The digital services act and vulnerability: How vulnerability is defined by digital regulations in the EU

Any discussion on legislation relating to digital services and data management is incomplete without an understanding of vulnerability, and vulnerable individuals. It appears to have been the case that a new vernacular is taking hold to define vulnerability within laws, one that is often governed by power imbalances between service providers and users in question. Previously, our understanding of vulnerability was informed by philosophy, wherein vulnerability was defined along the lines of an enlarged sense of self and selfinterest. Vulnerability has now come to embody a variety of different definitions, informed by multiple disciplines such as ethics, sociology, law, and politics to name a few.

Technologies, today, are being adopted at an unprecedented rate. This unguarded proliferation presents tremendous opportunities for the growth and development of humanity on the one hand, but on the other, mar to human rights, and the general understanding of the rule of law. The General Data Protection Regulation (GDPR) astutely recognised the need to protect individuals against the changing modalities of human interactions. However, it faced some difficulty in choosing a definition for vulnerability that would be equally applicable to all individuals in society. Although, through the course of its existence, courts and other interpreters of the law have adopted what is known as “vulnerability- aware interpretation” for its application.

With the aforementioned issues in mind, the key aim of this article is to highlight the lacuna in the safety net afforded by the adopted approach to defining vulnerabilities by legislation collectively concerning protections for users and their fundamental rights, to then assess areas for improvement. The article aims to ultimately identify the most appropriate vernacular for digital regulations such as the GDPR, and the Digital Services Act (DSA), to enhance the levels of protection offered in relation to vulnerability in users. The article will do so by first exploring the different theories for describing vulnerable groups that have been put forward by scholars from a variety of disciplines. The article will then situate vulnerable groups in the context of digital regulation by discussing how the GDPR, and EU Law, in general, have defined vulnerability. The article will then analyse whether a similar interpretation can be applied when discussing the DSA to identify vulnerable groups and the extent of the protections that will be offered to the same.