
Tuesday, 26 March 2024

European Commission Starts Using Powers Under The Digital Services Act

The European Commission has begun using its powers under the Digital Services Act in earnest. Action ranges from initial information requests, to formal investigative proceedings, including action based on civil society complaints received. I've summarised the scope of the DSA at the end of this note, which is for information purposes only. These investigations would also benefit UK businesses providing services to EU/EEA residents. If you would like advice on any aspects, please let me know.

Following earlier information requests to AliExpress, the Commission has launched a formal investigation into a long list of potential failures and resulting infringements. I don't recommend even clicking on the AliExpress site to check it out.

Ominously, the Commission also wants more information on how some very large online search engines and other platforms mitigate the risks of creating and spreading information using generative AI, such as 'hallucinations', deepfakes and the automated manipulation of services to mislead voters; as well as questions covering electoral processes, illegal content, protection of fundamental rights, gender-based violence, protection of minors, mental well-being, protection of personal data, consumer protection and intellectual property. Bing, Google Search, Facebook, Instagram, Snapchat, TikTok, YouTube, and X/Twitter have until 5 April 2024 to respond on questions related to elections and 26 April 2024 for the other queries. There were also previous requests to Meta regarding 'pay or consent' models for Facebook and Instagram, as well as 'shadow banning' and the launch of Threads.

And, based on a civil society complaint, the Commission has also fired a shot across the bows of LinkedIn, by asking for more details on how it complies with the prohibition on presenting ads by profiling special categories of personal data, such as sexual orientation, political opinions, or race, and how it ensures that all necessary transparency requirements for advertisements are provided to its users, including basic information about the nature and origins of an ad and the ban on presenting advertisements based on profiling using special categories of personal data. LinkedIn also has until 5 April 2024 to respond.

As explained previously, the DSA establishes a harmonized approach to protecting EU-based users of online communication, e-commerce, hosting and search services across the EU, by granting intermediary service providers (“ISPs”) exemption from certain liability if they perform certain obligations. An ISP will be in scope if it is either based in the EU or has a substantial connection with the EU (a significant number of users as a proportion of the population or by targeting its activities at one or more Member States). There are extra requirements for ISPs with at least 45m average monthly active EU users (designated as ‘very large online’ (VLO) platforms and VLO search engines). There are some exemptions for small enterprises and micro-enterprises.

These investigations would also benefit UK businesses providing services to EU/EEA residents. This post is for information purposes only. If you would like advice on any aspects, please let me know.


Monday, 28 November 2022

Legal Adventures in the Fediverse

Joining the fediverse has jolted my legal brain into gear over some esoteric questions (listed below). These largely turn on the fact that, unlike in Web 2.0 offerings, such as Blogger or Twitter, there is no central service provider hosting/operating the service on its own servers. In the fediverse, separate sites (or 'instances') can interoperate because they are running the same standardised, open software (e.g. Mastodon) which itself relies on the same standardised, open protocol (ActivityPub, in the case of Mastodon):

Mastodon websites are operated by different people or organizations completely independently. Mastodon does not implement any monetization strategies in the software.

Some server operators choose to offer paid accounts, some server operators are companies who can utilize their existing infrastructure, some server operators rely on crowdfunding from their users via Patreon and similar services, and some server operators are just paying out-of-pocket for a personal server for themselves and maybe some friends. So if you want to support the server hosting your account, check if it offers a way to donate.

Mastodon development is likewise crowdfunded via Patreon and via OpenCollective. No venture capital is involved.

Perhaps this is no different to independent website owners building their own websites using a standardised website template provider (e.g. Wix), but the interoperability does seem a significant additional factor to consider. That's like email, which again could be provided by a centralised email service provider (e.g. Microsoft's Hotmail) or your employer. Equally, the fact that each site or 'instance' could be self-hosted is similar to websites and email, yet most users choose their site to be hosted with the operator of a server or instance that hosts many sites (e.g. mastodon.world or mastodon.social). Some instances are open to anyone, while others are targeted at, say, residents of Glasgow.

I think this just involves a sense-check against the regulatory regime of where the relevant fediverse instance and any users that it actively solicits are based. Here's a flavour of some of the issues:
  • How does a user proceed if the developer of the relevant communication software somehow fails to ensure the software runs as promised in the documentation?
  • Who is responsible for the integrity of the protocol on which the software is based?
  • Do fediverse instances based in the EU with UK resident users but no offices, branches or other establishments in the UK need to appoint a UK representative under UK GDPR (and vice versa!)?
  • Is each 'instance' in the fediverse ready for the EU's Digital Services Act (exemptions for micro/small enterprises will help)?
  • If each 'instance' in the fediverse can be an Intermediary service, online platform or e-commerce platform under the Digital Services Act (see prior post), then they could grow to be 'gatekeepers' under the EU Digital Markets Act.
  • How are fediverse instances treated for the purposes of 'reverse solicitation' analysis - i.e. whether you are treated as doing business in another jurisdiction where users are based, as opposed to where the instance is based?
If you need assistance with any of these issues, please let me know.