Following the first designation of Very Large Online Platforms (“VLOPS“) and Very Large Online Search Engines (“VLOSEs”) under the Digital Services Act Regulation (“DSA“) on 25 April 2023, the European Commission has now announced a call for evidence from stakeholders to inform proposed delegated acts on data access mechanisms.
The DSA contains various provisions which seek to better monitor risks and actions taken by VLOPs and VLOSEs to combat disinformation, illegal content and other societal risks. In this regard, Article 40 provides a new legal framework which requires VLOPs and VLOSEs to provide access to their data for the purpose of conducting research which will improve the detection, identification and understanding of systemic risks within the EU.
Article 40 states that data access will be possible for:
- Digital Service Coordinators and the Commission, who may gain access for monitoring purposes and to assess compliance with the DSA,
- Vetted researchers, who may gain access to conduct research to improve the detection, identification and understanding of systemic risks in the EU, and
- Researchers who meet the conditions set out in Article 40(12), who may gain access to publically available data.
Article 40 further grants the Commission power to adopt delegated acts to further specify the technical conditions under which VLOPs and VLOSEs will be required to permit access to such data.
The Commission plan to implement a delegated act which will supplement the framework set out in Article 40, in particular by:
- Setting out procedures for Digital Services Coordinators to manage requests and vet researchers with the possibility of an independent advisory mechanism,
- Further determining the purposes for which data accessed under Article 40 may be used,
- Further determining the conditions under which researchers must be provided with access to data under Article 40, in a manner which is compliance with GDPR and in consideration of the rights and interests of all parties involved, and
- Determining the technical conditions by which VLOPs and VLOSEs are to provide access to the data.
The Commission is now gathering the views and evidence of stakeholders’ to inform the drafting of the delegated act. The Commission aims to design an easy, practical and clear process for data access which will protect the rights and interests of all parties involved and adequately safeguard against abuse.
The Commission have invited stakeholders to submit their views, particularly in relation to the following eleven questions:
- Data access needs: What types of data, metadata, data governance documentation and other information about data and how it is used can be useful to DSC’s for the purpose of monitoring and assessing compliance and for vetted researchers for conducting research related to systemic risks and mitigation measures? What sort of analysis and research might DSC’s and vetted researchers conduct for the purposes of monitoring and assessing compliance and conducting research related to systemic risks and mitigation measures?
- Data access application and procedure: Digital Services Coordinators (DSCs) in the Member States will play a key role in assessing researchers’ applications and they will act as intermediaries with the platforms. How should the application process be designed in practice? How can the vetting process ensure efficient exchanges between researchers and platform providers? Article 40(8) exhaustively defines criteria for vetting researchers. How can a consistent assessment across DSCs be ensured, while still taking into consideration the specificities of each request? What additional provisions or specifications could be useful to help balance the new data access rights and the protection of users’ and business’ rights, e.g. related to data protection, confidential information, including trade secrets, and security? What kind of safeguards can be put in place to assure that data gathered under Article 40 is used for the purposes envisaged and to minimise the risk of abuses? Article 40(13) introduces the possibility of an independent advisory mechanisms to support the management of data access requests and vetting of researchers. What would be the added value of such a mechanism?
- Data access formats and involvement of researchers: What technical specifications could be considered for data access interfaces, which takes into account security, data protection, ease of use, accessibility, and responsiveness (e.g. APIs, data vaults and other machine-readable data exchange formats)? What capacity building measures could be considered for the research community to take advantage of the opportunities provided by Article 40? Would it be desirable and feasible to establish a common and precise language for DSCs, vetted researchers, VLOPs and VLOSEs to use when communicating about data access, e.g. by formulating a standard data dictionary and/or business glossary? How might this be implemented?
- Access to publicly available data: Not only vetted researchers will have greater opportunities for accessing data, all researchers meeting the conditions set out in Article 40(12) will be able to get direct access to publicly available data. What processes and mechanisms could be put in place to facilitate this access in your view?
The Consultation will run until 23 May 2023. The Commission will organise other outreach activities to continue receiving stakeholder feedback during the course of 2023.