As part of its data strategy, the European Commission has presented a number of legislative instruments, including the Digital Markets Act (DMA), the Digital Services Act (DSA), the Data Governance Act (DGA) and the Data Act.
This publication focuses on these four new instruments in more detail - in particular, who these legal instruments apply to and who may benefit from them.
For more general information on these instruments, we refer to our previous blog posts on the Privacy Matters blog - “EU Regulatory Data Protection: Many pieces to the regulatory framework puzzle” and “EU Regulatory Data Protection: A first appraisal of the European Commission’s proposal for a ‘Data Act’”.
The European legislator has created a complex framework: each instrument introduces new actors; similar actors are defined differently under the various acts; and, except for the data subject, the well-known actors - controllers and processors - under the GDPR do not play any role.
Therefore, it will be important for organizations to duly identify their role and corresponding rights and obligations.
Digital Markets Act (adopted)
- The DMA introduces the concept of gatekeeper which means “an undertaking providing core platform services designated pursuant to article 3” of the DMA. A gatekeeper will therefore only be subject to the DMA and its obligations once it has been designated as such by the European Commission.
- Core platform services include online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communication services, operating systems, web browsers, virtual assistants, cloud computing services and online advertising services.
- The purpose of the DMA is to contribute to the proper functioning of the internal market by laying down harmonised rules ensuring, for all businesses, contestable and fair markets where gatekeepers are present to the benefit of business users and end users.
- End user means any natural or legal person using core platform services other than as a business user.
- Business user means any natural or legal person acting in a commercial or professional capacity using core platform services for the purpose of, or in the course of, providing goods or services to end users.
- It follows from the foregoing that any end user or business user (as defined above) using any of the core platform services will benefit from the obligations and restrictions that are imposed upon gatekeepers by the DMA.
Digital Services Act (close to adoption)
- The DSA applies to providers of intermediary services who provide those services to recipients having their place of establishment or residence in the European Union.
- An intermediary service means one of the following:
  - a ‘mere conduit’ service that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network;
  - a ‘caching’ service that consists of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, for the sole purpose of making more efficient the information's onward transmission to other recipients upon their request;
  - a ‘hosting’ service that consists of the storage of information provided by, and at the request of, a recipient of the service.
- Where services meet the conditions of ‘mere conduit’, ‘caching’ or ‘hosting’, providers of those services can benefit from an exemption of liability.
- Recital 27 clarifies that providers of services establishing and facilitating the underlying logical architecture and proper functioning of the internet, including technical auxiliary functions, can also benefit from the exemptions from liability set out in the DSA, to the extent that their services qualify as ‘mere conduit’, ‘caching’ or hosting services. Such services include wireless local area networks, domain name system (DNS) services, top-level domain name registries, certificate authorities that issue digital certificates, or content delivery networks, that enable or improve the functions of other providers of intermediary services. Likewise, services used for communications purposes, and the technical means of their delivery, have also evolved considerably, giving rise to online services such as Voice over IP, messaging services and web-based e-mail services, where the communication is delivered via an internet access service. Those services, too, can benefit from the exemptions from liability to the extent that they qualify as ‘mere conduit’, ‘caching’ or hosting service.
- Providers of hosting services include online platforms which are defined as “providers of a hosting service which, at the request of a recipient of the service, stores and disseminates to the public information, unless that activity is a minor and purely ancillary feature of another service and, for objective and technical reasons cannot be used without that other service, and the integration of the feature into the other service is not a means to circumvent the applicability of the DSA”.
- Online platforms are subject to additional rules unless they qualify as a micro or small enterprise. Additional rules also apply to very large online platforms, i.e. platforms providing services to a number of average monthly active recipients of the service in the European Union equal to or higher than 45 million.
- Indirectly, the DSA applies to traders on online platforms by obliging online platforms to take measures to ensure traceability of traders. A trader is defined as any natural person, or any legal person irrespective of whether privately or publicly owned, who is acting, including through any person acting in his or her name or on his or her behalf, for purposes relating to his or her trade, business, craft or profession. It comes within the scope of the DSA where it concludes distance contracts with consumers.
- The DSA aims at contributing to the proper functioning of the internal market for intermediary services and to set out uniform rules for a safe, predictable and trusted online environment to the benefit of recipients of intermediary services (e.g. by means of enhanced transparency obligations, by granting them the right to lodge a complaint). Recipient of the service means any natural or legal person who uses the relevant service.
- Finally, the DSA introduces the trusted flagger (undefined term). When a person meets certain conditions, it can be granted the status of trusted flagger. Notices by trusted flaggers must be handled by online platforms.
Comparison of certain actors under the Digital Markets Act and the Digital Services Act
- The above overview has shown that the actors under the DMA and DSA have substantially different names. However, when looking at the definitions of certain actors, there are some similarities.
- Indeed, the below table shows that the end user and business user under the DMA are similar to the recipient of the service and the trader under the DSA.
- The end user and recipient of the service are both natural and legal persons using a certain service. However, the recipient of the service can be a person acting in a personal or commercial/professional capacity whereas the end user can only be a person acting in a personal capacity.
- The trader is similar to the business user as they both act in a professional capacity and both engage with another person (consumer and end user respectively) via a platform service.
Re-use of data held by public sector bodies
- The DGA aims at fostering data sharing in order to reap the benefits of the data economy.
- To that end, it creates a framework for the re-use of data held by public sector bodies.
- A public sector body means the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities, or one or more such bodies governed by public law.
- Bodies governed by public law are bodies having the following characteristics:
  - they are established for the specific purpose of meeting needs in the general interest, and do not have an industrial or commercial character;
  - they have legal personality;
  - they are financed, for the most part, by the State, regional or local authorities, or other bodies governed by public law, are subject to management supervision by those authorities or bodies, or have an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities, or by other bodies governed by public law.
- Recital 12 clarifies that public undertakings are not covered by the definition of public sector body. Therefore, public undertakings are not subject to the rules on re-use of data held by them.
- A public undertaking means any undertaking over which the public sector bodies may exercise directly or indirectly a dominant influence by virtue of their ownership of it, their financial participation therein, or the rules which govern it; for the purposes of this definition, a dominant influence on the part of the public sector bodies shall be presumed in any of the following cases in which those bodies, directly or indirectly:
(a) hold the majority of the undertaking’s subscribed capital;
(b) control the majority of the votes attaching to shares issued by the undertaking;
(c) can appoint more than half of the undertaking’s administrative, management or supervisory body.
- Public undertakings may of course be caught by the DGA where they would perform data intermediation services or wish to register as a data altruism organisation.
- The DGA does not impose an obligation upon public sector bodies to share data but lays down a set of rules that must be complied with if they choose to share data with a re-user.
- The re-user is not defined under the DGA but it follows from the text of the DGA that – unsurprisingly – it is the person re-using data held by public sector bodies. The re-user has both rights and obligations (e.g. regarding confidentiality) under the DGA.
Data Intermediation Services
- Secondly, the DGA creates a framework for providers of data intermediation services.
- Providers of data intermediation services that comply with the requirements of article 10 of the DGA are subject to a notification and supervisory framework.
- A data intermediation service means a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data, excluding at least the following:
(a) services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users;
(b) services that focus on the intermediation of copyright-protected content;
(c) services that are exclusively used by one data holder, in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things;
(d) data sharing services offered by public sector bodies that do not aim to establish commercial relationships.
- The following data intermediation services are covered by article 10 of the DGA:
(a) intermediation services between data holders and potential data users, including making available the technical or other means to enable such services; those services may include bilateral or multilateral exchanges of data or the creation of platforms or databases enabling the exchange or joint use of data, as well as the establishment of other specific infrastructure for the interconnection of data holders with data users;
(b) intermediation services between data subjects that seek to make their personal data available or natural persons that seek to make non-personal data available, and potential data users, including making available the technical or other means to enable such services, and in particular enabling the exercise of the data subjects’ rights provided in Regulation (EU) 2016/679;
(c) services of data cooperatives.
- Data cooperatives as such are not defined but services of data cooperatives mean data intermediation services offered by an organisational structure constituted by data subjects, one-person undertakings or SMEs who are members of that structure, having as its main objective to support its members in the exercise of their rights with respect to certain data, including with regard to making informed choices before they consent to data processing, to exchange views on data processing purposes and conditions that would best represent the interests of its members in relation to their data, and to negotiate terms and conditions for data processing on behalf of its members before giving permission to the processing of non-personal data or before they consent to the processing of personal data.
- It is important to note that only data intermediation services that meet the requirements of article 10 of the DGA will come within the scope of the DGA.
- As indicated above, data intermediation services seek to enable data sharing between data subjects and data holders on the one hand, and data users on the other hand.
- A data subject under the DGA has the same meaning as under the GDPR.
- A data holder means a legal person, including public sector bodies and international organisations, or a natural person who is not a data subject with respect to the specific data in question, which, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal data or non-personal data.
- A data user means a natural or legal person who has lawful access to certain personal or non-personal data and has the right, including under Regulation (EU) 2016/679 in the case of personal data, to use that data for commercial or non-commercial purposes.
- While the ‘data flow’ in the context of data intermediation services is rather clear in the sense that it goes from the data subject/data holder over the provider of data intermediation services to the data user, the definitions are probably not the soundest. Most data holders will, strictly speaking, also meet the requirements of a data user. The right to grant access or share certain personal or non-personal data inevitably requires lawful access to the data and the right to use the data (i.e. sharing) for commercial or non-commercial purposes.
- Furthermore, article 12.c of the DGA refers to “the person who uses the data intermediation service”. It is unclear whether this could be a person other than the data subject, data holder or data user. This is probably not the case but it is unfortunate that this article does not use any of the defined terms.
- Thirdly, the DGA provides a framework for the recognition of data altruism organisations. Data altruism means the voluntary sharing of data on the basis of the consent of data subjects to process personal data pertaining to them, or permissions of data holders to allow the use of their non-personal data without seeking or receiving a reward that goes beyond compensation related to the costs that they incur where they make their data available for objectives of general interest as provided for in national law, where applicable, such as healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, public policy making or scientific research purposes in the general interest.
The proposed Data Act contains a variety of rules to foster B2C, B2B and B2G data sharing, including rules on data generated by IoT products or services, unfair terms, smart contracts and switching between data processing services. This instrument is at an ‘early stage’ and – as will be shown hereafter – would benefit from a thorough review of the definitions to ensure better alignment with other legislative instruments.
B2C and B2B sharing
- The Data Act imposes, to the benefit of the users of such products or services, data accessibility and sharing obligations upon manufacturers of products and suppliers of related services placed on the market in the Union, whereby:
  - product means a tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data.
  - related service means a digital service, including software, which is incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions.
- Manufacturers of products and suppliers of related services that qualify as micro or small enterprises are exempted from certain obligations.
- A user is any natural or legal person that owns, rents or leases a product or receives a service. The user can be a data subject. However, the Data Act does not (yet) include a definition of data subject.
- The manufacturers of products and suppliers of related services may qualify as data holders. A data holder means a legal or natural person who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data and through control of the technical design of the product and related services, the ability, to make available certain data.
- Data holders are subject to several obligations, including obligations with regard to contractual terms and the use of smart contracts.
- Users may ask data holders to make available data generated by a product or a service to a third party. Undertakings designated as gatekeepers under the DMA are not an eligible third party.
- There is no definition of third party in the Data Act. However, a third party may qualify as a data recipient which means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation implementing Union law.
- Data recipients are granted certain contractual and other protections under the Data Act but are also subject to a number of obligations in case of e.g. unauthorised use of data.
- While the DGA provides rules for G2B sharing, the Data Act covers the opposite data flow (B2G).
- In the event of an exceptional need, data holders may be required to make data available to a public sector body or a European Union institution, agency or body.
- A public sector body means national, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodies.
Data processing services
- Under the Data Act, providers of data processing services are subject to a number of obligations which aim at removing obstacles to effective switching between providers of data processing services.
- A data processing service means a digital service, other than an online content service, as defined in Article 2(5) of Regulation (EU) 2017/1128, provided to a customer, which enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources of a centralised, distributed or highly distributed nature.
- Vendors of applications using smart contracts or, in the absence thereof, persons whose trade, business or profession involves the deployment of smart contracts for others in the context of an agreement to make data available must meet essential requirements including requirements on robustness and access control.
Comparison of certain actors under the Data Governance Act and the Data Act
The above overview has shown that the DGA and Data Act use certain identical concepts. However, as shown below, these are not defined in the same way.
- It would be helpful to align the definition of public sector body under the Data Act with the definition of the Data Governance Act. There does not seem to be any objective reason to use different definitions.
- As to the data holder, although the difference in the definitions follows from the differences in scope of both Acts, it would be sensible to try and align the definitions as much as possible, given the already considerably complex interplay between the personal field of application of the various legal instruments.
- Finally, it may also be worthwhile for the legislator to assess the interplay between the definitions of data holders, data users, data recipients and re-users.