On 19 February 2020 the European Commission announced its ‘European Strategy for Data’1 which outlined the EU’s five year plan to shape its data economy. As part of this strategy a number of new legislative measures have been proposed, some of which have now been adopted:
- EU Data Governance Act (DGA) – entered into force 23 June 2022
- EU Data Act (EUDA) – adopted by the European Commission 23 February 2022
- EU Digital Services Act (DSA) – enters into force 16 November 2022
- EU Digital Markets Act (DMA) – entered into force 1 November 2022
- Artificial Intelligence (AI) Act – still in proposal form
- The e-Privacy Regulation – still in proposal from
There appear to be some key themes running throughout this package of legislation (‘the Data Package’), which has been termed as the ‘second generation’ of data legislation. Specifically, the Commission has emphasised their aim for economic growth and innovation, by ‘creating a single market for data that will ensure Europe’s global competitiveness and data sovereignty’2.
It is clear that the Data Package is conscious of the key role SMEs will play in achieving this aim and several parts of these pieces of legislation are directed at levelling the playing field for smaller businesses within the data market – for example:
- Increasing data availability: The Data Package represents a clear shift in the EU legislators focus away from exclusively focussing on the privacy concerns of the GDPR and towards unlocking the true value of data.
For example, a main aim of the DGA is to enable the safe re-use of certain categories of public sector data. A lack of data, especially for smaller or start-up organisations, is a common roadblock on the path to meaningful technological developments. Therefore, the hope is that the effect of the DGA will reduce barriers to data availability and fuel further advancements in areas such as Artificial Intelligence and Machine Learning – ultimately stimulating economic growth
The EUDA also aims to implement an ‘access-by-design’ approach, obligating certain organisations to make data generated by the use of products or related services accessible to users and requiring them to share data with third parties on request.
- Greater regulation and accountability of dominant market participants: For example, the DMA specifically targets ‘gatekeepers’, which are essentially the ‘giants’ of the digital market, who provide ‘core platform services’ (e.g. online search engines or online social networking services – such as Google or Facebook) and have the ability to impact the internal market. The DMA subjects these ‘gatekeepers’ to further regulation – much of which aims to reduce their ability to abuse their market power to the disadvantage of smaller businesses. For instance, gatekeepers will be required to ensure the interoperability of third party apps and are prevented from ranking their own products or services in a more favourable manner to those of third parties. Such rules, should help to stimulate opportunities and room for innovation for these smaller businesses. For this reason the DMA has been described as a new competition tool, to address structural competition issues, that could not be addressed using existing competition regulation.
The DSA has also tried to demonstrate an approach which is proportionate to a company’s size and activities, by requiring companies to undertake different levels of due diligence based on a tier system.
- Reducing the fragmentation of data law and reducing the cost of compliance for SMEs: The EU has also stated that the package intends to provide a more comprehensive set of data laws, in the hope that this will reduce the cost of compliance and also provide companies with greater confidence in their ability to share data.
Despite the intention of EU legislators, it will be interesting to observe the effect of the Data Package in practice, as questions have been raised as to whether further regulation is necessary to realise the EU’s aims for innovation and growth – or does this just add another form of red tape?
In particular, organisations should be aware that the Data Package’s scope goes beyond the regulation of just personal data, to encompass “data” which is defined broadly in both the DGA, EUDA and DMA as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording”. Prior to the Data Package, personal data was the only data to be thoroughly regulated by the EU.
Specifically, the introduction of the regulation of international transfers of non-personal data by the DGA may generate confusion amongst many organisations as to what will amount to sufficient ‘technical, legal and organisational measures’ in order to carry out an international transfer of non-personal data in compliance with the DGA, especially given that no adequacy decisions exist in relation to such transfers.