There's a lot going on in the data and digital space in terms of incoming EU legislation. Here is a summary of key proposals which will impact the use of data (personal and non-personal) and likely timelines, as at 10 May 2022.

European strategy for data

Data Governance Act

The Data Governance Act sets out processes and structures to facilitate protected personal and non-personal data sharing among public bodies across the EU and between sectors. 

It places obligations on data intermediaries and sets up other measures to strengthen public trust, including by creating a regime for "data altruism" organisations and a European Data Innovation Board.

It complements the Open Data Directive which regulates and encourages the re-use and publication of public sector information held or funded by public institutions (such as governments, libraries and archives).

Timeline

  • Proposed by the European Commission in November 2020.  
  • Provisional political agreement reached in December 2021. 
  • Expected to enter into force by mid-2023. 

Data Act

The Data Act aims to remove barriers to data sharing, give businesses access to data they contribute to creating, and individuals more control over all their data (not just personal data).  

It will empower users of connected devices to access and share data they generate with third parties, as well as switch cloud and edge service providers. It also aims to protect SMEs by providing a harmonised framework in which data can be shared, equalising access to data across the market. 

It will apply to relevant UK businesses operating in EU markets.

Once implemented, the Data Act is intended to sit alongside the proposed Data Governance Act.

The UK government has expressed similar aims around data sharing and exploitation, including in its December 2020 National Data Strategy and its 'Benefits of Brexit' White Paper published in January 2022, but has not yet published legislation on these issues.

Timeline

  • Proposed by the European Commission in February 2022.  
  • There was a feedback period for stakeholders until mid-May 2022.
  • Expected to enter into force by mid-2024. 

Artificial Intelligence Package

Artificial Intelligence (AI) Act

The AI Act will regulate the development and use of AI by providing a framework of requirements and obligations for its developers, deployers and users, together with regulatory oversight. 

The framework will be underpinned by a risk-categorisation system for AI, with the AI systems in the highest risk category being prohibited. 

UK businesses placing AI systems on the market or putting them into service, or whose systems produce output used in the EU, will be caught.

Timeline

  • Proposed by the European Commission in April 2021.
  • European Parliament expected to adopt position imminently.
  • Expected to enter into force in the second half of 2022. However, the regulation would not apply to operators until the second half of 2024.

Digital Services Package

Digital Markets Act

The Digital Markets Act will regulate digital markets to address concerns raised about the market power of large online players.  

The focus is on large platform service providers (including social media, search engines and operating systems) designated as "gatekeepers", though it will also impact the wider market.  Gatekeepers will be subject to a number of requirements and restrictions.

Timeline

  • Proposed by the European Commission in December 2020.
  • Provisional political agreement reached in March 2022. 
  • Expected to come into force around October 2022.

Digital Services Act

The Digital Services Act (DSA) will regulate the obligations and accountability of online intermediaries and platforms in order to tackle illegal content, products and services, while promoting transparent advertising. Its purpose is to create a safe digital space in which users' rights are protected and businesses can compete on an equal footing. 

It will apply to network infrastructure intermediaries, hosting services, online platforms and marketplaces. Obligations differ according to the size and impact of the organisation and the nature of the service, with the most stringent provisions applying to services designated as "Very Large Online Platforms" (VLOPs) and "Very Large Online Search Engines" (VLOSEs).  

This initiative will have extra-territorial reach. 

The DSA is similar but not identical in scope to the UK's Online Safety Bill (OSB), which is currently progressing through the UK Parliament. The OSB is intended to protect users, particularly children, from online harm. It will mainly focus on user-generated content, covering both illegal and harmful content. It will apply to user-to-user search services.

As with the EU initiative, this will have extra-territorial reach.

Timeline

  • Proposed by the European Commission in December 2020.
  • Provisional political agreement reached in April 2022. 
  • It will apply fifteen months from adoption or from 1 January 2024, whichever is later.  However, it will apply to VLOPs and VLOSEs four months after their designation as such.

Updating existing data and cybersecurity law

NIS2 Directive

The current NIS Directive (implemented in the UK as the NIS Regulations 2018) co-ordinates EU Member States' approach to cybersecurity. It places requirements on Member States to be appropriately and sufficiently prepared for cybersecurity incidents and guides their response to them. 

It also imposes cybersecurity and breach reporting obligations on operators of essential services and Digital Service Providers (online marketplaces, search engines and cloud computing services).  

The European Commission proposed the NIS2 Directive to update and expand the remit of the NIS Directive.  It expands the sectors in-scope to include (among other areas) certain digital services, introduces stricter enforcement, and revises incident reporting requirements.

NIS2 will not be adopted in the UK.  The UK government announced a review of the UK cybersecurity regime and published two consultations in January 2022.  This could see the scope of the NIS Regulations widened to increase the level of supervision of relevant digital service providers.  It may also bring managed (outsourced) services within scope for the first time.

Timeline

  • Proposed by the European Commission in January 2020.
  • Trilogues between the Council and European Parliament ongoing. 
  • Expected to be approved by mid-2022, requiring it to be transposed into national law by EU Member States by mid-2024. 

ePrivacy

The ePrivacy Regulation will replace the ePrivacy Directive (implemented in the UK as the Privacy and Electronic Communications Regulations (PECR)).

Intended to come in alongside the GDPR, the legislation has proved highly controversial, which has delayed the process.  The ePrivacy Directive is concerned with the protection of privacy in the electronic communications sector.  The majority of businesses need to comply with its rules on cookies and electronic marketing.

The ePrivacy Regulation will, among other things, update the rules on cookies and the processing of electronic communications data (including metadata).

The UK government is currently consulting on a proposed overhaul of the UK's data protection regime, which is likely to result in changes to PECR, as well as to the UK GDPR and Data Protection Act 2018.

Timeline

  • Proposed by the European Commission in January 2017.
  • Trilogues began in May 2021.
  • The progress of this legislation has been slow and painful.  It is unclear whether the path to adoption will now become smoother, though the Commission has prioritised completion.