Auditing platforms under the DSA: SNV's consultation response on a draft delegated act
Published by
European Commission
June 02, 2023
According to the EU’s Digital Services Act (DSA), very large online platforms and search engines will have to abide by a host of new transparency and accountability rules. Independent auditors are supposed to check companies' compliance with the rules, in addition to regulatory oversight. The European Commission will spell out the details regarding these independent audits in a "delegated act" and has invited feedback on a first draft. SNV experts Anna-Katharina Meßmer, Martin Degeling and Julian Jaursch respond to the Commission's consultation request.
The summary of the key points can be found below (and also at the beginning of the document submitted to the Commission).
SNV is grateful for the opportunity to provide feedback on the Commission’s draft delegated act on independent audits in the Digital Services Act (DSA). We applaud the Commission for its early work on this draft, which shows a willingness to focus strongly on audits for very large online platforms (VLOPs) and very large search engines (VLOSEs), a novel and key aspect of the DSA. At the same time, we would like to express our disappointment regarding the timing of the consultation. It overlapped with the call for evidence on data access under the DSA, targeting similar expert communities with limited resources to respond in-depth to both consultations.
At SNV, we have closely followed platforms and platform regulation, contributing analyses and ideas on risk assessments, data access and oversight structures. We deem it highly important that such due diligence and governance questions are tied together by a sensible, transparent and independent audit mechanism.
Despite our years-long work in the field of platform research, the draft delegated act did remain unclear to us in certain areas. Technical language cannot and should not be avoided in a delegated act, yet it often seemed as if terminology and concepts from disciplines not related to platform oversight were transferred to this draft. While such transfer can be beneficial, our overall feedback is to ensure that the delegated act is tailored to auditing the risks specifically related to online platforms and search engines.
The following additional points summarize some of our major comments on the draft:
The draft delegated act could offer some more clarity on how platforms are supposed to judge auditors’ independence.
For risk assessments and their audits, it will be important to include a wide range of information and evidence to check corporate compliance. We recommend making this more explicit in the delegated act. Specifically, “state-of-the-art evidence of risks” should include all types of research, not just studies from “vetted researchers”.
To facilitate comparative analyses of audits, the systemic risks under scrutiny should be described in a standardized way. Based on our intensive analysis of the DSA’s risk assessment provisions, we suggest using risk scenarios for this. We are critical of benchmarks and metrics to assess the probability and severity of risks. The problematization of numerical metrics should be reflected in the delegated act.
Independent auditors should at least be encouraged, if not required, to consult with a diverse group of stakeholders such as civil society organizations, representatives of recipients and affected groups of the services and independent experts.
Having templates for the audit reports and audit implementation is a strength of the draft delegated act. The templates could be improved by requiring:
- A reference to previous audit results
- A description of the service and relevant features at the time of the audit
- Further details as to which organizations performed what tasks, if the audit is done by multiple organizations
Author
Dr. Julian Jaursch
Lead Platform Regulation