings of vetted researchers, the prospect of receiving a negative audit report does not suffice to create an incentivizing effect for the VLOPSEs to consider the research results themselves in the first place. They still have the possibility to comply with the recommended operational measures without having to fear supervisory measures yet.

c. Implicit legal obligation to “comply or explain” as part of a “diligent” risk assessment?

That said, the DSA could contain an implicit legal obligation for the VLOPSEs to consider the findings of researchers through the requirement of performing a “diligent” risk assessment as set out in Article 34(1)1 DSA. In case a VLOPSE does not assess a risk, despite the availability of independent research based on Article 40(4) DSA that provides evidence for its existence, it could be in breach of its obligation to “diligently identify, analyse and assess any systemic risks in the Union.” On that basis the EU Commission could at its own discretion start a proceeding pursuant to Article 66 DSA, which could entail the adoption of a non-compliance decision (Article 73 DSA) and eventually a fine (Article 74 DSA) and thus create an incentive to consider the research results. To determine whether this is the case, it is necessary to analyse several factors: whether external information by independent researchers can generally be part of the obligation to conduct a diligent risk assessment (aa.), the requirements this information must satisfy to create this obligation (bb.), the scope of the obligation (cc.), the timeframe within which the VLOPSEs have to take the results into account (dd.) and lastly under which conditions the EU Commission can legitimately take supervisory measures (ee.).

aa. The relevance of external information by independent researchers for a diligent risk assessment

The DSA does not provide a definition of the term “diligent.” The benchmark for the interpretation has yet to be developed.Footnote 41 This paper does not wish to give an opinion on what the benchmark for diligence should generally be in the DSA. It will focus solely on the question if and when the non-consideration of relevant external information can infringe this obligation.

The wording does not exclude that external information could be relevant for a diligent risk assessment and its inclusion is also conducive to the purpose of assessing “any” systemic risks in the European Union. Moreover, it is precisely the purpose of Article 40(4) DSA to provide information also to the VLOPSEs. However, the risk assessment obligations interfere with the fundamental rights of the VLOPSEs, notably their right to free business pursuant to Article 16 CFR, as the DSA imposes obligations on how the VLOPSEs have to conduct their business in the future. Therefore, these obligations have to be proportionate. The obligation to conduct a diligent risk assessment generally serves the legitimate purpose of protecting the fundamental rights and public interests mentioned in Article 34(1)2 DSA with the aim to detect as many risks as possible. It is not a priori excluded that the consideration of external information could significantly contribute to this objective.

bb. Requirements regarding the external information provided by independent researchers

In order to proportionately ascertain a non-compliance of the VLOPSEs with the requirement to conduct a diligent risk assessment, the information provided by independent researchers should meet two conditions: First, it should be adequately accessible for a VLOPSE (i). Second, the research should provide sufficient evidence for the existence of a systemic risk to suspect that a VLOPSE has overlooked it (ii).

(i) Adequate accessibility of independent research

A prerequisite of the obligation to consider external information as part of a diligent risk assessment is the accessibility of this information. An accusation of overlooking external information can only be made on sufficient grounds if a VLOPSE had an adequate possibility to find it.

To be granted data access, the researchers have to go through a vetting process. They have to send their research proposal aiming at the investigation of systemic risks on VLOPSEs to the DSC of establishmentFootnote 42 that decides whether the applying researchers will be granted the status of “vetted researchers.” If that decision is positive, the DSC will send a “reasoned request” to the VLOPSE addressed by the proposal of the vetted researchers demanding access to the data necessary for the research. The VLOPSEs then have to decide whether they are willing to grant access to the data or if they see a reason mentioned in Article 40(5) DSA to deny the access. In this latter case, they may request the DSC of establishment to amend the request by the researchers. This process of requesting data access shows that the VLOPSEs can in principle know which researchers are conducting research on systemic risks on their services.

Moreover, the vetted researchers are obliged to make their research results publicly available as stipulated in Article 40(8)(g) DSA. The VLOPSEs thus have a possibility to access the research results based on Article 40(4) DSA.

With regard to proportionality, it has to be considered that the risk management obligations already interfere with the fundamental rights of the VLOPSEs. The obligation to consider external information by researchers therefore may not ignore the VLOPSEs’ interests. In this regard, it could be argued that the mere knowledge that researchers are working with data of the respective VLOPSE does not suffice for a reasonable possibility to take notice of research results. It would entail that VLOPSEs had to track the whole research process to learn about its outcome. Also, while the research has to be made publicly available, the DSA does not further specify where and how this has to happen. Research on the basis of Article 40(4) DSA could therefore be published in innumerable places all over the world. This should not result in a disadvantage for VLOPSEs, as they would be compelled to conduct extensive and time-consuming research to locate research results, that might not even be of relevance.

What can reasonably be expected from VLOPSEs, and what will probably develop in practice, given that their complete disinterest in research results is unlikely, is a dialogue with the researchers who have access to their data. In this scenario, researchers would take on an active role in facilitating the transmission of pertinent research to the VLOPSEs, thereby distributing the responsibility more equitably between the parties involved. Furthermore, should one or more journals gradually emerge as primary references for platform research, it would be appropriate for VLOPSEs to consult them regularly. Additionally, risks identified by vetted researchers could be included in the report on the most prominent and recurring systemic risks mentioned in Article 35(2) DSA which can be expected to be considered by the VLOPSEs. Moreover, if the EU Commission or the DSCs of establishment of a VLOPSE were to create a database with all relevant publications, it could be expected of the VLOPSEs to routinely check them for any relevant information.

(ii) Sufficient evidence for the existence of a systemic risk

Second, the external information provided by researchers should contain sufficient evidence for the existence of a systemic risk in order to suspect a VLOPSE of neglecting the identification of a risk on their online service. A prerequisite to determine the benchmark of when a research result contains sufficient evidence is to know, when a systemic risk in the sense of Article 34(1) DSA actually exists. As for now, there are still many open questions on what threshold has to be met.Footnote 43 This paper does not intend to delve into these intricate questions but rather to outline which research could become pertinent. As a risk does not require the proof of existence of actual negative consequences for society that are linked to a VLOPSE but is defined as the product of the probability of occurrence and the extent of damage,Footnote 44 research can become relevant when it discovers a probable link between the functioning of a VLOPSE and negative effects on society. When this is the case, has to be determined by taking into account the specific scientific standards applicable in computational social science. The more concrete the information is regarding the possible connection and the more severe the investigated risk, the more relevant the consideration of a research result should be for the VLOPSEs.

Another question is whether one research result can already suffice or whether it can only be considered relevant in case there is a prevailing view or consensus in the scientific community. From a scientific theoretical perspective, one could say that science is a process that lives from verification or falsification of research.Footnote 45 More than one paper would thus be necessary to provide sufficient evidence. However, regarding the purpose of the risk management obligations which is to mitigate and to investigate as many risks as possible (cf. Article 34(1)1 DSA: “any” systemic risks), the obligation to at least consider a result in the sense that it is a starting point for further investigation by the VLOPSE itself is not inappropriate. It would be different if the research results had a binding effect and the VLOPSEs were obliged to mitigate the risk without further consideration. If the VLOPSEs, however, have the discretion to consider the result in a manner they find appropriate, the obligation does not overly disregard their interests. Nonetheless, the more papers confirm the existence of a specific risk or if a risk is included in the reports pursuant to Article 35(2) DSA, the more important its consideration should be for a diligent risk assessment.

cc. Extent of the obligation to consider research results as part of a diligent risk assessment

If the VLOPSEs become aware of sufficient evidence for a systemic risk in a research result, the question arises as to how the consideration might look like in practice. A VLOPSE could either use the evidence as a starting point for its own investigations or incorporate the research result into its further risk analysis, provided they acknowledge its potential relevance. If the VLOPSE provides reasons as to why it disagrees with the researchers’ findings and its approach to risk assessment meets the current standard, the EU Commission cannot automatically assume a VLOPSEs non-diligent behaviour. Generally, the risk assessment has to meet the criteria outlined in Article 34(1)2 DSA. It has to be “specific to the [VLOPSE’s] services and proportionate to the systemic risks, taking into consideration their severity and probability.”

dd. Timeframe for the consideration of research results

Moreover, it has to be considered when a VLOPSE has to comply or explain if sufficient evidence for a systemic risk by researchers is found. Can it wait until its next regular yearly risk assessment or does it have to address the risk before? Article 34(1)2 DSA stipulates that the risk management has to take place “at least once a year […], and in any event prior to deploying functionalities that are likely to have a critical impact on the risks identified pursuant to this Article.” This implies that risk management may also be necessary in events other than those mentioned and underlines the continuity of the risk management obligations. Like the obligation itself, its timeframe must, however, also be proportionate with regard to the fundamental rights of the VLOPSEs. Generally, they have to be given a reasonable period of time to take the research result into account. In individual cases this will depend on the nature of the risk in question. In this context, it can be referred to the above-mentioned benchmark for the risk assessment. The higher the severity and probability of the systemic risk, the more urgently the VLOPSE can be expected to assess it.

ee. Incentivizing effect through the prospect of enforcement by the EU Commission

If researchers find sufficient evidence for a systemic risk and this information was sufficiently available for the VLOPSEs, it thus has to be considered within a reasonable timeframe. Another aspect to consider is the enforcement of this obligation by the EU Commission as the supervisory authority. While the obligation to conduct a diligent risk assessment is commendable, if VLOPSEs do not face any legal repercussions for non-compliance, they lack the incentive to actually take research based on Article 40(4) DSA into account. Article 66 DSA stipulates that the EU Commission can start a proceeding at its own discretion, if it has an initial suspicion concerning the violation of the regulation.Footnote 46 Mere speculations or vague suspicions are not sufficient.Footnote 47 In parallel to EU Competition law, investigations without grounds are not permitted.Footnote 48 If there is a research result that contains sufficient evidence for a systemic risk, that has not been identified in the risk assessment of the VLOPSE, the EU Commission has an initial suspicion to further investigate the matter. While the adoption of a non-compliance decision or a fine pursuant to Articles 73 and 74 will depend on the result of further investigation by the EU Commission, the prospect of legal consequences can have an incentivizing effect for the VLOPSEs to actually consider research results as part of a diligent risk assessment. To facilitate the initiation of proceedings by the EU Commission based on research results, establishing a dialogue with vetted researchers or the implementation of a database with a list of all published research results based on Article 40(4) DSA could be beneficial.

2. The research results based on Article 40(12) DSA

The legal significance of the research results based on Article 40(12) DSA is less clear. While a VLOPSE may have knowledge of the researchers currently working with its data, as researchers are required to submit their applications directly to the VLOPSE, indications within the DSA suggest that research conducted under this Article is inherently viewed as less promising compared to that conducted under Article 40(4) DSA.

First, the data access is limited in comparison to that on the basis of Article 40(4) DSA, as it pertains only to “publicly available data.” Whether researchers will be able to identify sufficient evidence on the existence of systemic risks on this basis remains uncertain. Second, Article 40(12) DSA does not reference Article 40(8)(g) DSA. This means that the research results based on Article 40(12) DSA do not have to be made publicly available free of charge. It also means that there is generally no obligation to publish a research result. Third, the Delegated Act on independent audits does also not refer to studies by non-vetted independent researchers as other relevant information, that may be considered as appropriate by the auditors.

Nonetheless, the benchmarks for when a research result can be considered as relevant information for the VLOPSEs and when its negligence is infringing the obligation for a diligent risk assessment can generally also be applied here. If non-vetted independent researchers provide sufficient evidence and the concerned VLOPSE can reasonably take notice of it, there is no reason not to consider the result. However, whether the non-consideration of this research will lead to legal consequences will ultimately depend on the discretion of the EU Commission to initiate a proceeding.

IV. Conclusion

In conclusion, the evidence in the research results can thus have legal relevance for the risk management by the VLOPSEs. Although the DSA does not contain an explicit obligation to consider them, disregarding relevant research may contravene the obligation of VLOPSEs to conduct diligent risk assessments. Whether this will actually be the case remains to be seen. As for now, no research results based on Article 40(4) or (12) DSA exist. In practice, the legal significance of the research results depends on two factors: First, it requires that researchers are actually able to find sufficient evidence for the existence of systemic risks. This relies heavily on the implementation of the provisions and the existence of suspected connections between the functioning of the VLOPSEs and negative effects on democracy and society. Furthermore, while some researchers are confident to even find causal evidence on the basis of Article 40(4) DSA others have argued during the public consultation on the Delegated Act on data access for researchers that some linkages could only be uncovered through A/B-testing,Footnote 49 that might stretch beyond the scope of Article 40(4) DSA.

Second, the legal relevance of research for the risk management by the VLOPSEs will depend on the discretion of the EU Commission to actually initiate proceedings based on relevant research results against the VLOPSEs. Without such enforcement, there is no incentive to consider the results as part of a diligent risk assessment. Ideally, however, the risk management system will foster an ongoing dialogue among the relevant actors, reducing the necessity for legal enforcement by the EU Commission. The prospect of enforcement will nonetheless play a non-negligible role for the VLOPSEs to actually collaborate with researchers.

References

1 Regulation (EU) 2022/2265 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) [2022] OJ L277/1 (DSA).

2 Cf. among others A Engler, “Platform data access is a lynchpin of the EU’s Digital Services Act”, 15 January 2021, <http://brookings.edu/articles/platform-data-access-is-a-lynchpin-of-the-eus-digital-services-act/> (accessed 13 July 2024); M Vermeulen, “The Keys to the Kingdom”, Knight First Amendment Institute, 27.07.2021, <http://knightcolumbia.tierradev.com/content/the-keys-to-the-kingdom> (accessed 13 July 2024).

3 DSA, Art. 33.

4 Transparency reports already existed before the DSA. Many platforms therefore provided some level of transparency into their policies and practices, although the extent of this transparency varies widely among platforms and across different areas of operation, cf. R Gorwa/T Garton Ash, “Democratic Transparency in the Platform Society” in N Persily/J A Tucker (eds), Social Media and Democracy (Cambridge University Press 2020), § 12, pp. 295 et sqq.; cf. for the opacity of recommender systems P Leerssen, “The soap box as a black box: Regulating transparency in social media recommender systems” (2020) 11(2) European Journal of Law and Technology 1, 17 et sqq.

5 N Persily/J A Tucker, “Conclusion: The Challenges and Opportunities for Social Media Research” in N Persily/J A Tucker (eds), Social Media And Democracy (Cambridge University Press 2020), § 13, p. 324.

6 Ibid, pp. 314 et sqq.; B Nonnecke/C Carlton, “EU and US legislation seek to open up digital platform data” (2022) [375] Science 610; cf. notably the studies conducted in cooperation with Meta on the 2020 elections: S González-Bailón et al., “Asymmetric ideological segregation in exposure to political news on Facebook” (2023) [381] Science 392; A Guess et al., “How do social media feed algorithms affect attitudes and behavior in an election campaign?” (2023) [381] Science 398; A Guess et al., “Reshares on social media amplify political news but do not detectably affect beliefs or opinions” (2023) [381] Science 404; B Nyhan et al., “Like-minded sources on Facebook are prevalent but not polarizing” (2023) Nature, 27 July, 1; criticising the „independence by permission“ granted by Meta: M W Wagner, “Independence by permission” (2023) [381] Science 389.

7 Cf. for the opacity of recommender systems P Leerssen, supra, n 4, 1, 12 et sqq.

8 R Gorwa/T Garton Ash, supra, note 4, p. 293; P Leerssen, supra, n 4, 1, 15 et sqq.

9 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (E-commerce Directive), [2000] OJ L178/1.

10 COM (2020) 825 final, “Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC”, Explanatory Memorandum, 1; COM (2020) 348 final, “Commission Staff Working Document – Impact Assessment accompanying the document Proposal for a Regulation of the European Parliament and of the Council on a Single Market for Digital Services (Digital Services Act) and amending Directive 2000/31/EC”, para. 10; for a global perspective cf. R Gorwa/T Garton Ash, supra, n 4, p. 293.

11 COM (2020) 348 final, supra, n 10, paras. 85, 86.

12 Ibid, para. 40.

13 Ibid, paras. 33 et sqq.

14 DSA, Art. 34 et sqq.; K Siegrist, Systemische Risiken im Digital Services Act, PhD thesis, forthcoming.

15 The auditors (DSA, Art. 37) are not explicitly mentioned in recital 96. That the researchers can also provide information for them follows from recital 92.

16 Z Efroni, “The Digital Services Act: risk-based regulation of online platforms” (2021) Internet Policy Review, available at <http://policyreview.info/articles/news/digital-services-act-risk-based-regulation-online-platforms/1606> (accessed 13 July 2024); G De Gregorio/P Dunn, “The European Risk-Based Approaches: Connecting Constitutional Dots in the Digital Age” (2022) [59] CMLR 473, 483 et sqq.

17 Ibid, 473, 475.

18 J-P Schneider/K Siegrist/S Oles, “Collaborative Governance of the EU Digital Single Market established by the Digital Services Act” in H Hofmann/F Pflücke (eds), Governance of Automated Decision-Making and EU Law (Oxford University Press 2024), p. 102 et sqq.

19 C Krönke, “Die Europäische Kommission als Aufsichtsbehörde für digitale Dienste” (2023) EuR 136, 141.

20 J-P Schneider/K Siegrist/S Oles, supra, n 18, p. 83.

21 DSA, Art. 61 et sqq.

22 DSA, Art. 49 et sqq.

23 In detail, distinguishing the concept from “co-regulation” and “multi-stakeholder governance”: J-P Schneider/K Siegrist/S Oles, supra, n 18, p. 84 et sqq. with reference to M E Kaminski, “Binary governance: Lessons from the GDPR’s approach to algorithmic accountability” (2019) [92] Southern California Law Review 1529, 1559 et sqq.

24 J-P Schneider/K Siegrist/S Oles, supra, n 18, p. 83; G De Gregorio/P Dunn, supra, note 16, 473, 481; M Eifert, “Regulierungsstrategien” in A Voßkuhle/M Eifert/C Möllers (eds), Grundlagen des Verwaltungsrechts (Vol. 1, 3rd edn., C.H. Beck 2022), § 19, paras. 52–60.

25 Ibid, para. 55.

26 M Eifert, supra, n 24, para. 59.

27 J-P Schneider/K Siegrist/S Oles, supra, n 18, p. 102.

28 K Kaesling in F Hoffmann/B Raue, Digital Services Act (Nomos 2023), Art. 34 DSA, para. 45.

29 On the legal concept of knowledge: H-H Trute, “Wissen – Einleitende Bemerkungen” in H C Röhl (ed.), Wissen - Zur kognitiven Dimension des Rechts (Duncker & Humblot 2010), p. 15.

30 H Voss, Unternehmenswissen als Regulierungsressource (Mohr Siebeck 2019), pp. 28 et sqq.

31 Cf. eg, Regulation (EC) No 1907/2006 of the European Parliament and of the Council of 18 December 2006 concerning the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH), [2006] OJ L396/1, Art. 76(3), 85(4), 86(1); Regulation (EC) No 852/2004 of the European Parliament and of the council of 29 April 2004 on the hygiene of foodstuffs, [2004] OJ L139/1, Art 1(1)(f), 4(5), 9(4)2; Directive 2001/18/EC of the European Parliament and of the Council of 12 March 2001 on the deliberate release into the environment of genetically modified organisms, [2001] OJ L106/1, Art 16(2), 18(1)2, 23(1) (2), 24(2), 28(1). Scientific Committees play a role eg, in the field of consumer health and food safety (Commission Decision of 23 July 1997 setting up Scientific Committees in the field of consumer health and food safety (97/579/EC), [1997] OJ L237/18).

32 DSA, Art. 37(3)(b).

33 As part of the measures to develop more expertise and capacities was the EU Commission established the Centre for Algorithmic Transparency (ECAT) (cf. for more information <http://algorithmic-transparency.ec.europa.eu/about_en> (accessed 13 July 2024); for an analysis of the problems the EU Commission is facing: C Krönke, supra, n 19, p. 156.

34 The concept of contrasting information describes information based on additional information sources than that of the regulatee. Information from different sources allows the authority to form a differentiated overall picture and might help to reduce information asymmetries. On the concept of contrasting information: R M Linßer, Informationsprobleme und Schutz von Unternehmensgeheimnissen im Telekommunikationsregulierungsrecht (Nomos 2011), pp. 66 et sqq.

35 In this sense K Kaesling, supra, n 28, paras. 33–34.

36 T Klimas/J Vaiciukaite, “The Law of Recitals in European Community Legislation” (2008) [15] ILSA Journal of International & Comparative Law 63, 83 et sqq.

37 ECJ Case C-345/13, Karen Millen Fashions, EU:C:2014:2013, para. 31; Case C-136/04, Deutsches Milchkontor, EU:C:2005:716, para. 32.

38 T Klimas/J Vaiciukaite, supra, n 36, 63, 83 et sqq.

39 Commission Delegated Regulation (EU) 2024/436 of 20 October 2023 supplementing Regulation (EU) 2022/2065 of the European Parliament and of the Council, by laying down rules on the performance of audits for very large online platforms and very large online search engines, [2024] OJ L, 2024/436, 2.2.2024.

40 DSA, Art. 37(3)(a)(ii).

41 K Kaesling, supra, n 28, Art. 34 DSA, para. 26.

42 Or the DSC of the Member State of the research organisation to which they are affiliated, that then transfers the proposal including a preliminary opinion to the DSC of establishment.

43 The EU has published a study containing a baseline framework on the risk assessment and risk mitigation, that gives a first idea on how a risk assessment could take place and how systemic risks could be measured: EU Commission, Digital Services Act: Application of the Risk Management Framework to Russian disinformation campaigns (Publications Office of the European Union 2023). This is, however, not a binding document for the risk assessments of the VLOPSEs.

44 B Arndt, Das Vorsorgeprinzip im EU-Recht (Mohr Siebeck 2009), p. 105.

45 N Luhmann, Die Wissenschaft der Gesellschaft (Suhrkamp 1990), p. 325; A Meier, “In Science We Trust: Überlegungen zum Wissen der Wissenschaften” in A M Horatschek (ed.), Competing Knowledges – Wissen im Widerstreit (De Gruyter 2020), p. 79 et sqq.

46 K Krönke in F Hoffmann/B Raue, Digital Services Act (Nomos 2023), Art. 66 DSA, para. 8; T Nägele in R Müller-Terpitz/M Kohler, Digital Services Act (C.H. Beck 2024), Art. 66 DSA, para. 12.

47 T Nägele in R Müller-Terpitz/M Kohler, Digital Services Act (C.H. Beck 2024), Art. 66, para. 12.

48 Ibid.

49 P Leerssen, “Call for evidence on the Delegated Regulation on data access provided for in the Digital Services Act - Summary & Analysis”, pp. 7, 11, available at <http://digital-strategy.ec.europa.eu/en/library/digital-services-act-summary-report-call-evidence-delegated-regulation-data-access> (accessed 13 July 2024).