EU Policies. The European Union is a wonderful and unique geopolitical experiment that allows countries who fought for centuries against each other to live in peace, strengthen their economies by participating in a single European market and harmonize their respective laws. The grand idea of the European Union is sometimes lost in a myriad of detailed regulations in areas where the Member States have limited their sovereignty. On the other hand, at times European Union policies soar again, pointing at principles that describe the core of European values and shape its future. This is exactly what the European Union is doing in the area of digital rights and data governance.

The Brussels Effect. "The Commission is determined to make this Europe's 'Digital Decade'. Europe must now strengthen its digital sovereignty and set standards, rather than following those of others – with a clear focus on data, technology, and infrastructure"1. The European Union aspires to a worldwide leadership role in the governance of digital phenomena. This is sometimes called the "Brussels effect", referring to the "EU's unilateral power to regulate global markets [...], elevating market standards worldwide and leading to a notable Europeanization of many important aspects of the global commerce"2.

This Overview. Various pieces of legislation have been enacted in the past, and more will come. This article aims at giving an overview of such legislation to better understand where this will lead the European Union (and, perhaps, the world) in the digital realm.

Digital Rights and Principles for the Digital Decade

Let us start from the document that best summarizes the policies of the European Union in the digital space: the Declaration on Digital Rights and Principles for the Digital Decade, on which the vision of the European Commission for our digital future is based.

On January 26, 2022 the European Commission issued a solemn Declaration on Digital Rights and Principles for the Digital Decade aimed at promoting "a European way for the digital transition, putting people at the centre"3, which follows a March 9, 2021 Communication4, building on the Commission's digital strategy of February 2020, and summarizing the EU vision for the digital era in the most concise and clear terms. The principles affirmed include:

  • Putting People at the Centre of the Digital Transformation, which also entails "strengthening the democratic framework for a digital transformation that benefits everyone and improves the lives of all Europeans" and "fostering responsible and diligent action by all digital actors, public and private for a safe and secure digital environment";
  • Solidarity and Inclusion, with the aim of contributing to a "fair society and economy in the Union" through access to connectivity for everyone, promoting digital education and skills, ensuring the right to disconnect, and facilitating seamless access to digital healthcare services throughout the Union;
  • Freedom of Choice, which means transparency about the use of algorithms and artificial intelligence, avoiding unlawful discrimination;
  • Participation in the Digital Public Space, ensuring that everyone has access to a diverse and multilingual online environment with pluralistic public debates on the basis of the right to freedom of expression. Very large platforms should both allow a free democratic online debate and mitigate the risk of disinformation campaigns or harmful content;
  • Safety, Security and Empowerment: digital technologies should be safe, secure and privacy-protective by design, allowing the data subject to control how data are used (including their digital legacy after their death), with a special emphasis on protection of children and young people;
  • Sustainability: technology products must be designed, produced and disposed of in a way that minimizes their environmental impact.

General Data Protection Legislation ("GDPR")

An overview of EU data policies necessarily needs to start from the GDPR,5 which, from its entry into force in 2018, fundamentally changed the responsibilities of those who process personal data.6

Privacy as a Fundamental Right. The General Data Protection Regulation 2016/679, enacted on April 27, 2016 and entered into force on May 25, 2018, stems from the principle that "The protection of natural persons in relation to the processing of personal data is a fundamental right".7

What is Personal Data. Personal data is broadly defined as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".

Applicable Principles. Personal data must be processed with lawfulness, fairness and transparency, must have a purpose limitation, must be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (principle of 'data minimization'), accurate, stored for a limited term, processed with security and protected through appropriate technical or organizational measures. Under the GDPR, the data controller, i.e., the entity that "alone or jointly with others, determines the purposes and means of the processing of personal data", is responsible for compliance with all such principles. Key principles of the GDPR are also "privacy by design" and "privacy by default", requiring that the data controller design and set up the use of personal data by minimizing them, pseudonymising them when possible and enabling the data subject to control the processing of her/his data.

Control over Data. The data subject, who must be transparently informed about the processing of her/his personal data, is granted several rights in relation to her/his data, including the much discussed, and almost romantically framed, "right to be forgotten".8 This set of rights empowers individuals to exercise greater control over personal data.

Scope of Application. Provisions of the GDPR apply to data controllers or data processors established in the EU, but also to the processing of personal data of data subjects who are in the EU by entities not established in the EU when the processing activities aim at offering goods or services to EU data subjects, or at monitoring their behavior in the EU. As a result of the territorial application of the GDPR, many non-EU companies are deeply impacted by it. No company wants to fall short of compliance, as sanctions for GDPR breaches are staggering (up to 4% of the yearly worldwide turnover).

Enforcement of the GDPR. While the record of sanctions under the GDPR is impressive,9 data protection authorities in various EU States have adopted different approaches10 and the EU Commission has signaled that, while acknowledging progress in compliance culture and efforts by businesses,11 it is unhappy about the enforcement of the GDPR against tech giants.12 In light of such disappointment, it is possible that the GDPR will move from localized to centralized enforcement. An EU Commissioner recently stated: "I think it is high time for those companies to take protection of personal data seriously. I want to see full compliance, not legal tricks. It's time not to hide behind small print, but tackle the challenges head on."13

The EU Approach to Artificial Intelligence ("AI")

A Human-Centric AI. On April 21, 2021 the EU Commission published a proposal for a Regulation laying down harmonised rules on AI (known as the "Artificial Intelligence Act"),14 which follows a 2020 White Paper on Artificial Intelligence.15 The EU Commission strives to govern the AI phenomenon by ensuring it is human-centric, so that it can be trusted by users and may develop its full potential. Trustworthy AI must be safe, respectful of fundamental rights and non-discriminatory.

A Risk-Based Approach. Certain AI systems are prohibited altogether16. With regard to the other AI systems, the proposed regulation follows a risk-based approach and differentiates between AI that creates an unacceptable risk, a high risk, or a low/minimal risk. AI falling in the first category must undergo an ex-ante conformity assessment ensuring that the principles of data governance, technical documentation, record keeping, transparency and information to users, human oversight, accuracy, robustness and cybersecurity are respected. Notified bodies are involved in the conformity assessment process.

Transparency. In order to avoid risks of manipulation, the use of AI in systems that "(i) interact with humans, (ii) are used to detect emotions or determine association with (social) categories based on biometric data, or (iii) generate or manipulate content ('deep fakes')" must be transparently disclosed to the users, who should be allowed to make informed choices about the use of the system.

The Digital Services Act ("DSA") and the Digital Markets Act ("DMA")

The European Union intends to end the era of self-regulation of social media platforms and "address social media's societal harms by requiring companies to more aggressively police their platforms"17. On December 15, 2020 the European Commission presented the Digital Services Act18 (hereinafter, the "DSA") and the Digital Markets Act19 (hereinafter, the "DMA") to that end.

  1. The DSA. On April 23, 2022 the European Commission and the European Parliament reached a provisional agreement upon the content of the DSA, which is expected to enter into force in 2024. The DSA shall apply to intermediary services provided to recipients of the service that have their place of establishment or residence in the Union.20 In particular, the DSA aims at stopping all online misconduct, such as the illicit sale of products, the spreading of fake news, as well as the so-called "hate speech". Recognizing the impact of very large online platforms on our economy and society, the DSA sets forth a higher standard of transparency and accountability on how the providers of such platforms moderate content, on advertising and on algorithmic processes.21 In short, self-regulation of online platforms will be replaced by external regulation. In particular, the DSA provides for:
    1. Duty to Intervene. The DSA requires intermediary services to actively intervene by removing social content, or by blocking or suspending accounts that incite hatred and to set up reporting templates that can be used by users to report prohibited conduct.
    2. No Unfair Practices. Unfair practices are prohibited and the switch by consumers to a different platform must be made easy.
    3. Sanctions. The Commission may impose fines ranging from 1 to 6% of the annual total turnover on very large online platforms in case of breaches of the DSA.
  2. The DMA. On March 24, 2022 the European Commission and the European Parliament reached an agreement on the DMA, which only applies to so-called "gatekeepers", i.e., "companies that create bottlenecks between businesses and consumers and have an entrenched position in digital markets".22 The thresholds above which companies are considered "gatekeepers" are very high and it is expected that only a handful of them will qualify (Meta, Apple, Alphabet, Amazon and a few more). The DMA bans or restricts specific business practices blacklisted as unfair or discriminatory. Some of the DMA provisions are summarized below:
    1. Limitation to Combining Data from Different Services. The DMA "prohibits gatekeepers from using personal data mined from one of their services to benefit a separate service they offer—for example, Meta using data collected on Facebook for targeted ads on Instagram."23
    2. No Discrimination. The DMA prohibits discrimination by gatekeepers in favor of their own services.
    3. Interoperability. Gatekeepers must ensure interoperability between their platform and other competing platforms and must share data that are provided or generated through the interactions of business users and their customers on the gatekeeper platform.
    4. Users Empowerment. Users will more easily be able to choose their browser or search engine and should be able to unsubscribe from core platform services as easily as they subscribed to them.
    5. Sanctions. Fines provided by the DMA may be up to 10% of total turnover and up to 20% for repeated violations.

While there is a basic transatlantic consensus that some degree of regulation on large online platforms is necessary, concerns that the DMA is going too far have emerged: "Some private sector stakeholders and independent analysts have raised concerns about the DMA. In addition to criticism for its arguably subjective thresholds, some have cautioned it may have deleterious economic side effects that dilute the good it does for competition. These concerns have come from not only U.S. companies but also European analysts and industry groups."24

The Data Governance Act ("DGA") and the Data Act

  1. The DGA. The purpose of the GDPR was not only to protect the rights of individuals over their personal data, but also to ensure free movement of data within the Union, a goal that has only been partially accomplished and which various pieces of legislation are now addressing. On April 6, 2022 the European Parliament approved the regulation named Data Governance Act,25 which is expected to enter into force in mid-2023. The goal of the DGA is to set out conditions to facilitate the re-use of data by public sector bodies, which are not subject to protection due to their nature of intellectual property (including trade secrets) or personal data, as well as for the creation of a regime of data altruism.
    1. Re-use of Public Sector Bodies Data. The DGA intends to make public sector data available for reuse. However, public sector bodies are not subject to the obligation to allow data for reuse. If they do so, public sector bodies may charge fees and apply terms and conditions for allowing the re-use of the relevant data, provided that they are non-discriminatory, proportionate and objectively justified. They may also impose obligations to re-use data in order to protect the integrity of the data.
    2. B2B Data Sharing. Businesses may also share data among each other, subject to compensation in any form. Such reuse will be facilitated by a personal data sharing intermediary.
    3. Data Altruism. The DGA promotes data altruism by setting up a public record of entities that use data for public interest non-profit purposes. Data altruism is subject to transparency of the use of data.
    4. European Data Innovation Board. A European Data Innovation Board, in charge of facilitating exchanges of data, developing practices for the re-use of data, enhancing interoperability of data and prioritizing cross-sector standards, will be set up.26
  2. The Data Act. Another proposed regulation, the Data Act,27 aims at addressing the legal, economic and technical issues that lead to data being under-used in ways that surpass the DGA28: "While the Data Governance Regulation creates the processes and structures to facilitate data, the Data Act clarifies who can create value from data and under which conditions."29 The Data Act introduces binding requirements for the manufacturer of connected devices and related services to provide user access to the data30 they create. Under the Data Act business users and consumers will be able to access, manage and share the data they help create when using a connected device or service, such as virtual assistants. While the DGA merely nudged governments and businesses to share data, several rights and obligations arise from the Data Act:
    1. Obligation to Render Products Generated Data Accessible: products shall be designed and manufactured, and the related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user.31
    2. The Right of Users to Access and Use Product Generated Data: where data cannot be directly accessed by the user from the product, the data holder shall make available to the user the data generated by its use of a product or related service based on a simple request through electronic means where technically feasible.
    3. Right to Share Data with Third Parties: upon request by a user, the data holder shall make available the data generated by the use of a product or related service to a third party for the purposes and under the conditions agreed with the user. If the generated data are personal data, the GDPR applies.
    4. Obligations for Data Holders to Make Data Available: when a data holder must make data available to a data recipient, it shall do so under fair, reasonable and non-discriminatory terms and in a transparent manner (no trade secrets shall be mandatorily disclosed). Any compensation agreed between a data holder and a data recipient for making data available shall be reasonable.32
    5. Making Data Available to Public Bodies Based on Exceptional Needs: upon request, a data holder shall make data available to a public sector body or to a Union institution, agency or body demonstrating an exceptional need to use the data requested.
    6. Data Portability: providers of data processing services shall ensure that customers can switch to another data processing service.

Conclusions

As digital instruments shape the lives of citizens and businesses, the European Union wants to dictate rules and principles that will ensure that the full potential of a digital economy is reached while keeping humans and their rights at the centre. This is a very ambitious project and there will certainly be many challenges in its enforcement (technological advancement should not be strangled by bureaucracy in the process).

1 https://ec.europa.eu/info/strategy/priorities-2019-2024/europe-fit-digital-age_en

2 "The Brussels Effect – How the European Union Rules the World" by Anu Bradford, 2019 Oxford University Press.

3 "European Declaration on Digital Rights and Principles for the Digital Decade" dated January 26, 2022.

4 "The 2030 Digital Compass: the European way for the Digital Decade" dated March 9, 2021 outlining the policy program named "Path to the Digital Decade".

5 https://eur-lex.europa.eu/eli/reg/2016/679/oj

6 Although data protection was introduced by EU Directive 95/46/CE, the GDPR represents a leap forward for EU legislation in this area. See https://edps.europa.eu/data-protection/data-protection/legislation/history-general-data-protection-regulation_en.

7 GDPR, first preamble.

8 Paragraph 1 of Article 17, Right to erasure ('right to be forgotten'). "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)."

9 See, for example, the source https://www.enforcementtracker.com/.

10 https://www.complianceweek.com/gdpr/spain-italy-setting-new-standard-for-gdpr-enforcement/29984.article

11 https://ec.europa.eu/commission/presscorner/detail/en/IP_19_4449

12 https://tcrn.ch/3ocJP4J

13 https://techcrunch.com/2021/12/02/gdpr-centralized-enforcement/

14 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021PC0206&from=EN

15 European Commission, White Paper on Artificial Intelligence - A European approach to excellence and trust, COM(2020) 65 final, 2020.

16 See article 5 of the Proposal.

17 Adam Satariano's article in the New York Times of April 22, 2022, "E.U. Takes Aim at Social Media's Harms With Landmark New Law".

18 2020/0361 (COD) Proposal for a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC.

19 2020/0374 (COD) Proposal for a Regulation of the European Parliament and of the Council on contestable and fair markets in the digital sector (Digital Markets Act).

20 Section 2 of the DGA.

21 Council Conclusions on Shaping Europe's Digital Future, 8711/20 of 9 June 2020, https://www.consilium.europa.eu/media/44389/st08711-en20.pdf

22 https://www.eff.org/deeplinks/2022/04/eu-digital-markets-act-places-new-obligations-gatekeeper-platforms#:~:text=The%20DMA%20only%20places%20obligations,entrenched%20position%20in%20digital%20markets. Further, in the same article: "The DMA's threshold is very high: companies will only be hit by the rules if they have an annual turnover of €7.5 billion within the EU or a worldwide market valuation of €75 billion. Gatekeepers must also have at least 45 million monthly individual end-users and 100,000 business users. Finally, gatekeepers must control one or more "core platform services" such as "marketplaces and app stores, search engines, social networking, cloud services, advertising services, voice assistants and web browsers." In practice, this will almost certainly include Meta (Facebook), Apple, Alphabet (Google), Amazon, and possibly a few others."

23 https://www.csis.org/analysis/european-unions-digital-markets-act-primer

24 https://www.csis.org/analysis/european-unions-digital-markets-act-primer

25 Proposal for a Regulation of European Parliament and of the Council on European data governance (Data Governance Act) COM/2020/767 https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX%3A52020PC0767.

26 Section 26.

27 Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act) COM/2020/767 https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0767. As part of the European Strategy for Data of February 2020, on February 23, 2022 the European Commission published a proposal for a regulation named Data Act, which is expected to enter into force by mid-2023.

28 The new rules will make more data available for reuse and are expected to create €270 billion of additional GDP by 2028, according to the Commission https://ec.europa.eu/commission/presscorner/detail/en/ip_22_1113.

29 https://digital-strategy.ec.europa.eu/it/node/10725

30 According to the Data Act, "data" means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording. The Data Act thus creates a new category of data other than personal data under the GDPR.

31 See: https://www.dataguidance.com/opinion/eu-unpacking-eus-suite-new-era-digital-legislation

32 See: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52022PC0068

Gitti & Partners is a member of Ally Law, a global law firm network providing sophisticated legal services to major corporations with a sharp focus on value. Its 72 firms include nearly 3,000 lawyers in 100 business centers worldwide. For more information, visit www.ally-law.com.
