We have reviewed the confidentiality and non-disclosure obligations throughout the DSA both in recitals and in specific Articles to find an answer or source for the statement that ‘enforcement measures against individual companies are subject to confidentiality requirements’. Our view, based on this review, is that this statement is a misinterpretation, and there is no basis in the DSA that the enforcement action against Service Providers could be ‘confidential’ and not public.
The main Article that refers to confidentiality obligations is Article 40 on Data access and Scrutiny. Specifically, Article 40(2), (5), (8) and (13) all refer to confidentiality obligations. Other Articles that refer to confidentiality obligations are Article 47 on Transparency of reporting requirements, Article 55 Activity reports, Article 79(4) on the Right to be heard and access to the file, and Article 80(2) on Publication of documents.
We’ve reviewed all of the Articles and Recitals in the DSA referencing confidentiality/non-disclosure but none unambiguously support the statement that ‘enforcement measures against individual companies are subject to confidentiality requirements’.
- The possible sections in the DSA that are relevant with reference to confidentiality and potentially the source of this statement are Article 40 and Article 79. However neither of these Articles can be interpreted to mean that enforcement measures against Service Providers are confidential, only that certain information gathered in the course of monitoring Service Providers or investigating Service Providers is subject to confidentiality obligations.
- There is no suggestion in any part of the DSA that enforcement action against Service Providers is not to be made public. On the contrary, there are explicit obligations on publication of enforcement decisions.
- The other provision that might be relevant is in relation to enforcement against illegal content, there is a specific mention in Recital 34 of investigations by law enforcement and ‘confidentiality requests by law enforcement authorities related to the non- disclosure of information’. This non-disclosure is in the context of investigation and enforcement against illegal content. This is not about enforcement action against the Service Provider, but this may be the source of the misunderstanding.
We’ve set out more in detail on each of the relevant DSA articles and recitals below.
1. Obligations on Data access and confidentiality (Article 40 and Recital 97)
Service Providers of large online platforms and search engines (the Service Providers) have an obligation to provide information to the Digital Services Coordinator of establishment (DSC), or the European Commission following a request for data ‘necessary to monitor and assess compliance with this Regulation’ in Article 40(1). The DSC and the Commission are under a duty in using this data to respect the rights and interests of the Service Providers including ‘the protection of confidential information including trade secrets’ Article 40(2).
There is also a provision in Article 40 for the DSC to request that Service Providers provide access to vetted researchers to data to assess ‘detection, identification and understanding’ of systemic risk. Service Providers can ask for the request to be amended where they consider that they are not able to give access to data for reasons that include ‘the protection of confidential information’ (Article 40(5) (b).
Institute’s analysis on the Assessment of these Article 40 obligations
Neither of the data access requests in Article 40 are about enforcement actions as such, but they are about monitoring compliance by the Service Providers with the DSA. Therefore, it would be a bit of a stretch to call these ‘enforcement measures’.
There are confidentiality requirements related to these data access requests. However, the confidentiality obligation does not mean that these data requests are confidential. The confidentiality relates to the content of the responses, and whether it contains confidential information and how this should be dealt with by the Commission, the DSC or the researchers to respect the rights and interests of Service Providers.
Therefore, this does not seem a good basis for the claim that ‘enforcement measures are subject to confidentiality requirements’ unless this has been misquoted or misunderstood by the Commission.
2. Procedural rights in enforcement actions (Article 79, Recital 116, Recital 146)
The Chapter in the DSA on enforcement does not provide that an enforcement action should be confidential, but it does mention confidentiality in relation to procedural rights in investigations.
In Recital 116 it provides that ‘A prior, fair and impartial procedure should be guaranteed before taking any final decision, including the right to be heard of the persons concerned, and the right to have access to the file, while respecting confidentiality and professional and business secrecy, as well as the obligation to give meaningful reasons for the decisions.’
Recital 146 ‘The Service Provider of the very large online platform or of the very large online search engine concerned and other persons subject to the exercise of the Commission’s powers whose interests may be affected by a decision should be given the opportunity of submitting their observations beforehand, and the decisions taken should be widely publicised. While ensuring the rights of defence of the parties concerned, in particular, the right of access to the file, it is essential that confidential information be protected. Furthermore, while respecting the confidentiality of the information, the Commission should ensure that any information relied on for the purpose of its decision is disclosed to an extent that allows the addressee of the decision to understand the facts and considerations that led up to the decision.’
Investigations against Service Providers to enforce the DSA are covered by Article 65 on ‘Enforcement of obligations of Service Providers of very large online platforms and of very large online search engines’ which provides how and when the Commission can exercise its investigatory powers and Article 66 on ‘Initiation of proceedings by the Commission and cooperation in investigation’. Neither article contains any provisions about confidentiality.
Confidentiality is referred to in enforcement in relation to Article 79 (4) on ‘Right to be heard and access to the file’. This article concerns the rights of defence and the confidentiality in respect of information provided of the various parties involved in the investigation, the Service Provider, third parties and the Commission and DSC and other competent authorities in the Member States. This gives a limited right of confidentiality for certain information.
The rights of defence of the parties concerned shall be fully respected in the proceedings. They shall be entitled to have access to the Commission’s file under the terms of a negotiated disclosure, subject to the legitimate interest of the Service Provider of the very large online platform or of the very large online search engine or other person concerned in the protection of their business secrets. The Commission shall have the power to adopt decisions setting out such terms of disclosure in case of disagreement between the parties. The right of access to the file of the Commission shall not extend to confidential information and internal documents of the Commission, the Board, Digital Service Coordinators, other competent authorities or other public authorities of the Member States. In particular, the right of access shall not extend to correspondence between the Commission and those authorities. Nothing in this paragraph shall prevent the Commission from disclosing and using information necessary to prove an infringement.’
Institute’s analysis on the Assessment of this confidentiality obligation
There is a right to maintain confidentiality as part of the procedural rights in investigation and this could explain statement that ‘enforcement measures against individual companies are subject to confidentiality requirements’. However it does not mean that enforcement actions by public authorities against Service Providers are confidential. On the contrary the decisions are required to be public. Instead, the confidential obligation requires that certain documents in the file, and the right of access to the documents in the file, are subject to requirements on confidentiality, including maintaining business secrets.
3. Orders to act against illegal content
The only reference to confidentiality in enforcement is in relation to national authorities’ enforcement against illegal content under applicable national criminal procedural law and Union law.
Recital 34 makes reference to ‘‘The conditions and requirements laid down in this Regulation which apply to orders to act against illegal content are without prejudice to other Union acts providing for similar systems for acting against specific types of illegal content. Those conditions and requirements should be without prejudice to retention and preservation rules under applicable national law, in compliance with Union law and confidentiality requests by law enforcement authorities related to the non- disclosure of information. Those conditions and requirements should not affect the possibility for Member States to require a Service Provider of intermediary services to prevent an infringement, in compliance with Union law including this Regulation, and in particular with the prohibition of general monitoring obligations. ‘
Institute’s analysis on the Assessment of this obligation
This Recital indicates that certain enforcement actions against individual companies are confidential. However, this is limited in scope to investigation against illegal content, rather than to have a confidential investigation of the Service Provider’s compliance with the DSA.
4. Other provisions in the DSA referencing confidentiality
The other provisions on confidentiality and non-disclosure do not relate to not revealing that a Service Provider is being investigated. The other provisions on confidentiality and non-disclosure are about auditing, reports, publications. There is nothing suggesting that any investigation of a Service Provider is confidential.
Conclusion of the Institute
The Institute is concerned about this position, because if the commission already invokes a necessary confidentiality when it is only a question of deciding which platforms are VLOPs, what will happen when it applies the provisions of the DSA to them.
Président de l’iDFrights
Secrétaire Générale de l’iDFrights