The Digital Services Act (DSA) came into force on 16 November 2022. Its comprehensive obligations will predominantly apply as of 17 February 2024. However, certain obligations will apply earlier, especially the ones addressing very large online platforms (VLOPs) and very large online search engines (VLOSEs), comprising at least 45 million average monthly active recipients in the EU (AMARs). To this end, the DSA initially requires the designation of the respective service providers as VLOPs or VLOSEs by the European Commission (EC), which will likely take place in Spring 2023. In order to create the basis for enabling the EC to do so, the DSA stipulates transparency obligations (a) to make the number of AMARs publicly available by 17 February 2023 (Art. 24 para. 2 DSA) and (b) from that point on, to provide competent authorities (upon request) with such information at any time (Art. 24 para. 3 DSA).
We take such upcoming transparency obligations and the EC services’ recently released guidance (Q&A paper) on the requirement to publish user numbers (dated 1 February 2023) as an opportunity to provide an overview of the key points.
Who is affected?
Addressees of the transparency obligations set out in Art. 24 para. 2 and 3 DSA are providers of online platforms (OPs) and online search engines (OSEs).
- Online platforms (Art. 3 lit. i DSA)
OPs are defined as hosting services that, at the request of a recipient of the service, store and disseminate information to the public and thus making information available to a potentially unlimited number of individuals. Excluded are services where the dissemination to the public is merely a minor and purely ancillary feature that is linked to another service, such as the comments section in an online newspaper. Examples for OPs include social networks, online marketplaces and content sharing platforms (e.g. public group and open channels).
- Online search engines (Art. 3 lit. j DSA)
OSEs are defined as services that allow users to input queries in order to perform searches of websites by giving a keyword, voice request, phrase or other input and that return results in any format.
From a territorial standpoint, addressees include providers of OPs and OSEs that have (a) an establishment in the EU or (b) otherwise a so-called substantial connection to the EU (Art. 3 lit. e DSA). A substantial connection in that sense is inter alia given, when the respective service provider has (i) a significant number of recipients in one or more EU Member States in relation to their population or (ii) targets activities in one or more EU Member States. Indicators can be language, currency, top level domain of an EU Member State or the delivery of products/services to the EU. In contrast, the mere accessibility of a website alone does not suffice. It is likely that the so-called substantial connection will be extended to the EEA (i.e. Iceland, Liechtenstein and Norway) in the near future.
When does this kick in?
Providers of OPs or OSEs must publish the information on the AMARs by 17 February 2023 and at least once every six months thereafter. However, affected service providers that (a) fall below the relevant VLOP/VLOSE threshold of 45 million AMARs and (b) are potentially prone to exponential growth, could be required to provide such information on a more frequent basis, considering their potential for abrupt changes within the number of AMARs.
Unless being designated as a VLOP due to the number of their recipients, providers of OPs that qualify as micro or small enterprises (Art. 2 para. 2 EC Recommendation 2003/361/EC) are exempt from publishing their AMARs. They must only provide information on the AMARs upon request as described below (Art. 19 para. 1 and 2 in conjunction with Art. 33 para. 1 and 4 DSA).
Additionally, competent authorities are entitled to request information on the number of AMARs at any time, including information on the data and the methodology used for their calculation (Art. 24 para. 3 DSA). Competent authorities in this context are in particular the Digital Services Coordinators (DSCs) and the EC. Initially, such requests will likely only come from the EC, as the DSCs do not yet exist and the individual EU Member States still have time until 16 February 2024 to appoint the DSC. More information on the DSC developments can be found in our separate article here.
Where should the information be published?
The DSA requires providers of OPs and OSEs to publish such information in a publicly available part of their online interface (e.g. website or mobile app). For instance, this could be done by adding a new tab next to the privacy policy and the terms and conditions in the footer of the website. In any case, it should be ensured that the EC and other competent authorities are able to easily find such information in order to avoid any inquiries or other potential issues. This is also recommended in the EC services’ guidance.
In this context, it was not sufficiently clear whether providers of OPs and OSEs would also be required to submit the number of AMARs to the EC without cause. Neither the DSA’s provisions nor its recitals provided any clear information on this. That being said, in the EC services’ recent guidance, the EC services confirmed that providers of OPs and OSEs are generally not required to communicate the AMARs to the EC under the DSA without cause. Still, the EC welcomes any self-initiated AMAR notifications “in the interest of transparency and in order to facilitate the monitoring of compliance with the DSA”.
Before voluntarily submitting the AMARs, affected providers of OPs and OSEs should consider that such notification likely increases the risk of accelerating the process of being designated as a VLOP/VLOSE, triggering the applicability of the extensive obligations for VLOPs and VLOSEs. Therefore, service providers that are close to the relevant VLOP/VLOSE threshold are advised to refrain from doing so, as this could potentially buy them more time for the necessary compliance and implementation processes.
How does the calculation of AMARs take place?
It is obvious that the calculation of the number of AMARs in practice is a highly complex undertaking. The reason for this is two-fold: On the one hand, the DSA’s vague and wide wording in this regard does not provide a clear and conclusive understanding of the required methodology of calculation due to the lack of respective details. Rec. 77 DSA may outline a first general framework for the calculation, as laid out below, but it misses further more specific information, such as provided for in the EU Digital Markets Act (DMA). On the other hand, the calculation significantly depends on the nature and the business model of the respective OP or OSE as well as the specific way how recipients interact with it. That being said, the question of appropriate calculation can only be assessed and answered based on the circumstances of the single case.
Based on the overall objective, the particular aim of such transparency obligations is (a) to identity recipients that actually engage (i.e. active) with the OP or OSE at least once in a given period and, where possible, (b) to identify only the number of unique recipients, so that they are not counted more than once.
Apparent difficulties with identifying recipients’ actual engagement
The DSA defines active recipients for OPs and OSEs differently. Generally, a recipient of the service is defined as any natural or legal person who uses an intermediary service, in particular for the purposes of seeking information or making it accessible (Art. 3 lit. b DSA). An active recipient for an OP is a recipient of the service that has engaged with an OP by either requesting to host information or being exposed to information hosted by the OP (Art. 3 lit. p DSA). For OSEs, this includes a recipient of the service that has submitted a query to an OSE (Art. 3 lit. q DSA).
In light of the above, an active recipient of an OP is a (natural or legal) person, who (a) actively requests the OP to host its information, for instance, by clicking on, commenting, linking, framing, sharing information or performing other forms of interactions, such as carrying out transactions on the OP or (b) is passively exposed to information on the OP, for instance, by viewing it or listening to it. Therefore, an interaction with the information is not required to be counted as an active recipient under the DSA.
As recently confirmed by the EC services’ guidance, the notion of actual engagement (active) does not necessarily align with that of registered recipients of an OP or OSE (user). Due to the DSA’s respective broad wording, such understanding is too narrow. Rather, a person who, for example, visits – but immediately leaves – a profile page of a social network or a product page of an online marketplace is usually not considered a user of such OPs. However, under the DSA, they are arguably an active recipient of such services. As a result, providers of OPs and OSEs must consider that the number of active recipients of their services may be considerably higher than the number of their registered users and closer to their number of unique visitors. That being said, for services that can only be accessed through an account, providers of OPs and OSEs may solely rely on the number of their registered users.
Further, the EC services’ guidance proposes, by way of reciting the DSA’s provisions, that the definition of “recipient” as mentioned above also includes traders of OPs that offer products/services on such OPs. In particular, traders will be considered to engage with such services, where they request the service provider to store their listings or offers in the service provider’s online interface. Similar applies to third-party advertisers using the OPs to advertise products/services.
Altogether, this casts a broad net for calculating the number of AMARs. At the same time, it creates a degree of uncertainty in practice in determining how and by what means active recipients must be counted in accordance with the DSA. Considering the DSA’s overall objective (i.e. the aim to designate VLOPs and VLOSEs), its extensive impact and the EU’s principle of proportionality, any such exposure by recipients must presumably be meaningful. Having said this and even in light of the recent EC services’ guidance, it will be very difficult for many affected service providers to determine whether or not a brief viewing of information by a recipient qualifies as actual engagement and therefore must be counted in the OP’s or OSE’s number of AMARs. From a practical point of view, the current lay of the land (in particular, the given uncertainty) bears a considerable risk that affected service providers will accidently over- or under-count the number of AMARs. Therefore, it is conceivable that providers of OPs and OSEs may start relying extensively on their tracking technologies to come up with an accurate number of AMARs to avoid being exposed to the DSA’s extensive obligations for VLOPs or VLOSEs.
Apparent difficulties with identifying unique recipients
According to Rec. 77 DSA, affected service providers are allowed to discount two types of visits by recipients from the number of AMARs:
- The first type comprises visits by automated recipients, such as bots and scrapers. This generally requires some kind of tracking of recipients (e.g. length of visits or country of origin). Under the DSA, OPs and OSEs may leave such visits out, provided that this is possible “without further processing of personal data and tracking”. However, (again) it is unclear what the EU legislator particularly had in mind when it included this in the DSA. Even the EC services’ guidance does not provide further insights. Instead it only clarifies that “the DSA may not be understood as providing ground to process personal data or track users”. Arguably, the respective service providers’ already existing tracking practices and techniques (i.e. covered by their privacy policy and associated additional measures) may be permissible, whereas new tracking practices and techniques may not begin, before they are sufficiently implemented and unless they have a legal basis under applicable law (e.g. the GDPR).
- The second type of visitors to be disregarded are non-unique recipients. Providers of OPs and OSEs may count the same recipient, who visits them through different online interfaces (e.g. website and mobile app but also different URLs or domain names), as one active recipient. The same should apply to recipients with multiple accounts. This is arguably the case, because the DSA defines “recipients of the service” as any natural or legal person that uses the services (Art. 3 lit. b DSA). Thus, not the number of accounts but rather the person creating the accounts is the conclusive factor.
With this in mind, identifying unique recipients will also inevitably present issues to affected service providers. In particular, it is often simply not possible to account for situations where a single recipient utilizes more than one end device / online interface or account to access an OP or OSE in a given period. Such aspect bears the risk that affected service providers will over-count the number of AMARs. Considering the drastic implications of being qualified as a VLOP or VLOSE and the corresponding desire to avoid an inappropriate designation as such based on poor or inaccurate data, providers of OPs and OSEs will most likely and understandably conduct enhanced tracking of recipients to ensure accurate data (to the best extent possible), which determines their position below the relevant VLOP/VLOSE threshold. Particularly considering that the DSA expresses that no further processing of personal data should take place, this creates a certain dilemma for providers of OPs and OSEs, which only the EC can resolve by adopting a delegated act that lays down the specific methodology for calculating the number of AMARs.
Outlook – guidelines as a potential light at the end of the tunnel?
The EC services’ recent guidance is certainly a first step in the right direction. However, it does not provide the necessary and desired clarity, as it is predominantly limited to the recitation of the DSA’s provisions and recitals without giving any further insights. In principle, the EC is entitled to provide comprehensive guidance on the methodology for calculating the number of AMARs by way of a delegate act (Art. 24 para. 2 in conjunction with Art. 33 para. 3 DSA). For the reasons laid out above, this is essential and necessary to create the required clarity and to eliminate uncertainties. However, so far there is no sign that the EC will do so until the end of 2023 at the earliest, which is obviously far from ideal.
Against this background and despite the EC services’ recent guidance, providers of OPs and OSEs should still consider reaching out to the EC to start a dialogue and obtain individual input on the methodology if possible. Apart from that, we recommend to carefully review and document the datasets and methodology used to calculate AMARs, so that the respective service providers are able to explain and (if required) justify their approach in case of a competent authority’s inquiry. In particular, they should clearly document the reasons for the criteria they have applied to include or exclude recipients from the calculation of AMARs.
