Martin Müller, Felicitas Rachinger, Meryem Vural & Matthias C. Kettemann

Do the New European Rules on Digital Services Effectively Ensure Human Rights on Platforms?

Assessment Model for States

Abstract

This study is a key output from the GDHRNet (Global Digital Human Rights Network), which is dedicated to the investigation of theoretical and practical challenges of the protection of human rights in the digital context. The study aims to develop an assessment model to evaluate the compliance of online companies with human rights protection obligations. The research utilized a questionnaire focused on national platform oversight structures, sent to GDHRNet members, with responses from nine participants, seven from EU member states and two from non-EU states.

The study's findings revealed that most participating states have appointed a Digital Services Coordinator (DSC) as required under the Digital Services Act (DSA), typically selecting existing telecommunications or media authorities for this role. While most DSCs are reported to be adequately equipped, staffing and financing issues remain. DSCs generally have sufficient authority to request data from service providers, and national legislation aligns closely with DSA requirements, particularly regarding sanctions for non-compliance.

Keywords

Digital Services Act, Digital Services Coordinator, human rights online, EU, digital governance

Contents Read paper

Introduction and Methodology

The GDHRNet (Global Digital Human Rights Network) is dedicated to the investigation of theoretical and practical challenges of the protection of human rights in the digital context. Platforms in particular face the challenge of organizing their services in a way that respects and protects the fundamental rights of their users.

Over recent years, the European legislator has introduced a comprehensive range of legal instruments, including the E-Commerce Directive, the General Data Protection Regulation (GDPR), as well as the Digital Services Act (DSA) and the Digital Markets Act (DMA), to effectively regulate the EU Digital Single Market. The DSA in particular aims to ensure "a safe, predictable and trustworthy online environment" and therefore stipulates in its Article 14 (4) the obligations for platforms to take the fundamental rights of their users into account.

In light of the above-mentioned this study examines the obligations for platforms in 9 GDHRNet-member states, including 7 EU-member states, to ensure the protection of fundamental rights. Based on the responses to a questionnaire by country rapporteurs, and the analysis conducted by the editors, this study has two outcomes which are at the same time the Milestones of the GDHRNet for 2024:

  • The development of guidelines for platforms to offer and carry out their online activities in accordance with fundamental rights (Milestone 1)
  • and secondly, the creation of an assessment model to evaluate the compliance of platform services regarding the protection of human rights (Milestone 2).

This document entails part 2 of the study (Assessment model for states). The aim of the study was to develop the foundations of an assessment model for assessing the compliance of online companies regarding human rights protection obligations. An executive summary recapitulates the main results of the study. The findings of the study have been built into the foundations of an assessment model. The study builds upon a questionnaire focusing on national platform oversight structures that has been sent out to GDHRNet members. To each question, there is a summary entailing the relevant information provided by GDHRNet members. The scope of the study is limited to the GDHRNet members’ responses to the questionnaire. No additional information has been added.

Executive Summary

  • Nine GDHRNet members participated in the survey. Of these participants, seven report on EU member states (Austria, Cyprus, Czechia, Finland, Germany, Italy, Portugal), and two on non-EU member states (Moldova, and Serbia).
  • A Digital Services Coordinator (DSC) – which is the supervisory authority to be established under the DSA – has been appointed in Austria, Czechia, Cyprus, Finland, Germany, Italy and Portugal.
  • Where a DSC has been designated, the state reports indicate that existing authorities overseeing telecommunication and/or media authorities have been chosen to function as DSC.
  • Most reports show that the national DSCsy are sufficiently equipped, but the report on Czechia indicates a lack of staff, while the report on Cyprus indicates limited financial resources.
  • DSCs are granted sufficient power to request data from service providers. The reports show that national legislation is closely oriented on the requirements the DSA sets out.
  • Under the DSA, sanctions are to be imposed by the member states in cases of DSA infringements by service providers. In those states where such legislation is in place, it closely follows DSA requirements (especially regarding the maximum amount).
  • Reports on Finland, Italy, and Austria show that DSCs are required to cooperate with other authorities within their state, but also with other national DSCs. For example, the Austrian DSC is required to regularly interact and exchange their opinions and experiences regarding certain topics with other DSCs.

Foundations for an Assessment Model

For Milestone 2 (Assessment Model) GDHRNet members develop the foundations of an assessment model for assessing the compliance of online companies regarding human rights protection obligations. In the EU, national authorities are required to assess online companies regarding obligations under the Digital Services Act: The DSA contains specific regulatory mandates directed at Member States. Accordingly, a Digital Services Coordinator (DSC) is to be established in each Member State as a new supervisory authority, which is to receive complaints from users from the respective Member State and ensure access to the data of the intermediary services.

The assessment model is built upon a questionnaire which allowed to gather information on the assessment of online companies by these national authorities (DSCs). The analysis of the reports on the questionnaire by GDHRNet members allowed to compile this list of requirements and considerations for a human rights-based assessment of online companies:

Designation of an already existing national authority in the field of media and/or telecommunication regulation.

The report showed that member states rely on already existing authorities to assess online companies. This allows them to draw on preexisting experience and knowledge in the field of media and/or telecommunications as well as preexisting structures within the authority.

Guarantees of independence of the national authority, including the allocation of sufficient resources.

While there were no specific reports about the (lack of) independence of any national authority, the reports showed a common concern about guarantees of independence, proving the independence of national authorities essential for human rights-based assessment of online companies. This goes hand-in-hand with the allocation of sufficient technical, financial, and human resources, which are a prerequisite for the performance of any assessment.

Coordination with other national authorities.

Under the DSA, many GDHRNet member states are required to designate a DSC. This leads to a lot of experience spread across different authorities. Coordination between these authorities is essential in order to share this information and knowledge. This coordination should be legally established.

Involvement of civil society

The assessment of online companies should be carried out with the involvement of civil society. This allows national authorities to draw on the valuable experiences and perspectives of civil society organizations. For example, such involvement can be carried out through an advisory board.

Development of risk assessment mechanism and an information security strategy

The report showed that various GDHRnet member states have implemented cybersecurity frameworks and risk assessment mechanisms to address threats from digital platforms and protect national security. These efforts are complemented by EU-wide regulations like the DSA or the NIS 2 Directive and crisis management structures designed to enhance the resilience of digital services and mitigate cyber risks. The national regulatory bodies of the GDHRnet member states should cooperate and develop guidelines in relation to specific risks.

Access to data

When assessing online companies, access to data is crucial. Only if sufficient information about the rules and processes of online companies is available, an assessment can be performed successfully. Access to data shall be legally established.

Transparency about content moderation and advertising

Besides data access, transparency about content moderation processes and advertising is essential to enable an effective evaluation of the compliance of online companies regarding human rights obligations. The report indicates that a range of GDHRNet member states, also non EU-members, have already implemented transparency requirements for platforms into their legal framework.

Cooperation with Trusted Flaggers

Under the DSA, platforms are allowed to cooperate with trusted flaggers. The Trusted flagger status is granted by the DSC of the member state and the status is designated to organizations which demonstrate expertise in handling illegal content and operate with diligence and objectivity. Platforms benefit from the cooperation with trusted flaggers and therefore can address illegal content more effectively. Platform shall collaborate with trusted entities under legal frameworks to address harmful content.

Contributors by country

Austria/GermanyMartin Müller, Felicitas Rachinger, Meryem Vural
CyprusPhilippe Jougleux, Constantinos Kouroupis
CzechiaFederica Cristani
FinlandJukka Viljanen, Riku Neuvonen
ItalyFederico Costantini, Andrea De Coppi
MoldovaElina Benea-Popușoi, Vitalie Ursachi
PortugalAlexandre Dias Pereira
SerbiaJelena Simic

Questionnaire and summary of responses

How will national law be adapted to the DSA?

Will there be legislative amendments related to the DSA?

Austria was the first European country to pass a law implementing the DSA, which is called DSA-Begleitgesetz (DSA-BegG), and has resulted in several changes to the Austrian law. The national telecommunications authority KommAustria has been designated as national DSC, which required a legislative amendment in the KommAustria-Gesetz. A new Act, the Koordinator-für-digitale-Dienste-Gesetz – KDD-G was enacted and concerns powers and obligations of the national DSC and at the same the KoPl-G is repealed.

In Germany, the DSA will be implemented through the Digitale-Dienste-Gesetz (DDG), which has been passed by the Bundestag recently. The following information is based on the latest public draft of the Digitale-Dienste-Gesetz: Part one of the DDG (Article 1-4 DDG) contains provisions on the necessary legislative amendment which must be made to adapt national law to the terminology of the DSA. Germany designated the Bundesnetzagentur (Federal Network Agency) as the DSC which is included in § 12 (1) DDG. Furthermore, the Telemediengesetz (TMG) and the most part of the NetzDG will be repealed (Article 29 and 35 DDG). Existing requirement of the NetzDG and TMG that are relevant to compliance effort will be then directly enforced by the DSA or by German federal law in form of the DDG. In addition to the Bundesnetzagentur as the DSC in Germany, special responsibilities will be created for the Federal Agency for the Protection of Children and Young Persons in the Media. An office for the enforcement of children’s right in digital services will be established at the Federal Agency for the Protection of Children and Young Persons in the Media, based in Bonn (§ 12 (2) DSA). The main work of the agency will be on the enforcement of Article 14 (3) and Article 28 (1) DSA. Furthermore, the Federal Commissioner for Data Protection and Freedom of Information will be responsible for the enforcement of Article 26 (3) and Article 28 (2), (3) DSA according to Article § 12 (3) DDG. Part 8 of the DDG (Article 33) contains provisions on fines which will complement the ones in the DSA.

Like Germany, Czechia also drafted a proposal for a Digital Economy Act to adapt the national regulatory framework to the DSA.

Finland enacted the Act monitoring digital services Laki (verkonvälityspalvelujen valvonnasta) which came into force in February 2024.

Will there be administrative amendments related to the DSA?

In Finland there will be no administrative amendment besides one about the reform of the Traficoms internal sanctions committee which has been designated as DSC of Finland. For Germany and Austria see above.

Will there be any other measures by your State related to the DSA?

The reports do not indicate so.

What does this supervisory structure look like?

Has your State designated a DSC?

Among responding EU member states, all have designated a DSC and reported to the Commission, pursuant to Article 49(3) DSA. However, the Commission has opened infringement procedures against six EU member states for not (properly) implementing the DSA on national level. The member states have not been part of the questionnaire.

Which authority has been designated? Has the authority been newly established or is it connected to an already existing authority?

The member states have designated the following authorities:

EU member state Designated DSC Existing authority? Type of authority
Austria KommAustria (Communication Authority Austria) Yes Media
Cyprus Cyprus Radiotelevision Authority Yes Media
Czechia Český telekomunikační úřad (Czech Telecommunication Office Yes Telecommunications
Germany Bundesnetzagentur (Federal Network Agency) Yes Telecommunications
Finland TRAFICOM (Finnish Transport and Communications Agency) Yes Media Telecommunications
Italy Autorità per le Garanzie nelle Comunicazioni (Communications Regulatory Authority) Yes Media Telecommunications
Portugal Autoridade Nacional das Comunicações (National Regulatory Authority for Communications) Yes Telecommunications

Source: Homepage of the European Commission

All states reported that authorities overseeing telecommunication and/or media authorities have been designated as DSC. Finland and Germany have indicated that additional authorities in consumer and data protection as well as media regulation will likely take over parts of the DSC’s responsibilities.

What role does this authority take within your broader national context?

Regulation authorities in the telecommunication sectors have been subject to an extensive legal framework on an EU level which has been developed in a harmonizing manner since the late 1980s. As such, differences between them regard rather specific areas. This differs, however, to those authorities serving as media regulators as well. These work together in the European Regulators Group for Audiovisual Media Services (ERGA) but follow various member state laws when it comes to media regulation. However, Austrian KommAustria, Cypriot Radiotelevision Authority and Italian Autorità per le Garanzie nelle Comunicazioni have held various media regulation responsibilities, such as those prescribed by the AVMS directive in the past.

How is the authority structured?

The regulating authorities are structured manner similar to other executive bodies. Terms of office vary from five (Finland) to six years (Austria, Cyprus) as do appointment procedures as they are carried out by the President after a suggestion by the government (Austria) or the government (Cyprus and Finland) itself. Regarding their independence, the authorities have to follow the detailed jurisprudence of the CJEU which ruled several times on the question.

Is the authority equipped to perform its tasks in an impartial, transparent and timely manner?

From responding counties, Czechia noted that its authority lacks staff to perform the tasks prescribed by the DSA. As Czechia hosts a Very Large Online Platform, this might lead to difficulties in the joint enforcement with the Commission.

Does the authority have the necessary resources to carry out its tasks (including sufficient technical, financial and human resources to adequately supervise all providers of intermediary services falling within their competence)?

As noted above, there were staff issues registered for Czechia. Moreover, Cyprus reported financial difficulties for its authority. Other states have indicated that staffing as well as limited financial resources for regulatory authorities in general might hamper effective enforcement for the DSA also.

Does the authority have sufficient autonomy in managing its budget within the budget’s overall limits?

There have not been registered any issues in that regard from responding countries.

Is the authority set to work completely independent? Is there any danger of external influence?

None of the responding countries reported any DSA-specific issues. As all countries follow government approval of the directorial staff at some point as well as financial resources, it was noted that this can lead to external influence on the authorities.

Is the authority to follow instructions by other public authorities/private parties?

There have not been registered any issues in that regard from responding countries.

Is there a possibility of judicial review to control the DSCs activities within the State?

All responding states indicated that there is a possibility of initiating proceedings, mainly before administrative courts.

If no: Why has your State not designated a DSC yet?

All EU-Member states which took part in this study have already designated a DSC.

Has your State set any other preparatory measures in order to designate a DSC by 17 February 2024? Please include all relevant information.

Germany has designated its DSC with the Digitale-Dienste-Gesetz (DDG). Portugal has designated ANACOM as its DSC with Decree-Law n. º 20-B/2024 but has not yet tabled further legislation.

How will the DSC have access to the data of intermediary services?

Competences of the DSC (Please consider the requirements of Article 51 DSA when answering the following questions):

Will the designated DSC have sufficient access to the data of intermediary services to perform its tasks? How is this access to data guaranteed under national law? What is the process of gaining access?

To enable DSCs to carry out their tasks, the DSA includes a list of powers that shall be given to DSCs. This includes the power of DSCs to request relevant information from providers and other persons related to the platform (see Article 51 (1a) DSA). The assignment of these powers to DSCs requires national legislation (Article 51 (6) DSA).

Only a limited number of replies have been provided for this question as several States have not yet adopted a law on this topic.

The report on Finland shows that a law has been adopted that gives the national authorities the power to obtain necessary data from providers or other persons (Article 51 (1a) DSA). To gain access to the information, the national authority has to request it. It has to be handed over without undue delay and free of charge (Section 4).

The Austrian KDD-G („Koordinator-für-digitale-Dienste-Gesetz) as well as the Italian legislation assign the power to request information of service providers and other persons (Article 51 (1a) DSA) to the national DSC.

The German law DDG includes a provision that mirrors the DSA’s requirements. It also states that those obliged to provide information may deny access to data if it would expose them to the risk of criminal prosecution.

Will the designated DSC have sufficient access to the data of organizations performing the audits referred to in Article 37 and Article 75 (2) DSA to perform its tasks? How is this access to data guaranteed under national law? What is the process of gaining access?

Only a limited number of replies indicate such a provision, as many states have not implemented the necessary legislation yet.

Finnish and Austrian legislation allows the National DSCs to request the necessary information from persons performing the audit. The German legislation includes a similar provision.

Does the DSC have the power to accept the commitments offered by those providers in relation to their compliance with this Regulation and to make those commitments binding?

Only limited information is available. Both Finland and Austria allow DSCs to accept commitments and make them binding. The German law includes a similar provision.

Does the DSC have the power to order the cessation of infringements and, where appropriate, to impose remedies proportionate to the infringement and necessary to bring the infringement effectively to an end, or to request a national judicial authority to do so?

The Austrian DSC has been given this power; the German law includes a similar provision. The report on Finland refers to the national DSCs powers to impose fines. The report on Cyprus mentions that no such power has given to the DSC yet, but it is expected that corresponding legislation will be established soon.

Does the DSC have the power to impose fines, or to request a national judicial authority to do so?

The two reports on Austria and Finland show that legislation has been put in place that allows the DSC to impose fines. The German law includes a similar provision. Other reports show that most states have not yet implemented such legislation.

Does the DSC have the power to impose a periodic penalty payment, or to request a national judicial authority to do so?

Under Finnish, German and Austrian legislation: yes. There is no information available on other states.

Does the DSC have the power to adopt interim measures or to request the competent national judicial authority in their Member State to do so, to avoid the risk of serious harm?

Under the Austrian legislation, the DSC has been given this power, the German law includes a similar provision. Other reports do not indicate any national legislation on this topic.

What are the sanctions to be imposed by the Member States in case of infringements of the DSA by the intermediary services providers?

What are the penalties to be imposed by the Member States in case of infringements of the DSA by the providers of intermediary services?

Legislation in Finland, Austria, Germany, Italy, and Cyprus provides for sanctions in the form of monetary fees. There is no further information available on Cyprus. In Finland and Austria, the penalty depends on the form of infringement of DSA provisions. In both legislations, the amount which has to be paid mirrors the requirements of such penalties set out in Article 52 DSA.

Are these penalties effective, proportionate, and dissuasive?

As mentioned before, limited information on national legislation is available. Whether the penalties set out are effective cannot be examined at this time. However, Finland as well as Austria, Germany and Italy implemented detailed provisions on penalties, mentioning the different cases in which penalties are to be imposed and provisions on enforcement.

Do the penalties fulfill the requirements of Article 52 (3) DSA?

As mentioned before, there is only limited information available. The Finnish, German, Italian, and Austrian legislation, which is already in force, fulfill the requirements of the DSA.

Do the penalties fulfill the requirements of Article 52 (4) DSA? (maximum amount of a periodic penalty payment: 5 % of the average daily worldwide turnover or income of the provider of intermediary services concerned in the preceding financial year per day, calculated from the date specified in the decision concerned)

As mentioned before, there is only limited information available. The Finnish, German, Italian, and Austrian legislation, which is already in force, fulfill the requirements of the DSA.

How is cooperation between national authorities structured? Are there any guidelines on cooperation with other national DSCs? If yes, how is such cooperation structured?

In some states, national legislation is in place that requires national authorities to cooperate within their own state. For example, in Finland, the national authority cooperates with the Data Protection Ombudsman and the Consumer Protection Ombudsman. In Austria, cooperation between the KommAustria (appointed DSC) and the public security services is established. In addition, KommAustria is required to regularly interact and exchange their opinions and experiences regarding certain topics with other DSCs. A similar provision is included in § 19 German law DDG. In Italy, the national DSC is authorised to sign cooperation agreements.

What obligations exist for companies not covered by the DSA?

On the EU-Level there are several legal acts besides the DSA which contain obligations for companies: GDPR, Terrorist Content Online Regulation, DSM Directive, Audiovisual Media Services Directive, Platform to Business (P2B) Regulation, DMA etc. The aim of the DMA is to make the digital markets sector fair and more contestable. The DMA applies to gatekeepers, which are defined as large digital platforms providing core platform services, designated pursuant to Article 3 (Article 2 (1) DMA). The DMA contains two lists with dos (Article 5 DMA) and do nots (Article 6) for companies acc. Article 3 DMA. In contrast to the DMA, the aim of the Terrorist Content Online Regulation is to combat and reduce malicious content. Like Article 14 DSA, Article 5 (2) of the Terrorist Content Regulation contains the duty for intermediaries to take the fundamental rights of their users into account.

What are the rules regarding the evaluation of systemic risks (if complementary to those in the DSA)?

On 16 January 2023 the EU-Directive on the Resilience of Critical Entities (CER-Directive) and the EU Directive on measures for a common level of cybersecurity across the Union (NIS2-Directive) came into force. According to the CER Directive every member state shall create a national strategy to enhance the resilience of critical entities. The digital infrastructure which includes intermediary service providers is one of the eleven sectors which is covered by the Directive. According to the EU Directive EU member states must develop a national strategy and conduct regular risk assessments at least every four years. The aim of this risk assessment is to identify entities which are critical for society and economy. The EU member states must support entities which are considered critical. The NIS2-Directive also obliges EU-Member states to develop a national cybersecurity strategy which includes a risk management assessment system. Cypriot government has adopted the CER-Directive in its national legal framework and has created a specific agency on the topic of cybersecurity. The EU Directives must be implemented into national law by the end of 2024. In Germany, Austria, Cyprus and Finland the implementation is not done yet.

How is the integration of civil society structured?

According to Article 45 (2) DSA civil society must support the preparation of the code of conduct. The countries gave no information on the structure of the integration of civil society. The German DDG contains a section (§ 21 DDG) including civil society members in its Beirat (advisory board).

Is there an advisory board to raise the quality of the democratic feedback of the development of rules and practices of the platforms?

Among the surveyed countries Austria, Cyprus, Czechia, Finland and Portugal responded that they do not have such an advisory board. The German DDG contains a section including civil society members in its Beirat (advisory board).

GDHRNet Working Paper Series

The Working Papers of the Global Digital Human Rights Network – edited by Mart Susi and Matthias C. Kettemann – addresses both idealistic as well as practice-oriented dimensions of the field. Scholars working with digital human rights have for some time realized that in the digital domain of human rights theory matters less and technical solutions matter more. The Working Paper series questions this approach and, through empirical studies and dogmatic analysis, provide best practice models for the protection of human rights in times of powerful private actors and digital challenges to individual freedoms and social cohesion.

The publication is based upon work from COST Action GDHRNet – CA19143, supported by COST (European Cooperation in Science and Technology). Our Actions help connect research initiatives across Europe and enable scientists to grow their ideas by sharing them with their peers. This boosts their research, career and innovation.

Global Digital Human Rights Network

The GDHRNet COST Action will systematically explore the theoretical and practical challenges posed by the online context to the protection of human rights. The network will address whether international human rights law is sufficiently detailed to enable governments and private online companies to understand their respective obligations vis-à-vis human rights protection online. It will evaluate how national governments have responded to the task of providing a regulatory framework for online companies and how these companies have transposed the obligation to protect human rights and combat hate speech online into their community standards. The matters of transparency and accountability will be explored, through the lens of corporate social responsibility.

The Action will propose a comprehensive system of human rights protection online, in the form of recommendations of the content assessment obligation by online companies, directed to the companies themselves, European and international policy organs, governments and the general public. The Action will also develop a model which minimizes the risk of arbitrary assessment of online content and instead solidifies standards which are used during content assessment; and maximizes the transparency of the outcome.

The Action will achieve scientific breakthroughs (a) by means of a quantitative and qualitative assessment of whether private Internet companies provide sufficient protection of human rights online in comparison with judicial institutions, (b) in the form of a novel holistic theoretical approach to the potential role of artificial intelligence in protecting human rights online, and (c) by providing policy suggestions for private balancing of fundamental rights online.

COST Actions on COVID-19

GDHRNet is a member of Network of COST Actions on COVID-19 and other pandemics.

Very early on in the COVID-19 pandemic, COST Actions started to collaborate with other Actions on COVID-19 and on the impact of pandemics in general. In order to coordinate these efforts, COST has gathered details of all of the Actions wishing to connect and collaborate. All the information can be found in the booklet “COST Actions against COVID-19 – An interdisciplinary network” .

As the full consequences of the current pandemic are yet unknown and the threat of a future pandemic is always present, the Network of Actions offers considerable potential in mobilising experts and tackling challenges as they arise. The Network is open to other participants and completely bottom-up. Any Actions wishing to join it can do so by contacting the COST Science Officer coordinating this initiative.

Contact: Dominique Vandekerchove