Jusletter IT

The digital landscape is evolving rapidly, and businesses are facing growing challenges to remain compliant with the rules shaping the European Market. These changes to regulation are rooted in the European Strategy for Data. One of the main goals of this strategy is to ensure competitiveness of the European market vis-à-vis other global leaders such as the USA and China.¹ Within this approach, taking into account the complex composition of different interests from different stakeholders acting in the digital domain, the European Strategy for data is two-pronged: First, the interests of European citizenry is paramount as is visible in the focus on protection of fundamental rights, the drive towards open government data and the enforcement of data sovereignty principles. Second, there is an attempt to protect and support businesses, and in particular SMEs, by ensuring a healthy and competitive market.

These approaches come with a substantial set of regulation, applicable not only to major market players but any business that engages in the digital domain. The increasing complexity of these requirements imposes significant administrative overhead; this translates into commercial obstacles for businesses. In this paper we provide an overview over of the main administrative hurdles imposed by European data legislation and identify four clusters in which these obstacles can be distinguished. To this end, we consider both existing and upcoming European legislation. Based on these findings we suggest five main implications for businesses and their commercial activities. Finally we briefly contrast these with European initiatives meant to shape the European market in favour of commercial actors.

In this paper we investigate four of the major European data legislation instruments. Each of these complement the legal landscape at large, extending harmonising regulation onto different sectors of the data economy. Most broadly, we can assign different purposes to the particular regulations. The General Data Protection Regulation (GDPR)² deals primarily with the processing of personal data, the rights of the data subjects and the requirements that are imposed on the entities that partake in such processing.³ The Data Governance Act (DGA)⁴ introduces regulation in three distinct areas: re-use of public sector data, supervision of data intermediation services and data altruism collection for disclosing individual personal data for general interest.⁵ In this, the DGA follows the Open Data Directive, aiming to facilitate secondary reuse of personal data voluntary contributed by data subjects for supporting public purposes.⁶ The Digital Service Act (DSA) primarily imposes regulation on the provision of intermediary services, by establishing a liability framework and creating due diligence obligations for certain providers. Lastly, the Data Act (DA)⁷ aims to regulate and harmonizes the availability of data generated by certain products (e.g. IoT-devices), and to ease switching between different providers of data processing services. The DA also create mechanisms for public bodies to access data of (large) businesses in for “exceptional need”. Seen in aggregate, the European Strategy for Data’s approach seems to be both intended to combat dominant market positions of entrenched companies as well as empowering everyone else (including SMEs and public entities) through opening of data silos and enabling re-use of data, accompanied by protective provisions for stakeholders with limited market power.

It is often useful to understand that these instruments exist not in a vacuum but in a complex interplay within each other. The DGA and DA originate from the European Commission’s European Strategy for Data,⁸ while the DSA was announced together with its competition-law counterpart, the Digital Market Act. The GDPR acts almost as a precursor, which, at the time, pioneered the now more common wide-ranging regulation of the digital domain, including significant enforcement mechanisms.⁹ This is relevant in particular as after the introduction of the GDPR, many of these legal instruments were developed in parallel and in explicit knowledge of each other. As the regulations have undergone the processes of European legislation, they have been increasingly harmonised with each other as well. Recognizing this, it is useful to understand the European data legislation as a compound legal instrument in progress. The analysis undertaken in this paper recognizes and confirms this by identifying common regulatory approaches beyond single legal instruments.

Insofar businesses (or their legal personas) use and process data or otherwise engage in the data economy, they invariably fall within the scope of the European data legislation. The general approach of these regulations is to assign a legal status to businesses that engage in certain data-related behaviour (e.g. the status as data processor or data recipient), and then assign legal obligations to those denominations. This section briefly introduces the most important of these legal denominations for clarity through the lens of businesses and their commercial behaviour.¹⁰

Introduced by the GDPR and of utmost practical importance is the status as data controller used for entities that determine the purposes and means of processing¹¹ of personal(!) data,¹² and data processor for their subsequent subcontractors.¹³ The counterpart to these entities within this regime is the data subject. Both the DGA and the DA use the terms data holder and data user. Businesses are data holders if they have the right to grant access to or share (non-)personal data.¹⁴ Conversely, businesses are data users if they have lawful access to certain personal or non-personal data and have the right to use that data for (non-)commercial purposes.¹⁵ Additionally, the DGA also introduces the notion of a data intermediation services provider (DISP), which describes businesses that engage in data intermediation services, i.e. services that aim to establish a commercial relationship for the purposes of data sharing.¹⁶ Conversely, the DA introduces the concept of data processing services provider (DPSP), data recipient,¹⁷ and operators of data spaces (ODS).¹⁸ The first describes businesses that provide services that on-demand administration and broad remote access to a “scalable and elastic pool of shareable computing resources or a centralized, distributed or highly distributed nature (e.g. cloud computing).¹⁹ The second describes entities to which a data holder makes data available for their commercial use.²⁰ This includes businesses that act as third parties, for which the data transfer occurs based on a request of the product or service user. Finally, the DSA creates harmonised rules for the provision of so-called intermediary services, i.e. hosting, caching and mere conduit-services²¹ within the Union market, in part by creating rules on due diligence obligations for such providers of intermediary services (PIMS).²² Certain providers of hosting services are also denoted as online platforms or search engines.²³ Within this regime, additional provisions apply to providers of very large online platforms or online search engines.

Within this paper we analyse the regulations through which the European Data Laws impose commercial obstacles (e.g. due to them imposing additional administrative effort for businesses) in aggregate, i.e. by considering the general motivation and purpose of a given provision. We suggest that there are four clusters (or super-types) of provisions that affect businesses by imposing commercial obstacles and that these types ought to be understood as transcending a single legislative instrument. As a result, this paper proposes a novel grouping of such provisions and their respective obstacles to better formalize the interdependencies and shared purpose behind such regulative attempts. Broadly, we propose understanding the regulatory landscape introduced as a bundle of obligations for businesses that can be divided into the following clusters: information provision requirements, market power balancing requirements, infrastructure and capacity requirements, and governance requirements (including data limitation requirements). Figure 1 provides an overview over these clusters and their subsets of requirements. This section will explore these clusters in turn to highlight their cross-sectoral nature.

Figure 1 – Clusters of Legal Requirements for Businesses in the Data Economy

Generally, businesses can freely decide what type of information they share with a wider audience and may sometimes even be barred from “oversharing” information for the protection of their shareholders’ value. However, this general principle is overruled in cases where private and public entities are (for different reasons) entitled to obtain information from the businesses. Within this cluster of obligations we can differentiate further.

First, we turn to regulations that mandate businesses to report information or interface with the relevant authorities without any investigative probing. These regulations typically relate to disclosure of breaches, compliance with requests of authorities or notifications when ceasing services or acting against illegal content.

Table 1 – Public Reporting, Consultation and Enforcement Requirements

Second, European legislation gives public entities unique privileges that allow them access to a company’s digital information. Companies must be equipped to provide the necessary information in the prescribed modality (or requested modality).

Table 2 – Public Access Requirements

Connected to the rights of entities affected by the data processing by businesses, the European legislator has installed obligations to allow interested parties to access, restrict use or correct the businesses’ data processing operations.

Table 3 – (Private) Access and Corrective Requirements

Sitting between the present cluster and the later outlined cluster of infrastructure and capacity requirements, regulations to combat data silos and ensure competitiveness have been given increased weight in recent legislation. The European legislator has been pushing strongly towards standardization and consequently improved interoperability and data portability for some time and not just for personal data. Many of these obligatory developments were also reflected in the Regulation on a framework for the free flow of non-personal data in the EU.²⁴ For companies, this requires staying abreast of the state-of-the-art and either incorporate data into their workflow in a standard format or develop processes which translate between proprietary formats and an interoperable standard. It is noteworthy that the European Commission is expected to provide guidelines on relevant interoperability standards.²⁵

Table 4 – Interoperability and Data Portability Requirements

In addition, at the precipice between the information provision requirements cluster and the market power balancing requirements cluster outlined below is a grouping of obligations that pertain to transparency and information provision particularly for the purpose of empowering vulnerable parties. This cluster is outlined in the next section.

The data economy as it currently stands arguably displays an asymmetry of power both between service providers and service recipients but also between different businesses themselves. While we do not consider the Digital Markets Act in this paper, a legislative instrument aimed squarely at ensuring competitiveness between actors in the data economy, there are other provisions within our scope that have similar purposes.

First are transparency, disclose and general information-related obligations that directly serve to allow individual service recipients to make valid decisions about data pertaining to them and their activities by equipping them with sufficient information.²⁷ For example, businesses tend to be required to communicate their obligations and the rights of their counterparts as well as the type of data processing operations proactively. European legislation has moved towards minimum standards when it comes to written notices, as exemplified by the privacy notices²⁸ introduced by the GDPR.

Table 5 – Transparency, Disclosure and General Information Requirements

Second, and on the basis of the substantive requirements to establish information parity, data-related legislation relies heavily on the concept of consent. One of the main objectives of the European Data Laws is to empower individuals to decide how and where their data is used. In many cases, the laws foresee an individual to give consent to validate the collection and processing of data. As a result, companies are faced with the challenges of consent management. This includes creating and maintaining an infrastructure in which consent can be queried, stored and demonstrated in case of a dispute or questions, but also to ensure that this infrastructure fulfils certain qualitative requirements. As the European legislator is increasingly explicit in its protection of validity of consent,²⁹ businesses are under similarly increasing pressure to vet their consent management processes accordingly.

Table 6 – Consent Management and User Empowerment Requirements

Third, European legislation also considers market power imbalances between businesses themselves and imposes minimum standards for the contractual relationships between such actors. Companies can generally shape their relationships with customers and other commercial actors as part of their contractual and economic autonomy. However, the present and forthcoming European data-specific legislation lays out certain standards these relationships have to meet from a contractual standpoint.

Table 7 – Contractual Standards Requirements

European legislation imposes restrictions to ensure fair competition. As a result, companies must monitor their contracting behaviour and ensure compliance with these standards that tend to rotate around fair transparent and non-discriminatory access to services or the underlying data.³⁰

Table 8 – Fair Competition Requirements

Finally, some legislative provisions oblige businesses to take particular fairness standards into account that require them to actively balance their interests with the interest of their counterparts or even act in their best interest.

Table 9 – Fairness and Equity Requirements

We group obligations that require directional intent towards internal strategic decision-making into a cluster we denote governance requirements. The aforementioned consent management requirements can be considered as lying between market power and governance requirements. However, there are other imposed obstacles to businesses in this cluster as well.

First and foremost, an essential tenet of data-related legislation is its limitation in certain cases. Data has increasingly become a valuable resource for many companies. Nonetheless, the European legislators remain sceptical towards excessive data collection and processing, in particular when this is not connected with the initially conceived purpose of the data operation. Companies face the challenges of justifying their data intake and subsequent operations vis-à-vis the general principle of data limitation / minimization. In addition certain data may be used for some purposes but not others, meaning that companies have to monitor data usage for purpose.

Table 10 – Data Usage and Limitation Requirements

Second, most of the obstacles identified in this paper come with administrative overhead that may often require additional human resources to manage. In certain cases, European legislation actually imposes the need for certain positions to be established and held by qualified personnel, further compromising the organisational autonomy of companies.

Table 11 – Representational and Staffing Requirements

European data-related legislation imposes particular technical processes or outcomes that businesses must adhere to. We first consider issues of security and risk. Strongly connected to the principles that companies ought to ensure integrity and confidentiality of their data are the requirements to create robust and resilient infrastructure and workflow processes to ensure the security of said data. Hardening data infrastructure encompasses adaptation of physical environments, training of staff and development of internal processes, all of which can require significant investment. Companies face fines and reputation damage in case these requirements are not met. We note that this development is still ongoing; for example, shortly before submission of this article, the European Commission has introduced the Cyber Resilience Act, which creates obligations for product manufacturers to ensure their security throughout their lifecycle.³¹

Table 12 – Security and Risk Mitigation Requirements

Second, we turn to matters of confidentiality. Apart from the general regulations that limit or forbid disclosing or transferring of information, companies must often also adhere to an additional layer of confidentiality, and as a result must take measures to ensure that this confidentiality is guaranteed. In recent legislation, this has been particularly towards the goal of ensuring commercial competition, e.g. with respect to trade secrets. As such, this is closely connected to the Security Requirements outlined above.

Table 13 – Confidentiality and Secrecy Requirements³²

Finally, serving partly as one of the exceptions to the obligations imposed on companies to limit data storage and derivative information as outlined before are certain archival practices that are required by the European legislator. In these cases, companies must develop processes and capabilities to properly store certain information and have it accessible to certain entities.

Table 14 – Documentation and Archiving Requirements

On the basis of the above analysis of the European data legislation, we suggest that these fourteen sets of requirements impose five major obstacles for businesses³³ as they navigate the data economy.

First most of these requirements mandate some form of capacity building for businesses; forcing them to create internal personal and infrastructural knowledge and resources to ensure compliant workflows, increasing costs and need for sufficiently trained personnel.³⁴

Second, we predict an increased reliance on outsourced solutions. As particularly small businesses cannot develop their tools and workflows to ensure compliance themselves, turning to third-party providers may be a (costly, but still economically sound) consequence. Reliant businesses tend to be in a weaker position that the outsourced service provider, incur additional costs and cede control and understanding of their data-related processes.³⁵

A third issue of concern that may affect businesses’ competitiveness and efficiency is the adversarial exercise of rights. As the legislation outlined above aims to create parity between different data economy participants, it equips a large number of actors with powerful tools to engage with other businesses. However, some of these can arguably be weaponized; for example repeated subject access requests can create substantial additional work for smaller businesses that have not yet fully automatized their information request workflows.³⁶

Fourth, in aggregate, and in close connection to the previously outlined obstacles, compliance with these legislative instruments creates a general administrative overhead. The creation of specific positions requires additional efforts of human relation- and legal professionals, just as data management (e.g. archiving, ensuring access, etc.) requires a certain hardware and software infrastructure. While outsourcing is possible (and an obstacle in itself), managing these requirements still increases the administrative strain on businesses which are ultimately responsible for their compliance.

Fifth and finally, we acknowledge that the comparatively advanced and strict regulative environment may disadvantage data-driven businesses in a global competitive landscape. The aggressive posture on data limitation certainly has the potential to limit the development of innovative products and services in the data economy.³⁷

In some contrast to these propositions, the European stakeholders aim to “become the most competitive and dynamic knowledge-based economy in the world”³⁸ and to become “a leader in a data-driven society”.³⁹ Currently, this “European way” seems rather one-sided with the imposition of additional requirements on actors within the digital domain. The European approach, under consequential weighing of fundamental rights, appears to have perceived the digital domain first as a legal vacuum of sorts,⁴⁰ calling for European stakeholders to lead the way in its regulation. But at the same time, businesses are also the intended beneficiaries of this regulatory activity. Balancing-of-interest tests occur in many of the highlighted legal instruments, market power-balancing and data portability rules protect commercial actors, and the imposition of cybersecurity standards is ultimately in favour of the data driven business. Nonetheless, it will be interesting to see how the European legislator will balance the commercial obstacles we identified here with explicit advantages it can provide to offset the cost of compliance. For example, the DGA provides a legal framework for businesses to access information held by public bodies. Similarly, initiatives like the European Alliance for Industrial Data, Edge and Cloud, infrastructure projects like Gaia-X,⁴¹ certification schemes like the European cybersecurity certification scheme for cloud services,⁴² codes of conducts or guidance such as the SWIPO data portability code of conduct or the CSPCERT recommendations,⁴³ and the intended mapping of European data flows all promise to provide a more predictable and fertile environment for commercial activities in the digital domain. At this point, it is too early to say, if this trade-off between substantial compliance requirements for businesses and proactive harmonization of the environment they engage in ultimately favors consumers or commercial actors.

In this paper we have analysed four major European legislative instruments and identified 14 shared sets of obligations that impose obstacles on businesses, which we have grouped in four main clusters. We suggest that these regulations can be grouped into clusters of requirements pertaining to information provision, capacity and infrastructure management, governance, and market power and balancing efforts. We have shown that each cluster consists of subsets of obligations and provisions that are in teleological congruence between the different legislative instruments.

Within this context, we have offered a conjecture about the main resulting obstacles for businesses participating in the data economy. Here we have identified issues of capacity building, third-party reliance, adversarial exercise of rights, administrative overhead, and competitiveness as prominent points of concern. Future research verifying and exploring the connection between these clusters and the resulting obstacles for businesses would be most welcome.

Finally we have highlighted that these compliance requirements are part of an implicit trade-off, in which European stakeholders require businesses to accede to high standards but promise to shape the commercial environment in which they engage in towards a healthy and competitive market. Time will tell, whom this trade-off ultimately favors.

This paper is part of the LAST-JD RioE project that has funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Sklodowska-Curie ITN EJD “Law, Science and Technology Rights of Internet of Everything” grant agreement No 814177. This work was also supported by BitNomos S.r.l.