Making the DSA Work: Data Access for Researchers
Main takeaways
- Big online platforms and search engines are reviewing long-awaited draft rules that set out in detail how researchers can access their data
- More safeguards are needed to ensure data access requests are safe and proportionate
- This highlights yet another example of how DSA implementation is hindered by resource constraints
Habemus Delegated Act! After 16 months of suspense, the European Commission finally published its draft rules outlining the process and conditions required for researchers to access the data of so-called Very Large Online Platforms and Search Engines (VLOPs and VLOSEs). That’s a mouthful indeed, but this delegated act will be instrumental to the proper implementation of the Digital Services Act (DSA).
The main idea behind granting researchers access to platform data is to support the identification, understanding and mitigation of ‘systemic risks’ from the dissemination of illegal or harmful content online. This new possibility for third-party researchers to access company data is no small feat – it is the very first time this will be possible in the EU, and perhaps even worldwide. No other industry has ever been asked to provide so many data points to researchers before. This is also why it is extremely important to get this data-access framework right since it might set a lasting precedent for the future.
With this draft delegated act, many concerns persist about balancing researchers’ data access prerogatives with fundamental rights, such as users’ privacy and the trade secrets of companies.
1. More resources are needed for effective DSA implementation
While the process of approving the DSA legislation was incredibly swift, its implementation is taking more time than expected. Even though the DSA is live in the EU since last February, several technical rules necessary for proper implementation are still missing. Beyond the long-awaited draft delegated act on data access, we are also waiting for guidelines on trusted flaggers and online interface design or codes of conduct.
This is not to say that the Commission is purposely withholding key elements needed by companies to comply optimally with the DSA. Even though the Commission announced doubling its staff dedicated to the DSA next year, it’s a consequence of insufficient resources allocated to DSA implementation so far. In addition, the national enforcement authorities in charge of implementing the DSA – the so-called Digital Services Coordinators – have not been designated in all 27 EU Member States so far, while others haven’t even received an official mandate to start their work.
That brings us back to data access for researchers because the delay in the publication of the necessary secondary legislation is likely a consequence of this overall lack of resources available for DSA implementation. It is also worrying as the process for researchers to request and obtain access to data – along with other elements of the DSA – relies heavily on national enforcement authorities.
Previous technical regulations also raise concerns about whether authorities can effectively consider and address feedback from companies. This is crucial to make DSA provisions become actionable and ensure they’re operational.
Technical regulations should focus on fleshing out the Digital Services Act and translating its principles into practice, not on creating additional new rules. Hopefully, the delegated act on data access for researchers will take into account the recommendations of companies and stakeholders at large, because there’s certainly room for improvement and stronger safeguards are needed.
2. With great data access (should) come great safeguards
In order to safeguard the fundamental rights of everyone involved, which the DSA really intends to protect, this unprecedented level of data access should also come with equally great responsibilities.
The draft delegated act for data access is silent on the researchers’ vetting process. The total discretion left to DSCs may lead to inconsistent vetting and vulnerability to misuse by bad actors. Stricter guidelines on researcher affiliation and capabilities would go a long way to mitigate the risks of data breaches. Clearer rules around liability in case of breaches would foster greater legal certainty and enhance security across the data-sharing process.
There is also a noticeable lack of adequate safeguards for user privacy and trade secrets throughout the entire review process. Certain requirements – such as publishing an overview of data inventories – go beyond the letter of the law and may compromise data protection and place significant burdens on platforms. An alignment with existing data protection and cybersecurity rules would ensure that safeguards like anonymisation, data aggregation, and secure processing environments are in place. Furthermore, national authorities should first and foremost evaluate privacy implications during application reviews to protect user rights.
The draft act’s ambiguous data-access procedures and documentation requirements are another point of contention. The requirement to provide detailed documentation could strain resources if it mandates the creation of new materials for each request. To simplify processes, more proactive consultation between enforcement authorities and companies on data access methods could minimise the need to adjust the requests in a tight timeframe. Finally, extending the very short timelines to issue and amend data requests would help all parties involved to uphold the highest level of privacy and avoid security breaches.
Let’s not forget that insufficient safeguards could also end up invalidating the entire delegated act. As a reminder, that’s exactly why the EU Court of Justice was forced to invalidate a law in the past already.
Conclusion
Let’s hope that the European Commission will take the time to improve the delegated act on data access for researchers by adding robust safeguards to uphold fundamental rights, to ensure that it is workable in practice, and, ultimately, to contribute to a safer online user experience. Raise your concerns in the consultation closing on 10 December and watch this space!
