The Future for Data: New Legislation in Europe and the UK

Substantial changes to legislation that will impact the use of data are on the horizon. The European Commission announced its digital strategy in 2021 and its intention to introduce a number of different laws, all of which will impact digital technology and data. Although the United Kingdom (‘UK’) has now left the European Union (‘EU’), UK businesses that operate in the digital economy are likely to be impacted as most proposed legislation will have extraterritorial effect. The UK government has also recently announced that it intends to introduce a number of new laws that will impact the future regulation of data.

EUROPE

The Digital Services Act

The Digital Services Act (‘DSA’) will implement new rules for internet service providers, cloud and webhosting services, online marketplaces, mobile application stores, search engines and social networks. The DSA places greater responsibility on hosting providers and platforms to provide notice and takedown mechanisms, to remove illegal content more quickly, to establish a complaints mechanism where users can appeal content moderation decisions and to deal with disputes and repeat infringers of their services. They will also need to be more transparent about their online advertising and the algorithms they use. 

As with the eCommerce Directive, online intermediaries will be exempt from liability for the content that they manage, subject to certain conditions. Like the GDPR, non-EU online intermediaries that operate within the EU will have to appoint EU-based representatives. Online platforms that provide services to 45 million recipients or more will have additional compliance duties, such as independent audits and giving regulators access to their data to verify compliance.

A European Board for Digital Services will also be created, which, like the European Data Protection Board, will ensure the consistent application of the rules across the EU. Sanctions for breaches will be fines of up to 6% of annual income or turnover and periodic penalty payments for continuous infringement of up to 5% of average daily turnover.

Status: Provisional agreement was reached in April 2022 between the European Council and the European Parliament, but the text still needs to be finalised before it can be adopted. It is expected to enter into force in 2024 and will apply 15 months afterwards, or on 1 January 2024, whichever is the later. The largest online platforms will have 4 months to implement its obligations.

The Digital Markets Act

The purpose of the Digital Markets Act (‘DMA’) is to promote competition and regulate the largest technological companies. It will apply to those online platforms that in the preceding 3 years have generated a turnover in the European Economic Area (‘EEA’) of at least 6.5 billion euros, or had a market capitalisation of at least 65 billion euros, and have at least 45 million monthly active users and more than 10,000 yearly active users in the EEA.

The DMA will prevent such companies from: using preferential ranking of products and services of those they directly promote over third-party traders; preventing customers from linking up to businesses outside the platform and preventing users from uninstalling pre-installed software or applications; imposing exclusivity provisions on traders; requiring access from traders to data generated on the platform.

The European Commission will regulate the DMA and will have similar enforcement powers to national regulators under the DSA. The Commission will be able to impose fines of up to 10% of the company’s total global annual turnover and if there are systemic infringements, it will be able to impose structural remedies such as divestiture of parts of the company. 

Status: The EU institutions have published the final text of the provisional agreement for the DMA. It must next be approved by the European Parliament and the Council and is not expected to be implemented until 2023. Once it becomes law, there will be 6 months before it is implemented.

The Data Governance Act

The Data Governance Act (‘DGA’) provides a legal framework for trading data and provides a mechanism for the re-use of public sector data. The aim of the DGA is to encourage the voluntary sharing of data amongst businesses. It applies to non-personal data only. The Act allows neutral data intermediaries that comply with its requirements to be listed in a public register. Such intermediaries will not be able to tie their intermediation services with other services, such as cloud storage or analytics, which are excluded from the DGA. This provision has been included to foster competition by preventing large technology providers and platforms from dominating intermediation services.

Businesses will not be obliged to share their data, but for those that would like to do so without fear of breaching data protection laws or confidentiality, the DGA is intended to provide a regulated platform to do so. The DGA also establishes the ‘Data Innovation Board’. This will be an advisory body that will develop guidelines, common standards and interoperability requirements to promote Europe’s data economy.

Status: The DGA has been approved by the EU Council and is expected to come into force in 2023. It will apply 15 months afterwards. 

The Data Act

The European Commission has proposed an act that will provide a legal framework for access to data generated across all economic sectors. The aim is to create a more competitive environment for the sharing and re-use of all data, that is, both non-personal and personal data. Any user of a connected product or related service will be able to get access to this data and use it for their own purpose or share it with third parties. The act therefore applies to the ‘internet of things’, but it does not apply to online applications and mobile services. 

The Data Act imposes certain obligations on data holders, including the provision of clear and comprehensive information on the data that will be generated by the product or service, the nature and volume of that data, how the data will be used and most importantly, how to request access to that data, or port the data elsewhere. The Database Directive will not apply to machine-generated data so that intellectual property rights cannot be used to prevent the transfer of data under the act. 

There will be an obligation on manufacturers of the products, or designers of the service, to ensure that they are created with mechanisms that make it possible to easily access the data. Similar to the GDPR, there must also be a legal basis to process non-personal data so that any use of it must be on a contractual basis. 

The proposed act also obliges cloud service providers to make it easier for customers to switch providers. Cloud service providers will have to ensure interoperability between services and charges for switching services will be phased out over a 3-year period.

To ensure competition but at the same time maintain business innovation, the Data Act contains a safeguard that data exported to other companies cannot be used to develop products in direct competition with the original data holder. Further, the largest online platforms will not be eligible to receive data under the Data Act. 

There are also some provisions that oblige data processing services to apply safeguards and take reasonable technical, legal and organisational measures to prevent government access to data, and transfer of that data, unless it is compatible with EU or national law. This would appear to extend the conditions imposed by the Schrems II judgment to non-personal data.

The Data Act also proposes advantageous terms of service for SMEs and free access to data by public bodies in emergency scenarios. Similar to the GDPR, it will have extra-territorial effect.

Status: The Data Act is only at the proposal stage. The draft will be debated in the EU Parliament and the EU Council before proposed amendments are made. It is anticipated that it will be adopted in 2023 and implemented 12 months thereafter.

The Artificial Intelligence Regulation

Europe’s proposed Artificial Intelligence Regulation will regulate artificial intelligence (‘AI’), creating a framework for its development and use. Providers of AI systems in or outside the EU will come within its remit if the users of the AI systems are located in the EU, or if the output produced by the AI system is in the EU. The proposal adopts a risk-based approach and outlines risk categories: prohibited AI, high-risk AI and low-risk AI. The Regulation sets out various requirements for the development of high-risk and low-risk AI.

An AI system is defined in the draft Regulation as ‘a software that is developed with one or more of the techniques and approaches listed in Annex 1 and can, for a given set of human-defined objectives, generate outputs such as content, predictions, recommendations, or decisions influencing the environments they interact with’. The EU Council and the European Parliament have proposed that this definition should be expanded to apply to a machine-based system, rather than just software. There is also debate around how personal data will be addressed and calls for clarification on how it would apply to virtual environments (i.e. the metaverse).

The creation of a European AI Board is proposed, which would issue opinions, recommendations and guidance and facilitate the implementation of the Regulation across the EU Member States. Fines for infringements could be significant. It is proposed that a maximum fine of up to €30 million, or up to 6% of total annual global turnover, whichever is the greater, could be imposed. Like the GDPR, there is a sliding scale for penalties with fines of €20 million or 4% of annual global turnover and €10 million or 2% of annual global turnover for lesser infringements.

Status: It was proposed by the European Commission in April 2021 and has been given a 2-year transition period to take effect once it is approved. The expectation is that the AI Act will be applicable towards the end of 2024 into 2025.

E-Privacy Regulation

The long-awaited e-Privacy Regulation is yet to become law and is still in the trilogue process. For more background to the proposed e-Privacy Regulation, see my previous blog article here.

THE UNITED KINGDOM

The Online Safety Bill

The UK government intends to impose a new duty of care on companies which offer services for user-generated content or interaction online. It would apply to social media platforms, hosting service providers, online discussion forums and search engines. There will be a new regulatory framework, similar to the EU’s proposals in the DSA, which will require companies to address illegal content. The largest platforms will also have to take measures to tackle content that is legal but harmful.

The proposed act does not enable individuals to bring claims, but rather focuses on transparency and accountability mechanisms, obliging companies to undertake various risk assessments and to have processes in place to reduce or eliminate certain types of content. OFCOM will act as regulator and will issue codes of practice and guidance. It will also have the power to investigate companies and impose fines as high as £18 million or 10% of qualifying global revenue, whichever is the greater.

Status: The bill was presented to parliament on 17 March 2022 and is at the committee stage in the House of Commons. The government expects the passage of the bill to take 10 to 12 months, so that royal assent is expected in 2023. Once it is enacted, OFCOM has 6 to 18 months to produce guidance and recommendations for secondary legislation.

The Data Reform Bill

The Data Reform Bill will amend or replace the UK GDPR and Data Protection Act 2018. The draft Bill has not yet been published. The UK Government’s ‘Consultation Paper on Reforms to the UK Data Protection Regime’, published in 2021, indicates the areas in which the government is likely to propose changes. Examples include the lawful basis of legitimate interest for processing personal data, removing the necessity of human oversight in an automated decision-making process, a new test for anonymity, changing cookie rules, and removing the necessity for a data protection impact assessment and data protection officers.

However, any substantial move away from the UK GDPR is likely to put the UK’s ‘adequacy’ status at risk (see my blog article here). Such a loss is estimated to cost UK companies up to £1.6 billion as they would have to find an alternative legal basis to transfer data and it could make the UK less attractive to international technological companies.[1]

Status: A draft bill is expected later in 2022.

The Digital Markets, Competition and Consumer Bill

The UK government intends to introduce legislation to tackle anti-competitive practices in digital markets that negatively impact consumers and the economy. In April 2021, the Digital Markets Unit (‘DMU’) was established within the Competition and Markets Authority (‘CMA’) to advise the Government on the promotion and regulation of competition and innovation in the digital markets. A consultation was conducted in 2021.

In response to the consultation, the Government has stated its intention to give the DMU a greater range of enforcement powers, including the ability to fine a company up to 10% of its global annual turnover for regulatory breaches. The Bill is also likely to propose civil and criminal penalties for persons knowingly or recklessly providing the DMU with false information and the ability to disqualify directors.

The Bill will seek to improve competition by requiring the most powerful technological companies to comply with obligations so that they cannot abuse their dominant position at the expense of the consumer and other businesses. For example, these companies could be required to inform businesses when they adjust their algorithms, where the effect is to steer web traffic away from their sites. It is suggested that news publishers should also be paid fairly for their content and the DMU will be given the power to resolve disputes.

The proposed legislation also aims to prevent subscription ‘traps’ by requiring businesses to provide consumers with clear information and to send reminders before automatically renewing a subscription. Fake reviews will be tackled in the bill, by prohibiting the commission or offer of fake reviews and the hosting of fake reviews without taking reasonable steps to ensure they are genuine. 

The Government’s response to the consultation can be found here.

Status: The CMA has said that the bill will not be introduced in the 2022-2023 parliamentary session and so the proposals are far off from becoming law.



[1] See https://neweconomics.org/2020/11/the-cost-of-data-inadequacy