Chapter 4|Supervision, Investigation, Enforcement and Monitoring of VLOPs and VLOSEs|📖 24 min read
1. The Commission shall adopt a non-compliance decision where it finds that the provider of the very large online platform or of the very large online search engine concerned does not comply with one or more of the following:
(a) its obligations under Section 5 of Chapter III;
(b) an interim measure ordered pursuant to Article 70;
(c) a commitment made binding by a decision pursuant to Article 71;
(d) an obligation to supply information imposed by a decision pursuant to Article 67, to submit to an interview pursuant to Article 68 or to an inspection pursuant to Article 69.
2. Before adopting the decision pursuant to paragraph 1, the Commission shall communicate its preliminary findings to the provider of the very large online platform or of the very large online search engine concerned. In the communication of its preliminary findings, the Commission shall explain the measures that it considers taking or that it considers that the provider of the very large online platform or of the very large online search engine concerned should take in order to effectively address the preliminary findings.
3. In its decision referred to in paragraph 1, the Commission shall order the provider of the very large online platform or of the very large online search engine concerned to take the necessary measures to ensure compliance within a reasonable period of time specified by the Commission and to provide information on the measures that the provider concerned intends to take to comply with the decision.
4. The provider of the very large online platform or of the very large online search engine concerned shall provide the Commission with a description of the measures it has taken to ensure compliance upon their implementation.
5. Where the Commission concludes that the conditions for adopting a decision pursuant to paragraph 1 are not met, it shall close the investigation by a decision. The decision shall apply with immediate effect.
Understanding This Article
Article 73 establishes European Commission's authority to adopt formal non-compliance decisions definitively determining that very large online platform (VLOP) or very large online search engine (VLOSE) violated Digital Services Act obligations. Non-compliance decision represents culmination of Article 66 enforcement proceedings, creating binding legal finding that provider infringed specified DSA provisions and must implement ordered remediation measures within Commission-specified deadline. Decision triggers Article 74 fine authority and Article 75 periodic penalty powers, creates res judicata effect preventing duplicate proceedings, establishes legal basis for future compliance verification, and subjects provider to enhanced ongoing oversight verifying remediation implementation.
Scope of Non-Compliance - Paragraph 1 Categories: Article 73 applies to four distinct violation types reflecting DSA's layered enforcement architecture: (a) Section 5 substantive obligations - Articles 33-43 provisions imposing VLOP/VLOSE-specific requirements beyond general intermediary obligations. These include: Article 34 annual systemic risk assessment identifying illegal content, fundamental rights, electoral process, gender-based violence, mental health, minor protection risks; Article 35 reasonable, proportionate, effective risk mitigation measures addressing identified risks; Article 37 annual independent audit assessing compliance with all VLOP/VLOSE obligations; Article 38 recommender system transparency with meaningful non-personalized alternatives; Article 39 online advertising restrictions prohibiting targeting based on sensitive data categories; Article 40 vetted researcher data access; Article 42 dedicated compliance function with sufficient authority and resources; Article 43 additional public accountability transparency reporting. (b) Article 70 interim measure violations - failure to implement provisional remedies Commission ordered pending investigation to prevent imminent serious harm. Interim measure breach constitutes independent violation even if underlying substantive allegation ultimately unproven - providers must comply with procedurally valid orders regardless of dispute about underlying merits. (c) Article 71 binding commitment violations - breach of undertakings provider offered and Commission accepted as alternative to formal non-compliance proceedings. Commitment violations particularly serious given provider voluntarily proposed measures then failed to implement - demonstrates bad faith undermining regulatory settlement mechanisms. (d) Investigation cooperation failures - non-compliance with Article 67 information requests, Article 68 interview obligations, Article 69 inspection orders. Cooperation violations obstruct enforcement enabling providers to conceal evidence - warrant independent sanctioning beyond underlying substantive violations.
Preliminary Findings Procedure - Paragraph 2: Before adopting final Article 73 decision, Commission must 'communicate its preliminary findings to the provider' - implements fundamental EU law right to be heard (Charter Article 41, general principles of Union law). Preliminary findings serve multiple functions: (1) Factual disclosure - Commission specifies alleged violations including: DSA provisions violated, factual evidence supporting violation finding (database analyses, algorithmic audits, document reviews, interview testimony, inspection findings), legal interpretation of provisions establishing violation, proportionality assessment justifying intervention. (2) Remedial transparency - Commission explains 'measures it considers taking or provider should take to effectively address preliminary findings' - creates clarity about potential compliance requirements enabling provider to propose alternatives or object to disproportionate remedies. Commission may indicate: specific operational changes required (content moderation improvements, algorithmic adjustments, transparency enhancements), structural modifications needed (compliance organizational changes, resource allocations, governance reforms), ongoing monitoring requirements (periodic reporting, external audits, Commission access rights), implementation timeline expectations. (3) Defense opportunity - Provider may respond to preliminary findings through written submissions and oral hearings (if granted) presenting: counterarguments disputing factual findings or legal interpretations, exculpatory evidence explaining conduct or demonstrating good faith compliance efforts, proportionality objections arguing Commission remedies excessive relative to violation severity, alternative remedy proposals addressing compliance concerns through less burdensome means. Response period typically 30-60 days though Commission may extend for complex cases. (4) Commission reconsideration - After receiving provider response, Commission must evaluate arguments and may: confirm preliminary findings proceeding to final non-compliance decision, modify findings addressing provider objections, withdraw findings if defense persuasive, accept alternative remedies provider proposes.
Remediation Orders - Paragraph 3: Final non-compliance decision 'shall order provider to take necessary measures to ensure compliance within reasonable period' - creates binding legal obligation to implement specific remediation. Remediation scope determined by: (1) Violation nature - substantive violations require addressing underlying compliance failures (improving risk assessment methodologies, deploying effective mitigation measures, enhancing transparency features), procedural violations require implementing cooperation mechanisms (providing requested information, facilitating interviews, enabling inspections). (2) Necessity assessment - Commission may only order measures 'necessary to ensure compliance' - proportionality limits prevent requiring changes beyond violation remediation. Provider may challenge remediation scope arguing measures exceed necessity threshold. (3) Specificity requirement - Orders must specify concrete actions not vague aspirations; acceptable: 'deploy natural language processing system detecting hate speech in [specified languages] achieving minimum 85% precision within 180 days with independent testing verification,' unacceptable: 'improve content moderation.' (4) Reasonable period determination - Paragraph 3 requires compliance 'within reasonable period specified by Commission' - timeline varies by remediation complexity. Operational fixes (providing missing transparency information, correcting interface designs) typically 30-90 days. Algorithmic modifications (retraining recommender systems, deploying new content moderation models) typically 90-180 days. Structural changes (establishing compliance functions, conducting comprehensive risk assessments, implementing researcher data access infrastructure) typically 6-12 months. Factors influencing timeline: technical complexity, resource requirements, third-party dependencies, need for testing/validation, potential adverse effects requiring gradual rollout. (5) Implementation plan requirement - Paragraph 3 requires providers disclose 'measures intended to take to comply with decision' - creates public commitment and enables Commission to assess plan adequacy before implementation. Plans typically specify: discrete implementation milestones with target dates, responsibility assignments identifying personnel or units, resource allocations, testing and validation methodologies, contingency measures if initial approach fails, reporting mechanisms enabling Commission to monitor progress.
Implementation Verification - Paragraph 4: 'Upon implementation' providers must furnish 'description of measures taken to ensure compliance' - enables Commission to verify remediation completion and effectiveness. Implementation reports typically include: (1) Measure descriptions - detailed explanation of actions taken including: technical specifications for algorithmic or system modifications, organizational changes to compliance structures, policy and procedural updates, training programs deployed, resource allocations, third-party contracts (auditors, consultants, technical service providers). (2) Evidence documentation - supporting materials demonstrating implementation: screenshots showing interface changes, code repositories with version control documenting algorithmic modifications, audit reports confirming system deployments, training completion records, staffing documentation showing compliance team expansion. (3) Effectiveness assessment - data showing measures achieve compliance objectives: content moderation accuracy improvements, risk mitigation effectiveness metrics, transparency feature usage statistics, researcher data access uptake, user complaint resolution improvements. (4) Timeline documentation - evidence showing measures implemented within reasonable period or justification for delays. Commission evaluates implementation reports assessing whether: remediation measures actually address violations identified in non-compliance decision, implementation quality sufficient to ensure compliance or merely cosmetic, timing complies with specified reasonable period, ongoing monitoring mechanisms ensure sustained compliance. Inadequate implementation triggers Article 75 periodic penalty payments creating escalating daily fines until genuine compliance achieved.
Closure Decisions - Paragraph 5: When Commission 'concludes conditions for adopting non-compliance decision not met, shall close investigation by decision with immediate effect' - creates formal termination preventing indefinite uncertainty. Closure scenarios include: (1) Insufficient evidence - Article 66 investigation fails to substantiate preliminary concerns despite Article 67 information requests, Article 68 interviews, Article 69 inspections, Article 72 monitoring. (2) Provider remediation during investigation - Provider voluntarily implements corrective measures addressing preliminary findings before final decision, mooting non-compliance determination. (3) Legal interpretation clarification - Commission concludes conduct falls outside DSA prohibition scope upon deeper legal analysis. (4) Article 71 commitment acceptance - Provider offers adequate commitments addressing concerns, warranting commitment decision rather than non-compliance finding. (5) Changed circumstances - Facts underlying preliminary findings materially evolve eliminating compliance concerns. Closure decision must specify grounds explaining why non-compliance conditions not met - prevents arbitrary or unexplained investigation terminations. 'Immediate effect' language confirms closure instantly terminates investigation without grace period - creates prompt certainty. However, closure doesn't preclude future investigation if new evidence emerges or circumstances change - res judicata applies only to specific conduct examined, not all potential violations.
Relationship with Article 74 Fines: Article 73 non-compliance decision creates legal predicate for Article 74 financial penalties. Article 74(1) authorizes fines 'where the Commission has adopted a decision of non-compliance pursuant to Article 73(1)' - makes non-compliance finding prerequisite rather than automatic consequence. Commission exercises discretion whether to impose fines considering: violation severity (minor technical failures versus systemic intentional non-compliance), harm caused to users or public interests, violation duration, provider's cooperation during investigation, provider's financial capacity, deterrence necessity to ensure future compliance and signal to other platforms. Fine amounts limited to 6% provider's total worldwide annual turnover, with repeated violations potentially warranting higher percentage within statutory ceiling. Fines imposed through separate Article 74 decision following Article 73 non-compliance decision - creates two-stage procedure ensuring fines justified by both non-compliance finding and proportionate penalty assessment. Providers may challenge both Article 73 non-compliance decision and Article 74 fine decision before EU Courts, though typically consolidated into single judicial proceeding.
Relationship with Article 75 Periodic Penalties: Article 75 empowers Commission to impose daily penalty payments up to 5% average daily worldwide turnover compelling compliance with: Article 73 non-compliance decision remediation orders, Article 67 information requests, Article 68 interview obligations, Article 69 inspection orders, Article 70 interim measures. Periodic penalties differ from Article 74 fines in temporal orientation - fines punish past violations, periodic penalties coerce future compliance. Article 73 decision triggering Article 75 periodic penalties typically involves provider failing to implement paragraph 3 remediation orders within reasonable period specified. Periodic penalties accrue daily until provider achieves compliance, creating escalating financial pressure. For major platforms with hundreds of billions annual turnover, 5% daily rate could exceed €100 million per day - creates powerful compliance incentive. Commission may impose both Article 74 retrospective fines for past violations and Article 75 prospective periodic penalties for ongoing non-compliance in coordinated enforcement strategy.
Judicial Review and Due Process: Article 73 decisions constitute definitive Commission acts challengeable before EU Courts under TFEU Article 263 (annulment actions) within two months of notification. Grounds for judicial review include: (1) Lack of competence - Commission exceeded authority or applied DSA to conduct outside scope. (2) Infringement of essential procedural requirements - Commission violated paragraph 2 preliminary findings procedure, denied adequate right to be heard, based decision on evidence provider couldn't access or rebut, failed to provide reasoning. (3) Infringement of Treaties or implementing rules - Commission misinterpreted DSA provisions, applied incorrect legal standards, violated Charter fundamental rights (freedom of expression, privacy, business freedom), violated proportionality requiring least restrictive means. (4) Misuse of powers - Commission pursued improper objectives (competitive advantage for EU platforms, political retaliation) rather than DSA compliance enforcement. Courts apply plenary review of legal questions but limited review of factual findings and technical assessments given Commission's enforcement expertise - will typically defer to Commission on complex algorithmic or content moderation judgments unless manifestly erroneous. Successful annulment invalidates non-compliance decision retroactively preventing Article 74 fines and Article 75 periodic penalties. Pending judicial review doesn't automatically suspend non-compliance decision, but providers may request interim relief under TFEU Article 278 if immediate implementation causes irreparable harm - Courts balance provider's rights against public interest in DSA enforcement.
Precedential Effects and Regulatory Significance: First Article 73 decisions will establish foundational DSA interpretation precedents shaping future enforcement and platform compliance strategies. Decisions address critical uncertainties including: (1) Article 34 risk assessment adequacy - what methodologies, evidence, comprehensiveness required for 'diligent' risk identification; whether platforms must identify all systemic risks or only reasonably foreseeable risks; how granularly platforms must assess geographic, demographic, cultural risk variations. (2) Article 35 mitigation effectiveness - how Commission evaluates whether measures 'effectively mitigate' systemic risks; whether effectiveness assessed ex ante based on reasonable design or ex post based on actual results; what quantitative thresholds (moderation accuracy, user protection rates) constitute adequate mitigation. (3) Article 38 recommender transparency - how 'meaningful' non-personalized alternatives must be; whether chronological feeds satisfy requirement or more sophisticated non-personalized curation necessary; how transparent 'main parameters' explanations must be to enable user understanding. (4) Article 40 researcher access adequacy - what constitutes 'proportionate' data access request approval processes; how broadly 'public data' defined; what security and privacy protections justify access limitations. (5) Article 42 compliance function independence - how much authority, resources, organizational separation necessary for 'adequate' compliance capacity; whether business unit integration creates impermissible conflicts of interest. Decisions create safe harbor guidance - platforms implementing measures Commission approved in prior decisions can argue comparable approaches satisfy their obligations. Conversely, decisions identifying failures establish minimum compliance baselines - platforms cannot adopt approaches Commission previously rejected.
Mandatory preliminary findings procedure (paragraph 2) - Commission must communicate preliminary assessment before final decision enabling provider defense
Preliminary findings must explain 'measures Commission considers taking or provider should take' - creates transparency about potential remediation requirements
Right to be heard: providers can respond to preliminary findings submitting counterarguments, evidence, proposed alternative remedies before final decision
Final non-compliance decision orders 'necessary measures to ensure compliance within reasonable period' - Commission specifies concrete remediation steps and deadlines
Providers must disclose 'information on measures intended to comply' - creates implementation commitment before execution
Paragraph 4 implementation reporting: providers must describe measures actually taken 'upon implementation' - verifies remediation completion
Closure decision (paragraph 5): when Commission concludes non-compliance conditions not met, must formally close investigation with immediate effect - prevents indefinite uncertainty
Non-compliance decision triggers Article 74 fine authority (up to 6% global turnover) and Article 75 periodic penalties (up to 5% daily turnover) for continued violations
Distinct from preliminary findings which are not definitive determinations - only Article 73 final decision creates legally binding non-compliance finding
Decisions subject to EU Court judicial review under TFEU Article 263 - providers can challenge factual findings, legal interpretations, proportionality, procedural violations
Reasonable period specification (paragraph 3) typically ranges 30 days-12 months depending on remediation complexity - structural changes receive longer deadlines than operational fixes
Decision must be 'reasoned' per EU law general principles - Commission must explain factual basis, legal grounds, remediation necessity, proportionality assessment
First Article 73 decisions expected 2024-2025 for X (Twitter), TikTok, Meta cases - will establish precedential interpretation of DSA substantive obligations
X (Twitter) - First Major Article 73 Non-Compliance Decision Expected: European Commission initiated Article 66 proceedings against X (formerly Twitter) December 18, 2023 investigating potential Article 34 risk assessment failures, Article 35 mitigation inadequacies, and Article 39 advertising transparency violations. July 12, 2024, Commission issued preliminary findings (Article 73 paragraph 2) documenting three violation categories: (1) Deceptive verification system (Article 25 dark patterns) - X's Blue subscription provides 'verified' badge to any paying subscriber without identity verification, creating misleading impression of account authenticity. Commission found badge indistinguishable from legacy verification (celebrities, journalists, government officials confirmed authentic), enabling impersonation and misinformation. Users cannot readily determine whether badge signifies confirmed identity or mere subscription payment - violates Article 25 prohibition on 'interface design that deceives or manipulates recipients.' (2) Advertising transparency deficiencies (Article 39) - X's advertising repository lacks required functionality and accessibility. Commission testing revealed: repository requires account creation and login preventing public access contrary to 'publicly available' requirement; search functionality limited preventing comprehensive ad transparency; missing data fields including targeting parameters and ad spending obscure advertising ecosystem; ad removal from repository after short retention periods violates ongoing transparency requirement. Repository design appears deliberately obfuscatory rather than maximizing transparency per Article 39 objectives. (3) Researcher data access obstruction (Article 40) - X's researcher access application process imposes excessive barriers: requires institutional affiliation excluding independent researchers; demands detailed methodology disclosures enabling X to anticipate and counter research findings; includes non-disparagement clauses prohibiting critical research publication; limits API access preventing comprehensive data collection; charges fees inconsistent with 'reasonable, proportionate and duly justified' cost limitation. Application approval rate below 5% suggests systematic access denial. Commission preliminary findings explained remediation measures required: (a) Verification system redesign - distinguish paid subscription badge from identity verification badge with clear visual and textual differentiation, or eliminate 'verified' terminology for unverified paid subscribers; (b) Ad repository enhancement - remove login requirement enabling public access, expand search functionality, add missing data fields, maintain ad records indefinitely or minimum 2 years; (c) Researcher access reform - broaden eligibility criteria, streamline application process, eliminate content restrictions and non-disparagement clauses, reduce fees to cost recovery only, commit to approval timelines and transparency about denial reasons. X submitted response disputing preliminary findings: argued verification badge clearly explained as subscription feature with disclosure in user interface; claimed advertising repository meets DSA minimum requirements with public access via account creation (free); characterized researcher access limits as necessary to prevent security risks, API abuse, competitive intelligence gathering. Commission rejected X's defense arguments finding: verification badge explanations buried in terms of service inadequate to prevent user deception given visual prominence of badge and historical association with identity verification; public access requires no login per natural reading of 'publicly available'; account creation requirement imposes unnecessary barrier enabling X tracking of repository users; researcher access restrictions exceed legitimate security concerns serving primarily to obstruct accountability research. Commission expected to adopt final Article 73 non-compliance decision before December 2024 ordering remediation within 60-120 days and triggering potential Article 74 fines up to €2.5 billion (6% X's estimated €40B annual revenue). Decision will establish first Article 73 precedent interpreting Article 25 dark patterns, Article 39 ad transparency, Article 40 researcher access - creating benchmark for other platforms' compliance and informing pending Commission investigations of Meta, TikTok, AliExpress.
Meta (Facebook & Instagram) - Preliminary Findings on Researcher Access and Content Moderation: Commission issued Article 73 paragraph 2 preliminary findings October 24, 2024 against Meta for Facebook and Instagram violations across two areas: (1) Article 40 researcher data access failures - Commission found Meta's CrowdTangle and Researcher API tools 'failed to provide effective and real-time access to public data' required under Article 40. CrowdTangle limitations included: two-month delay between content publication and data availability preventing real-time electoral misinformation research; incomplete content coverage excluding Instagram Reels, Stories, private groups despite public visibility; imminent shutdown (Meta announced CrowdTangle retirement August 2024) without adequate replacement creating access gap. Researcher API problems included: application approval delays averaging 4-6 months exceeding reasonable processing; granular methodology requirements enabling Meta to anticipate and counter unfavorable research; approval denials lacking detailed reasoning preventing researchers from correcting applications; access scope limitations preventing comprehensive platform analysis. Commission experts tested researcher access tools finding them inadequate for studying systemic risks (election manipulation, misinformation amplification, youth mental health, coordinated harassment) Article 40 intended to enable. Meta's obstructive approach prevented independent verification of Article 34 risk assessments and Article 35 mitigation effectiveness claims - undermining DSA accountability architecture. (2) Article 16 illegal content reporting failures - Commission found Facebook and Instagram 'notice-and-action mechanisms' impose 'burdensome procedures' violating Article 16(1) 'easy and readily accessible mechanisms' requirement. Specific problems: multi-step reporting processes requiring users navigate complex category hierarchies before submitting reports; mandatory account creation for some reporting functions excluding unregistered users; dark patterns steering users toward less effective reporting categories (e.g., prompting 'hide post' or 'unfollow user' instead of reporting illegal content); language barriers for non-English users with incomplete translations. Testing showed average user requires 7-12 clicks to complete illegal content report versus 2-3 clicks for equivalent competitor platforms - excessive friction discourages reporting undermining Article 16 effectiveness. (3) Article 20 internal complaint-handling deficiencies - Meta's content moderation appeal system violates Article 20 by 'not allowing users to effectively challenge content moderation decisions.' Appeals limited to multiple-choice rationales without free-text explanation field preventing users from providing relevant context (e.g., satire, artistic expression, newsworthy reporting, counter-speech); no evidence upload functionality preventing users from supporting appeals with contextual documentation; decisions rendered without human review for majority of appeals (automated template responses); timing delays averaging 14 days exceeding reasonable processing. Commission testing showed appeal reversal rate below 2% suggesting perfunctory rather than genuine reconsideration - violates Article 20 'diligent and objective' review requirement. Preliminary findings explained required remediation: (a) Researcher access enhancement - provide real-time data access (maximum 24-hour delay), expand content coverage to all public materials including Reels and Stories, streamline application processing with 30-day maximum review periods, provide detailed denial reasons with opportunity to cure deficiencies, eliminate overly intrusive methodology requirements, ensure CrowdTangle replacement maintains equivalent functionality; (b) Reporting simplification - reduce reporting to maximum 3 clicks, eliminate account requirements for initial reports, improve translations covering all EU languages, remove dark patterns steering away from reporting, add prominent reporting buttons on all content; (c) Appeal improvements - add free-text explanation fields, enable evidence uploads, guarantee human review for all appeals, reduce processing to 48-72 hours, increase reversal rates to reasonable levels reflecting genuine reconsideration, provide detailed reasoning for appeal denials. Meta response challenged preliminary findings arguing: CrowdTangle delay necessary to ensure data quality and privacy compliance; Researcher API application rigor prevents API abuse and protects user privacy; reporting processes balance accessibility against false report prevention; appeal limitations prevent gaming by bad actors. Commission rejected defenses finding privacy and abuse prevention arguments pretextual given less restrictive alternatives available. Final Article 73 decision expected Q1 2025 with potential fines approaching €10 billion (6% Meta's ~€165B annual revenue) for multiple violations affecting hundreds of millions EU users.
TikTok - Article 40 Researcher Access Non-Compliance: Commission preliminary findings October 24, 2024 identified TikTok's Article 40 researcher data access program violations mirroring Meta problems: (1) Application process barriers - TikTok requires researchers submit detailed proposals describing research questions, methodologies, expected findings before granting access - enables TikTok to selectively approve favorable research while denying unfavorable investigations. Application review periods exceed 180 days creating untenable delay for time-sensitive research (election studies, emerging misinformation). Approval criteria opaque with denials lacking specific reasoning preventing researchers from understanding requirements. (2) Data scope limitations - TikTok provides only aggregated statistics rather than granular content-level data necessary for systemic risk research. Researchers cannot access recommendation algorithm signals, content virality metrics, user engagement patterns, coordinated behavior indicators - precisely information necessary to evaluate Article 34 systemic risks and Article 35 mitigation effectiveness. Privacy justifications pretextual given public content already visible and appropriate anonymization could protect individual privacy while enabling research. (3) API restrictions - TikTok's Research API rate limits prevent comprehensive data collection limiting researchers to small samples inadequate for statistical significance. Terms of service prohibit certain research purposes (competitive analysis, algorithm reverse engineering) extending beyond legitimate operational security into censorship of unfavorable findings. (4) Non-disclosure requirements - TikTok imposes confidentiality obligations preventing researchers from publicly disclosing certain findings, methodology details, or TikTok communications - contradicts Article 40's transparency objectives enabling public accountability. Commission found TikTok's approach creates 'chilling effect' deterring researchers from applying and constraining approved research to superficial investigations unlikely to threaten TikTok's interests. Systematic access obstruction prevents independent verification that TikTok's Article 34 risk assessments identify actual platform risks (e.g., youth mental health, election manipulation through algorithm amplification, coordinated inauthentic behavior, extremism recruitment) and Article 35 mitigations effectively address risks. Preliminary findings required remediation: streamline application to 30-day maximum processing, provide granular content-level data enabling robust statistical analysis, expand API rate limits to research-adequate levels, eliminate non-disclosure requirements for research findings, broaden eligibility to include independent researchers not solely academics, commit to minimum approval rates (e.g., 75% of eligible applications) preventing systematic denial. TikTok response argued Chinese government restrictions on data exports prevent comprehensive researcher access to global TikTok data - raised complex international law and national security questions about whether third-country legal constraints excuse DSA non-compliance. Commission rejected argument noting TikTok could provide EU-specific data or anonymized global data without triggering Chinese export controls; TikTok's compliance obligations flow from providing services in EU market and cannot be excused by voluntary business model choices creating legal conflicts. Alternative solutions available including data localization, anonymization, restricted researcher facilities enabling access without exports. Final Article 73 decision expected Q1 2025 potentially resulting in €1-2 billion fine (6% TikTok's estimated €23B annual revenue).
AliExpress - Dark Patterns and Recommender Transparency Violations: Commission preliminary findings March 28, 2024 documented AliExpress violations of Article 25 dark patterns prohibition and Article 27 recommender system transparency: (1) Interface manipulation - Product pages employ countdown timers creating false urgency ('Sale ends in 2 hours!') when timers reset daily - misleads users into hasty purchasing decisions believing time-limited availability. Scarcity claims ('Only 3 left!') not reflecting actual inventory - AliExpress database access under Article 72 revealed inventory levels far exceeding displayed scarcity. Pre-checked optional service boxes (extended warranties, insurance) requiring users to actively deselect - reverses informed consent obtaining agreement through inaction. Confusopoly pricing displaying 'original price' substantially inflated above actual market value making 'discounts' appear larger than genuine savings - misleading price comparison. Commission found interface systematically designed to manipulate purchasing behavior rather than enabling informed user choice - violates Article 25. (2) Recommender opacity - Product recommendation feeds lack Article 27-required transparency about ranking logic. Generic explanations ('Recommended for you based on preferences') provide no meaningful information about what 'preferences' considered or how weighting determined. Users cannot understand why specific products recommended enabling algorithmic manipulation (e.g., prioritizing high-commission products, sponsored items, overstocked inventory) disguised as personalized recommendations. Alternative non-personalized view limited to 'Best sellers' without explanation of sales ranking methodology or geographic scope - inadequate Article 38 meaningful alternative. Commission algorithm access under Article 72 revealed recommender system heavily weighted commercial factors (AliExpress commission rates, seller promotional payments, inventory turnover) never disclosed to users - contradicts user understanding of 'personalized recommendations' suggesting preference alignment rather than commercial optimization. Preliminary findings required: (a) Dark pattern elimination - remove false urgency timers or limit to genuine time-limited inventory, verify scarcity claims reflect actual inventory levels with real-time synchronization, eliminate pre-checked optional service boxes requiring affirmative opt-in, display prices honestly without inflated 'original' reference prices; (b) Recommender transparency - disclose main ranking parameters with sufficient specificity enabling user understanding (e.g., 'Products ranked based on: 45% estimated preference match, 30% seller commission rate, 15% promotional payments, 10% inventory availability'), provide genuine non-personalized alternatives with transparent ranking (e.g., price low-to-high, customer ratings, sales volume), enable users to customize ranking weights expressing preferences. AliExpress response challenged findings arguing: urgency timers reflect promotional period expirations not product availability making countdown legitimate; scarcity displays based on promotional allotments not total inventory justifying low counts; pre-checked boxes reflect most popular user choices improving experience; price displays follow e-commerce industry standards; recommender explanations balance informativeness against trade secret protection and user comprehension limits. Commission rejected arguments finding consumer protection and transparency requirements override commercial convenience; users entitled to accurate information enabling informed decisions; industry practice of widespread dark patterns doesn't legitimize deceptive design; trade secrets cannot justify hiding commercial bias in supposedly personalized recommendations. Final Article 73 decision expected Q4 2024-Q1 2025 with moderate fines (~€500M-1B, 6% of estimated €16B revenue) given smaller user base than Meta/X but systematic intentional violations warranting significant deterrence.
Closure Decision - Investigation Terminated After Voluntary Remediation: Commission initiated Article 66 proceedings against medium-sized VLOP (fictional Platform Delta) investigating potential Article 38 recommender system transparency violations. Preliminary Article 72 monitoring revealed Platform Delta provided only generic 'Your personalized recommendations' label without meaningful explanation of ranking logic. Article 67 information requests obtained internal documents showing recommender system weighted: 40% predicted engagement (likes, shares, comments), 30% content recency, 20% creator-user connection strength, 10% content diversity. However, user-facing disclosures provided no substantive information about these parameters or their weighting. Commission prepared Article 73 paragraph 2 preliminary findings documenting inadequate Article 38 transparency. Before issuing preliminary findings, Platform Delta learned of impending enforcement action through industry channels and proactively implemented comprehensive remediation: (1) Enhanced main parameter disclosure - redesigned recommendation interface displaying 'Why recommended' explanations for each item specifying: 'Strong engagement signals from similar users (40% weight), Posted 3 hours ago (30% weight), You follow this creator (20% weight), Diverse content category (10% weight).' (2) User controls - added interface enabling users to adjust ranking weights through slider controls, view recommendations based solely on selected parameters (e.g., only recency, only creator connections), completely disable personalization viewing popularity-ranked content. (3) Transparency documentation - published detailed methodology documentation explaining algorithmic approach, training data, personalization signals, regularly updated quarterly as algorithm evolves. (4) User research - conducted surveys and interviews verifying users understand disclosures and find them helpful for interpreting and controlling recommendations. Platform Delta submitted remediation documentation to Commission with Article 67 information responses demonstrating implemented measures. Commission conducted Article 72 monitoring verification: ECAT tested recommender interface confirming disclosures accurate and user controls functional; user surveys showed 78% comprehension of ranking factors (above 60% adequacy threshold Commission applies); quarterly transparency reports demonstrated sustained disclosure maintenance. Commission concluded Platform Delta achieved full Article 38 compliance through voluntary remediation mooting non-compliance finding. Adopted Article 73 paragraph 5 closure decision explaining: preliminary evidence suggested potential violations but provider's proactive comprehensive remediation eliminated compliance concerns; continued investigation and formal non-compliance finding unnecessary given achieved compliance; voluntary remediation demonstrates good faith compliance commitment; closure decision immediate effect terminates investigation creating regulatory certainty. Closure decision included Commission positive assessment of Platform Delta's approach as model for industry best practices - created reputational benefit offsetting remediation costs and encouraged other platforms to proactively enhance transparency rather than await enforcement. However, closure decision explicitly reserved Commission's right to reopen investigation if Platform Delta degrades transparency features, discontinues user controls, or otherwise retreats from remediation - creates ongoing compliance incentive.