Gen-AI risk management under Digital Services Act scrutiny

Facebook, Instagram, Snapchat, TikTok, YouTube, and X, which are designated as ‘very large online platforms’ (VLOPs) under the DSA, and Bing and Google Search, which have been classed as ‘very large online search engines’ (VLOSEs) under the DSA, have been given until 5 April 2024 to answer questions that the European Commission has posed in respect of gen-AI that relate to the protection of elections. The services have until 26 April 2024 to respond to the other questions the Commission has posed.

The Commission said it is seeking information on the “mitigation measures” each of the services have in place “for risks linked to generative AI, such as so-called ‘hallucinations' where AI provides false information, the viral dissemination of deepfakes, as well as the automated manipulation of services that can mislead voters”.

It added that it is also “requesting information and internal documents on the risk assessments and mitigation measures linked to the impact of generative AI on electoral processes, dissemination of illegal content, protection of fundamental rights, gender-based violence, protection of minors, mental well-being, protection of personal data, consumer protection and intellectual property”. The Commission said the questions “relate to both the dissemination and the creation of generative AI content.”

“Clearly, the Commission is reliant on the service providers disclosing information the Commission cannot access otherwise,” said Nils Rauer of Pinsent Masons. “The law principally provides for such right of inquiry, however, the type, scope and level of detail of information to be provided to the Commission are determined by and limited to the legitimate purpose of the inquiry as defined in the DSA.”

“VLOPs and VLOSEs were already under extra scrutiny from regulators even before the introduction of the DSA, due to the public profile of the companies and the global reach of the platforms,” said Gijs van Mansfeld of Pinsent Masons. “However, the DSA has transformed this reactive scrutiny into proactive legal obligations for online platforms to combat systemic risks and provide information to disclose such efforts.”

“Interestingly, on 8 February 2024, the European Commission published draft guidelines for consultation on mitigation of systemic risks relating to the election process,” said van Mansfeld. “In this draft guidance, the Commission also hints at some general measures to mitigate risks associated with gen-AI, for the first time. Such mitigation measures include: implementation, and increased enforcement of, a stricter regime towards use of gen-AI; provision of easy access to labelling, or otherwise distinguishing AI generated audiovisual content, and; promotion of “media literacy” among users to help to increase understanding and awareness of gen-AI.”

In a separate exercise of its information gathering powers under the DSA, the Commission has asked LinkedIn – another VLOP under the regulation – to provide more details on how its service “complies with the prohibition of presenting advertisements based on profiling using special categories of personal data”.

The Commission emphasised that its exercise of information gathering powers in the two cases “is an investigatory act that does not prejudge potential further steps [it] may or may not decide to take”. Businesses can face fines if the information they provide to the Commission in response to information requests is  incorrect, incomplete, or misleading.

The Commission has separately announced the opening of a formal investigation, under the DSA, into another VLOP, AliExpress. The action follows a Commission assessment of information the service disclosed in its risk assessment report, its transparency report, and in response to formal requests for information sent by the Commission.

The Commission concluded that it wants “to assess whether AliExpress may have breached the Digital Services Act (DSA) in areas linked to the management and mitigation of risks, to content moderation and the internal complaint handling mechanism, to the transparency of advertising and recommender systems, to the traceability of traders and to data access for researchers”.

The rules applicable to VLOPs and VLOSEs under the DSA began to apply from 25 August 2023, with a much wider range of online intermediaries also falling subject to regulation under the DSA as of 17 February 2024.