Chapter 4|Supervision, Investigation, Enforcement and Monitoring of VLOPs and VLOSEs|📖 10 min read
1. The Commission may, by simple request or by decision, require the provider of the very large online platform or of the very large online search engine concerned, as well as any other natural or legal person acting for purposes related to their trade, business, craft or profession that may be reasonably aware of information relating to the suspected infringement, including organisations performing the audits referred to in Article 37 and Article 75(2), to provide such information within a reasonable period.
2. When sending a simple request for information to the provider or other person referred to in paragraph 1, the Commission shall state the legal basis and the purpose of the request, specify what information is required and set the period within which the information is to be provided, and the fines provided for in Article 74 for supplying incorrect, incomplete or misleading information.
3. Where the Commission requires information by decision, it shall state the legal basis and the purpose of the request, specify what information is required and set the period within which it is to be provided. It shall also indicate the fines provided for in Article 74 and indicate or impose the periodic penalty payments provided for in Article 76. It shall further indicate the right to have the decision reviewed by the Court of Justice of the European Union.
4. The providers or their representatives and, in the case of legal persons, companies or firms, or where they have no legal personality, the persons authorised to represent them by law or by their constitution shall supply the information requested. Lawyers duly authorised to act may supply the information on behalf of their clients. The latter shall remain fully responsible if the information supplied is incomplete, incorrect or misleading.
5. At the request of the Commission, the Digital Services Coordinators and other competent authorities shall provide the Commission with all necessary information to carry out the tasks assigned to it under this Section.
6. The Commission shall, without undue delay after sending the simple request or the decision, send a copy thereof to the Digital Services Coordinators, through the information sharing system referred to in Article 85.
Understanding This Article
Article 67 establishes Commission's core investigatory power to compel information provision from VLOPs/VLOSEs and third parties, enabling evidence gathering essential for Articles 65-66 investigations and Articles 73-74 enforcement decisions. Addresses fundamental challenge: regulatory investigations require access to information controlled by regulated entities who may be incentivized to withhold, delay, or misrepresent evidence particularly when facing potential Article 74 fines up to 6% global turnover. Article 67 creates two-tier compulsion mechanism: simple requests encouraging voluntary cooperation with lower procedural burden, and binding decisions with escalated penalties for non-compliance. Information request scope broad: targets VLOPs/VLOSEs directly, third-party entities with relevant knowledge (competitors, business partners, service providers, advertisers), and Article 37/75(2) audit organizations. Penalties framework ensures compliance: Article 74 fines up to 1% turnover for incorrect/incomplete/misleading information or failure to respond, Article 76 periodic penalty payments up to 5% average daily turnover compelling ongoing compliance. Procedural safeguards protect information providers: clear legal basis disclosure, purpose specification, reasonable deadlines, judicial review rights for binding decisions, lawyer representation permission.
Simple Requests vs. Binding Decisions - Paragraphs 1-3: Commission can choose between two information request mechanisms based on case circumstances and cooperation expectations. Simple Requests (paragraph 2): Less formal, encouraging voluntary cooperation, appropriate when provider likely to cooperate, used in early investigation stages or for less sensitive information. Must state: (a) legal basis (Article 67 authority, Article 65/66 investigation context), (b) purpose (what Commission investigating and why information needed), (c) required information specifications (documents, data, explanations sought), (d) provision period (deadline for response, typically 2-4 weeks depending on complexity), (e) Article 74 fines for incorrect/incomplete/misleading information (warning of penalties incentivizing accurate complete responses). Simple request is not legally binding—provider can theoretically refuse—but refusal triggers Commission issuance of binding decision with enhanced penalties. Binding Decisions (paragraph 3): Formal legal instruments compelling information provision, appropriate when provider failed to respond to simple request, provider cooperation doubtful, information critical and time-sensitive, or Commission wants maximum legal enforceability. Must include all simple request elements plus: (a) Article 76 periodic penalty payments specification (daily fines until compliance achieved), (b) judicial review rights notice (providers can challenge decision at Court of Justice). Binding decisions create legal obligation—refusal constitutes infringement triggering penalties.
Information Request Scope - Paragraph 1: Can target: (a) VLOP/VLOSE providers being investigated, (b) 'any other natural or legal person acting for purposes related to their trade, business, craft or profession' who 'may be reasonably aware of information relating to suspected infringement'—extremely broad scope covering competitors (observations about platform practices), business partners (contractual documentation, integration details), advertisers (ad platform functionality, targeting capabilities), content creators (platform policy enforcement experiences), service providers (cloud hosting data, payment processing records), consultants (compliance advice provided to VLOP). 'Reasonably aware' requires connection to information—person likely possesses relevant knowledge based on business relationship or professional activities. Special inclusion: Article 37 audit organizations and Article 75(2) audit organizations—Commission can compel auditors to provide complete audit reports, underlying evidence, methodologies, working papers beyond what VLOPs publicly disclose, preventing VLOPs from sanitizing audit results. Third-party information requests critical for corroborating VLOP representations, identifying misrepresentations, gathering evidence VLOPs won't voluntarily provide.
Response Procedures and Lawyer Representation - Paragraph 4: Information must be supplied by: providers themselves, authorized representatives (corporate officers, compliance teams), legal persons' constitutionally authorized representatives, lawyers duly authorized by clients. Lawyer representation permitted protecting legal professional privilege and ensuring quality responses, but 'clients remain fully responsible if information supplied is incomplete, incorrect or misleading'—legal representation doesn't absolve provider of liability, lawyers acting as conduit not shield. Responsibility allocation ensures providers cannot blame lawyers for deficient responses, incentivizes providers to supervise lawyer compliance closely, maintains deterrent effect of Article 74 fines.
DSC Information Provision - Paragraph 5: Digital Services Coordinators and other competent authorities (national competition authorities, data protection authorities, sector regulators) must provide Commission with 'all necessary information' upon request. Supports Commission investigations by accessing national authority intelligence: DSC enforcement files, user complaints, market monitoring data, previous supervisory correspondence with VLOPs, technical analyses. Cross-institutional cooperation leverages distributed regulatory knowledge enhancing Commission evidence base beyond what direct VLOP requests yield.
Transparency - Paragraph 6: Commission must copy all simple requests and binding decisions to DSCs via Article 85 information sharing system 'without undue delay' (typically same day). Ensures DSC awareness of Commission investigation activities, enables DSC provision of complementary information, maintains transparency in Commission-DSC cooperation, allows DSC monitoring of Commission enforcement priorities and methodologies.
Key Points
Commission can request information by simple request or binding decision
Applies to VLOPs/VLOSEs, auditors, and any person with relevant information
Targets persons acting in trade, business, craft, or profession
Includes Article 37 audit organizations
Simple requests state legal basis, purpose, required information, deadline, and penalties
Binding decisions additionally specify periodic penalty payments and judicial review rights
Providers or authorized representatives must supply requested information
Lawyers can provide information on behalf of clients
Clients remain fully responsible if information incomplete, incorrect, or misleading
Article 74 fines apply for incorrect, incomplete, or misleading information
Article 76 periodic penalties for failure to respond or delayed responses
DSCs must provide Commission with necessary information upon request
Commission copies requests and decisions to DSCs via Article 85 system
Enables evidence gathering for VLOP/VLOSE compliance investigations
Core investigatory tool for Articles 65-66 proceedings
Compels cooperation through financial penalties for non-compliance
Practical Application
TikTok Algorithm Investigation - Simple Request: Commission investigating TikTok Article 27 recommender transparency and Article 35 systemic risk mitigation issues simple request seeking: (1) complete documentation of recommendation algorithm parameters, weighting factors, and ranking criteria, (2) internal analyses of algorithm amplification effects on viral content, (3) risk assessment methodologies and findings for misinformation spread, (4) A/B testing data on algorithm variations and user engagement impacts, (5) content categorization systems and labels, (6) explanations of how Article 27 user choice options affect recommendation behavior. Request specifies 30-day response deadline given documentation volume and technical complexity. States legal basis (Article 67(1) investigation authority under Article 66 proceedings), purpose (assessing Article 27/35 compliance), Article 74 fine warning (up to 1% turnover for incorrect/incomplete/misleading information). TikTok responds within deadline providing voluminous technical documentation but Commission review identifies gaps and potential misrepresentations requiring follow-up.
Meta Data Access - Escalation to Binding Decision: Commission investigating Meta Article 40 researcher data access compliance issues simple request for: researcher request handling procedures, API approval/rejection decision logs, technical API specifications and limitations documentation, internal communications about researcher access policy. Meta response delayed (provided day 45 when deadline was day 30) and incomplete (missing internal communications, API technical specs summary-level not detailed). Commission issues binding decision requiring: (1) complete unredacted internal communications about researcher access decisions for past 2 years, (2) detailed API technical documentation including code-level specifications, (3) database schemas and data dictionaries for researcher-accessible datasets, (4) decision within 15 days (expedited given previous delay). Decision specifies: Article 74 fines for incorrect/incomplete/misleading information (up to €1.3 billion at 1% Meta's turnover), Article 76 periodic penalty payments €6.5 million per day (0.5% daily turnover) for each day of delay beyond 15-day deadline, judicial review rights at Court of Justice. Meta complies within deadline providing comprehensive documentation having received clear penalty escalation.
Third-Party Information - Audit Organization: Commission investigating YouTube Article 35 systemic risk assessment adequacy. YouTube's Article 37 public audit summary claims robust risk mitigation but lacks detail. Commission issues Article 67(1) binding decision to PwC (YouTube's Article 37 auditor) requiring: complete unredacted audit report including all findings and recommendations, audit methodology documentation and testing procedures, evidence supporting audit conclusions (sampled documents, interview notes, technical analyses), communications between PwC and YouTube about audit scope and findings, identification of any YouTube-imposed limitations on audit scope. PwC responds comprehensively (cannot refuse given binding decision). Audit working papers reveal YouTube initially resisted certain audit recommendations that public summary didn't mention, audit scope excluded certain algorithmic risks at YouTube's request, PwC raised concerns about risk assessment methodology adequacy that didn't appear in sanitized public version. Commission uses PwC information as evidence contradicting YouTube's compliance representations, demonstrating value of third-party information access.
Competitor Information - Platform Comparison: Commission investigating X's Article 14 content moderation adequacy. Issues requests to Meta, TikTok, YouTube (X's competitors) seeking: industry standard content moderation staffing levels and ratios, typical notice-and-action response times, standard review quality assurance processes, common illegal content detection technologies and tools, benchmarking data on content moderation performance metrics. Competitors provide information (reasonably aware through own operations, no proprietary advantage to withholding, demonstrating superior practices may favorably contrast with X's deficiencies). Commission uses comparative data establishing industry baselines: if Meta, TikTok, YouTube maintain 10,000+ content moderators while X reduced to 2,000, if competitors respond to notices within 24-48 hours while X takes 7-10 days, demonstrates X's Article 14 obligations not met relative to reasonable industry standards. Competitor information corroborates inadequacy claims without relying solely on X's self-reporting.
DSC Information Provision - Cross-Border Intelligence: Commission investigating TikTok election interference issues Article 67(5) requests from Romanian DSC: all complaints received about TikTok election content, Romanian DSC's investigation files and evidence, technical analyses of algorithm behavior during Romanian election, user impact assessments and harm documentation. Romanian DSC provides comprehensive package within 7 days including forensic algorithm analysis conducted by Romanian cybersecurity experts. Commission additionally requests information from French, German, Polish DSCs about TikTok algorithm behavior during their elections identifying cross-border patterns. DSC information sharing reveals systemic EU-wide issues not visible from single-country perspective strengthening Commission's evidence base for Article 73 non-compliance finding.
For Commission - Strategic Information Requests: Use simple requests initially encouraging voluntary cooperation and preserving binding decision escalation option. Specify information requirements precisely avoiding overly broad requests that burden providers without investigative value. Set reasonable deadlines balancing urgency with provider compliance capacity. Issue binding decisions strategically when cooperation doubtful or delays unacceptable. Target third parties and auditors when VLOP information likely biased or incomplete. Request DSC information supplementing direct provider requests with regulatory intelligence.
For VLOPs/VLOSEs - Responding to Requests: Respond promptly and completely to simple requests avoiding binding decision escalation. Allocate adequate internal resources ensuring quality comprehensive responses. Engage lawyers for complex requests but maintain responsibility for accuracy and completeness. Flag genuinely sensitive information requesting confidential treatment rather than withholding. Avoid incomplete or misleading responses given Article 74 1% fine risk. Document response preparation processes protecting against inadvertent errors. Consider voluntary information provision beyond minimum requested demonstrating cooperation.
For Audit Organizations - Article 37/75(2) Auditors: Recognize Commission can compel complete audit documentation beyond public summaries. Maintain comprehensive audit working papers supporting all findings and conclusions. Document any limitations VLOPs impose on audit scope or methodology. Preserve auditor independence resisting VLOP pressure to sanitize findings. Respond comprehensively to Commission requests given binding decision authority and no client privilege protection. Ensure audit contracts with VLOPs clarify Commission access rights avoiding contractual conflicts.