Feedback to the European Commission on DSA Delegated Regulation – conducting independent audits.
Summary
In addition to Article 37 of the Digital Services Act (DSA), the Delegated Regulation (DR) sets out procedures, methodologies and templates for third-party auditing of Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs). The DR builds upon established sector-specific risk management frameworks to provide procedural guidance for AI audits. However, the regulation lacks provisions to disclose the normative methodological choices that underlie AI systems (e.g., recommender systems), which is crucial for evaluating associated risks in a meaningful way (as mandated by DSA Article 34). To illustrate this limitation, we elaborate on methodological crossroads that determine the performance of recommender systems and their downstream risks. We make concrete suggestions on how the definition of ‘inherent risk’ (Article 2), the audit methodologies of risk assessments (Section IV) and the audit report template (Annex I) set out by the DR should be amended to incorporate the normative dimension of AI auditing in a meaningful way. Only if both the technical and normative dimensions of AI systems are thoroughly examined will risks assessed under the DSA empower the European Union and its citizens to determine what public values should be safeguarded in the digital world.