In November 2022, the European Union adopted the Digital Services Act (DSA), intended as a “gold standard” for content and platform governance in the EU. Since then, the European Commission and EU Member States have been working relentlessly to build an effective enforcement mechanism. The essential benchmark in this process is the recent designation of 17 tech companies as Very Large Online Platforms (VLOPs) and another two as Very Large Online Search Engines (VLOSEs), based on their size and number of users. Under the DSA, the companies in question will have specific obligations and face heightened scrutiny.
To arrive at this point, the European Commission asked all online platforms and search engines operating in the EU to declare their average number of monthly active users, before the deadline of 17 February 2023. This was to help the Commission decide which online platforms met the required threshold to qualify as a VLOP, defined by the DSA as having an average of 45 million monthly users.
But did all companies disclose their user numbers accurately? We’ve compared the figures that each company declared to the Commission with the figures included in their marketing materials or financial reports. And the numbers don’t add up. In fact, it looks like several companies have deflated their numbers in order to avoid the additional scrutiny and obligations that come with being a VLOP.
What is a “VLOP” and why does it matter?
For the DSA to effectively protect freedom of expression and access to information while combatting illegal online content, it is critical that the right companies are designated as VLOPs and VLOSEs. The DSA’s main power lies in its ability to tame Big Tech by regulating their systems and processes, such as their content recommender systems or content moderation algorithms.
The DSA has the scope to regulate a large number of online players, from infrastructure services and hosting service providers, to social media apps and online marketplaces. Each player has specific obligations, determined by their main technical functionalities, their size, and overall number of average monthly users in the EU. Given their potential impact on human rights and the societal risks their systems and processes can create, VLOPs have the most extensive and advanced obligations.
Why has it been hard to size up the companies?
Only the companies themselves know exactly how many users they have in the EU. This means that, as of today, the European Commission is depending on them to disclose accurate figures. So far, the Commission hasn’t provided any guidelines or methodologies on how the companies were expected to count their users. As a result we’ve already seen disparities and a lack of transparency in the designation process.
Some companies did not disclose their actual numbers, only indicating if they thought they fell under the threshold of the DSA or not, and few of them published their methodologies. The European Commission must learn from this experience and provide clear instructions for future designations, to ensure that all VLOPs operating in the EU are captured in the DSA’s scope.
It doesn’t help that counting users isn’t necessarily straightforward. The Commission is asking for the number of monthly active users, which is linked to technical functionality of a platform regulated by the DSA; usually related to storing and disseminating their own content. This might be the main purpose of the platform, such as social media, or it may be embodied in a platform’s wider service; as is the case, for instance, with Google Maps. The primary functionality of this tool is navigation, but users can also post reviews of nearby hotels, restaurants, or attractions. This additional functionality, embedded in Google Maps’ overall services, involves storing and disseminating user-generated content to the public – bringing Google Maps into the scope of the DSA.
If a platform can distinguish its DSA-regulated technical functionality from the rest of its service, it can choose to disclose the number of active users for that functionality only. However, while it may give platforms additional oversight of who is using what parts of their service, they can also use this to lower their numbers – we’ve already seen pornographic content websites, for instance, use it to deflate the actual size of their services in order to escape regulation and public scrutiny.
Who isn’t on the VLOP list?
Before the Commission released their official designations, Access Now conducted our own mapping of VLOPs and VLOSEs, and we correctly identified 18 of the 19 designated VLOPs. But we also identified several additional frontrunners that, according to our analysis, may also qualify as VLOPs and would warrant further attention:
- Discord declared its total number of monthly average users to be “well below 45 million”. But according to our estimates, Discord has around 33 million users in France and Germany, which would surely bring the EU-wide total close to or above 45 million.
- In a one line statement to the Commission, Pornhub claimed to have 33 million monthly average users. Considering that in March 2023 alone, global website visits reached 2.5 billion, this seems unlikely.
- Telegram reported over 38 million monthly average users. However, our own calculations show that in 2021, Telegram already had at least 135 million users in the EU.
- Vinted disclosed over 37 million monthly average users but we found that in 2021, it had already reached the threshold of 45 million users required for VLOP status.
You can see our complete mapping of the user numbers for VLOPs and VLOSEs here.
The final deadline for the designation of VLOPs and VLOSEs in the EU is 17 May – barely two weeks away. Given the lack of transparency and inconsistent methodologies seen in the first round of designation, we urge the European Commission to provide clear guidelines and to follow up with the companies we’ve listed above regarding the numbers they’ve disclosed so far, to determine their accuracy.
Getting this list right isn’t just a tick-box exercise. It is a foundational step in ensuring the long-term success and effectiveness of the DSA as a vital tool to protect people online.