May 25, 2023

New EU regulatory environment for data spaces

The EU Commission published the “European Strategy for Data” in 2020 to create a single market for data that ensures Europe's global competitiveness and data sovereignty.
Dr. Söntje Julia Hilberg

As part of this strategy, the Commission proposed different regulations:

  • AI Act Proposal (AIA-E)
  • Data Act Proposal (DA-E)
  • Data Governance Act (DGA)
  • Digital Markets Act (DMA)
  • Digital Services Act (DSA)

The complexity of the regulatory framework is increasing, but the regulations are not yet aligned, and the interplay with existing legislation such as data protection laws, competition laws, or regulations on intellectual property is not clear. Also, the terminology is not aligned, which causes difficulties in their interpretation and interoperability with existing legislation.

The new regulations differ regarding their subject matter and scope. While the DMA and the DSA are instruments to regulate competition and rights in the digital market, the DA-E and the DGA mainly concern access and use of data. The AI Act can be seen as a separate proposal with little connection to the others. With respect to B2B data spaces, the more general DA-E and DGA will have the greatest impact, while the other regulations are less central in this scope.

Considerations regarding DA-E and DGA

The DA-E concerns the rights to access and use data generated by Internet of Things (IoT) devices. Therefore, it applies to roles related to such data, including manufacturers, data holders, data recipients, and providers of data processing services. As the DA-E covers the whole lifecycle of data processing, it may affect use cases in the data space, as the data needs to be handled in compliance with it (e.g., the granting of access rights).

Due to its broad definitions, the DA-E leaves considerable room for interpretation, creating legal uncertainty. Another uncertainty concerns the DA-E's interference with existing contracts and its impact on contractual freedom. The freedom to negotiate should be restricted as little as possible to encourage the building of value chains and innovation. Imbalances could instead be addressed through EU competition law or sector-specific legislation. It remains to be seen to what extent the DA-E will undergo adjustments to create legal certainty and practical solutions for data sharing.

The DGA also raises some concerns, especially regarding the broad definitions of the roles in data sharing (e.g., data holder, data user). Also, the way it addresses service provider roles does not cover the complexity of data spaces. The envisioned data governance and the respective roles do not achieve the intended goals of facilitating data sharing. Given the complex roles and services within data spaces, the DGA term “data intermediation services” needs to be aligned with practice, as data spaces use different terms for data sharing services.

The DGA defines a number of obligations (such as notification and compliance requirements), especially regarding intermediation service providers, which play a key role in the data economy:

  • Obligation for data sharing service providers to notify competent authority.
  • Conditions for providing data sharing services, such as neutrality, fair, transparent, and non-discriminatory access to services, adequate technical, legal, and organizational measures to prevent transfer or access to non-personal data that is unlawful under Union law.

The European Commission decided to adopt this approach to ensure that data governance within the Union is based on trustworthy sharing of data. A key element in increasing trust and control of data holders, data subjects, and data users is the neutrality of data intermediation service providers concerning the data shared. It is necessary for these providers to act only as intermediaries and not use the data shared for any other purpose.

The approach and key elements of IDS concepts reflect the DGA’s goal of trustworthy data sharing, which involves neutral intermediaries and reliance on reference architecture, connector technology, and certifications.

Challenges and opportunities for EU’s DIB in developing common data spaces

The DGA approach comes with several challenges. It only frames general rules, while the details are subject to national laws and need to be translated into practical solutions. The European Data Innovation Board (EDIB), proposed by the DGA, will play a fundamental role. It will support the EU Commission in issuing guidelines to facilitate the development of common European data spaces, as well as identifying standards and interoperability requirements for cross-sector data sharing.

There might be a link between the DGA and other regulations on the topic of interoperability standards. For example, the DA-E defines that the guidelines for “interoperability specifications for the functioning of common European data spaces, such as architectural models and technical standards implementing legal rules and arrangements between parties that foster data sharing, such as regarding rights to access and technical translation of consent or permission” should come from the EU Commission. Therefore, it is likely that such guidelines will come from the EDIB under the DGA. It will be beneficial to link these tasks to achieve harmonized rules in practice between both regulations.

This task will directly relate to the activities of data space initiatives such as IDSA, which will play a major role, as they have already developed frameworks and reference architectures that can act as blueprints for common standards. The EU strategy should build upon existing data sharing initiatives in the quest for interoperability and the specification of future soft infrastructure agreements (see L. Nagel and D. Lycklama in Designing Data Spaces – The Ecosystem Approach to Competitive Advantage, p. 19;

For the future development of data spaces in light of the new EU regulations, the Data Spaces Support Centre (see DSSC – Data Space Support Centre) will also play a significant role in providing aligned support for common EU data spaces.

In the “European Strategy for Data”, the Commission proposed five regulations:

AI Act Proposal (AIA-E): Proposed April 2021, legislative procedure ongoing. EU framework for regulating AI; Applies to providers and users of AI.

Data Act Proposal (DA-E): Proposed February 2022, legislative procedure ongoing. Obligations of developers + manufacturers of products to facilitate the user’s access to data generated during the use. Facilitating switching of data processing services, introducing safeguards, and interoperability standards.

Data Governance Act (DGA): Applicable September 24, 2023. Reuse of data by public sector bodies; framework for data intermediation services + voluntary registration of entities that process data made available for altruistic purposes; European Data Innovation Board.

Digital Markets Act (DMA): Entered into force on May 2, 2023. Regulating internet corporations/gatekeepers (e.g., social media platforms, search engines). Prohibits practices that make it difficult for users to use non-gatekeeper providers.

Digital Services Act (DSA): Will enter into force on February 16, 2024 (some provisions apply earlier). Protection against illegal content + for users’ rights. Applies to intermediary services (e.g., internet access providers, cloud services). Regulations on liability, handling of illegal content, provision of a notice-and-takedown procedure, and regulation of online platforms.

Author: Dr. Söntje Julia Hilberg
Dr. Söntje Julia Hilberg is IDSA’s legal advisor and moderator of the task force legal.
