The Digital Services Act (DSA) came into force on 16 November 2022. Its comprehensive obligations will predominantly apply as of 17 February 2024. However, certain obligations will apply earlier, especially the ones addressing very large online platforms (VLOPs) and very large online search engines (VLOSEs), comprising at least 45 million average monthly active recipients in the EU (AMARs). To this end, the DSA initially requires the designation of the respective service providers as VLOPs or VLOSEs by the European Commission (EC), which will likely take place in Spring 2023. In order to create the basis for enabling the EC to do so, the DSA stipulates transparency obligations (a) to make the number of AMARs publicly available by 17 February 2023 (Art. 24 para. 2 DSA) and (b) from that point on, to provide competent authorities (upon request) with such information at any time (Art. 24 para. 3 DSA).
We take such upcoming transparency obligations and the EC services’ recently released guidance (Q&A paper) on the requirement to publish user numbers (dated 1 February 2023) as an opportunity to provide an overview of the key points.
Addressees of the transparency obligations set out in Art. 24 para. 2 and 3 DSA are providers of online platforms (OPs) and online search engines (OSEs).
From a territorial standpoint, addressees include providers of OPs and OSEs that have (a) an establishment in the EU or (b) otherwise a so-called substantial connection to the EU (Art. 3 lit. e DSA). A substantial connection in that sense is inter alia given, when the respective service provider has (i) a significant number of recipients in one or more EU Member States in relation to their population or (ii) targets activities in one or more EU Member States. Indicators can be language, currency, top level domain of an EU Member State or the delivery of products/services to the EU. In contrast, the mere accessibility of a website alone does not suffice. It is likely that the so-called substantial connection will be extended to the EEA (i.e. Iceland, Liechtenstein and Norway) in the near future.
Providers of OPs or OSEs must publish the information on the AMARs by 17 February 2023 and at least once every six months thereafter. However, affected service providers that (a) fall below the relevant VLOP/VLOSE threshold of 45 million AMARs and (b) are potentially prone to exponential growth, could be required to provide such information on a more frequent basis, considering their potential for abrupt changes within the number of AMARs.
Unless being designated as a VLOP due to the number of their recipients, providers of OPs that qualify as micro or small enterprises (Art. 2 para. 2 EC Recommendation 2003/361/EC) are exempt from publishing their AMARs. They must only provide information on the AMARs upon request as described below (Art. 19 para. 1 and 2 in conjunction with Art. 33 para. 1 and 4 DSA).
Additionally, competent authorities are entitled to request information on the number of AMARs at any time, including information on the data and the methodology used for their calculation (Art. 24 para. 3 DSA). Competent authorities in this context are in particular the Digital Services Coordinators (DSCs) and the EC. Initially, such requests will likely only come from the EC, as the DSCs do not yet exist and the individual EU Member States still have time until 16 February 2024 to appoint the DSC. More information on the DSC developments can be found in our separate article here.
In this context, it was not sufficiently clear whether providers of OPs and OSEs would also be required to submit the number of AMARs to the EC without cause. Neither the DSA’s provisions nor its recitals provided any clear information on this. That being said, in the EC services’ recent guidance, the EC services confirmed that providers of OPs and OSEs are generally not required to communicate the AMARs to the EC under the DSA without cause. Still, the EC welcomes any self-initiated AMAR notifications “in the interest of transparency and in order to facilitate the monitoring of compliance with the DSA”.
Before voluntarily submitting the AMARs, affected providers of OPs and OSEs should consider that such notification likely increases the risk of accelerating the process of being designated as a VLOP/VLOSE, triggering the applicability of the extensive obligations for VLOPs and VLOSEs. Therefore, service providers that are close to the relevant VLOP/VLOSE threshold are advised to refrain from doing so, as this could potentially buy them more time for the necessary compliance and implementation processes.
It is obvious that the calculation of the number of AMARs in practice is a highly complex undertaking. The reason for this is two-fold: On the one hand, the DSA’s vague and wide wording in this regard does not provide a clear and conclusive understanding of the required methodology of calculation due to the lack of respective details. Rec. 77 DSA may outline a first general framework for the calculation, as laid out below, but it misses further more specific information, such as provided for in the EU Digital Markets Act (DMA). On the other hand, the calculation significantly depends on the nature and the business model of the respective OP or OSE as well as the specific way how recipients interact with it. That being said, the question of appropriate calculation can only be assessed and answered based on the circumstances of the single case.
Based on the overall objective, the particular aim of such transparency obligations is (a) to identity recipients that actually engage (i.e. active) with the OP or OSE at least once in a given period and, where possible, (b) to identify only the number of unique recipients, so that they are not counted more than once.
The DSA defines active recipients for OPs and OSEs differently. Generally, a recipient of the service is defined as any natural or legal person who uses an intermediary service, in particular for the purposes of seeking information or making it accessible (Art. 3 lit. b DSA). An active recipient for an OP is a recipient of the service that has engaged with an OP by either requesting to host information or being exposed to information hosted by the OP (Art. 3 lit. p DSA). For OSEs, this includes a recipient of the service that has submitted a query to an OSE (Art. 3 lit. q DSA).
In light of the above, an active recipient of an OP is a (natural or legal) person, who (a) actively requests the OP to host its information, for instance, by clicking on, commenting, linking, framing, sharing information or performing other forms of interactions, such as carrying out transactions on the OP or (b) is passively exposed to information on the OP, for instance, by viewing it or listening to it. Therefore, an interaction with the information is not required to be counted as an active recipient under the DSA.
As recently confirmed by the EC services’ guidance, the notion of actual engagement (active) does not necessarily align with that of registered recipients of an OP or OSE (user). Due to the DSA’s respective broad wording, such understanding is too narrow. Rather, a person who, for example, visits – but immediately leaves – a profile page of a social network or a product page of an online marketplace is usually not considered a user of such OPs. However, under the DSA, they are arguably an active recipient of such services. As a result, providers of OPs and OSEs must consider that the number of active recipients of their services may be considerably higher than the number of their registered users and closer to their number of unique visitors. That being said, for services that can only be accessed through an account, providers of OPs and OSEs may solely rely on the number of their registered users.
Further, the EC services’ guidance proposes, by way of reciting the DSA’s provisions, that the definition of “recipient” as mentioned above also includes traders of OPs that offer products/services on such OPs. In particular, traders will be considered to engage with such services, where they request the service provider to store their listings or offers in the service provider’s online interface. Similar applies to third-party advertisers using the OPs to advertise products/services.
Altogether, this casts a broad net for calculating the number of AMARs. At the same time, it creates a degree of uncertainty in practice in determining how and by what means active recipients must be counted in accordance with the DSA. Considering the DSA’s overall objective (i.e. the aim to designate VLOPs and VLOSEs), its extensive impact and the EU’s principle of proportionality, any such exposure by recipients must presumably be meaningful. Having said this and even in light of the recent EC services’ guidance, it will be very difficult for many affected service providers to determine whether or not a brief viewing of information by a recipient qualifies as actual engagement and therefore must be counted in the OP’s or OSE’s number of AMARs. From a practical point of view, the current lay of the land (in particular, the given uncertainty) bears a considerable risk that affected service providers will accidently over- or under-count the number of AMARs. Therefore, it is conceivable that providers of OPs and OSEs may start relying extensively on their tracking technologies to come up with an accurate number of AMARs to avoid being exposed to the DSA’s extensive obligations for VLOPs or VLOSEs.
According to Rec. 77 DSA, affected service providers are allowed to discount two types of visits by recipients from the number of AMARs:
With this in mind, identifying unique recipients will also inevitably present issues to affected service providers. In particular, it is often simply not possible to account for situations where a single recipient utilizes more than one end device / online interface or account to access an OP or OSE in a given period. Such aspect bears the risk that affected service providers will over-count the number of AMARs. Considering the drastic implications of being qualified as a VLOP or VLOSE and the corresponding desire to avoid an inappropriate designation as such based on poor or inaccurate data, providers of OPs and OSEs will most likely and understandably conduct enhanced tracking of recipients to ensure accurate data (to the best extent possible), which determines their position below the relevant VLOP/VLOSE threshold. Particularly considering that the DSA expresses that no further processing of personal data should take place, this creates a certain dilemma for providers of OPs and OSEs, which only the EC can resolve by adopting a delegated act that lays down the specific methodology for calculating the number of AMARs.
The EC services’ recent guidance is certainly a first step in the right direction. However, it does not provide the necessary and desired clarity, as it is predominantly limited to the recitation of the DSA’s provisions and recitals without giving any further insights. In principle, the EC is entitled to provide comprehensive guidance on the methodology for calculating the number of AMARs by way of a delegate act (Art. 24 para. 2 in conjunction with Art. 33 para. 3 DSA). For the reasons laid out above, this is essential and necessary to create the required clarity and to eliminate uncertainties. However, so far there is no sign that the EC will do so until the end of 2023 at the earliest, which is obviously far from ideal.
Against this background and despite the EC services’ recent guidance, providers of OPs and OSEs should still consider reaching out to the EC to start a dialogue and obtain individual input on the methodology if possible. Apart from that, we recommend to carefully review and document the datasets and methodology used to calculate AMARs, so that the respective service providers are able to explain and (if required) justify their approach in case of a competent authority’s inquiry. In particular, they should clearly document the reasons for the criteria they have applied to include or exclude recipients from the calculation of AMARs.
1 of 19 Insights
2 of 19 Insights
Philipp Koehler and Thomas Walter look at the issues faced by many media companies when deciding whether or not they fall within scope of the EU’s Digital Services Act.
3 of 19 Insights
4 of 19 Insights
5 of 19 Insights
7 of 19 Insights
8 of 19 Insights
9 of 19 Insights
10 of 19 Insights
Gregor Schmid and Philipp Koehler highlight the key elements of the incoming EU Digital Services Act.
11 of 19 Insights
Adam Rendle looks at the differences and similarities in the approach of the EU and UK to online safety under incoming legislation.
12 of 19 Insights
Alexander Schmalenberger looks at the scope of the Digital Services Act, what it covers and who is caught.
13 of 19 Insights
Johanna Götz looks at the DSA's approach to online intermediary responsibility for illegal content.
14 of 19 Insights
Alexander Schmalenberger looks at the main obligations on intermediaries (other than those relating to illegal content).
15 of 19 Insights
Maarten Rijks and Annemijn Schipper look at the impact of the DSA on targeted advertising and the use of dark patterns and recommender systems.
16 of 19 Insights
Sasun Sepoyan and Otto Sleeking look at the impact of Article 24c of the DSA.
17 of 19 Insights
Elisa-Marlen Eschborn looks at the Member State enforcement provisions of the DSA.
18 of 19 Insights
19 of 19 Insights