DSA tracker #3

Developments in enforcing the Digital Services Act

Jul 17, 2025

More than a year has passed since the DSA came into force, so there is more and more news about the implementation and enforcement of the DSA and more resources are available regarding the application of this Regulation. In this newsletter, I summarize the most important events and news related to the application of the DSA.

Regulatory & enforcement actions

The European Commission has taken two major steps in its investigation concerning the compliance of AliExpress with the Digital Services Act. First, the Commission has accepted and made binding a series of commitments offered by AliExpress to settle a number of concerns, such as the platform's transparency on advertising and recommender systems. Second, following its in-depth investigation, the Commission preliminarily found AliExpress in breach of its obligation to assess and mitigate risks related to the dissemination of illegal products under the DSA.
- What does this mean? “The Commission has accepted and made binding a series of wide-ranging commitments that address concerns raised by the Commission in related to: (i) The platform's systems to monitor and detect illegal products, such as medicines, food supplements, and adult material, spread also through hidden links and affiliate programmes, and which could affect users' health and minors' well-being; (ii) The platform's notice and action mechanism to flag illegal products; (iii) The internal complaint handling system; (iv) The transparency of AliExpress' advertising and recommender systems, including the ads repository and options to personalise recommender systems; (v) The traceability of traders on AliExpress' services; (vi) Access to public data for researchers.”
  “Following its in-depth investigation, the Commission preliminarily found AliExpress in breach of its obligation to assess and mitigate risks related to the dissemination of illegal products under the DSA. In particular, preliminary findings show: (i) In its risk assessment, AliExpress does not take into account the limited resources devoted to its moderation systems to avoid the dissemination of illegal products, thereby underestimating such risk. (ii) AliExpress fails to appropriately enforce its penalty policy concerning traders that repeatedly post illegal content. (iii) AliExpress' pro-active content moderation systems show systemic failures, making the systems less effective and allowing manipulation by malicious traders.”
- What is the background to this? “On 14 March 2024, the Commission opened formal proceedings to assess whether AliExpress may have breached the Digital Services Act in areas linked to the management and mitigation of risks, to content moderation and the internal complaint handling mechanism, the transparency of advertising and recommender systems, the traceability of traders and data access for researchers.”
- What are the next steps? “The preliminary findings sent today by the Commission are without prejudice to the final outcome of the investigation, as AliExpress now has the possibility to exercise its rights of defence by examining the documents in the Commission's investigation file and by replying in writing to the Commission's preliminary findings. If the Commission's preliminary view were to be ultimately confirmed, the Commission would adopt a non-compliance decision finding that AliExpress does not comply with articles 34 and 35 of the DSA, and impose a fine. In addition, such a non-compliance decision would oblige the provider of AliExpress to submit an action plan to remedy the infringement within a specified timeframe, to be approved by the Commission upon opinion of the Board of Digital Services Coordinators.”
The Berlin Commissioner for Data Protection and Freedom of Information has notified Google and Apple in Germany of the AI app DeepSeek as illegal content under Art. 16 of the Digital Services Act.
- What does this mean? Apple and Google “must now review the notice promptly and decide whether to block the app in Germany. The reason for this is the unlawful transfer of personal data from users of the app to China.”
- What is the background to this? “Hangzhou DeepSeek Artificial Intelligence Co., Ltd. violates Article 46(1) of the GDPR with its DeepSeek service. The Berlin Data Protection Commissioner had therefore requested the company on 6 May 2025 to remove its apps from the app stores for Germany on its own initiative, to stop the illegal transfer of personal data to China, or to fulfil the legal requirements for lawful third country transfers. As the company has not complied, the Berlin Data Protection Commissioner has made use of the right under Article 16 of the Digital Services Act (DSA) to report illegal content on platforms to the respective providers.”
- What are the next steps? “A corresponding notice was sent on 27 June 2025 to Apple Distribution International Ltd. as the operator of the Apple App Store and Google Ireland Ltd. as the operator of the Google Play Store. The two companies must now review the notice in a timely manner and decide on how to respond.”
Share
Poland formally requested the EU to investigate Grok AI chatbot under the DSA.
- What does this mean? “The Polish deputy prime minister has written to Tech Commissioner Henna Virkkunen asking the EU to launch an investigation into Grok, the AI chatbot integrated into Elon Musk's social media platform X, under the Digital Services Act (DSA).”
The European Commission adopted a delegated act on data access under the Digital Services Act.
- What is the background to this? “…. the Commission published a delegated act outlining rules granting access to data for qualified researchers under the Digital Services Act (DSA). This delegated act enables access to the internal data of very large online platforms (VLOPs) and search engines (VLOSEs) to research the systemic risks and on the mitigation measures in the European Union.
  The delegated act on data access clarifies the procedures for VLOPs and VLOSEs to share data with vetted researchers, including data formats and requirements for data documentation. Moreover, the delegated act sets out which information Digital Services Coordinators (DSCs), VLOPs and VLOSEs must make public to facilitate vetted researchers' applications to access relevant datasets.
  With the adoption of the delegated act, the Commission will launch the DSA data access portal where researchers interested in accessing data under the new mechanism can find information and exchange with VLOPs, VLOSEs and DSCs on their data access applications.
  Before accessing internal data, researchers must be vetted by a DSC. […]”

Thanks for reading Datalawgy! This post is public so feel free to share it.

Guidelines, opinions, reports & more

The European Commission published its guidelines on the protection of minors under the Digital Services Act.
- What is the background to this? “The guidelines will apply to all online platforms accessible to minors, with the exception of micro and small enterprises. Key recommendations include the following:
  - Setting minors' accounts to private by default.
  - Modifying the platforms’ recommender systems to lower the risk of children encountering harmful content or getting stuck in rabbit holes of specific content.
  - Empowering children to be able to block and mute any user and ensuring they can't be added to groups without their explicit consent.
  - Prohibiting accounts from downloading or taking screenshots of content posted by minors.
  - Disabling by default features that contribute to excessive use.
  - Ensuring that children’s lack of commercial literacy is not exploited.
  - Introducing measures to improve moderation and reporting tools.
  “The guidelines also recommend the use of effective age assurance methods provided that they are accurate, reliable, robust, non-intrusive, and non-discriminatory. In particular, the guidelines recommend age verification methods to restrict access to adult content such as pornography and gambling, or when national rules set a minimum age to access certain services such as defined categories of online social media services. […]
  The Commission will use these guidelines to assess compliance with Article 28(1) of the DSA. They will serve as a reference point for checking if online platforms that allow minors to use them meet the necessary standards and may inform national regulators in their enforcement actions. However, following these guidelines is voluntary and does not automatically guarantee compliance.”
The European Data Protection Board (EDPB) commented on the draft guidelines on protection of minors online under the Digital Services Act. (Regarding the publication of the final version of the guidelines, see the link above.)
- What is the background to this? “On 13 May 2025, the European Commission launched a Public Consultation concerning the guidelines on protection of minors online under the Digital Services Act (‘DSA’). The guidelines aim to support platforms accessible by minors in ensuring a high level of privacy, safety, and security for children, as required by DSA. The Commission invited the European Data Protection Board (‘EDPB’) to provide feedback to the public consultation. […] the present contribution constitutes solely a preliminary assessment and is without prejudice to future guidance issued by the EDPB on the application of the GDPR. […]”
The DSA Observatory published an analysis by Daniel Holznagel on “Shortcomings of the first DSA Audits — and how to do better”.
- What is the background to this? “At the end of 2024, the first audit reports under the Digital Services Act were published. Most were produced by Big Four accounting firms, and were, in many ways, not very ambitious. This post collects impressions from digesting most (not all) of these reports — focusing on five structural shortcomings that severely limit their usefulness: from illegitimate audit gaps to auditors’ apparent reluctance to interpret the law or meaningfully assess systemic risks (especially around recommender systems). The post also highlights a few useful disclosures — including platform-defined compliance benchmarks — and outlines where auditors, regulators, and civil society should push for improvements in future rounds.”