EU Data and Digital Drive: an Overview of Forthcoming Legislation
This OnPoint summarises and draws together the proposals forming part of the EU’s strategies for data, digital and artificial intelligence. This is the first in a series of Dechert OnPoints that will cover these proposals in more detail.
First announced in 2020, the EU’s overarching digital strategy (now known as Europe’s Digital Decade) consists of various initiatives, including legislative proposals under strategies for data, AI, and cybersecurity, as well as the digital services package. The digital strategy recognises that digital technologies have made and continue to make significant changes to people’s lives and seeks to foster digital innovation and commerciality while also safeguarding individuals’ fundamental rights.
Following its pioneering General Data Protection Regulation (“GDPR”), which now forms the basis for data protection laws in many other jurisdictions around the world, the EU is seeking to take a leading and assertive position on other aspects of data and the digital economy. The European Commission states that “Europe must now strengthen its digital sovereignty and set standards, rather than following those of others”.1
The suite of proposed legislation will complicate the regulatory landscape for businesses operating in various online and offline sectors. For example, different supervisory authorities, with overlapping oversight in some areas, are planned. As each will have separate powers to impose meaningful fines, a key challenge will be how well these bodies function together to provide workable and cohesive oversight. Throughout all the proposals, a particular focus on Big Tech is evident, with many of the draft proposals imposing obligations which scale up based on market reach.
Much remains uncertain about many of legislative proposals, and a staggered implementation timeline means that their effectiveness will remain unknown until at least the latter half of the decade. Online service providers with a significant number of users or providing critical services in the EU should pay particular attention to the themes emerging from the strategy such as data sharing, interoperability and greater encouragement of competition.
Summary of key legislation
Digital Services Act
- Current status: awaiting formal adoption by the Council of the EU, expected in September 2022, after which it will be published in the Official Journal.
The Digital Services Act (“DSA”) supplements the 2000 e-Commerce Directive and targets online intermediaries (such as online marketplaces, cloud companies, and large search engines). Some of the key provisions include:
- a ban on advertising to minors and using special categories of data;
- a ban on dark patterns;
- obligations on identifying and removing illegal content; and
- additional transparency requirements.
Obligations scale up depending on size and risk of the activities; very large online platforms will have additional reporting and audit requirements.
Certain DSA provisions, such as the prohibition of certain advertising and dark patterns and additional transparency requirements, mean that affected businesses will likely need to look to each of the GDPR, e-Privacy Regulation (once adopted) and the DSA to understand their obligations.
Digital Markets Act
- Current status: officially adopted and awaiting publication in the Official Journal.
While the DSA focuses on the relationship between services and their users, the Digital Markets Act (“DMA”) aims to govern competition between “gatekeeper” businesses (identified in terms of revenue and number of users, although smaller companies can be designated as such by the EU Commission) that provide core platform services (such as online search engines, social networking services, and virtual assistants). The regulation contains a series of “do’s” and “don’ts” designed to prevent certain business practices and to protect smaller businesses, such as:
- allowing interoperability with smaller platforms;
- allowing businesses access to data generated in use of the gatekeeper platform;
- prohibitions on self-preferencing; and
- limiting combination and cross-use of personal data and use of personal data for targeted advertising without consent.
Again, there is overlap with the GDPR, in particular with respect to the personal data processing provisions in the DMA, requiring those affected to look to multiple pieces of legislation to establish their obligations.
Data Governance Act
- Current status: published in the Official Journal on 3 June 2022 with rules to apply from September 2023.
The Data Governance Act (“DGA”) aims to encourage the sharing and re-use of data while respecting data privacy, confidentiality and intellectual property rights.
It covers key three areas:
- Access to data held by public sector bodies.
- Regulation of data intermediation services.
- Encouraging ‘data altruism’ – donating data for the common good (e.g. for scientific research).
While the regulation will primarily apply to public sector bodies, businesses should review whether their activities could fall within the DGA’s data intermediation services (and, if so, familiarise themselves with the required conditions which are principally driven at ensuring independence). The DGA recitals specifically mention data marketplaces and data pools, which may be particularly relevant in the ad-tech sector.
- Current status: European Commission proposal published in February 2022 with Committee readings ongoing.
The Data Act proposes to regulate all personal and non-personal digital data and will be applicable to various parties including data holders, cloud services providers, manufacturers of connected devices (such as internet of things devices) and providers of related services.
Supporting the DGA, the Data Act also aims to increase data sharing and use of available data. The European Commission comments that while the DGA “creates the processes and structures to facilitate data sharing by companies, individuals and the public sector, the Data Act clarifies who can create value from data and under which conditions”.2 Some of the key provisions include:
- obligations of ‘access by design’ (i.e. designing connected products and related services to allow easy access by users) and associated rights of access as well as portability;
- additional transparency requirements;
- contractual protections for users; and
- a means for the public sector to access private sector data (the opposite, in some respects, of the DGA) but only for public interest purposes.
The sprawling remit of this regulation, which spans all sectors and covers both personal and non-personal data, could present challenges to those dealing with mixed data sets as they look to apply both GDPR rules and the requirements of the Data Act. The regulation also notably specifically excludes “gatekeepers” under the DMA from being able to benefit from data access rights.
- Current status: political agreement reached, with the European Parliament expected to formally adopt in October 2022, followed by adoption by the Council of the EU, and finally publication in the Official Journal.
The European Commission has proposed a Directive on measures for a high common level of cybersecurity across the EU (known as “NIS2”, as it would repeal the prior “NIS” Directive) to try to address new challenges that have emerged and with a view to future-proofing as much as possible. As a Directive, EU member states will be required to transpose its requirements into their national law. The proposed Directive:
- expands scope by adding new sectors (such as telecoms, food, social-networking platforms) and the types of organisations that fall within them;
- imposes stricter cybersecurity requirements; and
- expands reporting requirements.
- Current status: Trialogue discussions ongoing.
First slated to be implemented alongside the GDPR, the e-Privacy Regulation has been significantly delayed by difficult negotiations. A replacement for the 2002 e-Privacy Directive, the proposed regulation’s remit remains privacy in electronic communications, supplementing GDPR requirements with specific rules on cookies and electronic marketing. The e-Privacy Regulation seeks to expand the scope of rules to encompass electronic communications and directory providers, including personal assistant digital services and other emerging tools.
Trialogue discussions remain ongoing, with clashes over data retention, exemptions for national security and child pornography, and the use of legitimate interests as a legal basis for the processing of data.
- Current status: European Commission proposal published in April 2021 with Committee readings ongoing.
We have covered the proposed AI Regulation in more detail in our previous OnPoints.
* The authors would like to thank trainees Jennifer Hutchings and Anita Hodea for their contributions to this OnPoint.