Incoming EU data and digital legislation
There's a lot going on in the data and digital space in terms of incoming EU legislation. Here is a summary of key EU proposals which will impact the use of data (personal and non-personal), and an overview of the UK position.
17 May 2022
European Strategy for Data
Data Governance Act
The Data Governance Act sets out processes and structures to facilitate protected personal and non-personal data sharing among public bodies across the EU and between sectors.
It places obligations on data intermediaries and sets up other measures to strengthen public trust, including by creating a regime for "data altruism" organisations and a European Data Innovation Board.
It complements the Open Data Directive which regulates and encourages the re-use and publication of public sector information held or funded by public institutions (such as governments, libraries and archives).
2020
Proposed by the European Commission in
December 2020.
2021
Provisional political agreement reached
in November 2021.
Data Act
The Data Act aims to remove barriers to data sharing, give businesses access to data they contribute to creating and individuals more control over all their data (not just personal data).
It will empower users of connected devices to access and share data they generate with third parties, as well as switch cloud and edge service providers. It also aims to protect SMEs by providing a harmonised framework in which data can be shared, equalising access to data across the market. It will apply to relevant UK businesses operating in EU markets.
UK Position The UK government has expressed similar aims around data sharing and exploitation, including in its December 2020 National Data Strategy and its `Benefits of Brexit' White Paper published in January 2022. A Data Reform Bill is likely to be published in the next few months.
2022
Proposed by the European Commission in February
2022. There was a feedback period for stakeholders until
mid-May 2022.
2024
Expected to enter into force by
mid-2024.
2023
Expected to enter into force by mid-2023.
Artificial Intelligence Package
Artificial Intelligence (AI) Act
The AI Act will regulate the development and use of AI by providing a framework of requirements and obligations for its developers, deployers and users, together with regulatory oversight. The framework will be underpinned by a risk-categorisation system for AI, with "high risk" systems subject to the most stringent obligations, and a ban on "unacceptable risk" AI systems. UK businesses placing AI systems on the market or putting them into service or whose systems produce output used in the EU will be caught.
2021
Proposed by the European Commission
in April 2021.
2022
European Parliament expected to adopt position imminently.
2023
Originally expected to enter into force late 2022, the end of 2023 seems more likely. There will be a two year implementation period before applying to operators.
Incoming EU data and digital legislation
Digital Services Package
Digital Markets Act
The Digital Markets Act will regulate digital markets to address concerns raised about the market power of large online players.
The focus is on large platform service providers (including social media, search engines and operating systems) designated as "gatekeepers", although it will also impact the wider market. Gatekeepers will be subject to a number of requirements and restrictions.
2020
Proposed by the European Commission
in December 2020.
2022
Expected to come into force in late 2022.Provisional
political agreement reached in March 2022.
2023
The DMA will apply for the most part six months after its entry into force. Some provisions (relating mostly to the designation process)
will apply immediately. Articles 42&43 will apply from 25 June 2023, or on
application if later.
Digital Services Act
The Digital Services Act (DSA) will regulate the obligations and accountability of online intermediaries and platforms in order to tackle illegal content, products and services, while promoting transparent advertising. Its purpose is to create a safe digital space in which users' rights are protected and businesses can compete on an equal footing.
It will apply to network infrastructure intermediaries, hosting services, online platforms and marketplaces. Obligations differ according to the size and impact of the organisation and the nature of the service, with the most stringent provisions applying to services designated as" Very Large Online Platforms" (VLOPs) and "Very Large Online Search Engines" (VLOSEs). This initiative will have extra-territorial reach.
2020
Proposed by the European Commission
in December 2020.
2022
Provisional political agreement reached
in April 2022.
2024
It will apply fifteen months from adoption or from 1 January 2024, whichever is later.
However, it will apply to VLOPs and VLOSEs four months after
their designation as such.
UK Position The UK is proposing to regulate market power of digital service providers with "Strategic Market Status". Provision for this is expected in the Digital Markets, Competition and Consumer Bill announced in the May 2022 Queen's Speech.
The DSA is similar but not identical in scope to the UK's Online Safety Bill (OSB) which is currently progressing through the UK Parliament. The OSB is intended to protect users, particularly children, from online harm. It will mainly focus on user generated content, covering both illegal and harmful content. It will apply to userto-user search services. As with the EU initiative, this will have extra-territorial reach.
Updating existing data privacy and cybersecurity law
NIS2 Directive
The current NIS Directive (implemented in the UK as the NIS Regulations 2018) co-ordinates EU Member States' approach to cybersecurity. It places requirements on Member States to be appropriately and sufficiently prepared for cybersecurity incidents and guides their response to them.
It also imposes cybersecurity and breach reporting obligations on operators of essential services and Digital Service Providers (online marketplaces, search engines and cloud computing services).
The European Commission proposed the NIS2 Directive to update and expand the remit of the NIS Directive. It expands the sectors inscope to include (among other areas) certain digital services, introduces stricter enforcement, and revises incident reporting requirements.
2020
Proposed by the European Commission
in December 2020.
2022
Provisional political agreement reached in May 2022. Expected to be adopted before the
end of 2022.
2024
EU Member States will have 21 months
to transpose the Directive after it comes into force.
UK Position NIS2 will not be adopted in the UK. The UK government announced a review of the UK cybersecurity regime and published two consultations in January 2022. This could see the scope of the NIS Regulations widened to increase the level of supervision of relevant digital service providers and bring managed (outsourced) services within scope for the first time. The government is also legislating to tackle (among other things) the security of Internet of Things devices.
Incoming EU data and diHgeaidteral legislation
Updating existing data privacy and cybersecurity law
ePrivacy
The ePrivacy Regulation will replace the ePrivacy Directive (implemented in the UK as the Privacy and Electronic Communications Regulations (PECR)). Intended to come in alongside the GDPR, the legislation has proved highly controversial, which has delayed the process. The ePrivacy Directive is concerned with the protection of privacy in the electronic communications sector. The majority of businesses need to comply with its rules on cookies and electronic marketing. The ePrivacy Regulation will, among other things, update the rules on cookies and the processing of electronic communications data (including metadata).
UK Position The UK government is planning an overhaul of the UK's data protection regime which is likely to result in changes to PECR, as well as to the UK GDPR and Data Protection Act 2018. Publication of a Data Reform Bill is expected in Summer 2022.
2017
Proposed by the European Commission in January 2017.
2021
Trilogues began in May 2021.
2022
The progress of this legislation has been slow and painful. It is unclear whether the path to adoption will now become smoother, although the Commission has
prioritised completion.
Taylor Wessing contacts
Vinod Bange Partner, London
+44 20 7300 4600 [email protected]
3
Victoria Hordern Partner, London
+44 207 300 7096 [email protected]
Christopher Jeffery Partner, London
+44 20 7300 4230 [email protected]
2000+ people 1100+ lawyers 300+ partners 29 offices 17 jurisdictions
Header
Austria
Klagenfurt | Vienna
BelgiumBrussels
China
Beijing | Hong Kong | Shanghai
Czech Republic
Brno | Prague
FranceParis
Germany
Berlin | Dsseldorf | Frankfurt | Hamburg | Munich
HungaryBudapest
Netherlands
Amsterdam | Eindhoven
PolandWarsaw
Republic of IrelandDublin
SlovakiaBratislava
South KoreaSeoul*
UAEDubai
UkraineKyiv
United Kingdom
Cambridge | Liverpool | London | London TechFocus
USA
New York | Silicon Valley
* In association with DR & AJU LLC
Taylor Wessing LLP 2022 | 2205-002239-7 Taylor Wessing statistics published are correct as of 1 September 2021.
This publication is not intended to constitute legal advice. Taylor Wessing entities operate under one brand but are legally distinct, either being or affiliated to a member of Taylor Wessing Verein. Taylor Wessing Verein does not itself provide legal or other services. Further information can be found on our regulatory page at:
taylorwessing.com
4
