Mozilla Mornings: DSA’s provisions on third-party auditing

On 11 May, EACA participated in the webinar “Mozilla Mornings on the DSA: Setting the standard for third-party platform auditing” organised by Mozilla. Dr Ben Wagner, Assistant Professor at the TU Delft, presented his report “Auditing Big Tech: Combating Disinformation with Reliable Transparency“. This report was drafted during 2020 before the European Digital Services Act (DSA) was published. Now that the DSA was released in December 2020, it was interesting to hear Dr Wagner’s opinion.

Dr Wagner described the DSA as “an innovative piece of legislation that he believes will contribute greatly to combating misinformation and strengthening the European liability regime for online platforms”.  However, there are still many aspects in the DSA that can be further improved. There are significant challenges regarding the independence and impartiality of regulators within the DSA and how the European Commission and the EU Member States jointly govern platforms through the DSA.

Article 28 of the DSA proposes an independent audit mechanism that should be conducted by large online platforms, at least on an annual basis. According to Dr Wagner, transparency data provided by online platforms should be audited, before being published or given to third parties, so that it can be considered ‘verified data’.

This ties in with Article 31 of the DSA, which provides access to data on online platforms for ‘verified researchers’. It raises the need for data provided by online platforms to be checked before they are used by external researchers, regulators, or the public.

Finally, Article 28 of the DSA does not specify whether public or private sector organisation undertakes the independent review. According to Dr Wagner, an independent public sector body should be created for the sole purpose of monitoring confidential information provided by platforms. Such an institution could be established in the context of the DSA but should be a separate legal entity to ensure its independence. This institution would be responsible for collecting and verifying the data, producing verified data, and making it available only to authorities with the legal competence to use it, to a legally specified extent for a lawfully specified purpose. On the one hand, the collection and verification of data (responsibility of independent control intermediaries) and their use for regulatory objectives, on the other hand (obligation of regulators), would be separate processes. This model would further strengthen the institutions’ independence and ensure the security of the data in question.