Preliminary findings from an investigation that began last year allege DSA non-compliance, with substantial penalties possible. The move is a wakeup call for organizations governed by the act.
The European Commission has released the preliminary findings from an investigation launched last year into X (formerly Twitter), and said it believes the company is in breach of the Digital Services Act (DSA), which applies to marketplaces, social networks, content-sharing platforms, app stores, and online travel and accommodation platforms.
Non-compliance in three areas
In a statement, the Commission said X was found non-compliant in three areas:
- The "verified account" mechanism is designed and implemented in a way that deceives users and does not correspond to industry practice. "Since anyone can subscribe to obtain such a 'verified' status, it negatively affects users' ability to make free and informed decisions about the authenticity of the accounts and the content they interact with," the Commission said, adding there is "evidence of motivated malicious actors abusing the 'verified account' to deceive users."
- X does not comply with requirements around transparency in advertising. "In particular, the design does not allow for the required supervision and research into emerging risks brought about by the distribution of advertising online," the Commission argued.
- X does not provide access to its public data to researchers, as specified by conditions in the DSA. Its terms of service prohibit researchers from independently accessing public data, and its process for granting researchers access via its application programming interfaces (APIs) "appears to dissuade researchers from carrying out their research projects or leave them with no other choice than to pay disproportionally high fees."
X now has the right to examine the commission's documentation and prepare a defense.
If the preliminary findings are confirmed, the company faces a non-compliance decision that could result in fines of up to 6% of its global annual revenue, an order to address the issues detailed in the decision, and the potential for a period of enhanced supervision. The commission can also impose periodic penalty payments.
The move could be seen as a warning shot to other companies.
"While the ruling may not have a direct impact on enterprise CIOs, it emphasizes learning from broader implications and the mistakes of others," said Phil Brunkard, executive counselor at Info-Tech Research Group, UK. "It sets a precedent for public trust in online marketplaces or social media, highlighting the importance of integrity and transparency in data privacy. Regulation is not just about ticking the compliance box - it's crucial for customer trust. CIOs must ensure strong governance to protect their brands and maintain customer trust, as trust is the foundation for successful organizations."
Investigations continue
Investigations continue into X's risk management around the dissemination of illegal content and the effectiveness of how it combats information manipulation.
To assist in its investigations, the Commission released a whistleblower tool that allows people to contact it anonymously with information contributing to compliance monitoring of X and other entities designated Very Large Online Platforms (VLOP) under the DSA.
X is not the only organization under scrutiny. The Commission has also initiated formal proceedings against TikTok, Meta (in separate proceedings launched in April and May 2024, respectively), and AliExpress.