EU: An overview of the European digital strategy
In this Insight Article, Lara White, Miranda Cole, and Polina Maloshchinskaia, from Norton Rose Fulbright LLP, explain the aims and key components of the EU digital strategy, outlining, at a high level, key legislation that has been published in this space in the past three years. They highlight the way in which the various legislative instruments interact with each other and with European data privacy rules.
What is the EU Digital Strategy?
In February 2020, the European Commission (Commission) published policy documents setting out its vision for a 'Europe fit for the Digital Age' in response to the rapid expansion of digital technology usage in recent years. These included A European strategy for data (the Data Strategy), which was published alongside a Commission communication on Shaping Europe's digital future (the Digital Strategy), and a White Paper on Artificial Intelligence. Together, they outlined the Commission's ambition for the EU to take on a leading role in the data economy, by acting in a concerted manner to deal with a range of issues, including the availability of, and access to, data, computing power, and cybersecurity, while ensuring the privacy rights of individuals and competition among the larger technology organizations are maintained.
The Digital Strategy set out the Commission's overarching digital plan, with the stated aim of delivering technology that works for the people, a fair and competitive economy, and an open, democratic, and sustainable society. The full scope of the Commission's digital ambitions can be found in the various online materials, policies, and legislation set out in the Digital Strategy webpages, which are regularly updated to reflect developments in the strategy, such as the recently added strategy on Web 4.0 and virtual worlds.
The Data Strategy is part of the overarching Digital Strategy, and it is intended to set out a comprehensive approach to the data economy in Europe, with a particular focus on increasing access to, and flow of, quality data for use and re-use, noting that data is the lifeblood of economic development. In particular, one of its stated aims is to create a single European market for data, recognizing the need to:
- develop legislation and governance to ensure the availability of data;
- deal with the concentration of data; and
- invest in standards, tools, infrastructure, and skills.
To complement the horizontal framework established by the Data Strategy, another core component is the development of common European data spaces in certain strategic sectors, including healthcare, energy, and finance, to help improve the availability, quality, and interoperability of data. General requirements relating to the operation of data spaces are set out in the Data Act and certain sector-specific legislation (e.g., the European Health Data Spaces).
Key legislation implementing the Digital Strategy
While certain key digital laws, perhaps most notably the General Data Protection Regulation (GDPR), the Directive on Privacy and Electronic Communications (the ePrivacy Directive) and the Directive on Certain Legal Aspects of Information Society Services in Particular Electronic Commerce in the Internal Market (the e-Commerce Directive), and various pieces of sector-specific legislation, predate the Digital Strategy, a new package of digital laws has been proposed and, in many cases, adopted to deliver the Digital Strategy, including the key instruments outlined below.
Data Governance Act
The Data Governance Act (DGA) is intended to promote the sharing and re-use of public sector data and to encourage data altruism, focusing on three key areas, namely:
- the reuse of data held by public sector bodies;
- the establishment of data intermediaries, which are third parties who will broker the flow of data to data users; and
- requirements aimed at encouraging data altruism, including the development of forms by the Commission to enable individuals and companies to consent to the use of their data for altruistic purposes and rules facilitating the establishment of third-party data altruism organizations.
The DGA also introduces restrictions on the transfer of non-personal data outside the EU. This regime has similarities to the GDPR data export regime that applies to personal data, including the requirement to assess whether the transfer of, or access to, transferred data outside the EU would conflict with EU or Member State law and the development of model contractual clauses for the transfer of non-personal data. However, the DGA and GDPR data transfer regimes are different and so will need to be considered side by side.
The DGA was adopted in May 2022, entered into force on June 23, 2022, and became applicable from September 24, 2023.
The Data Act addresses the use, sharing, and re-use of connected product-generated data (commonly referred to as internet-of-things data), among other things. Agreement has been reached on the Data Act and it looks set to be adopted in autumn 2023. It will come into effect after a 20-month transition period.
The Data Act covers a number of different data-related areas.
First, it sets out a data access regime that will require data holders (e.g. the manufacturers of connected devices) to give users access to the data generated by and about them in connection with the use of connected devices.
Secondly, users will also be able to direct the sharing of data with eligible third-party data recipients (which does not include gatekeepers under the Digital Markets Act (DMA), referred to in the section on the Digital Markets Act below), subject to restrictions on using data to compete with the data holder and rules relating to the contractual terms to be put in place. The Data Act contemplates, but does not mandate, that data intermediaries referenced in the DGA may help facilitate the sharing required under the Data Act.
Thirdly, the Data Act includes provisions requiring cloud providers to help customers switch to other providers, setting out various mandatory provisions around termination rights and fees. As with the DGA, the Data Act imposes rules on cloud service providers relating to the transfer of non-personal data outside the EEA.
Finally, the Data Act includes provisions that apply to operators of data spaces and minimum requirements for smart contracts used for data sharing.
Digital Services Act
The Digital Services Act (DSA) is intended to modernize the existing e-Commerce Directive and address illegal content, transparent advertising, and disinformation. It entered into force on November 16, 2022, and will be directly applicable (for the most part) from February 17, 2024, with some of the obligations imposed on very large companies applying earlier.
The DSA places obligations on all digital services that connect consumers to goods, services, and content, including 'intermediary' conduit, caching, and hosting services, which include services ranging from cloud services to large social media platforms.
It also applies incrementally, with different obligations depending on the type of services an organization provides and the organization's user numbers. The obligations include handling illegal content and publishing details of the same, due diligence of traders operating on the platform, transparency around advertising and recommender services, and prohibitions on certain design practices.
The most onerous obligations apply to 'very large' online platforms or search engines, whose designation is based on user numbers and will often apply alongside the 'gatekeeper' designation under the DMA. These types of organizations must undertake risk assessments and put in place certain compliance functions. They are also subject to additional transparency obligations.
Digital Markets Act
The DMA has the stated aim of increasing competition and helping smaller companies and start-ups compete with so-called 'gatekeepers' (designated by reference to user numbers - like the criteria in the DSA for very large online platforms - and turnover or average market capitalization). There are various provisions requiring the sharing and disclosure of advertising information, relating to interoperability, prohibiting self-preferencing, and prohibiting the tying of certain services, among other things.
In relation to data, the DMA aims to ensure that consumers have greater choices regarding how gatekeepers use, combine, and cross-share the data they collect, building on requirements in the GDPR and e-Privacy laws. Consumer consent must be GDPR-standard consent, and deceptive design interfaces (or 'dark patterns') are prohibited. The DMA also includes provisions on data portability.
The DMA entered into force on November 1, 2022, and the majority of its provisions apply from May 2023.
Another key component of the Digital Strategy is to make the EU a 'world-class hub' for artificial intelligence (AI), ensuring that AI is human-centric and trustworthy. This has led to the proposed Artificial Intelligence Act (the AI Act), which is currently being negotiated in trialogue.
The proposed AI Act will impose obligations on providers, importers/distributors, and users (deployers) of AI systems in the EU, mainly focusing on AI systems designated as being 'high risk'. These are systems that create health and safety risks (e.g. AI systems intended to be used as safety components of products like medical devices or protective equipment) or risks to fundamental rights (e.g. AI used in asylum and border control or the administration of justice and democratic processes). Providers, and to a lesser extent users, of these high-risk AI systems will be required to undertake various risk management, fundamental rights, and conformity assessments and take action to rectify non-conformity. There will also be requirements relating to the design of, and data used to develop, AI systems.
Alongside high-risk AI, the AI Act will also prohibit certain types of AI, impose obligations on providers of general-purpose AI systems and foundation models (e.g. generative AI), subject certain AI systems, including chatbots, to certain transparency obligations, and introduce general AI principles that will apply to all AI.
The AI Act will be complemented by the Artificial Intelligence Liability Directive, which will address the difficulty of proving causation of harm by AI systems and introduce rebuttable presumptions of causation, particularly for high-risk AI systems.
Additional policies and laws
Alongside the core legislative instruments referred to above, the Digital Strategy also paves the way for various other cross-sectoral legislative instruments. These include the Directive on Measures for a High Common Level of Cybersecurity across the Union (Directive (EU) 2022/2555) (NIS2 Directive), which broadens the sectors covered by the network and information security requirements, originally provided for in the Directive on Security of Network and Information Systems (Directive (EU) 2016/1148) (the NIS Directive), and changes the scope of some obligations. Additionally, there's the Cyber Resilience Act, which will impose cybersecurity obligations on suppliers of certain digital products.
In addition, a number of sector-specific policies and legislation are contemplated, including the European Health Data Spaces Regulation, which is designed to create a framework to allow the wider sharing of health data for secondary purposes, such as research, and the Digital Operational Resilience Act (DORA), which imposes cybersecurity-related obligations on financial services institutions.
Interaction with the privacy rules
The Digital and Data Strategies recognize that their roll-out has to be user-centric and that the privacy rights of relevant individuals must be maintained. Accordingly, the GDPR is explicitly referenced and applies in an over-arching horizontal manner across all these laws, so that all the obligations relating to data sharing, interoperability, and transparency about advertising, among other things, apply without prejudice to the requirements under European data protection law (rather than these laws seeking to limit the obligations under the GDPR).
For example, the Data Act specifically notes that the requirement on data holders to share data with users or third parties remains subject to the need to ensure that the data sharing is fair, lawful, and transparent. The Data Act also explicitly states that it does not itself constitute a lawful basis for the collection or use of any personal data by a data holder.
In contrast, the proposed AI Act does, subject to certain safeguards applying, establish a new lawful basis for processing special categories of personal data where it is strictly necessary for the purposes of ensuring negative bias detection and correction, which will need to be read alongside Article 9 of the GDPR.
In other cases, the new laws incorporate concepts from the GDPR. For example:
- under the DMA, the consent that gatekeepers must obtain from users for specific actions, such as combining data across different platforms, is expressly stated to be GDPR-compliant consent;
- both the DMA and DSA prohibit 'dark patterns,' even though the term is not explicitly used. The criteria for identifying what constitutes dark patterns were adopted in February 2023 by the European Data Protection Board (EDPB) in the context of privacy by design and default under the GDPR; and
- in relation to the transfer of data outside the EU, similarly to existing data privacy regulations, both the DGA and the Data Act include restrictions around transferring non-personal data outside the EU. In practice, these similar yet different data export regulations may pose practical challenges for organizations subject to these laws, especially given the frequent intermingling of personal and non-personal data.
While the EU has made rapid progress in implementing its Digital Strategy, it's worth noting that legislation is still being debated and a number of the governance and framework instruments, like the DGA and the AI Act, will require the adoption of subordinate instruments. The applicable standards, codes of conduct, template clauses, and sometimes even regulatory guidance are, for the most part, yet to be drafted.