Data and AI

Digital Services Act

The Digital Services Act (DSA) entered into force on November 16th 2022 with an aim to create a safer digital space. The DSA has the ambition to tackle digital challenges that have exploded in the past years such as the spread of counterfeit goods, hate speech, or disinformation, while preserving the fundamental rights of users, such as freedom of expression and the right to information. In the words of Margrethe Vestager, Executive Vice President of the European Commission “what is illegal offline is equally illegal online”.

Who is in the scope of the DSA?

The DSA imposes new obligations on providers of intermediary services operating in the European Union. The service providers that fall within the scope of the DSA are mere conduit services providers, caching services providers, and hosting services providers, including online platforms and online search engines.

What obligations are created by the DSA?

The obligations imposed on providers of intermediary services will vary depending on the size of the online intermediary and on the nature of the services provided. The obligations relate to transparency, information, compliance with administrative requirements, such as the obligation to set up an internal complaint-handling system, or to publish an annual transparency report on content moderation. There are also some restrictions regarding advertisement based on profiling. The DSA distinguishes two sub-categories of hosting services providers, online platforms and online search engines. Platforms and search engines recording a number of users per month superior to 45 million will be labelled as very large online platforms (VLOPs) and very large online search engines (VLOSEs).

What can Lawist help you with?

We support our customers in determining if and to what extent the DSA applies to them and figuring out what concrete obligations and opportunities arise from it. You can rely on us to help you with any needs related to the DSA, for example:

• Social media watch services and filing takedown notices;

• Drafting T&Cs compliant with the DSA (article 14);

• Drafting moderation guidelines taking into account users’ fundamental rights and the need to remove illegal content;

• Help in assessing whether some alleged infringing content needs to be removed, giving trainings/workshops on moderation practices;

• Assistance in filing the annual transparency reports;

• Setting up a compliant complaint-handling system;

• Review of online advertising practices to ensure compliance with the DSA (especially advertising based on profiling);

• Helping providers offering services accessible to minors put in place specific measures for their safety.

  
  Feel free to reach out to one of our experts if you want to discuss any DSA -related question in more detail!

Digital Markets Act

The Digital Markets Act (DMA) applies from May 2023. The Commission is designating the so called “Gatekeepers” during 2023 and the obligations foreseen in the DMA start to apply to these Gatekeepers early 2024. The purpose of the DMA is to ensure a level playing field for all digital companies, regardless of their size. The regulation will lay down clear rules for big platforms - a list of “dos” and “don’ts” - which aim to stop them from imposing unfair conditions on businesses and consumers.

Who is in scope of the DMA?

To be considered as a Gatekeeper the service provider needs to fulfil a set of requirements. In practice, this means only the very largest tech companies providing the so-called Core Platform Services will be designated as Gatekeepers. In Europe, the estimation is that there are only approximately 10 to 20 Gatekeepers. Companies like Google, Facebook and Apple will most probably be among the designated ones.

What opportunities arise from the provisions of the DMA?

Come DMA, the designated Gatekeepers are going to need to adhere to a wide variety of obligations. These obligations will create new business opportunities for Gatekeepers’ customers and competitors and enable digital services providers to widen their existing offerings. Data previously only available to the Gatekeepers becomes more available and portable from the big platforms and service providers. Up-and-coming apps will be able to better compete with the Gatekeepers’ own apps by increased freedom of choice for the end user and through optional app distribution channels becoming available on Gatekeeper’s platforms. Alternative in-app payment channels besides the Gatekeeper-imposed standard options must be allowed. The interoperability of connected services will be improved, allowing for more widespread adoption of services. Information on pricing and effectiveness of online advertising will be made more readily available. The foregoing are examples of the restrictions and obligations to the Gatekeepers introduced by the DMA to level the playing field for smaller players.

What can Lawist help you with?

Obligations for Gatekeepers often translate to opportunities for their customers. We can help you understand what new avenues to develop or expand your business you might have after the DMA’s obligations become applicable for the Gatekeepers.

Please contact our team of experts if you are interested in learning more!

Data Governance Act

The Data Governance Act (DGA) entered into force on 23 June 2022 and will be applicable from 24 September 2023. DGA aims to create a single market for data within the European Union. It seeks to improve data accessibility, sharing, and usage across various sectors while ensuring data protection and privacy. It establishes a comprehensive set of rules and guidelines for data intermediaries, data altruism, and data sharing across both public and private entities. It also encourages data-driven innovation and competitiveness by creating trustworthy data spaces and promoting data sharing through a more transparent and secure environment. Furthermore, DGA includes provisions for voluntary sharing of data by individuals or organizations for the public good, without seeking direct monetary or commercial benefits.

Who is in the scope of the DGA?

The DGA imposes new obligations on the public sector regarding data not already shared based on the Open Data Directive. It allows data re-users access to previously unavailable public sector data through secure data spaces set up by the public sector. The regulation introduces a framework for data intermediaries, such as data brokers and -marketplaces, to facilitate data sharing and exchange.

What obligations are created by the DGA?

Obligations mostly concern the public sector and relate to the technical requirements for data sharing. This can include a range of tools, from technical solutions or accessing data in secure processing environments (data rooms) supervised by public sector actors, to contractual means. In addition, assistance obligations to allow seeking data subject consents are placed on the public sector if the data cannot be shared for re-use for privacy reasons. Data intermediaries are required to register with EU authorities, ensure transparency and neutrality, separate data-sharing services from other commercial activities, and implement robust security measures in compliance with GDPR for data protection and privacy.

What can Lawist help you with?

Lawist can help you assess what benefits you might gain from having access to previously unavailable public sector data and the practicalities of accessing it, including contractual frameworks and re-use limitations.

Background and current status on the AI Act

The Artificial Intelligence Act (AI Act) is currently in the preparation stage and the involved EU institutions are expected to finalise the details of the regulation in early 2024. Being the first comprehensive attempt to regulate AI technology, the AI Act will potentially have major ramifications on the AI landscape globally.

The AI act will start to apply approximately two years after the European Parliament and the European Council agree on a final version of the Act. But the implications of the Act are already relevant to consider for any company which is working with or planning to work with AI.

Who will be affected by the AI Act?

The Act will affect providers and users of AI systems within the EU. The Act will also affect providers and users in third countries if the output produced by the AI system is used in the EU. Anyone importing and/or distributing AI systems may also be affected. Obligations will be placed on each actor with consideration to their sphere of control. Providers will bear far more extensive obligations, such as establishing risk management systems, designing the system to enable human oversight and training the AI in accordance with certain principles. Users will for example need to monitor their own use of the AI system and notify providers if they identify that their use of the AI system presents a risk, if they identify serious incidents or if they identify malfunctioning.

Obligations will pertain mainly to high-risk AI systems, but special obligations will also pertain to AI systems intended to interact with natural persons, emotion recognition systems and biometric categorisation systems, and AI systems used to generate or manipulate image, audio or video content. Some AI systems will be prohibited altogether.

What can you do in anticipation of the AI Act?

Preparation is key to ensuring compliance with the AI Act. We have some tips on what we think is important to do in anticipation of the AI Act.

• Familiarize yourself with the text of the Act. This is key to prepare for the effects of it and for understanding any news on it.

• Find a source of updates on the topic. You can follow the official information on the process

here

, or find a news source which reports on developments. We naturally recommend the Fondia newsletter, which reports on all major developments of the process together with other legal news.

• Assess how the AI systems you use, provide or develop fit into the proposed text of the Act. Would they be considered high-risk, prohibited or otherwise in scope of the Act?

• Consider the different legal obligations which already apply to AI and ensure compliance with those. For example obligations relating to privacy (GDPR) or intellectual property.

• In both new and ongoing development projects relating to AI, consider the impact of the Act on the project and make sure to prepare for compliance with the Act already at the development stage. For example by ensuring the AI is designed to enable compliance with requirements on transparency, human oversight and log-keeping.

Background and current status on the Data Act

Access to data and the ability to use it are essential for innovation and growth. The European Union (EU) is taking significant steps to create single market for data. The European Data Act aims to establish a consistent framework for fair and equitable access to and use of data across the EU. It aims to foster innovation, drive economic growth, and protect individuals’ rights in the digital economy.

The regulation applies to a wide range of data, both personal and non-personal, and covers data holders, data intermediaries, and data users operating within EU. the Data Act will have implications of data sharing, interoperability standards and cloud switching for many industries and sectors of the society.

What are the obligations and how can your business benefit from them?

From a business point of view, the European Data Act represents both obligations and opportunities. The act imposes new obligations and responsibilities for businesses to share the data generated by the products manufactured by them, which may increase compliance costs and legal risks. However, it also allows businesses to utilize the opportunities to have access to new types of data and generate new business based on those opportunities.

One of the main legal challenges for clients under the European Data Act is obligation to share data that the devices manufactured by them generate. The act introduces new requirements for data sharing, such as sharing-by-design requirements and restrictions on charging and contractual terms for data sharing. Failure to comply with these requirements may result in fines, legal liability, and damage to the company's reputation.

However, compliance with the European Data Act may also present opportunities. By utilizing the opportunities to have wider access to data of the devices, companies can optimize the operations related to their devices or machines. Also the companies who manufacture devices applicable to Data Act can generate new services adding value to the data they are to share to their clients.

Another opportunity for businesses under the European Data Act is that third-party companies can generate new business, such as maintenance work, when having the device data available. They can also differentiate themselves from competitors who may not utilize the opportunity of having access to data.

The Data Act aims to address the challenges associated with data access and use in the digital age, recognizing data as a valuable asset and a driver of innovation, economic growth, and social progress. It acknowledges the need for a level playing field, ensuring that all market participants have equal access to data resources, regardless of their size or market power.

The Data Act entered into force at the beginning of 2024 and will become applicable in late 2025.

What can Lawist help you with?

Obligations for the Data Holders will translate to opportunities for device users or third parties providing ancillary services. Lawist continues to follow the development and will gladly help you e.g. in preparing for compliance with the requirements related to data sharing, drafting and adopting contractual clauses for data transfers and configuring product design guidelines to ensure built-in compliance with the Data Act. If you have any questions regarding the Data Act and how it might become relevant for you, please reach out to us.