Podcast | Emerging Regulations in Tech: Understanding the Digital Services Act – with Kaitlin Kirkham-Cooper and Roxanne Miller
As of August 25, 2023, large technology companies providing hosting services, online platforms and search engines are required to put processes in place to be notified of illegal content and to act on notifications under the European Union’s Digital Services Act (DSA). Tech firms that do not meet a 45-million-user threshold have to comply with many of the DSA’s provisions beginning February 2024.
Those smaller companies, along with so-called very large online platforms (VLOPs) and very large online search engines (VLOSEs), face significant financial penalties for noncompliance, including fines of up to 6% of their global annual sales, and an outright ban for repeat offenders.
In this podcast, Protiviti Managing Director Kaitlin Kirkham-Cooper and Protiviti Associate Director Roxanne Miller share their insights on the different tiers of tech companies the requirements apply to and how complex requirements may cause challenges for some companies. Both Kaitlin and Roxanne are with the risk and compliance practice at Protiviti.
Contact Kaitlin here: https://www.protiviti.com/us-en/kaitlin-kirkham-cooper
Contact Roxanne here: https://www.protiviti.com/us-en/roxanne-miller
Protiviti presents Powerful Insights. This podcast features leaders and subject-matter experts from around the world offering insights on key issues facing organizations in our dynamic, challenging and competitive global business climate.
Kevin Donahue: A new and dramatic approach to regulating big technology firms has come into force across the European Union and likely is affecting organizations in many other jurisdictions as well. The Digital Services Act, which the European Council signed into law in September 2022, aims to protect the digital space against the spread of illegal content, particularly on social networks, content-sharing platforms and ecommerce sites.
But frankly, that quick rundown only scratches the surface for how this regulation is going to impact technology organizations around the world. This is Kevin Donahue, a senior director with Protiviti, welcoming you to a new edition of Powerful Insights. I recently sat down with Protiviti Managing Director Kaitlin Kirkham-Cooper and Protiviti Associate Director Roxanne Miller to talk about the ins and outs of this new regulation and, most importantly, how technology organizations need to go about setting up their compliance processes for it.
Both Kaitlin and Roxanne are with the Risk and Compliance practice of Protiviti. Kaitlin leads the risk and compliance technology sector within this group. She consults with large organizations in managing all types of regulatory and operational risk, with a focus on compliance programs. Roxanne works with technology and financial services organizations on compliance and operational risk management. She has experience in both the United States and the Asia-Pacific region with remediation and project management of complex regulatory issues, complex program build and scale, compliance risk assessment, issue management, and internal audit.
Kaitlin, thanks for joining me today.
Kaitlin Kirkham-Cooper: Hi, Kevin. Thanks for having me.
Kevin Donahue: Roxanne, it is great to speak with you. Thanks for joining us.
Roxanne Miller: Of course. Glad to be here.
Kevin Donahue: Roxanne, understanding the Digital Services Act is a fairly new requirement for technology companies, and it’s probably safe to say many of our listeners may not have heard about it. Given that, can you provide us with a bit of a 1,000-foot view of what this is and the companies to which it applies?
Roxanne Miller: The DSA is a piece of EU regulation, and it’s aimed at technology companies, specifically around understanding and moderating online content on their platforms. The DSA is applicable to any companies with users in the EU, and obligations within the DSA are applicable to different definitions and tiers of these companies.
The largest companies are known as very large online platforms (VLOPs) and very large online search engines (VLOSEs), and these are companies with 45 million users per month in the EU. The most stringent obligations in the regulation apply to these. But even if an online platform or online search engine doesn’t have 45 million users, there are still obligations that apply to it, as well as hosting service providers. These could be companies offering cloud computing and intermediary service providers, and this could be an internet access provider.
In terms of timeline, the very large online search engines and very large online platforms had to comply back in August 2023, and the rest of the companies have to comply by February 2024. They still have a few months before they have to comply, but that is coming up quickly.
Kevin Donahue: Roxanne, this emanated from or was passed by the European Union?
Roxanne Miller: It was passed by the European Commission, aimed at companies with users in the European Union.
Kevin Donahue: This is something that comes up with other regulations. Just because it’s out of Europe doesn’t mean it doesn’t affect companies all over the world, including the United States. In fact, it’s affecting most technology companies — certainly, those that meet the profile you just described.
Roxanne Miller: Exactly. If you are a company and you have a user in the European Union, this impacts you. It’s important to large global technology companies with users in the EU. It applies to pretty much all companies in the world, most likely, if they fit the definition. As long as they have users in the EU, it doesn’t matter that it’s from the European Commission.
Kaitlin Kirkham-Cooper: The GDPR set the precedent for how Europeans’ user data is managed and overseen. It’s very similar, where European users are being protected in a way. If you look at the VLOP and VLOSE list Roxanne just rattled off, a lot of the companies are some of the world’s largest organizations. It’s the Metas of the world. It’s the Amazons of the world. Pinterest is on there. Snap. It’s a lot of these large companies we all work with and use every day.
Kevin Donahue: Roxanne, you mentioned that there are different tiers of companies the requirements apply to, with the VLOPs needing to be in compliance by this past August 25. Can you talk about how we are seeing those solutions come to life? For instance, are there any outward or public things I as a consumer or other users may notice?
Roxanne Miller: Probably the biggest thing users will notice is versions of products without recommender systems. Meta is now giving EU users the option to view content without an algorithm — it’s not ranked by Meta using specific recommendations. Specifically, users will have the option to take a look at content on Instagram, and that content is going to be ranked in chronological order from newest to oldest — how it used to be. For users still choosing to use versions of those products with the recommender systems, they’ll probably notice more transparency around why they’re seeing certain content.
Some products may have already had this option, but users should be able to click a button that says something like “Why am I seeing this?” And then they can understand why certain content was pushed to them, whether it’s age, gender, location, who they followed or any other pieces of metadata.
Kevin Donahue: Roxanne, as a social media user, I’m wondering, how easy is it to find these settings? Are they required to put them up front, or does that matter?
Roxanne Miller: One thing this regulation will do is probably make these settings a lot easier to find. The regulation uses terms like “prominent location.” A big decision these companies will have to make is, where, exactly, do they put these types of settings? Most likely, they’re going to need to be in an area in their product where users can see them easily and they’re not going to be buried in some sort of setting. They should be prominent.
Kaitlin Kirkham-Cooper: One of the things we have found interesting, to piggyback off that, is, I know when we’ve talked to companies about the challenges of implementing these recommender-system solutions, for a lot of these big tech companies, big social media companies, their livelihood is their recommender system. It’s how they push content. It’s how they generate better, more relevant ads for their users, which is how they make their money.
Internally, while the recommender-system requirements aren’t that complex, like what Roxanne just said, they are making sure you’re disclosing how your recommender system works as well as making sure that there’s an option, particularly for the VLOPs and the VLOSEs — they have to provide a generic recommender system. What we’re seeing is, there’s this conflict internally between compliance and products teams: Compliance is saying we need to do what DSA is requiring of us, which is make sure that there’s a prominent option for having a generic solution. The product teams have combated that because they’re very proud of the recommender systems they’ve built, and on top of that, they think the recommender systems they’ve developed are giving the user the best experience.
Kevin Donahue: Kaitlin, what are some of the more complex requirements you see that are causing companies to struggle? Part of it is the tug-of-war between compliance and the product developers, but how are those companies thinking about solutioning through these challenges?
Kaitlin Kirkham-Cooper: Solving for the DSA is dependent on how well these large tech companies already have established what we would call core compliance program elements. For instance, companies that have had strong data mapping and database management, and have those things well-documented, have tended to mobilize much faster on implementing DSA controls. They had a base to work with.
We’re also seeing companies that have historically been subject to heavy litigation or enforcement from even American regulators — the DOJ and FTC have tended to have a leg up in building their programs. This is because these companies have had to build the muscle memory around making their controls auditable because they’ve been under enforcement and/or litigation. They also tend to have a stronger culture of compliance beyond just legal and compliance. They’ve also had a framework for how to document their controls, how to test those controls and how to resolve any issues stemming from that testing or review of controls. That said, those are the types of companies that have been better set up, at least initially, to implement DSA requirements.
We just talked about the recommender systems, which has been a major focus and probably has one of the biggest user impacts. Another interesting one is what’s listed in article 34 of the DSA, which is the requirements specific to the VLOPs and VLOSEs. It requires them to conduct a risk assessment. The concept of risk assessment isn’t a new thing. These companies had to first produce their risk assessment on August 25, but they’re not necessarily visible to us yet, so we can’t necessarily see what the output has been.
Different from risk assessments performed by these companies in the past — operational risk assessments or security and privacy risk assessments — the risk assessment outlined under the DSA contemplates big, systemic, undefined risks. For instance, it requires platforms to be able to measure how harmful their company may be regarding fundamental human rights, or how harmful their platform may be in promoting the spreading of gender-based violence or misinformation — systemic risks that have historically not been quantified. There’s a ton of subjectivity in how to measure the inherent risk of something that big, what data to use, how it actually applies.
Kevin Donahue: Kaitlin, you mentioned these requirements that apply to the VLOPs and the VLOSEs. If someone in our audience is not a VLOP or a VLOSE, but they work for a cloud service provider, maybe as a third-party or fourth-party vendor, or they’re providing another intermediary service, what should they be doing now?
Kaitlin Kirkham-Cooper: The VLOPs and VLOSEs are on an expedited timeline. They’re six months ahead of everyone else. We recommend staying on top of what those companies are doing. There’s a lot of public-facing and available information that competitors can use in trying to get information companies like Google are publicly putting out in terms of their DSA compliance and stance. The transparency reporting those companies produce is a good way to benchmark and measure how the VLOPs and VLOSEs are bringing into fruition those requirements.
Beyond that, there are a handful of steps we think are important and valuable: Try to figure out what articles actually apply to you as an organization. There are different tiers of companies subject to the regulation and, therefore, there are different requirements based on what type of company you are. And it’s not cut-and-dried in terms of how the articles apply to your firm. If you’re a compliance professional or a risk professional, work with your legal team to make sure you understand how the requirements apply to your organization.
Second, once you figure that out, the companies and organizations that do the best are the ones that assign ownership from a DSA perspective. Try to pinpoint and highlight that one person who’s going to own and drive DSA compliance, understanding that that person or role will likely require support from many functions within the organization. We wouldn’t suggest that DSA compliance is centralized in one person. But what we’ve seen as successful is that that person owns the compliance efforts and is able to put their arms into all the product and engineering, sales and marketing teams to make sure they have a view of what compliance looks like.
Finally, do a high-level gap analysis against those obligations that apply to you and try to figure out, what is your current state of compliance? What are the obligations that apply to you? What are the expected controls, and is your company doing anything today that could be considered a control activity against those obligations? This should produce a high-level understanding of where you have gaps in your program and what needs funding or remediation.
February 2024 is the compliance date for all companies that aren’t VLOPs or VLOSEs. We recommend that those remediation plans be developed and actioned through the lens of February 2024 being the end date.
Roxanne Miller: For any company that’s not a VLOP or a VLOSE, it’s important to understand your monthly average number of users. Should you hit the 45 million mark or go over it, that means you’re upgraded to be a VLOP or a VLOSE, which means more obligations apply to you. If you’re underneath that number, it’s important to have a methodology to understand what your number of users is per month. Track that and make sure that you understand, if you’re trending toward that, that you should give yourself a good runway to make sure that you’re compliant with those obligations before you’re over 45 million users.
Similarly, with the types of products or services you offer, if you’re a company that’s considered in a lower tier — not yet an online platform, like you’re an intermediary service provider — it’s important to understand that if you introduce a new product or service, does that mean you’re now in a different tier and more obligations apply to you?
Kevin Donahue: What I’m hearing as a layperson in this topic is, it sounds similar to the ESG compliance we’ve been talking a lot about this year, and even, in the United States, SOX compliance, where you may not need to comply today, but you had better know your roadmap, because you may have to comply soon, either as a company that hits that threshold or you’re working for another company that does need to comply with these requirements and it’s going to require you to comply with them as their partner.
Kaitlin Kirkham-Cooper: The SOX analogy is one we’ve thought about as well. Protiviti got our start in, and felt a lot of the benefit of, the Sarbanes-Oxley movement in the early 2000s, and we’re seeing similar trends by way of what you just said. What Roxanne and I are seeing is that those companies on the cusp are using their position as a non-VLOP in a strategic way. We know they want to grow — they have growth projections that assume a certain number of European users in the future. We’re seeing them look at what those requirements are and starting to prepare early so that next year, when they have to do a risk assessment — they don’t this year, but they will next year — they’re able to have more of a systemic approach to doing it. They’ve got all the right inputs. They can even leverage what they’re seeing their competitors do by attending industry forums and things like that to make sure they’ve got a leg up and are ready to go once those requirements apply to them.
Kevin Donahue: What happens if companies fail to comply with these requirements? What are the prescribed penalties? Beyond that, what are some other penalties they should be aware of?
Kaitlin Kirkham-Cooper: The European Commission came out hot in writing the fines for this one. The DSA itself imposes steep penalties for noncompliance. The maximum penalty for failure to comply is 6% of the provider’s global annual revenue. It’s a European regulation, but the penalty applies to global revenues. Putting that into context, Instagram made $50 billion last fiscal year, which, using the 6% application, would impose a fine of $3 billion if they were found for the maximum penalty.
The largest fine for tech platforms in Europe was $1.3 billion — it’s over double that. But there’s still ambiguity around how the enforcement regime is going to work. There’s something called digital services coordinators, which are appointed by European countries. It’s still unclear how, exactly, those coordinators will work. And similarly, the VLOPs and the VLOSEs have an obligation to be independently audited — again, similar to Sarbanes-Oxley: They have to bring in an independent audit firm to evaluate whether they are meeting the DSA obligations. But it’s unclear how much reliance is going to be placed on those independent audits by the digital services coordinators or the European Commission in general.
Kevin Donahue: Are you aware of any similar regulations or requirements being considered in the United States or other jurisdictions?
Kaitlin Kirkham-Cooper: There is more activity globally for content-moderation regulations than in the U.S. Interestingly enough, because the U.S. has this thing called freedom of speech, it’s been hard to get traction on anything around content moderation and regulation. There’s something called Section 230, which was passed in the early days of the internet and essentially provides protection over internet providers and a lot of these large tech companies. It basically limits their liability for what’s on their platform. I don’t see there being a ton of movement from a U.S. perspective in terms of there being a similar, DSA-type regulation given the noise around that regulation and the bipartisan disagreement in terms of that regulation. I don’t think we’re expecting there to be any movement from the U.S. specifically, but globally, there are definitely other countries that have similar content-moderation regulations coming down the pike.
Kevin Donahue: As we close out our discussion — and again, thank you both for joining me and sharing your insights here — any other, broader regulatory trends you see emerging or affecting the landscape in the near or long term?
Kaitlin Kirkham-Cooper: Hopefully, the conversation today points to how big the Digital Services Act is and how different it is from the existing regulation these tech companies are facing. It’s only one of several coming out of Europe. The Digital Markets Act is what we would call its sister regulation: They started off together, and then the commission decided to split the two since it was so massive. The Digital Markets Act is aimed at providing a more competitive and fairer marketplace. A lot of the obligations there are centered around antitrust and anticompetition, etc.
The Digital Operational Resiliency Act, or DORA, while primarily a financial services regulation, extends to critical information and communication technologies, or ICT, providers that essentially provide support to the financial services industry with an aim to ensure that there are operational resiliency activities and controls. A lot of the large cloud service providers like the AWSes of the world, DORA would apply to them.
I’m sure our listeners have heard of and are aware of the AI Act, another huge regulation coming out of Europe. It’ll start to regulate something that has never been regulated before and is quite fundamental to a lot of these tech companies’ livelihoods and products.
This isn’t a full, comprehensive list of the regulations coming down the pike. It’s obvious that tech companies are seeing a trend in regulation similar to the one financial services did for the past 30 or 40 years. And legal and compliance at these tech companies are already overwhelmed with these heightened standards and increased requirements that their organizations are going to have to adhere to, and it’s only going to get worse.
What we’ve seen is that managing these obligations one by one is death by a thousand cuts. The time and money required to implement these requirements can’t sustain the approach of trying to comply one by one. We recommend that tech companies start to build their compliance strategy and compliance programs so these incoming obligations are connected to a centralized risk taxonomy that will allow and enable leaders to strategically ensure that the right investments are being made to optimize compliance.
Kevin Donahue: Roxanne, any final thoughts from you on these insights, topics and such?
Roxanne Miller: The pace of regulation for the technology industry is quickening. It’s important for companies to start to build their compliance programs and figure out their strategies on how to comply with all these regulations now versus waiting to deal with them once they have to comply and it’s too late and a little harder to try to catch up.
Kevin Donahue: Kaitlin, you referenced the AI Act in the European Union and, of course, in the United States, there’s been an executive order issued around the use and development of artificial intelligence that, while not legally binding, certainly puts a regulatory lens on AI going forward, at least in the long term, that companies need to be mindful of.
Kaitlin Kirkham-Cooper: Absolutely.
Kevin Donahue: My thanks to Kaitlin and Roxanne for joining me to talk about the Digital Services Act and its impact on technology organizations. I have one takeaway from this discussion: This is going to be huge for technology organizations that are going to need to take the right approach, adopt the right discipline and adopt the right mindset in getting it done in the right way. This is going to be both a short- and a long-term challenge for them, and it’s going to affect a lot of organizations, not just those in the VLOP and VLOSE groups.
For more information, I encourage you to go to the Protiviti website and read our white paper “The Global Consequences of Europe’s New Digital Regulatory Regime.” You can also go to our Risk and Compliance page on the site and find more information about Protiviti’s solutions and services in this area, as well as other thought leadership we’re offering on these and related topics. And finally, I encourage you to please subscribe to our Powerful Insights podcast series and review us wherever you get your podcast content.