Ready For The Upcoming Legislation Tsunami From Europe?
Have you heard about the Data Act? Data Governance Act? Digital Markets Act? Digital Services Act? AI Act? These are all upcoming legislations in the European Union, which will have a deep and long-lasting impact on how companies develop, structure, and position their products and services online. Consequently, our experience as users will also change - in my view, for the better. In this newsletter, we will take a look at the scope of these new laws and the impact they will have.
The General Data Protection Regulation (GDPR), as we know, caused a positive tsunami on how companies around the world dealt with privacy and data protection. Suddenly, perhaps scared of the fines and negative press coverage, privacy tools, privacy compliance, privacy policies, privacy by design, privacy vendors, and privacy laws became day-to-day issues spread over multiple departments beyond legal.
Privacy law became a much more promising career, as everyone wanted a privacy lawyer nearby and possibly a data protection officer to lead the company's privacy efforts. Privacy was not a tangent topic anymore, discussed at the end of the infosec meeting. It now had its own chair in the C-level meeting. It all happened very quickly, right after the GDPR entered into force. We could see how many companies left it to the last minute as, in a period of weeks, one was receiving dozens of email notifications about updated privacy policies.
I would go as far as to say that the GDPR - and the waves of legislative changes it encouraged worldwide - caused a cultural revolution around privacy.
It all started in April 2018, and the GDPR remains strong. We are now four and a half years later, and there are now five upcoming legislations that have the potential to cause similar changes within their scope. They are not only about data protection per see, but they deal with data, and often personal data. Their provisions constantly overlap with the GDPR and other data protection laws, so privacy professionals should be well aware of them.
I will briefly discuss each of these five laws and what they propose to change, and then discuss what I think will be the main consequences of these new legislations:
According to the EU Commission, the Data Governance Act "seeks to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data."
And how will that work in practice? The EU will put in place data-sharing systems through these four types of measures:
"Mechanisms to facilitate the reuse of certain public sector data that cannot be made available as open data. For example, the reuse of health data could advance research to find cures for rare or chronic diseases."
"Measures to ensure that data intermediaries will function as trustworthy organisers of data sharing or pooling within the common European data spaces."
"Measures to make it easier for citizens and businesses to make their data available for the benefit of society."
"Measures to facilitate data sharing, in particular to make it possible for data to be used across sectors and borders, and to enable the right data to be found for the right purpose."
2. Data Act
The Data Act can be seen as a complement of the Data Governance Act. According to the EU Commission: "while the Data Governance Act (...) creates the processes and structures to facilitate data sharing by companies, individuals and the public sector, the Data Act clarifies who can create value from data and under which conditions."
According to the EU Commission, the Data Act includes:
"Measures to allow users of connected devices to gain access to data generated by them, which is often exclusively harvested by manufacturers; and to share such data with third parties to provide aftermarket or other data-driven innovative services. (...)"
"Measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts. (...)"
"Means for public sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in case of a public emergency, such as floods and wildfires (...)"
"New rules allowing customers to effectively switch between different cloud data-processing services providers and putting in place safeguards against unlawful data transfer."
The EU sees the Digital Market Acts and the Digital Services Act as a reform of the digital space, which will help protect fundamental rights and lead to fairer and more open digital markets for everyone.
According to the EU Commission: "some large online platforms act as 'gatekeepers' in digital markets. The Digital Markets Act aims to ensure that these platforms behave in a fair way online. Together with the Digital Services Act, the Digital Markets Act is one of the centerpieces of the European digital strategy."
The DMA targets large and systemic online platforms, which it calls "gatekeepers." The company will be considered a gatekeeper if it:
has a strong economic position, significant impact on the internal market and is active in multiple EU countries
has a strong intermediation position, meaning that it links a large user base to a large number of businesses
has (or is about to have) an entrenched and durable position in the market, meaning that it is stable over time if the company met the two criteria above in each of the last three financial years
Regarding the goals of the DMA, according to Andreas Schwab, a member of the European Parliament:
"The Digital Markets Act puts an end to the ever-increasing dominance of Big Tech companies. From now on, they must show that they also allow for fair competition on the internet. The new rules will help enforce that basic principle. Europe is thus ensuring more competition, more innovation and more choice for users."
There are EU lawmakers who are calling the DSA "the European constitution for the internet." According to the EU Commission: "the DSA sets out an unprecedented new standard for the accountability of online platforms regarding illegal and harmful content. It will provide better protection for internet users and their fundamental rights, as well as define a single set of rules in the internal market, helping smaller platforms to scale up."
The DSA will impact a large spectrum of entities, including:
Among the concrete rules that the DSA establishes are:
"measures to counter illegal goods, services or content online, such as a mechanism for users to flag such content and for platforms to cooperate with “trusted flaggers”
new obligations on traceability of business users in online marketplaces, to help identify sellers of illegal goods or reasonable efforts by online marketplaces to randomly check whether products or services have been identified as being illegal in any official database
effective safeguards for users, including the possibility to challenge platforms’ content moderation decisions
ban on certain types of targeted adverts on online platforms (when they target children or when they use special categories of personal data, such as ethnicity, political views, sexual orientation)
transparency measures for online platforms on a variety of issues, including on the algorithms used for recommendations
obligations for very large platforms and very large online search engines to prevent the misuse of their systems by taking risk-based action and by independent audits of their risk management systems
access for researchers to key data of the largest platforms and search engines, in order to understand how online risks evolve."
Violation of the DSA may result in fines of up to 6% of the annual worldwide turnover or, in case of repeated serious breaches, possibly a ban on operating in the EU.
"the proposal follows a risk-based approach and lays down a uniform, horizontal legal framework for AI that aims to ensure legal certainty. It promotes investment and innovation in AI, enhances governance and effective enforcement of existing laws on fundamental rights and safety, and facilitates the development of a single market for AI applications. It goes hand in hand with other initiatives, including the Coordinated Plan on Artificial Intelligence which aims to accelerate investment in AI in Europe."
There are multiple articles and analyses of the detailed provisions of each of these laws - which would not fit the scope of this newsletter. I recommend that privacy pros read them carefully and get informed about what will soon become law in the EU. Also, for those who manage tech companies, it would be wise to talk with your legal team regarding the necessary steps to prepare for these laws.
What, in my view, is getting clear is that everything online will be scrutinized and regulated by the EU. Nothing will be left untouched. And this regulatory tsunami will have a global impact, as the internet has much more fluid borders than the offline world.
Additionally, I would say that the legal oversight for these measures of internet regulation will be stronger than in any other offline context. The world is watching the EU promote a legal revolution online and observing every new provision and enforcement action. Countries must decide if and how they will (or will not) replicate these legal provisions within their own internal markets.
The EU is definitely taking a step forward and reaffirming itself as a global leader in internet regulation. The way the internet works offers its own challenges, which make it tricky or impossible to regulate unlawful practices solely using existing regulations applicable offline. In my view, these new legislations are welcome and positive progress, making companies more accountable, transparent, and ready to support people's needs. This a good reminder that the internet should serve, support and empower people.
What do you think the internet will look like in 5 years? What will be the best improvements brought by these legislations? What do you think will be the remaining weaknesses? Privacy needs critical thinkers like you: share this article and start a conversation about the topic.
See you next week. All the best, Luiza Jarovsky