EU Regulatory Data Protection: Many pieces to the regulatory framework puzzle

By: Heidi Waem, Simon Verschaeve

Data is at the heart of the EU’s digital and green transformation, which are the two priorities of the European Commission.

With the General Data Protection Regulation (GDPR), adopted in 2016, the EU has created a solid framework for the protection of personal data in line with the EU Charter of Fundamental Rights. Since then, other regulatory data protection initiatives have been taken to foster the development of the EU data economy.

This article provides an overview of the main regulatory data protection initiatives and explores how they all fit together. As discussed below, some of this legislation applies only to personal data or only to non-personal data. However, several recent legislative proposals do not draw this distinction and apply to both types of data.

GDPR as a baseline for the protection of personal data

The GDPR offers a comprehensive regulatory framework which constitutes the baseline for the protection of personal data. It applies to all processing activities involving personal data by entities qualifying as controllers, and to a lesser extent to processors.

This general horizontal framework is, or will be, complemented by a number of legislative acts which, as regards data protection, focus on specific processing activities and/or market players, including the following:

Status overview

The proposed ePrivacy Regulation

The proposed ePrivacy Regulation focuses on the protection of electronic communications (by both natural and legal persons) and provides for additional rules on:

  • consent by end-users in the context of electronic communications, including the retrieval and presentation of information on the internet;
  • the lawfulness of the processing of electronic communications data (including both content and metadata);
  • compatible processing;
  • retention;
  • the processing of end-user equipment information; and
  • the legal basis for direct marketing communications.

Certain obligations have a more general scope of application, whereas others are limited to providers of electronic communications networks and services.

The main differences with the GDPR are that (i) it also protects electronic communications of legal persons and (ii) certain requirements (including on consent) apply to both personal and non-personal data.

The proposed Digital Markets Act and Digital Services Act

The proposed Digital Markets Act (DMA) aims at addressing economic imbalances and unfair business practices by so-called gatekeepers, ie providers of core platform services such as online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent communication services, operating systems, cloud computing services and advertising services.

The proposed Digital Services Act (DSA) on the other hand is a horizontal initiative that focuses on liability of online intermediaries and due diligence obligations tailored to certain specific categories of providers of online intermediary services.

Although the focus of the DMA and DSA is not the protection of (personal) data, both Acts contain important data protection obligations applicable to gatekeepers and providers of intermediary services respectively.

Under the DMA, gatekeepers are subject to certain restrictions and obligations. In particular, gatekeepers must:

  • refrain from combining personal data sourced from their core platform services with personal data from other services offered by the gatekeepers or with personal data from third-party services, and from signing in end-users to other services of the gatekeeper in order to combine personal data, unless the end-user has provided consent;
  • refrain from using, in competition with business users of their core platform services, any data not publicly available which is generated through the activities of those business users (or their end-users) on the core platform services, or provided by those business users (or their end-users);
  • provide effective portability of data generated through the activity of the business user or end-user, including tools for continuous and real-time access;
  • provide business users, or third parties authorised by the business user, free of charge, with effective, high-quality, continuous and real-time access and use of aggregated or non-aggregated data, that is provided for or generated in the context of the use of the relevant core platform services by those business users and the end-users engaging with products or services provided by those business users (subject to further restrictions with regard to personal data);
  • provide any third-party providers of online search engines, upon request, with access on fair, reasonable and non-discriminatory terms to ranking, query, click and view data in relation to free and paid search generated by end-users on online search engines of the gatekeeper, subject to anonymisation of the query, click and view data that constitutes personal data; and
  • take the necessary steps to enable business users which need consent to the processing of personal data under the GDPR to directly obtain that consent or to allow compliance with data protection rules in other ways, for example, by providing duly anonymised data.

The DSA imposes increased transparency obligations on online platforms and “very large” online platforms with regard to advertisements as well as additional accountability obligations, in particular reporting obligations, on providers of intermediary services, online platforms and “very large online platforms.”

The proposed Data Governance Act and (expected) Data Act

Whereas the GDPR, the proposed ePrivacy Regulation, Digital Markets Act and Digital Services Act focus on regulating data processing activities to ensure that (personal) data is duly protected, the proposed Data Governance Act (DGA) aims at unleashing and fostering the benefits of the data economy by creating a regulatory framework for the re-use and sharing of data. At the same time, the DGA aims at enabling the establishment of common European data spaces.

In particular, the DGA creates a framework for:

  • the re-use of categories of “protected” data held by public sector bodies. Protected data means data that is protected on the grounds of commercial confidentiality, statistical confidentiality, third-party intellectual property rights or personal data protection. In this respect, the DGA complements Directive 2019/1024 on open data and the re-use of public sector information which provides a framework to re-use data held by public sector bodies or public undertakings not subject to any confidentiality, IP or personal data protections.
  • the provision of data sharing services. These services will be subject to a notification procedure and certain conditions with regard to the use of and access to the data, and security.
  • the use of data for the greater good, so-called “data altruism”. Organisations meeting certain conditions will be able to be recognised as data altruism organisations.

As announced by the European Commission, the framework for re-use and sharing of data created by the DGA will be further complemented by a “Data Act” that would include rules on business-to-government sharing, and B2B data access and use. As the public consultation has been closed, the European Commission is expected to publish a proposal in the coming months.

The proposed Artificial Intelligence Act

The proposed Artificial Intelligence Act (AI Act) offers a comprehensive framework for AI, comparable to the GDPR for personal data, which ties in with the abovementioned regulatory data protection framework by providing:

  • specific rules on data and data governance
  • enhanced transparency obligations
  • specific rules on human oversight

The proposed Political Advertising Regulation

There have been some discussions around targeted advertising and, ultimately, the DMA and DSA proposals do not include a ban. They do, however, comprise horizontal design, transparency and accountability obligations for all types of advertising on online platforms. The proposed Regulation on the transparency and targeting of political advertising (the proposed Political Advertising Regulation) contains a number of additional restrictions on political advertising.

The proposed Political Advertising Regulation provides for transparency obligations for “providers of political advertising” and related services (ie both online and offline) and for rules that apply to all controllers who use “targeting and amplification techniques” (eg micro-targeting) in the context of the publication, dissemination or promotion of political advertising that involve the use of personal data. These data protection obligations would apply on top of the GDPR.

For controllers of personal data used for targeting and amplification techniques in the context of political advertising, the proposal includes:

  • a restriction of the legal bases for the processing of special category data and data relating to criminal convictions and offences (within the meaning of the GDPR): such processing is only permitted where explicit consent has been obtained or, under certain conditions, in the course of the legitimate activities of a non-profit;
  • a number of additional data protection compliance obligations: (i) record keeping obligation on the use of targeting or amplification, the mechanisms, techniques and parameters and sources of personal data used, (ii) the obligation to adopt and implement an internal policy describing the use of such techniques and (iii) additional transparency obligations on the main parameters used and the logic involved in the targeting.

Regulation on a framework for the free flow of non-personal data

The last piece of the puzzle discussed here is Regulation 2018/1807, which creates a framework for the free flow of non-personal data in the EU.

Only this Regulation and the GDPR are limited to one type of data, non-personal and personal data respectively. Most legislative initiatives discussed above do not make a clear distinction between non-personal and personal data and may apply to both.

The framework for non-personal data is much less comprehensive than the GDPR. It provides for:

  • a prohibition of data localisation requirements, unless justified on grounds of public security or stemming from EU law; and
  • incentives to develop codes of conduct with regard to the porting of data.

Conclusion

The European Data Strategy is resulting in decisive steps towards the development of an extensive new digital legal framework alongside the GDPR for the EU. Many of these initiatives focus on building trust for B2B and business-to-government data sharing and some are mainly aimed at regulating only particular market players within the EU digital ecosystem.

The emerging framework builds on a considerable number of new legal concepts defining the scope of the legislation and the relevant obligations for a particular organisation. While some are aligned one-to-one with the existing framework (such as the GDPR and the European Electronic Communications Code), the impact of the scope of the proposals for a large number of organisations is less clear to date. Identifying how one’s organisation qualifies under the new rules will without a doubt be an essential first compliance step.

As most instruments are currently under negotiation at EU level, it is clear that much work still lies ahead and the adoption of the GDPR was only the start of a larger digital regulatory landscape in the EU. We will continue to monitor the developments in the EU regulatory data protection space and will dedicate a series of publications to these topics.