The European Commission designates SHEIN as a VLOP under the DSA

Reading Time: 4 minutes


Valeria Quadranti | Data Protection Advisor

Date: 28 May 2024

On 26 April 2024, the European Commission designated SHEIN as a very large online platform under the Digital Services Act (DSA). 

In the words of the Commission, a VLOP must comply with stringent rules of the DSA ‘that tackle the particular risks such services may pose to Europeans and society when it comes to illegal content, and their impact on fundamental rights, public security, and wellbeing’ 

This article outlines the requirements under the DSA to be designated as very large online platforms (VLOP) and very large online search engines (VLOSEs), along with an overview of the specific rules the designated providers have to comply with.  

Designation as VLOPs/VLOSEs under the DSA

As already presented in one of our previous posts, the DSA came into force on 17 February 2024 with the Digital Markets Act (DMA), forming a single set of rules to be applied across the whole of the EU to create a safer digital space where the fundamental rights of all users of digital services are protected. 

All online platforms (i.e., online marketplaces) have to comply with the general obligations under the DSA aimed at reinforcing transparency, interoperability and accountability.  

The DSA includes specific rules for services designated by the Commission as VLOPs and VLOSEs. These are platforms/services with over 45 million users in the EU, based on the information published by these providers for each online platform or online search engine in application of Article 24(2) DSA. In fact, by 17 February 2023 and at least once every six months thereafter, providers ‘shall publish, in a publicly available section of their online interface, information on the average monthly active recipients of the service in the Union’ calculated on the basis outlined by Article 24(2) DSA.  

In particular, pursuant to Recital 77 DSA, the number of average monthly active recipients of an online platform should reflect all the recipients actually engaging with the service at least once in a given period of time, by:  

  • being exposed to information disseminated on the online interface of the online platform, such as viewing it or listening to it; or by 
  • providing information, such as traders on an online platforms allowing consumers to conclude distance contracts with traders. 

Designation of SHEIN as VLOP and consequent obligations

Born as a fashion online retailer, SHEIN rapidly turned into a far broader marketplace, covering a growing range of lifestyle and further categories such as supplies for pets, home accessories etc., as a result of the launch of its SHEIN Marketplace in August 2023. 

On 5 February 2024, the Singapore-headquartered marketplace published its average monthly active recipients in Europe including a calculated estimation of 108 million monthly active users in EU Member States from 01 August 2023 to 31 January 2024. The Commission has subsequently formally designated SHEIN as a VLOP, thus joining tech companies such as Amazon Store, Meta, TikTok and YouTube.  

Following such designation, SHEIN has now to comply with most stringent rules under the DSA with the aim to ensure content moderation, user privacy and safety, as summarised below. 

Systemic risks assessment and implementation of mitigation measures (Articles 34-35 DSA). SHEIN is now required to identify, analyse and assess systemic risks stemming from the design or functioning of its service and its related systems – including algorithmic systems – or from the use made of their services.  

Risk assessment reports must be provided to the Commission within four months after the notification to the provider, and at least once every year thereafter. 

Once the risks are identified and reported to the Commission for oversight, the VLOP should then implement reasonable, proportionate and effective mitigation measures, tailored to the specific systemic risks identified.  

The obligations on assessment and mitigation of risks should trigger, on a case-by-case basis, the need for providers of such platforms to assess and, where necessary, adjust the design of their recommender systems, for example by taking measures: 

  • To reinforce internal processes, resources, testing, documentation, and supervision of any of the activities linked to the detection of systemic risks; 
  • To prevent the sale of counterfeit or illegal goods or other types of content which could pose harms to consumers’ safety and well-being, with an emphasis on the physical and mental well-being of underage users; 
  • To prevent or minimise biases that lead to the discrimination of persons in vulnerable situations, in particular where such adjustment is related to data protection law and when the information is personalised on the basis of special categories of personal data referred to in Article 9 GDPR; 
  • To ensure that recipients of their service enjoy alternative options which are not based on profiling, within the meaning of GDPR, for the main parameters of their recommender systems.  

Reinforcement of transparency and accountability. Further rules set out by the DSA to be followed by a VLOP aim to attain a high level of consumer protection, such as:  

  • Under the Commission’s requirement, activation of a Crisis Response Mechanism when a crisis occurs (Article 36 DSA); 
  • Ensuring external and independent audits of risk assessments and compliance with the DSA (Article 37 DSA); 
  • Publishing repositories of all ads (Article 39 DSA); 
  • Giving Digital Services Coordinator of establishment or the Commission access to publicly available data (Article 40 DSA); 
  • Establishing a compliance function (Article 41 DSA). 
  • Complying with transparency requirements, including the publication of transparency reports on content moderation decisions (Article 42 DSA).

So far, the Commission has designated 23 VLOPs and VLOSEs under the DSA. This number will certainly increase, as new and innovative business models and services are increasingly allowing business users and consumers to impart and access information and engage in transactions in novel ways. The stringent rules to be applied by VLOPs/VLOSEs aim to further protect individual recipients of the service from new risks and challenges.  

In this regard, the Commission plays a key role in carefully monitoring the application of the DSA rules and obligations by the platform in cooperation with the Digital Services Coordinators.  

The main challenge to the providers is to identify these new risks and clarify the suitable measures to prevent them and this process is even more complex considering that such operations shall be assessed against a broader regulatory landscape, including the GDPR and ePrivacy Directive requirements. Based on what is set out in Article 35(3) DSA, the Commission, in cooperation with Digital Services Coordinators, may issue guidelines with best practices and recommended measures to mitigate systemic risks, having due regard to the possible consequences of the measures on fundamental rights. As an example, the Guidelines for providers of VLOPs and VLOSEs on the mitigation of systemic risks for electoral processes were formally adopted by the Commission on 26 April 2024. 

Trilateral have longstanding expertise in data protection and cyber risk advisory services (DCS). Our Team offers support as well as compliance management solutions with an adaptable approach to digital service providers, among others. This includes our recently announced end-to-end compliance tool STRIAD:AI Assurance. If you would like to find out more, please get in touch. 

Related posts

Let's discuss your career