Practical Application

Penalty Calculation Example - Major Social Media Platform: German BNetzA investigates major social media platform (hypothetically €50 billion annual turnover) for systematic Article 16 notice-and-action violations: inadequate Turkish-language moderation, excessively narrow terrorist content policies, 95% of terrorist content notices ignored. Investigation (Article 51(1)) establishes violations occurred over 18 months. BNetzA calculates proportionate fine under Article 52:

(1) Maximum cap: 6% of €50 billion = €3 billion maximum fine. (2) Proportionality assessment factors (Recital 117): Nature - Article 16 notice-and-action is core DSA obligation protecting users from illegal content exposure; violations directly harm public safety by leaving terrorist content accessible. Category: High severity. Gravity - systematic failure affecting hundreds of thousands of illegal content notices over 18 months, including terrorist content posing life/safety threats. Not isolated incidents but deliberate policy choices resulting in widespread non-compliance. Category: Very serious. Recurrence - ongoing systematic pattern, not one-time mistake. Platform repeatedly failed to act on notices despite clear legal obligations. Category: Aggravating factor. Duration - 18 months from first identified violations to investigation completion. Prolonged non-compliance despite BNetzA warnings. Category: Aggravating factor. Public interest - combating terrorism, protecting users from exposure to radicalizing content, maintaining platform accountability for content moderation obligations. Category: Highest public interest. Economic capacity - €50 billion turnover demonstrates substantial capacity to comply; violations not result of resource constraints but policy decisions. Category: No mitigating factor. Systematic/recurrent failure - violations stem from inadequate policies and resource allocation, not isolated errors. Platform capable of compliance but chose not to adequately invest. Category: Aggravating factor.

(3) Calculation: BNetzA determines violations merit fine of 1.5% of annual turnover = €750 million. Rationale: Violations very serious (systematic failure on core obligation affecting public safety), significantly below maximum (6%) reflecting absence of worst aggravating factors (platform cooperated with investigation, implemented some improvements during proceedings, no evidence of deliberate attempt to violate DSA), sufficient to deter future violations by this platform and others (€750M exceeds profit from Turkish market, sends message that non-compliance economically irrational). (4) Comparison alternatives: Too low (€50 million = 0.1%): Platform could view as cost-of-doing-business; insufficient deterrence given violation severity and turnover scale. Proportionate middle (€750 million = 1.5%): Reflects serious systematic violations while recognizing partial mitigation; significant enough to ensure compliance but not existentially threatening. Too high (€2.5 billion = 5%): Approaching maximum for violations that, while serious, don't represent worst DSA breaches (no evidence of deliberately facilitating terrorism, platform responded to some notices, improvements underway); would be disproportionate absent more extreme aggravating factors.

Periodic Penalty Calculation - Ongoing Non-Compliance: Building on above example, assume platform contests €750M fine but also fails to implement required remedial measures (hire Turkish moderators, revise policies). BNetzA issues Article 51(2)(b) cessation order requiring full compliance within 90 days. Platform misses deadline. BNetzA imposes periodic penalties under Article 52(4):

(1) Daily turnover calculation: €50 billion annual ÷ 365 = €137 million average daily. (2) Maximum daily penalty: 5% of €137 million = €6.85 million per day. (3) BNetzA assessment: Given violation severity and platform's financial capacity, impose €3 million per day (below maximum showing proportionality but substantial enough to force action). (4) Accrual: Day 1 (day 91): €3 million; Day 30: €90 million; Day 60: €180 million; Day 90: €270 million; Day 120: €360 million. (5) Platform response: After 35 days and €105 million in accumulated periodic penalties, platform's board intervenes, approves emergency budget for compliance, implements required measures. BNetzA verifies compliance, stops periodic penalties at €105 million accrued. Total penalties: €750M fine (under judicial review) + €105M periodic penalties = €855M. Message: Non-compliance is economically unsustainable; mounting daily penalties forced action where static fine alone might not have.

Procedural Violation Penalties - Obstruction of Investigation: Austrian DSC investigates mid-sized platform (€200 million annual turnover) for suspected Article 30 marketplace violations. Platform response to Article 51(1)(a) information requests demonstrates: initial response omitted 60% of requested trader verification data, follow-up clarification still incomplete and contained demonstrably false statistics, platform repeatedly delayed providing full information over 9 months. DSC considers this 'supply of incorrect, incomplete or misleading information' under Article 52(3) second sentence:

(1) Maximum cap: 1% of €200 million = €2 million. (2) Assessment: Violations serious - platform's obstruction delayed investigation 9 months, false information misled DSC requiring extensive verification, incomplete data prevented full assessment of Article 30 compliance. However, violations procedural not substantive (investigation ultimately succeeded despite obstruction). (3) Fine imposed: €800,000 (0.4% of turnover). Reflects: serious obstruction warranting substantial penalty, but below maximum given procedural nature and eventual cooperation, sends message that investigation obstruction severely punished but not at levels of substantive DSA violations. (4) Separate substantive fine: If investigation confirms Article 30 violations, platform faces additional fine up to 6% for those violations. Total penalties could reach: €800k procedural + up to €12M substantive = significant combined impact.

Small Platform Proportionality - Micro-Enterprise: Lithuanian DSC finds local forum (3 employees, €150,000 annual turnover) violated Article 15 transparency reporting and Article 11 point of contact requirements. Technical violations—forum operator unaware of obligations, immediately remediated upon notification. DSC penalty decision:

(1) Maximum cap: 6% of €150,000 = €9,000. (2) Proportionality assessment: Nature - procedural violations (missing reports/contact), not substantive harms. Gravity - minor; no evidence of user harm, good faith lack of awareness. Duration - 6 months before DSC notice. Recurrence - first offense. Economic capacity - micro-enterprise; €9k fine would be ~6% of annual revenue, severe burden. Mitigating factors - immediate compliance upon notice, good faith, lack of prior violations. (3) Penalty imposed: €500 administrative fine + warning. Rationale: Violations must be penalized (even SMEs must comply), but proportionality requires considering economic capacity and good faith; €500 sufficient to ensure attention to compliance without crushing micro-enterprise; warning puts on notice that future violations face higher penalties. (4) Comparison: Disproportionate: €9k maximum would exceed quarterly revenue, potentially forcing closure for good-faith technical violation. Proportionate: €500 meaningful enough to matter but not devastating; combined with warning creates compliance incentive without destruction. Too lenient: €0 would suggest obligations don't apply to small platforms, undermining DSA.

GDPR Comparison - Cross-Regulatory Penalty Analysis: Article 52's structure closely parallels GDPR Article 83 but with differences: (1) Maximum caps: GDPR - 4% or €20M (whichever higher) for some violations, 2% or €10M for others. DSA - 6% (no alternative floor) for substantive violations, 1% for procedural. DSA's 6% higher than GDPR's 4%, reflecting platforms' often larger revenue bases and need for strong deterrence. (2) Periodic penalties: GDPR - periodic penalties via Article 58(2)(j) but no specific cap in Article 83; Member State law determines. DSA - explicit 5% daily cap in Article 52(4) harmonizing periodic penalty levels EU-wide. (3) Factors: Both require effectiveness, proportionality, dissuasiveness. GDPR Article 83(2) lists detailed factors (intentional vs. negligent, mitigation, prior violations, cooperation, affected data subjects, technical/organizational measures). Recital 117 of DSA mirrors these. (4) In practice: Largest GDPR fines to date (2024): Amazon €746M (2021), Meta €1.2B (2023), Meta €390M (2022). Potential DSA fines: Similar or higher given 6% cap and some platforms' huge turnovers. Major VLOP violations could exceed largest GDPR fines.

National Implementation Examples - Divergent Approaches: (1) Germany - Digital Services Act Implementation Law (TTDSG + amendments): Implements Article 52 granting BNetzA power to impose fines directly (no judicial authority requirement). Detailed calculation methodology published in BNetzA guidelines considering: baseline fine based on violation category, multipliers for aggravating/mitigating factors, transparency in decision publication (anonymized until appeals exhausted). Approach: Administrative efficiency (DSC acts directly), transparent methodology, precedent-building through published decisions. (2) France - DSA transposition into French law: ARCOM can impose certain penalties directly but must request tribunal for fines exceeding €250,000. Judicial involvement for larger penalties ensures fundamental rights protection and judicial expertise in proportionality. Approach: Balances administrative efficiency (ARCOM decides smaller fines) with judicial oversight (court determines major penalties). (3) Ireland - Coimisiún na Meán structure: DSC can impose administrative sanctions up to specified thresholds; larger fines require High Court application. Court assesses proportionality, provider defenses, fundamental rights implications. Approach: Judicial heavy model reflecting Irish constitutional traditions protecting property rights (fines implicate property).

Cumulative Penalties - Multiple Simultaneous Violations: Platform simultaneously violates: Article 15 (transparency reporting), Article 16 (notice-and-action), Article 20 (internal complaints), Article 27 (recommender transparency). Can DSC impose separate fines for each? Legal analysis: (1) Article 52 silent on cumulation. (2) EU law principles: ne bis in idem (double jeopardy) prevents punishing twice for same conduct. But separate violations of different obligations aren't same conduct. (3) Likely approach: DSC can impose separate fines for distinct violations but total must respect proportionality. If violations interconnected (e.g., transparency failures across multiple articles), DSC might impose single fine considering all violations together. If truly separate (Article 16 content moderation failures + unrelated Article 30 trader verification failures), separate fines possible. (4) Practical example: Platform A violates only Article 16: fine €500M. Platform B violates Articles 15, 16, 20, 27 stemming from systematic transparency/accountability failures: probably single fine €700M (higher than Platform A reflecting multiple violations but not 4× separate fines which would be disproportionate for related failures). Platform C violates Article 16 (content moderation) + Article 30 (trader verification) + Article 43 (data access for researchers) in completely unrelated contexts: potentially separate fines up to €500M + €300M + €200M = €1B total, if proportionate to distinct violation patterns.

Fine Collection and Enforcement: (1) Payment terms: DSC decisions typically give 30-90 days to pay fine, extendable if provider demonstrates financial hardship requiring installment plan. (2) Non-payment consequences: Interest accrual on unpaid fines, enforcement through national debt collection procedures (bailiff seizure, asset attachment), in extreme cases criminal prosecution for fine evasion (if national law provides). (3) Cross-border collection: Fines imposed by one Member State's DSC on provider established in another Member State use EU mutual recognition of administrative decisions for collection across borders. German BNetzA fine on Irish-established platform can be enforced in Ireland through administrative cooperation. (4) Insolvency scenarios: If provider enters bankruptcy, DSA fines treated as administrative debts in insolvency proceedings. Questions of priority vs. secured creditors, employee claims, tax debts depend on national insolvency law. (5) Appeals and suspension: Judicial appeals of fines typically don't automatically suspend payment obligation (provider must apply for suspension demonstrating irreparable harm from payment during appeal). Courts may require payment into escrow pending appeal outcome.

For Platforms - Penalty Risk Management: (1) Compliance investment ROI: Platforms should calculate: cost of full DSA compliance (systems, staff, processes) vs. expected value of penalties (probability of violation × potential fine amount). For VLOPs with billions in turnover, compliance costing tens of millions is rational if it reduces probability of €500M-1B fines. (2) Violation assessment: Internal legal teams should continuously assess DSA compliance across obligations, flagging areas of non-compliance for prioritized remediation. Periodic internal audits (supplementing Article 37 external audits for VLOPs) identify issues before DSC investigations. (3) Investigation cooperation: During DSC investigations, cooperation may reduce penalties (Recital 117 considers cooperation as mitigating factor). Stonewalling investigations triggers procedural fines (Article 52(3)) and aggravates substantive penalties. Balance: cooperate with lawful requests while preserving legal challenges to disputed interpretations. (4) Early remediation: Upon discovering violations, voluntarily remediate before DSC investigation may reduce penalties (shows good faith, limits violation duration, reduces harm). Some Member States' penalty frameworks include 'self-reporting' discounts where providers proactively disclose violations. (5) Financial reserves: Platforms operating in regulatory uncertainty should maintain financial reserves or insurance for potential DSA fines, particularly VLOPs facing multi-billion potential penalties.

For Civil Society and Enforcement Monitoring: (1) Penalty publication: Monitor DSC publication of penalty decisions (required by many Member States for transparency). Analyze whether penalties proportionate to violations, identify patterns of over/under-enforcement. (2) Comparative analysis: Compare penalties across Member States for similar violations revealing disparate enforcement. If German DSC fines €10M for Article 16 violations while another DSC fines €100k for comparable violations, raises questions about consistency. (3) Deterrence assessment: Track whether penalties actually deter violations. If platforms repeatedly violate same obligations despite fines, suggests penalties insufficient (not dissuasive). If violations decrease post-penalty, confirms deterrence. (4) Advocacy for adequate penalties: Where DSCs impose inadequate penalties failing effectiveness/dissuasiveness standard, civil society should: publicly criticize weak enforcement, file complaints with Commission about inadequate national penalty frameworks, engage in policy advocacy for stronger national implementation, support affected users in judicial challenges if penalties too low to remedy harms. (5) Celebration of strong enforcement: When DSCs impose appropriately strong penalties, civil society should publicly support, countering platform narratives of excessive regulation, demonstrating public backing for robust enforcement, encouraging other DSCs to follow precedent.