Understanding This Article

Article 84 establishes comprehensive professional secrecy obligations binding all persons involved in Digital Services Act enforcement, preventing unauthorized disclosure of sensitive information acquired during investigations, regulatory proceedings, and inter-agency cooperation. This provision serves critical functions in the DSA enforcement framework: enabling Commission and Digital Services Coordinators to collect detailed information necessary for effective enforcement by providing credible confidentiality assurances to platforms and third parties; protecting commercially sensitive business information, trade secrets, and strategic plans from disclosure to competitors or the public; preserving investigative effectiveness by preventing premature disclosure of enforcement strategies, preliminary findings, and evidence-gathering activities; facilitating candid inter-agency cooperation and information exchange among Commission, Board, and Member State authorities; and balancing transparency (public has legitimate interest in enforcement activities) with confidentiality (certain information must remain protected to enable effective regulation and respect fundamental rights).

Persons Bound by Professional Secrecy Obligations: Article 84 imposes non-disclosure obligations on an expansive category of persons involved in DSA enforcement, ensuring comprehensive protection regardless of institutional affiliation or role: (1) Commission—All European Commission personnel involved in DSA enforcement including: officials in DG CONNECT (Directorate-General for Communications Networks, Content and Technology) with primary DSA responsibility; attorneys in Legal Service providing legal advice on enforcement actions; economists and data analysts supporting investigations; administrative staff handling enforcement files and correspondence; Commissioners and cabinet members overseeing enforcement strategy; officials in other Directorates-General providing expertise (competition law, consumer protection, fundamental rights analysis). Professional secrecy binds Commission personnel during their tenure and continues after leaving Commission employment—former officials cannot disclose confidential DSA information acquired during their service. (2) European Board for Digital Services—Board members (Digital Services Coordinators' heads or high-level representatives from each Member State); Board secretariat staff supporting Board operations; experts and working groups appointed by Board to analyze specific issues; observers attending Board meetings (European Data Protection Board representatives, civil society observers). Board members and staff acquire substantial confidential information through: Commission briefings on ongoing investigations; Digital Services Coordinator reports on national enforcement actions; cross-border cooperation case materials; deliberations on regulatory guidance and recommendations. Article 84 prevents Board members from disclosing this information to unauthorized persons, even within their own national administrations, beyond what is necessary for their DSA functions.

(3) Member States' Competent Authorities—Digital Services Coordinators and other competent authorities in all 27 Member States; officials, servants, and other persons working under their supervision; personnel in national ministries, regulatory agencies, and judicial authorities involved in DSA implementation; employees of Digital Services Coordinators' offices handling investigations, monitoring, and cross-border cooperation. Particular importance: DSCs frequently exchange sensitive information via Article 85 AGORA information sharing system (investigation files, enforcement strategies, preliminary findings, platform confidential submissions). Article 84 ensures DSC personnel in one Member State cannot disclose information shared by DSC personnel in another Member State, enabling trust and candor in cross-border cooperation. (4) Auditors and Experts Appointed Under Article 72(2)—Independent auditors appointed by Commission to conduct Article 37 audit verifications and Article 72 monitoring actions; technical experts appointed to assist investigations (algorithmic system specialists, content moderation experts, data scientists, economists); accounting and financial experts assessing platform financial condition for penalty calculations. These external appointees gain extensive access to platforms' most sensitive information: proprietary algorithm source code and specifications; user databases and content moderation logs; business strategies and financial projections; trade secrets and competitive intelligence. Article 84 binds auditors and experts to same professional secrecy obligations as Commission officials, preventing disclosure to other clients, professional colleagues, or the public. Auditors and experts typically must sign separate confidentiality agreements with Commission as condition of appointment, with contractual penalties for breaches supplementing Article 84 obligations.

(5) "Any Other Natural or Legal Person Involved"—This catch-all category ensures comprehensive coverage of all persons who may acquire confidential DSA information: contractors providing services to Commission, Board, or DSCs (IT providers managing AGORA system, document management services, translation services); interpreters at confidential hearings; security personnel with access to investigation files; temporary staff and interns; legal counsel representing Commission or DSCs; witnesses interviewed during investigations who acquire confidential information about investigation subjects or strategies. Broad language prevents circumvention of professional secrecy through delegation to external parties.

Information Covered by Professional Secrecy Obligations: Article 84 protects "information acquired or exchanged pursuant to this Regulation and of the kind covered by the obligation of professional secrecy." This two-part test determines which information is protected: Acquired or Exchanged Pursuant to DSA—Information must have nexus to DSA enforcement activities. Covers: information platforms provide in response to Article 67 information requests; documents examined or seized during Article 69 inspections; evidence gathered through Article 68 interviews; third-party submissions (competitor complaints, user reports, civil society analyses); audit reports and monitoring action findings from Article 72 auditors/experts; inter-agency communications via Article 85 AGORA; Commission internal deliberative materials (draft decisions, legal analyses, enforcement strategy discussions); hearing submissions and oral statements under Article 79. Does not cover: information in public domain (published transparency reports, public statements); information authorities acquired through sources independent of DSA proceedings; information platforms voluntarily disclose publicly. "Of the Kind Covered by Obligation of Professional Secrecy"—Not all information acquired during DSA enforcement triggers professional secrecy. Only information meeting traditional professional secrecy criteria receives protection: (a) Business Secrets and Commercially Sensitive Information—Trade secrets (algorithm specifications, source code, proprietary technical innovations); confidential commercial information (business strategies, market analyses, customer data, supplier contracts); financial information (profit margins, cost structures, investment plans); competitive intelligence (planned product launches, pricing strategies, expansion plans). Disclosure could provide competitors with valuable intelligence causing economic harm. (b) Personal Data—Information identifying specific individuals (user names, contact information, behavioral data); employee personal information acquired during investigations; third-party submitter identities when confidentiality requested. Subject to additional GDPR protections. (c) Investigative Materials—Commission's enforcement strategies and investigation plans; preliminary findings and draft decisions not yet finalized; evidence assessment and credibility determinations; legal analyses of enforcement options. Premature disclosure could compromise investigation effectiveness or unfairly prejudice platforms before final decisions. (d) Third-Party Confidential Submissions—Competitor complaints identifying complainant business strategies or market positions; user reports containing personal experiences or identifying information; civil society analyses revealing organizational strategies or funding sources. Third parties more willing to provide information if confidentiality assured.

"Without Prejudice to Exchange and Use of Information"—Authorized Information Sharing: Article 84's opening clause "without prejudice to the exchange and to the use of information referred to in this Chapter" creates critical exception: professional secrecy does not prohibit information sharing and use authorized by the DSA. This preserves: (1) Commission-DSC Information Exchange—Article 56(4) requires Digital Services Coordinators to provide Commission with information upon request for VLOP/VLOSE supervision. Article 62(1) requires cross-border DSC cooperation including information exchange. Article 84 does not prohibit these authorized exchanges. (2) AGORA Information Sharing System—Article 85 requires Commission, DSCs, and Board to use AGORA for communications. Information shared via AGORA for legitimate DSA purposes is authorized exchange not prohibited by Article 84. (3) Commission Information Requests—Article 67 empowers Commission to request information from platforms, DSCs, and third parties. Providing requested information to Commission is authorized exchange. (4) Public Enforcement Decisions—Article 73 non-compliance decisions, Article 74 penalty decisions, and Article 76 periodic penalty decisions are public documents published by Commission. Publication of final enforcement decisions is authorized use not prohibited by Article 84, balancing confidentiality during investigation with transparency regarding outcomes. However, even public decisions must protect certain confidential information (trade secrets, personal data) through redaction. (5) Use of Information in Enforcement Proceedings—Commission may use confidential information acquired during investigations as evidence in Article 73 decisions and subsequent judicial proceedings, subject to Article 79 confidentiality protections for provider's defense rights. (6) Cooperation with Other EU Authorities—Commission may share DSA-related information with European Data Protection Board, national competition authorities, consumer protection agencies, and other regulators when cooperation serves complementary regulatory objectives (e.g., sharing information about platform's data protection practices with relevant data protection authority). Such sharing must be limited to what is necessary for the receiving authority's legitimate functions.

Prohibition on Unauthorized Disclosure: Subject to authorized exchanges and uses, Article 84 absolutely prohibits disclosure of professionally secret information to unauthorized persons. Prohibited disclosures include: (1) Public Disclosure—Commission officials cannot disclose confidential investigation materials to media, academics, civil society organizations, or general public, even if disclosure might serve public interest in transparency or accountability. Exception: final enforcement decisions may be published with appropriate confidentiality redactions. (2) Disclosure to Other Authorities—Commission cannot share platform confidential information with national authorities, international organizations, or non-EU regulators unless specific legal basis authorizes such sharing. (3) Competitive Intelligence—Officials with access to multiple platforms' confidential information cannot selectively disclose one platform's information to competitors or use information to benefit particular market actors. (4) Personal Use—Officials cannot use confidential information acquired through DSA enforcement for personal benefit (e.g., investment decisions based on non-public platform financial information, assistance to private litigation using non-public evidence). (5) Casual Disclosure—Officials cannot disclose confidential information in social settings, professional conferences, or academic publications even if recipients are trusted colleagues or information is anonymized if anonymization is insufficient to prevent identification.

Enforcement of Professional Secrecy Obligations and Sanctions for Breaches: Article 84 creates legal obligation whose enforcement occurs through multiple mechanisms: (1) Administrative Sanctions—Breach of professional secrecy by Commission officials may result in disciplinary proceedings under EU Staff Regulations, with sanctions ranging from written reprimand to dismissal depending on severity. Breach by external auditors/experts may result in contract termination, exclusion from future appointments, and contractual penalties. (2) Criminal Sanctions—Many Member States criminalize breach of professional secrecy by public officials. Unauthorized disclosure of confidential information may constitute criminal offense under national law, with penalties including fines and imprisonment. Commission may refer breaches to national prosecutors. (3) Civil Liability—Platforms or third parties harmed by unauthorized disclosure may bring civil claims seeking damages for economic harm (e.g., disclosure of trade secrets to competitors causing market share loss), reputational harm, or other injuries. (4) Institutional Consequences—Significant breaches may trigger institutional reforms (enhanced information security protocols, restricted access to confidential materials, increased training) and political accountability (Parliamentary inquiries, Commissioners' explanations). (5) Platform Legal Challenges—If Commission breaches professional secrecy, platforms may challenge enforcement decisions arguing procedural violations. Courts may annul decisions or reduce penalties if breaches materially affected proceedings.