Digital Services Act
- Current status: awaiting formal adoption by the Council of the EU, expected in September 2022, after which it will be published in the Official Journal.
The Digital Services Act (“DSA”) supplements the 2000 e-Commerce Directive and targets online intermediaries (such as online marketplaces, cloud companies, and large search engines). Some of the key provisions include:
- a ban on advertising to minors and using special categories of data;
- a ban on dark patterns;
- obligations on identifying and removing illegal content; and
- additional transparency requirements.
Obligations scale up depending on size and risk of the activities; very large online platforms will have additional reporting and audit requirements.
Certain DSA provisions, such as the prohibition of certain advertising and dark patterns and additional transparency requirements, mean that affected businesses will likely need to look to each of the GDPR, e-Privacy Regulation (once adopted) and the DSA to understand their obligations.
Digital Markets Act
- Current status: officially adopted and awaiting publication in the Official Journal.
While the DSA focuses on the relationship between services and their users, the Digital Markets Act (“DMA”) aims to govern competition between “gatekeeper” businesses (identified in terms of revenue and number of users, although smaller companies can be designated as such by the EU Commission) that provide core platform services (such as online search engines, social networking services, and virtual assistants). The regulation contains a series of “do’s” and “don’ts” designed to prevent certain business practices and to protect smaller businesses, such as:
- allowing interoperability with smaller platforms;
- allowing businesses access to data generated in use of the gatekeeper platform;
- prohibitions on self-preferencing; and
- limiting combination and cross-use of personal data and use of personal data for targeted advertising without consent.
Again, there is overlap with the GDPR, in particular with respect to the personal data processing provisions in the DMA, requiring those affected to look to multiple pieces of legislation to establish their obligations.
Data Governance Act
- Current status: published in the Official Journal on 3 June 2022 with rules to apply from September 2023.
The Data Governance Act (“DGA”) aims to encourage the sharing and re-use of data while respecting data privacy, confidentiality and intellectual property rights.
It covers three key areas:
- Access to data held by public sector bodies.
- Regulation of data intermediation services.
- Encouraging ‘data altruism’ – donating data for the common good (e.g. for scientific research).
While the regulation will primarily apply to public sector bodies, businesses should review whether their activities could fall within the DGA’s data intermediation services (and, if so, familiarise themselves with the required conditions, which are principally aimed at ensuring independence). The DGA recitals specifically mention data marketplaces and data pools, which may be particularly relevant in the ad-tech sector.
Data Act
- Current status: European Commission proposal published in February 2022 with Committee readings ongoing.
The Data Act proposes to regulate all personal and non-personal digital data and will be applicable to various parties including data holders, cloud services providers, manufacturers of connected devices (such as internet of things devices) and providers of related services.
Supporting the DGA, the Data Act also aims to increase data sharing and use of available data. The European Commission comments that while the DGA “creates the processes and structures to facilitate data sharing by companies, individuals and the public sector, the Data Act clarifies who can create value from data and under which conditions”. Some of the key provisions include:
- obligations of ‘access by design’ (i.e. designing connected products and related services to allow easy access by users) and associated rights of access as well as portability;
- additional transparency requirements;
- contractual protections for users; and
- a means for the public sector to access private sector data (the opposite, in some respects, of the DGA) but only for public interest purposes.
The sprawling remit of this regulation, which spans all sectors and covers both personal and non-personal data, could present challenges to those dealing with mixed data sets as they look to apply both GDPR rules and the requirements of the Data Act. Notably, the regulation also specifically excludes “gatekeepers” under the DMA from benefiting from data access rights.
NIS2
- Current status: political agreement reached, with the European Parliament expected to formally adopt in October 2022, followed by adoption by the Council of the EU, and finally publication in the Official Journal.
The European Commission has proposed a Directive on measures for a high common level of cybersecurity across the EU (known as “NIS2”, as it would repeal the prior “NIS” Directive) to try to address new challenges that have emerged and with a view to future-proofing as much as possible. As a Directive, EU member states will be required to transpose its requirements into their national law. The proposed Directive:
- expands scope by adding new sectors (such as telecoms, food, social-networking platforms) and the types of organisations that fall within them;
- imposes stricter cybersecurity requirements; and
- expands reporting requirements.
e-Privacy Regulation
- Current status: Trialogue discussions ongoing.
First slated to be implemented alongside the GDPR, the e-Privacy Regulation has been significantly delayed by difficult negotiations. A replacement for the 2002 e-Privacy Directive, the proposed regulation’s remit remains privacy in electronic communications, supplementing GDPR requirements with specific rules on cookies and electronic marketing. The e-Privacy Regulation seeks to expand the scope of rules to encompass electronic communications and directory providers, including personal assistant digital services and other emerging tools.
Trialogue discussions remain ongoing, with clashes over data retention, exemptions for national security and child pornography, and the use of legitimate interests as a legal basis for the processing of data.
* The authors would like to thank trainees Jennifer Hutchings and Anita Hodea for their contributions to this OnPoint.