Data trends 2024
Chapter 8: GDPR reloaded: The EU’s comprehensive approach to regulating data-driven industries
By Rachael Annear, Richard Bird, Elena Brandt, Mark Egeler, Theresa Ehlen, Christine Lyon, Christina Möllnitz-Dimick, Jérôme Philippe, Julia Utzerath and Christoph Werkmeister
IN BRIEF
In the ever-evolving landscape of digital data regulation, the EU has been at the forefront of establishing a legal framework to protect individuals’ personal data, in particular with the introduction of the General Data Protection Regulation (GDPR). Now, under the EU Digital Strategy, the EU intends to supplement the existing data and digital framework with a new set of rules that are not limited to personal data or even to data, for that matter.
The EU Digital Strategy introduces new rules to foster data flow, data access and the data economy—introduced by the Data Act and the Data Governance Act—which will apply to both personal and non-personal data, including machine and product data. The EU is also introducing enhanced obligations and user protections for online platform services, online hosting services, search engines, online marketplaces and social networking services under the Digital Markets Act (DMA) and the Digital Services Act (DSA). Artificial intelligence (AI) is another focus of the new regulation coming out of Brussels (see Chapter 1 on AI for more details). In addition, companies offering IT-based services must keep an eye on the proposed e-Privacy Regulation.
Some of the new rules aim to create a single market for data—making it easier for companies to share and get access to data—while the key goal of other newly introduced rules is to create a safe digital environment for the users of the relevant services.
Below we explain what changes businesses can expect and how they should respond.
The EU wants businesses to take the reforms seriously: fines for non-compliance with the new regulations can range from 4% up to 20% of global annual turnover.
Theresa Ehlen
Partner
The DSA aims to improve user safety and to protect fundamental rights in digital environments. The scope of services that the DSA covers is broad, capturing a wide range of ‘intermediary service providers’ such as hosting services, online platforms and online marketplaces. For example, every B2B online platform which showcases third-party content, products or services is captured by the DSA, even if the product or service itself cannot be bought on the platform. The DSA applies regardless of the relevant provider’s place of establishment as long as its services are offered to recipients that are established or located in the EU.
The DSA creates a layered set of obligations tailored to the different categories of digital services; it introduces a set of baseline obligations which apply to all online intermediaries and requires, for example, the designation of single points of contact for authorities and users, annual transparency reporting, and transparent terms and conditions. Increased obligations apply to online platforms connecting customers with goods, services and content; those obligations require providers to implement a notice and action mechanism, adopt adequate measures to combat the dissemination of illegal content online, and increase the transparency of their platforms for users.
Additional obligations apply to online marketplaces and are intended to ensure the traceability of traders and the safeguarding of users’ rights. The most stringent rules apply to ‘very large online platforms’ (VLOPs) and ‘very large online search engines’ (VLOSEs), which are designated by the European Commission depending on whether their average monthly user numbers in the EU exceed 45m. For most companies, the majority of the obligations under the DSA will start to apply in March 2024. In addition, for those VLOPs and VLOSEs initially designated by the Commission, the key obligations started to apply on 25 August 2023. Enforcement rules under the DSA are severe, with, for example, fines of up to 6% of total worldwide annual turnover.
In a nutshell, all companies covered by the DSA—and not only the largest online platforms and search engines—will face comprehensive compliance tasks. Companies should therefore start by reviewing their online business models and, where necessary, adapting and redesigning them to comply with the new set of rules (eg, designing interfaces that avoid dark patterns). Their compliance work may need to continue and require additional resources, including for the implementation of complaints systems and changes to T&Cs.
Last but not least, companies are well-advised to set up a solid strategy for dealing with transparency and compliance requests from national authorities and, in case of VLOPs and VLOSEs, the Commission.
The DMA is intended to promote fair competition and to address certain practices of so-called gatekeepers (ie, providers of very large digital services) which are potentially harmful to the overall EU digital market. Most of the DMA’s obligations will start to apply in March 2024.
The DMA introduces a framework which defines certain practices that are inherently considered as anti-competitive and which can be addressed by the regulator without the need to conduct a lengthy investigation into the relevant practices. It is presumed that this will significantly speed up competition enforcement in the digital space.
The set of potentially harmful practices addressed by the DMA includes certain data practices (ie, certain cross-service processing of personal data) which may now require consent under the DMA.
The DMA will also impose obligations on gatekeepers to facilitate access to end user and business user data, and impact the extent to which gatekeepers may use business user data in competition with those business users. As such, the DMA will not only impact the relevant gatekeepers, which will need to review their current practices, but will also have an impact on the end users and business users of the relevant services who may be provided with broader access to their data. Other obligations relate to bundling, self-preferencing, interoperability of services, and transparency (eg, in relation to advertising services).
Fines for DMA infringement are up to 10% of the gatekeeper’s worldwide turnover in case of non-compliance, and up to 20% in case of repeated infringements.
While the European Commission is the sole authority responsible for DMA enforcement, the DMA framework provides various ways in which EU Member States, and their respective laws, can become involved in those investigations. In particular, the DMA explicitly provides that national competition authorities—after having informed the European Commission—may conduct investigations into possible non-compliance. Therefore, despite the DMA’s aim of avoiding regulatory fragmentation across the EU, it remains to be seen how the relationship between the European Commission and Member States and the consistent enforcement of the DMA across the EU will play out in the future.
Jérôme Philippe
Partner
The Data Act aims to introduce rules for the Internet of Things and for enabling users to easily switch between cloud providers. It is designed to improve access, exchange and use of valuable data generated by connected devices so that more public and private stakeholders can benefit from big data and machine learning.
The Data Act applies to personal and non-personal data and imposes data sharing obligations on companies that manufacture or offer connected products or related services in the EU. Users of a connected product or a related service will be entitled to access data generated by the connected product or service and can even ask the product’s manufacturer or seller to transfer this data to a third party. These rules will apply in B2B, B2C and B2G contexts. There are some exceptions which limit data sharing; for example, if the relevant data includes trade secrets, those shall be preserved and only be disclosed where the technical and organisational measures necessary to preserve the confidentiality of the shared data have been agreed in advance.
Implementing these new rules will come with a variety of challenges and considerable compliance work for companies. For example, the data access and data portability rights will require companies to build into the design of their products interfaces that make data easily retrievable. In practice, companies must not only put in place stringent governance and procedures to comply with the data sharing obligations, but also implement the limitations regarding trade secrets and track any infringements of those limitations by their customers or competitors.
Providers of data processing services, such as cloud service providers, infrastructure-as-a-service providers or platform-as-a-service providers, must allow users to switch services easily and must improve portability between different data processing service providers. The scope of the interoperability obligations is not completely clear, and it is yet to be determined how the requirements will function given the practical challenges of IT migration. Likewise, the obligation to limit switching charges is not clear cut, with uncertainties about which costs will be in scope.
Where the GDPR has sparked numerous consumer class actions and individual litigation, the Data Act may cause B2B actions where companies request access to non-personal data. This will make the competition and privacy legal teams quite nervous; without proper data mapping, companies can find themselves caught between a rock and a hard place.
Mark Egeler
Senior Associate
Service providers will also have to cope with another compliance burden by being subject to safeguards for the international transfer of non-personal data, similar to those from the so-called Schrems II ruling of the EU’s Court of Justice for personal data.
Infringement of the Data Act may lead to GDPR-level fines of up to €20m or 4% of the company’s annual turnover—whichever is higher.
To prepare for the different compliance tasks that will come with the Data Act, especially for connected products, companies should start data mapping to gain an overview of the types of data their products generate. In addition, starting to plan the technical elements for data sharing/data portability into products will help to minimise the amount of rework required if product design subsequently changes.
The Data Governance Act (DGA) is a cross-sectoral regulation designed to enhance trust in and facilitate voluntary data sharing for the benefit of businesses and citizens.
While the aim of the Data Act is to determine who is entitled to generate economic value from data and under which conditions, the DGA sets up the process and framework to enable data sharing.
The DGA applies to public sector bodies, providers of data intermediation services (ie, companies which do not sell data themselves but bring together other companies interested in monetising and reusing data), and data altruism organisations which facilitate data sharing for public benefit purposes.
Among other things, the DGA aims to:
Non-compliance with these obligations may lead to fines which are yet to be determined by national law.
The EU’s e-Privacy framework, which primarily aims to address the confidentiality of communications and the online privacy of individuals, currently consists of the ePrivacy Directive and its national implementations. The result is a broad set of regulations which also require businesses to consider variations in EU member state laws when introducing new features to their services.
Besides the fragmentation issue, the main challenge is that the current ePrivacy Directive (introduced in 2002 and last updated in 2009) was originally meant to address traditional telecoms operators; it was never meant to capture so-called over-the-top (OTT) communication service providers. This has changed with the EU Electronic Communications Code (the EECC) which has altered the definition of ‘electronic communications services’ so that it also covers OTT messaging services. However, the original ePrivacy framework has not been updated, creating legal uncertainty as to which of the obligations also apply to OTT services. In the absence of an updated EU-level framework, some national regulators have adjusted their national ePrivacy rules to account for OTT, at the same time creating an even more fragmented legal framework.
The ePrivacy Regulation is supposed to account for the broader set of players which are now covered by the ePrivacy framework and to keep up with the fast pace at which IT-based services are developing and evolving. Furthermore, the updated framework will impose a more harmonised approach across the EU.
That said, at the time of writing, the proposed ePrivacy Regulation is still under negotiation, and it remains uncertain if, or when, it will be finalised given that initially it was intended to enter into force in parallel to the GDPR in 2018.
Businesses should check whether they are captured by the new laws under the EU Digital Strategy and start to prepare for it, especially as some of the major laws are already in force and come with hefty fines.
This will require a careful assessment of the applicability of the new regulations to specific services and business models, and a detailed evaluation of how this will impact current practices. Businesses in scope of the relevant framework will have to develop a comprehensive compliance strategy which allows them to continue operating in compliance with the new requirements.
‘It will be interesting to see to what extent the EU’s approach to digital regulation is copied by other jurisdictions, and whether it becomes globally influential in a similar manner to the EU’s data protection laws. The UK is progressing various reforms that cover similar ground to the EU Digital Strategy, such as an Online Safety Act (the UK’s equivalent to the DSA) and a Digital Markets, Competition, and Consumer Bill (the UK equivalent to the DMA)—although there are significant divergences in the UK’s approach as compared to the EU.’
Rachael Annear
Partner
One of the legal challenges in that context is to work out how the GDPR interacts with the relevant piece of the EU Digital Strategy, and how the new laws interact with each other. This is because the relationship between the different EU frameworks is still unclear, both in terms of the scope of the relevant obligations and in terms of enforcement.
Similar to the approach that was required following adoption of the GDPR, companies will need to set up compliance programmes for the new digital regulations to ensure their products and processes align with the multi-layered rules, some of which will already start to apply early next year. This may require the implementation of new principles in the very early stages of product development (‘compliance by design’), akin to the approach that already exists under the GDPR. Generally, companies can benefit from reviewing their GDPR compliance programmes and considering how the new requirements can fit in with or complement the existing programmes.
Due to the high complexity of the new laws, in addition to their overlaps with each other and with existing regulations, we recommend a holistic approach to the upcoming compliance exercise. Thinking in silos fails to recognise the complexity and interlocking nature of the new regulations that are already in force and will come into force in the coming months and years.
Elena Brandt
Principal Associate
The new frameworks are likely to undergo further refinements and adjustments, as implementing acts and delegated acts of the Commission, as well as related national legislation, are still on their way. Businesses should closely monitor these developments to ensure compliance, and leverage opportunities for growth in the digital marketplace.
We will keep you up to date with the latest developments on our Freshfields EU Digital Strategy Hub.