X fined €120m for breaches of EU Digital Services Act – including ‘deceptive’ blue ticks

The European Commission has issued its first fine under the Digital Services Act (“DSA”), to X for breaches of transparency obligations under the Act. The breaches relate to X’s use of “deceptive” blue checkmarks, its failure to meet transparency requirements in relation to its advertising repository, and its failure to provide researchers with sufficient access to data. Other potential breaches of the DSA by X are still being investigated by the Commission.  

This announcement comes almost 17 months after the Commission announced its preliminary finding that X was in breach of these obligations (see our blog here), and almost two years after the Commission announced that it had formally launched this investigation into X (see our blog here).

The imposition of the fine contrasts with the Commission’s separate decision not to fine TikTok, and to instead close its investigation into TikTok’s ad library because the company agreed to change the design of its service to ensure compliance. 

How has X breached the DSA?

The Commission found that X had breached the DSA in the following ways: 

• Blue checkmarks violate obligation to prohibit deceptive designs: 
  The Commission found that X’s practice of allowing users to pay for a blue checkmark on their account deceives other users by suggesting that accounts are verified when those accounts have not been meaningfully verified by X. This practice amounts to a breach of the DSA’s requirement on online platforms to prohibit deceptive design practices on their services. The Commission has acknowledged that the DSA does not require platforms to carry out user verification but concluded that it does prohibit online platforms from falsely claiming that users have been verified. It concluded that X’s “deception exposes users to scams, including impersonation frauds, as well as other forms of manipulation by malicious actors”.
   
• Ad repository fails to meet transparency and accessibility requirements:
  The DSA requires platforms to maintain an accessible and searchable repository of the ads running on their services, so that these can be used by researchers and civil society to detect scams, hybrid threat campaigns, coordinated information operations and fake advertisements. The Commission found that X incorporates design features and access barriers, such as excessive delays in processing, which undermine the purpose of ad repositories. X's ad repository was also found to lack critical information, such as the content and topic of the advertisement, and the legal entity paying for it. The Commission warned that this hinders researchers and the public’s ability to independently scrutinise any potential risks in online advertising.
   
• Failure to provide researchers with required access to public data:
  The Commission also concluded that X is failing to comply with its obligations to provide researchers with access to the platform's public data - for example, by including in its terms of service a prohibition on eligible researchers independently accessing its public data, including through scraping. The Commission concluded that this is undermining research into “several systemic risks” in the EU.

What’s next?

This first fine marks a significant milestone in DSA enforcement, particularly in light of sustained criticism of the EU regime from the US, with a US House Judiciary Committee Report in July defining the DSA as a ‘foreign censorship threat’. Unsurprisingly, backlash against the DSA regime has continued following the fine against X, with Elon Musk, the owner of X, calling for the EU to be abolished, and statements from several US Government officials framing the fine as an attack on US tech companies. 

The coming weeks will therefore be a further litmus test for the DSA regime. X must now take measures to bring the platform into compliance. The company has 60 working days to inform the Commission of the measures it intends to take regarding its blue checkmarks, and 90 working days to submit an action plan on how it will remedy the advertising repository and data access-related infringements. Failure to comply with the non-compliance decision may lead to periodic penalty payments.

Online safety enforcement is also ramping up in the UK, with Ofcom recently issuing its largest fine to date for breaches of the UK’s Online Safety Act (broadly equivalent to the DSA). The £1 million fine, announced on 4 December, was levied against adult website operator AVS Group for failing to have robust age checks in place.