EU Data Reforms

In March 2021 the European Commission presented its vision for Europe's digital transformation by 2030. As part of that vision, the Commission proposed a series of new laws, expected to come into force over the next few years, under the banner of the EU's Digital Decade.

In addition, the UK government is embarking on its own path of digital regulation, with a focus on driving growth and unlocking innovation. These legislative proposals will introduce new rules in relation to data, AI and cybersecurity and impose new obligations on big tech companies.

EU Reforms

Legislation related to Data

There are two new or proposed pieces of legislation in the EU aimed at changing how data is handled. These are the Data Act ("DA") and the Data Governance Act ("DGA").

Both the DA and the DGA seek to promote data accessibility and reuse within the EU. The DGA sets out the processes and structures for data to move freely within the EU, whilst the DA complements it by setting out who can use certain types of data and under what circumstances.

EU Data Act ("DA")

Effect on GDPR

The GDPR will continue to apply alongside it, where any personal data is involved.

Purpose

The DA is set to introduce new rules on who can use and access data generated in the EU across all economic sectors. The intention is to unlock the value and benefits in data by facilitating broader uses and sharing of data.

What data will the DA apply to?

All digital data, including both personal and non-personal data.

Who will the DA apply to?

The DA will apply mainly to private sector participants providing IoT products and related services as well as other "data holders". More specifically the provisions will apply to:

  • manufacturers and providers of connected products;
  • businesses that make their data available to recipients in the EU;
  • data processing services with customers in the EU; and
  • public sector bodies in the EU.

Some SMEs and micro enterprises will be exempt from the DA.

What territories does the DA apply to?

In a similar way to the GDPR (and as set out above) the rules in the DA have extraterritorial effect and are likely to be adopted as global standards beyond the EU.

Key Provisions and Proposals

  • Data Sharing and Access – The DA will introduce common rules governing the sharing of data generated by connected products or related services, to ensure fairness in data sharing contracts. It will also require manufacturers and service providers of connected products to make the data generated by such products accessible to end users on request.
  • Contribution to Technology – By widening access to data generated by connected products, the DA is intended to support the development of new data-driven services and technologies that rely on algorithms.
  • Fair Pricing – By giving users, and third parties chosen by them, access to device data, the DA is intended to open up after-sales services and repairs of connected devices to competition, with the aim of better prices for those services.
  • Trade secrets – The DA introduces provisions aimed at protecting trade secrets, so as to avoid a situation where increased access to data is used by competitors to reverse-engineer services or devices.
  • Cloud Service Providers – The DA facilitates switching between providers of cloud services and other data processing services.
  • Public Body Data Sharing – Under the DA, data holders will have to make data available to public bodies in the EU without undue delay where there is an exceptional need for the public body to use the requested data.
  • Restrictions on Data Access and Sharing – Providers of cloud and other data processing services must take technical, organisational and legal measures to prevent international transfer of, or third-country governmental access to, non-personal data held in the EU where that transfer or access would conflict with EU or Member State law.

Penalties

The DA states that infringements will be sanctioned by "effective, proportionate and dissuasive" penalties.

Member States must designate the national competent authorities responsible for applying and enforcing the DA and must establish the penalty framework for infringements of the DA. Penalties, therefore, may differ from country to country.

In addition, individuals and businesses may lodge complaints about alleged infringements of the DA with the competent authority of the Member State in which they are resident or established.

Current Status

The European Parliament adopted its position on the DA on 14 March 2023. The next step is to agree the final text with the Council of the EU. Once adopted, there will be a transition period before its provisions apply.

EU Data Governance Act ("DGA")

Effect on GDPR

The GDPR will continue to apply alongside it, where any personal data is involved. Importantly, the DGA does not create any new legal basis for processing under the GDPR and is not intended to prevent cross-border transfers of personal data made in accordance with the GDPR. Whenever personal data is concerned, if there is any inconsistency between the DGA and the GDPR, the GDPR prevails.

Purpose

The DGA aims to boost data sharing in the EU by giving start-ups and other businesses better access to big data, which they can use to develop new products and services. In particular, the DGA introduces a framework for increased data availability and re-use of public sector data.

What data will the DGA apply to?

  • Chapter II - Public sector bodies: applies to personal and non-personal data held by public sector bodies that is protected on grounds of commercial confidentiality (including business secrets), statistical confidentiality, the intellectual property rights of third parties, or the protection of personal data (referred to below as "DGA data").
  • Chapter III - Data intermediation services providers: applies to personal data and to companies' non-personal data exchanged through data intermediation services.
  • Chapter IV - Data altruism organisations: applies to personal and non-personal data.

Who will the DGA apply to?

  • Chapter II - Public sector bodies: The DGA will regulate how public sector bodies share DGA data, as well as the intermediaries that facilitate data sharing. Public sector bodies are broadly defined as institutions that are government-financed, government-managed or exist to serve needs in the public interest.
  • Chapter III - Data intermediation services providers: The DGA defines data intermediation services providers as entities that broker the flow of data from an undetermined number of data subjects and data holders to data users.
  • Chapter IV - Data altruism organisations: The DGA applies to organisations that collect data voluntarily shared for purposes of public benefit, including improved health outcomes, combating climate change or scientific research.

What territories does the DGA apply to?

Organisations and data handling within the EU. Providers of data intermediation or data altruism services established outside the EU that offer their services in the EU are also caught and must appoint a legal representative in a Member State.

Key Provisions and Proposals

  • Reuse of Public Sector Data – Under the DGA, public sector bodies will be encouraged to share data through "European data spaces", and new rules will make it easier for organisations and individuals to share data for the benefit of society. The creation of a single market for data in the EU aims to increase global competitiveness and data sovereignty.
  • Restriction on exclusivity – Public bodies will be restricted in their ability to grant exclusive arrangements for the re-use of DGA data. This should make more data available to SMEs and start-ups.
  • Territorial Transfer Restrictions – The DGA restricts transfers of DGA data to recipients outside the EU (with an adequacy regime for DGA data similar to that under the GDPR).
  • Supervision – Member States must designate competent bodies to support public sector bodies in handling re-use requests, establish a single information point for re-use, and designate competent authorities to supervise data intermediation services providers and data altruism organisations.
  • Trusted data-sharing services – The DGA introduces a new business model for data intermediation services, including a notification regime for providers and a common EU logo that compliant providers (and recognised data altruism organisations) may use to signal their compliance with the DGA.

Penalties

The penalty structure is the same as under the DA above.

Current Status

The DGA entered into force on 23 June 2022 and applies to organisations from 24 September 2023.

Legislation related to Digital Markets and Services

There are two other pieces of legislation in the EU aimed at regulating digital markets and services. These are the Digital Markets Act ("DMA") and the Digital Services Act ("DSA").

Digital Markets Act ("DMA")

Effect on GDPR

The GDPR will continue to apply alongside it, where any personal data is involved.

Purpose

The DMA is set to regulate the main services provided by the biggest online platforms operating in the EU covering the likes of Google, Apple, Amazon and Microsoft. Its purpose is to create a fairer environment for users that rely on these platforms and to ensure consumers have better access to

What data will the DMA apply to?

The DMA applies to personal and non-personal data processed as part of specific online services as follows:

  • Online intermediation services
  • Search engines
  • Social media platforms
  • Video-sharing platforms
  • Communications platforms
  • Operating systems
  • Web browsers
  • Virtual assistants
  • Cloud services
  • Online advertising services

Who will the DMA apply to?

Applies to companies that:

  • provide a core platform service with at least 45 million monthly active end users in the EU and at least 10,000 yearly active business users established in the EU;
  • meet certain market capitalisation (EUR 75 billion) or annual EU turnover (EUR 7.5 billion) thresholds, and provide the same core platform service in at least three Member States; and
  • have (or are expected to have) an entrenched and durable position in their operations.

Companies that meet these criteria are designated by the Commission as "gatekeepers".

What territories does the DMA apply to?

In a similar way to the GDPR (and as set out above) the rules in the DMA have extraterritorial effect and are likely to be adopted as global standards beyond the EU.

Key Provisions and Proposals

Obligations and prohibitions will be placed on the gatekeepers in their daily operations to ensure fair and open digital markets, including:

  • Giving business users access to the data generated through their use of the gatekeeper's platform.
  • Allowing business users to promote their offers to, and conclude contracts with, customers acquired through the gatekeeper's platform outside that platform.
  • Making certain services (such as messaging) interoperable with those of smaller providers.
  • Prohibiting gatekeepers from preventing users from raising issues of non-compliance with EU or national law with public authorities.
  • Providing users with a right to install and use third-party applications and app stores on their devices.
  • Prohibiting the combination of personal data from the core platform service with personal data from the gatekeeper's other services, or from third parties, without the end user's consent.

Penalties

Fines of up to 10% of a gatekeeper's global turnover for any intentional or negligent non-compliance (rising to up to 20% if a gatekeeper commits a second violation within eight years of the first).

For lesser infractions, such as supplying incorrect or incomplete information, gatekeepers can be fined up to 1% of global turnover.

Current Status

The DMA entered into force on 1 November 2022 with the majority of provisions affecting the gatekeepers becoming applicable after six months on 2 May 2023. Once designated, gatekeepers will have six months to comply with the DMA's requirements.

Digital Services Act ("DSA")

Effect on GDPR

The GDPR will continue to apply alongside it, where any personal data is involved.

Purpose

The DSA is set to regulate how online platforms with EU users handle illegal or potentially harmful online content by establishing a powerful transparency and accountability framework. It establishes comprehensive protection for users' online rights and harmonises the regulation of online intermediary services in the EU.

What data will the DSA apply to?

All digital data, including both personal and non-personal data processed in providing mere conduit services, caching services and hosting services.

Who will the DSA apply to?

Companies caught by the DSA will include intermediary services, hosting services and online platforms. These providers include:

  • Internet access providers
  • Domain name registrars
  • Cloud and webhosting service providers
  • Online marketplaces
  • App stores
  • Social networks
  • Very large online platforms and search engines reaching more than 10% of EU consumers (45 million monthly users), which carry the heaviest obligations.

The obligations placed on different online companies will be proportionate to their role, size and impact in the online ecosystem.

What territories does the DSA apply to?

In a similar way to the GDPR (and as set out above) the rules in the DSA have extraterritorial effect and are likely to be adopted as global standards beyond the EU.

Key Provisions and Proposals

  • Notice-and-action obligations requiring hosting providers to act on reports of illegal content, replacing reliance on voluntary action by platforms (the DSA does not impose a general obligation to monitor content).
  • Obligations on hosting providers to notify law enforcement where they become aware of information giving rise to a suspicion of a criminal offence involving a threat to the life or safety of a person.
  • Transparency obligations on the steps taken to combat illegal content and on online advertising.
  • Special protection measures where platforms are accessible to minors, to ensure their online safety, including a ban on targeted advertising to minors based on their personal data.
  • A ban on the use of "dark patterns" (interface designs that deceive or manipulate users into decisions they would not otherwise take).
  • Products sold online must meet EU safety standards, and users will have better knowledge of the real identity of the sellers they buy from.
  • The use of special categories of personal data (such as health, religion or sexual orientation) for targeted advertising will not be allowed.

Penalties

Fines of up to 6% of annual global turnover for platforms and search engines that fail to comply.

Current Status

The DSA came into force on 16 November 2022 and applies in full from 17 February 2024, following a 15-month lead-in period (very large online platforms and search engines had to comply earlier, four months after their designation).

Technology

The so-called "Digital Decade" will see new rules on the use of AI, the tightening of cybersecurity controls, and new obligations on Big Tech companies. To help businesses ensure compliance, our technology team have produced an insight with a high-level summary of the different legislative proposals introduced by the Digital Decade in the technology area.

Artificial Intelligence Act ("AI Act")

Effect on GDPR

The GDPR will continue to apply alongside it, where any personal data is involved.

Purpose

The EU is proposing to introduce legislation that will address fundamental rights and safety risks specific to AI systems. The AI Act adopts a risk-based approach intended to apply a balanced and proportionate approach to AI regulation.

What data will the AI Act apply to?

All digital data, including both personal and non-personal data processed using AI.

Who will the AI Act apply to?

The AI Act will apply to all providers, users, importers and distributors of AI systems in all sectors.

What territories does the AI Act apply to?

The AI Act will apply to organisations using or putting AI systems in the EU market, or where the output of that AI system is used in the EU, regardless of whether they are based in the EU.

Key Provisions and Proposals

  • Will introduce a four-tiered risk framework: "minimal or no risk", "limited risk", "high risk" and "unacceptable risk". Each tier will be governed by proportionate rules for providers and users of AI systems.
  • Banning certain unacceptable-risk AI practices, such as certain forms of social scoring and (subject to limited exceptions) real-time remote biometric identification, including facial recognition, by law enforcement in publicly accessible spaces.
  • Requiring providers of high-risk AI systems to take extra steps, such as (i) implementing risk and quality management systems; and (ii) keeping relevant records and technical documentation.
  • Requiring organisations to be transparent with users about the fact that they are interacting with an AI system.
  • Establishing a European Artificial Intelligence Board to coordinate the national supervisory authorities.

Penalties

Under the Commission's proposal there are potential fines of up to 6% of global annual turnover or EUR 30 million, whichever is higher, for the most serious non-compliance.

Current Status

The AI Act is currently going through a detailed legislative process but could enter into force by the end of 2023. Organisations would then have a transition period of approximately two years before most of its obligations apply.