Reading the European Commission's Proposed Implementation of DSA Article 40: Six Initial Observations on a New Framework for Research Data Access

Mathias Vermeulen is a director at AWO in Brussels.

Today, the European Commission proposed detailed guidelines for implementing Article 40 of the Digital Services Act (DSA), marking a groundbreaking development in platform transparency. This article, a worldwide first, mandates that very large platforms (VLOPs) must provide researchers access to data to conduct scientific analyses. The proposed Delegated Act sets out some of the procedural steps and technical conditions that are needed to ensure that data is shared securely and efficiently.

This contribution will highlight six initial observations on this proposal, which is still subject to public consultation for another 4 weeks (until the 26th of November).

1. Data Inventory and Scope

According to Article 6.4 of the Delegated Act, every VLOP (referred to as "data providers") must establish a "data inventory," essentially a codebook that includes examples of available datasets and suggested modalities to access them.

This new requirement mitigates a common barrier in doing research on the societal implications of large platforms — what former US Secretary of Defense Donald Rumsfeld dubbed "unknown unknowns." It is harder to formulate a research proposal if you don’t know what data is out there to use. With a clear record of what data exists, researchers can devote more energy to proposals that rely on existing data sets. (Keep in mind that the DSA permits VLOPs to ask a Digital Service Coordinator to modify a data access request if 'the data doesn’t exist'—a provision specified in Article 40.5 for amending such requests.)

While these inventories will help researchers develop research questions, they don't represent the full scope of potentially accessible data. In Recital 12, the EU acknowledges that data that can be used to study systemic risks can “vary over time,” and it outlines that independent from what is made available in a data inventory. The following types are deemed to be within scope:

Current examples of such data include data related to users such as profile information, relationship networks, individual-level content exposure and engagement histories; interaction data such as comments or other engagements; data related to content recommendations, including data used to personalise recommendations; data related to ad targeting and profiling, including cost per click data and other measures of advertising prices; data related to the testing of new features prior to their deployment, including the results of A/B tests; data related to content moderation and governance, such as data on algorithmic or other content moderation systems and processes, archives or repositories documenting moderated content, including accounts as well as data related to prices, quantities and characteristics of goods or services provided by the data provider.”

The access modes that researchers can suggest in their applications are flexible, per Recital 16:

Such modalities may be, among others, a data transmission to the vetted researchers via an appropriate interface and appropriate data storage; transmission of the data to and storage in a secure processing environment operated by the data provider or by a certified third party provider to which vetted researchers have access but where no data transmission to the vetted researchers takes place, or other access modalities to be set up or facilitated by the data provider.

Notably, in a marked departure from a number of current practices, Article 15.3 of the Delegated Act prohibits VLOPs from imposing archiving, storage, refresh, and deletion requirements that could impede research referenced in reasoned requests.

2. The DSA Data Access Portal

A central innovation of the Delegated Act is the creation of the 'DSA Data Access Portal,’ which basically will act as a 'one-stop shop' for researchers, platforms, national regulators, and the European Commission.

The Portal should make the whole process of accessing data more streamlined as it avoids creating very different procedures (and timeframes) at the national level.

But importantly, it also creates a public overview of data access applications that reach "reasoned request" status. This request often came back during the consultation procedure, as it enables researchers to quickly understand which types of proposals are likely to be accepted and what previous research they can build upon.

While the portal facilitates the application process, platform data will be shared through separate channels.

3. Research Eligibility and Vetting

It was anticipated that the Commission would further elaborate on Article 40.8 of the DSA, which outlines the criteria researchers must meet to qualify. Article 40.8 specifies broad requirements, such as affiliation with a recognized research organization, independence from commercial interests, disclosure of funding sources, and adequate data security and confidentiality measures.

There are a small number of extra details that the European Commission has included as to how these criteria must be interpreted in articles 8 and 9 of the proposal, but the bulk of the work will still be up for national Digital Services Coordinators to interpret for instance what amount of safeguards would be necessary from a data protection perspective, or how key concepts such as “independent from commercial interests” need to be interpreted.

Given the complexity of this task, the Delegated Act explicitly allows the DSC to consult with “independent advisory mechanisms” and request their opinions of specific elements of the data access process. This may include guidance on the determination of the access modalities, including appropriate interfaces, the formulation of the reasoned request and any amendment requests by the data provider. Such a mechanism was already foreseen by article 40.13 DSA, and for instance, the influential report of the EDMO Working Group on Access to Data.

4. Extraterritorial scope of the proposal

The Delegated Act makes it clear that organizations from outside the EU can use the new procedure. The only geographical limitation that applies concerns the eligible research questions, which specify that the research must primarily study “systemic risks in the European Union.” As Martin Husovec has noted:

“...Article 40 DSA is not personally or institutionally limited to researchers based in the EU. Nothing in the DSA suggests such a limitation. According to the law, what is required is affiliation with an entity anywhere in the world devoted to scientific research that operates on a not-for-profit basis or reinvests all the profits in its research.”

The Delegated Act confirms this interpretation but introduces a potentially significant practical challenge. If a platform needs to send data to a researcher affiliated with a non-European research organization, the GDPR's rules for international data transfers apply. In such cases, the national Digital Services Coordinator must "consult" with their national data protection supervisory authority unless the transfer is covered by an “adequacy decision.” This is good news if a research organization is based in a country like Argentina, Canada, Japan, New Zealand, South Korea, Switzerland, Uruguay, the UK, or the US, where the EU has determined an adequate level of protection exists.

For other countries, the eligibility of a data access request may be determined in practice by the national data protection authority. The text does not clarify the consequences if a Data Protection Authority (DPA) issues a negative opinion on the data transfer, but it is likely that national DSCs would be reluctant to proceed with a data access request under such circumstances.

5. Introducing mediators

The Delegated Act includes several mechanisms for handling disagreements and protecting the interests of large platforms as well. If a platform disagrees with the Digital Services Coordinator’s decision on a data access request, they can ask to settle the issue through mediation (paid for by the platform). The mediator's job will be to help both sides reach an agreement that (a) allows approved researchers access to the data and (b) protects the rights and interests of both the data provider and the researchers.

6. A significantly different approach between the EU and the US

Many questions remain about how this framework will operate in practice, yet amid an era where, particularly in the US, attacks on researchers have become a defining issue for freedom of speech, it is encouraging to see a legal structure that enables researchers to fulfill their work. The significance of this structured access framework for vetted researchers is immense: it comes as global data access mechanisms are being dismantled, certain platforms are pursuing lawsuits against researchers, and even parliamentary committees are issuing subpoenas to intimidate research efforts.