EU Data and Digital Drive: An Overview of Upcoming Legislation | Dechert LLP

Digital Services Act

  • Current status: awaiting formal adoption by the Council of the EU, expected in September 2022, after which it will be published in the Official Journal.

The Digital Services Act (“DSA”) complements the 2000 e-commerce directive and targets online intermediaries (such as online marketplaces, cloud computing companies and major search engines). Some of the key provisions include:

  • a ban on advertising to minors and on the use of special categories of data;
  • a ban on dark patterns;
  • obligations to identify and remove illegal content; and
  • additional transparency requirements.

The obligations increase with the size and risk of the activities; very large online platforms will have additional reporting and auditing requirements.

Certain provisions of the DSA, such as the prohibition of certain advertisements and dark patterns and the additional transparency requirements, mean that the companies concerned will probably have to consult the GDPR, the e-Privacy Regulation (once adopted) and the DSA to understand their obligations.

Digital Markets Act

  • Current status: officially adopted and awaiting publication in the Official Journal.

While the DSA focuses on the relationship between services and their users, the Digital Markets Act (“DMA”) aims to govern competition between “gatekeeper” companies (identified in terms of revenue and number of users, although smaller companies may be designated as such by the European Commission) that provide core platform services (such as online search engines, social networking services, and virtual assistants). The regulation contains a series of “do’s” and “don’ts” designed to prevent certain business practices and to protect small businesses, such as:

  • enable interoperability with smaller platforms;
  • allow enterprises to access data generated while using the gatekeeper platform;
  • prohibit self-preferencing; and
  • limit the combination and cross-use of personal data and the use of personal data for targeted advertising without consent.

Here again, there is an overlap with the GDPR, in particular with regard to the provisions in the DMA relating to the processing of personal data, requiring those subject to the DMA to consult several pieces of legislation to establish their obligations.

Data Governance Act

  • Current status: published in the Official Journal on June 3, 2022 with rules applicable from September 2023.

The Data Governance Act (“DGA”) aims to encourage the sharing and reuse of data while respecting data confidentiality and intellectual property rights.

It covers three key areas:

  1. Access to data held by public sector bodies.
  2. Regulation of data intermediation services.
  3. Encouraging “data altruism” – donating data for the common good (e.g. for scientific research).

While the regulation will apply primarily to public sector bodies, companies should consider whether their activities could fall under the DGA’s data intermediation services (and, if so, familiarize themselves with the requirements, which are primarily aimed at guaranteeing independence). The DGA recitals specifically mention data marketplaces and data pools, which may be particularly relevant in the ad tech industry.

Data Act

  • Current status: European Commission proposal published in February 2022 and committee readings in progress.

The Data Act proposes to regulate all personal and non-personal digital data and will be applicable to various parties, including data holders, cloud service providers, manufacturers of connected devices (such as Internet of Things devices) and related service providers.

Supporting the DGA, the Data Act also aims to increase data sharing and the use of available data. The European Commission comments that if the DGA “creates the processes and structures to facilitate the sharing of data by businesses, individuals and the public sector, the Data Act clarifies who can create value from data and under what conditions”. Some of the key provisions include:

  • “access by design” obligations (i.e. designing connected products and associated services so that users can easily access the data) and associated access and portability rights;
  • additional transparency requirements;
  • contractual protections for users; and
  • a means for the public sector to access data from the private sector (as opposed, in some respects, to the DGA) but only for purposes of general interest.

The broad mandate of this regulation, which covers all sectors and both personal and non-personal data, could present challenges for those dealing with mixed data sets as they seek to apply both the rules of the GDPR and the requirements of the Data Act. The regulation also specifically excludes “gatekeepers” under the DMA from being able to benefit from data access rights.

Cybersecurity Directive

  • Current status: political agreement reached, the European Parliament to formally adopt in October 2022, followed by adoption by the Council of the EU, and finally publication in the Official Journal.

The European Commission has proposed a directive on measures to achieve a high common level of cybersecurity in the EU (called ‘NIS2’, as it would repeal the previous ‘NIS’ directive) in an attempt to address the new challenges that have arisen and with a view to future-proofing as much as possible. As it is a directive, EU member states will be required to transpose its requirements into their national legislation. The proposed directive:

  • broadens the scope by adding new sectors (such as telecom, food, social media platforms) and the types of organizations that are part of them;
  • imposes more stringent cybersecurity requirements; and
  • expands reporting requirements.

e-Privacy Regulation

  • Current status: Trilogue discussions in progress.

Originally planned to be implemented alongside the GDPR, the e-Privacy Regulation was significantly delayed by difficult negotiations. Replacing the 2002 e-Privacy Directive, the remit of the proposed regulation remains privacy in electronic communications, complementing GDPR requirements with specific rules on cookies and electronic marketing. The e-Privacy Regulation aims to broaden the scope of the rules to encompass electronic communications and directory providers, including digital personal assistant services and other emerging tools.

Trilogue discussions continue, with clashes over data retention, national security and child pornography exemptions, and the use of legitimate interests as a legal basis for data processing.



* The authors would like to thank interns Jennifer Hutchings and Anita Hodea for their contributions to this OnPoint.
