In today’s digital economy, the ability to access and use data effectively is critical for economies to grow and drive innovation. Global data production is expected to increase by 530% between 2018 and 2025. In response to this opportunity, the European Commission (“EC”) outlined the European Data Strategy in 2020, one of its main objectives being to create a single common data market based on a harmonised framework for data exchange. This framework encompasses new layers of legislations to govern data that originate and flow freely within the EU and to do so for the benefit of individuals, businesses, researchers, and public administrations.
This wave of proposed EU laws are anticipated to come into effect before the end of 2023 or soon after, so it is timely to provide an overview of how these key layers of data-centric legislation will usher in stricter regulatory guardrails for data, including a brief overview of the legislation’s objective(s), the stage of each one’s legislative process, and any important considerations to note to aid preparation for when these laws become operative in the near future.
Legislation | Objective | Stage of legislation | Key takeaways |
The Data Governance Act | The objective of the Data Governance Act (DGA) is to create a mechanism which promotes trust and safety in data sharing, to enable data from all member states to be used to benefit the wider economy. The focus of the Act is data innovation and altruism, to enable both individuals and businesses to share their data for wider benefit which then translates organically to data-driven innovation. The DGA proposes to achieve this goal through 4 key mechanisms: – Facilitation of the reuse of public sector data that can’t be used as open data (e.g., reuse of health data); – Ensuring data intermediaries function as efficient organisers of data sharing within the EU; – Facilitating individuals and businesses to make their data available for societal benefit; and – Facilitating data sharing across sectors and borders, enabling the right data to be found for the right purpose. | In force: 23 June 2022 Applicable: 24 September 2023 | – A new European authority ‘the European Data Innovation Board’ will be created to facilitate sharing of best practices among member states. – The DGA introduces a new data altruism process which allows organisations that want to gather data for general interest objectives to register as a “data altruism organisation recognised in the Union”. An organisation that seeks to obtain such a title and register with the relevant register must meet a number of requirements. – The DGA also seeks to introduce and regulate ‘Data Intermediation Services’. These service providers will be subject various criteria for verification, monitoring by supervisory authorities and sanctions in the event of breach. – The Act covers both personal and non-personal data, however, the primary regulation for the handling of personal data will remain under the purview of the GDPR. |
The Data Act | The objective of the Data Act is to remove the current barriers to accessing data in both the public and private sector. It will provide businesses and individuals with more control over their own data, empowering them to be able to make informed decisions about what can be done with the data that is generated about them. The Act proposes to achieve this through implementing the following measures: – Increasing legal certainty for consumers and companies who generate data on how this data can be used and who can use it; – Preventing power imbalances which impede on fair data sharing; – Enabling public sector bodies to access and use data for specific public interest purposes; and – Setting framework conditions for consumers to switch between data processing services. | In force: (projected) Mid 2024 Applicable: TBC | – A political agreement was reached on the Act on 28 June, but is now subject to formal approval. We had extensively covered the key points of the Act and what it means for businesses, you can find this here. |
The Digital Services Act | The objective of the Digital Services Act (DSA) is to bring together legislation on the provision of intermediary services in the EU. It covers intermediary services, hosting services and online platforms (with further restrictions on very large online platforms and very large online search engines). The overarching goals of the DSA are to: – Provide higher levels of protection to consumers and their fundamental rights online; – Ensure transparency and accountability for online platforms; and Augment innovation, growth and positive competition within the EU single market. | In force: 16 November 2022 Applicable: 17 February 2024 | – The Act sets out a regulatory framework under which rules will be imposed on how online platforms moderate their content, advertise, and use algorithms. – Each member state must appoint a Digital Services Coordinator to monitor and enforce compliance with the DSA. – The DSA introduced extensive requirements on intermediaries as well as new user rights, encompassing intermediary liability, illegal content, protection of minors, limits on targeted advertising etc. You can find more on the content of the DSA from our extensive insight publication here. |
The Digital Markets Act | The DMA legislates for large digital players, which it calls “gatekeepers” and, given their great economic power, seeks to prevent them from engaging in unfair practices, thereby complementing competition law. To be designated as a data ‘gatekeeper’, a company must meet the following criteria: – Strong economic position with a significant impact on the internal market and across several EU countries; – Strong intermediary position, linking a large user base to a large number of businesses; and – Entrenched and durable position in the market, being stable for the last 3 financial years. | In force: 1 November 2022 Applicable: 2 May 2023 | – Imposes strict requirements on an information society service provider to be considered as a “gatekeeper” and thus to be covered by the DMA; – Data collection will have tighter restrictions. – The Act will likely become a reference point for anti-trust cases. You can find more on the content of the DMA from our extensive insight publication here. |
The AI Act | The objective of the AI Act is to create a legislative framework that balances the opportunities associated with freedom of innovation with the need to ensure that entities are regulated and are accountable for their AI systems. It is the first major law proposed on AI and assigns AI systems to 4 different levels of risk – unacceptable risk, high risk, and limited risk and minimal risk. The Act aims to strengthen the EU position in the field of AI by: – Enabling the development and innovation on AI in the EU; – Making the EU a regulated hub for AI globally; – Ensuring AI works for the benefit of individuals and for society; and – Building frameworks for leadership in high-impact sectors such as environment, health, home affairs and agriculture. | In force: TBC Applicable: TBC | – The Act will apply to AI systems developed and deployed in the EU, meaning that global firms based outside of the EU who implement their systems within the EU will have to comply with the legislation. – Providers of high-risk AI systems must conduct prior assessments before placing them on the market, complying with the ‘essential requirements’ set out in the Act. – Most of the obligations fall on the party who places the system on the market, however distributors and importers must also be aware of their obligations if placing a high-risk system on the market. Final trilogue negotiations between the Commission, the Council and the Parliament have commenced. This process is being expedited and the European Commission is expecting the end of negotiations by the end of 2023, ahead of elections in 2024. You can find more on what is next for the EU AI Act here. |
The NIS2 Directive | The objective of the NIS2 Directive is to improve cybersecurity across the EU. The updated Directive modernises and replaces the previous framework. It seeks to further cybersecurity measures by introducing new risk management measures and reporting obligations. The key changes brought by the NIS2 are: – New classifications for important and essential entities; – Expanding the list of sectors and entities which fall within the scope of the rules; – Modifying the notification requirements for breaches; and – Introducing voluntary disclosure mechanisms for entities in scope. | In force: 16 January 2023 Applicable: 18 October 2024 | – New in scope entities include digital providers, research entities, waste management entities, manufacture, production and distribution of chemicals, post and courier, manufacturing, and food production, processing and distribution. – The Board of an essential or important entity must ensure that they follow the cybersecurity risk requirements or may be held liable for infringements. |
How can businesses best prepare for these anticipated laws:
Key steps for readiness would include:
- Review of documents, processes and tools: Businesses whose services may come within any of the broad definition of intermediary or other online services should evaluate their services against the various laws and prepare for further guidelines from relevant authorities to further define their obligations and compliance requirements.
- Technical planning for commitments that necessitate changes to the design, presentation, and/or functionality of their online user interfaces.
- Assessment of systemic risks related to the operation and usage of your services, including implementation of any necessary mitigation measures, and readiness to demonstrate compliance to supervisory authorities.
In short, these layers of legislation introduce obligations, requirements and considerations for governance and accountability alongside opportunity. As businesses develop deeper and broader digital models based on a data-centric economy, beware the shifting sands of legislation which not only seek to regulate but also create accountability that must flow through and down from senior leadership. The opportunity landscape is changing and remember the goal is to encourage a new EU territorial eco-system to allow a data economy to flourish in a regulated, protected, opportunity-driven landscape. Time will tell if this vision holds true, but the lines (whatever shade of grey they are) are being drawn!