Regulating Data Intermediaries: Manifesting Fundamental Rights or Recasting Public Utilities?

This essay is part of a symposium on the promise and perils of human rights for governing digital platforms. Read more from the series here; new posts will appear between June 18 - June 30, 2024.

In 2022, the European Union (EU) adopted a foundational piece of its 2020 Data Strategy, the Data Governance Act (DGA). Taking effect in September of last year, the DGA seeks to regulate data markets, including actors referred to as data intermediation service providers (DISPs). Examples thereof are referred to as data marketplaces or data exchanges, in contrast to nebulous “data brokers” that typically focus on the trade in personal data. Although the list of registered DISPs is modest to date, the EU hopes that they will become “trustworthy organizers of data sharing” and thereby contribute to the policy goal of increasing trust in data sharing. Closer scrutiny of the DGA reveals that DISPs are located at an important intersection of fundamental rights and the regulation of digital infrastructure as a type of public utility. As the DGA and its enforcement is yet to get into full swing, it remains to be seen whether DISPs can play an instrumental role in advancing and concretising “trust” in the EU’s data economy. As this post highlights, the EU approach to DISPs makes some questionable choices in pursuing these goals.

The definition of a DISP adopted by the DGA is filled with new legal uncertainties, introducing new legal notions itself and providing a selection of exclusions for some platforms regulated elsewhere. At the same time, the legal requirements imposed upon DISPs are mandatory for would-be DISPs, and include a notification mechanism, a list of conditions for providing a data intermediation service and an enforcement mechanism. As a mandatory regime applicable to a variety of data sharing models, including novel types such as data cooperatives, the legal requirements provide indications of the likely implications of the regime.

The EU Approach to Data Intermediaries

The EU is seeking to build its approach to the regulation of data on the idea of “trust,” contrasting it with approaches of the US and China, which the EU sees as driven too strongly by private sector and public sector interest respectively. To that end, the EU is determined to focus regulatory input via the DGA on shaping “data intermediation” separately from data provision and data use. DISPs under the DGA accordingly should be the “neutral” providers separating transactions between data providers and data users. DISPs thereby also contribute to the achievement of greater trust in the EU’s project for the establishment of “common European data spaces.” In effect, the DGA can be understood to regulate DISPs as a new form of “public utility” – a concept that has received greater attention as regulators look for known tools in regulating online platforms and platform power. Simultaneously, DISPs are expected to reflect fundamental rights, especially the rights of data subjects in regard to the protection of personal data, as secured by the General Data Protection Regulation (GDPR).

Through the DGA rules for DISPs, the EU had the opportunity to address the issue of trust at the crucial level of the data economy’s digital infrastructure. From a public utility standpoint, it is important: (1) that the infrastructure – functionally understood as the resources enabling productive activities – is separated from the productive activities (data provision and use) themselves; (2) that adequate public obligations are imposed, and; (3) that a public option that sets a suitable benchmark is retained. Such public-interest tools also provide a framework for integrating fundamental rights. Unfortunately, closer scrutiny of the DISP regime reveals that, while many public obligations (referred to as “conditions” by the DGA) imposed upon DISPs are laudable, they include requirements reflecting propertarian interests in data to the detriment of other fundamental rights and freedoms. Further, no public option is specifically envisioned, creating a gap where a role model would be instructive to demonstrate for data providers and users how trustworthy, fundamental rights-sensitive data sharing via a DISP can occur. Overall, the integration of fundamental rights is unnecessarily selective as relevant aspects, such as the freedom of expression, are presently not considered in the regulatory framework for DISPs.

Insights from the Public Utilities Concept and Fundamental Rights

The key provision regulating DISPs is Article 12 of the DGA, which lists 15 conditions for the provision of data intermediation services. Underscoring the idea of neutrality, this provision takes strides to ensure that anti-competitive conduct of DISPs is restrained. It limits the ability of DISPs to prevent switching to direct competitors and enabling multi-homing (horizontally), while also limiting their ability to integrate with participants in the data value chain (vertically). Additionally, the DGA imposes generally laudable conditions upon the DISP, including requirements regarding transparency, fairness, non-discriminatory access, and interoperability with other DISPs.

However, the DGA also requires DISPs to adopt mechanisms regarding non-personal data that cannot be fully reconciled with other fundamental rights. Specifically, DISPs are required to put in place measures to prevent unlawful transfer of or access to non-personal data. For cases of personal data, this is a logical requirement flowing from the fundamental right to the protection of personal data, but no such right exists regarding non-personal data. Unlike for personal data, the very idea of non-personal data is that it does not relate to an identifiable data subject.

Indeed, as a separate legal category under the Free Flow of Non-Personal Data Regulation (FFDR), the nature of non-personal data is that it should be flowing freely. It thereby contributes also to the fundamental freedom of expression and information and the freedom to conduct a business. In that sense, it is not at all obvious what constitutes an “unlawful” transfer of or access to non-personal data in the first place. Rather, the mandatory regime for DISPs under the DGA negatively impacts these fundamental freedoms and may contribute to property rights in (non-personal) data that enable the exclusive control over such data by “data owners”. This would have the effect of distorting the potential to enjoy other crucial fundamental rights and freedoms. As Cornell Law School professor K. Sabeel Rahman underscores, propertarian interests can in fact necessitate further public action.

There is, moreover, presently no public option for a DISP envisioned by the DGA. This is unfortunate, as a publicly-supported DISP would be a means for the EU and its Member States to realize positive obligations regarding the effective protection of fundamental rights, as well as the above-mentioned public obligations. It should be noted that the definition of DISPs excludes services offered by public sector bodies that do not aim to establish commercial relationships, thus leaving the issue open as to whether the public sector may offer commercial platforms. Complicating this issue, however, there may be an overlap with other public sector rules of the DGA, as well as the Open Data Directive. In the absence of an explicit public option, data providers and data users will not have ready access to a baseline option that complies with the conditions for DISPs to arrange their transactions.

Finally, there are other fundamental rights that could potentially be relevant, that are however not addressed by the DGA or FFDR, such as the freedom of arts and sciences. Academic freedom may, for instance, be especially relevant where researchers exchange data through a DISP. The chief fundamental right that is directly considered is the protection of personal data, which is an important selection. Yet, beyond data protection, further fundamental rights and freedoms implicated by (non-personal) data are left in an uncertain position.

An Early Verdict on Data Intermediaries?

Although Margoni, Ducuing, and Schirru comment that the EU is moving away from an idea of “data property,” imposing conditions on DISPs to prevent (perceived) unlawful transfers and access to non-personal data could be a step backwards and cement forms of propertarian interest in data – a step back that has also been noted in discussions of the DGA’s cousin, the Data Act, which hopes to unlock vast amounts of Internet of Things (IoT) data via novel access rights. Such a propertarian development could stifle the aims of the EU Data Strategy of allowing data to flow more freely.

The regulatory regime for DISPs will need to be closely monitored by regulators and legal researchers, as it can integrate further concerns emerging from the general (public) interest and holistically address EU fundamental rights. In specific cases, actors could be especially vulnerable, such as in initiatives that seek to harness new technologies and rely on balancing intellectual property rights and the freedom of expression. But there is time and space to clarify and highlight these issues. For instance, public data collaborative action can be pursued domestically, whereas the DGA-created European Data Innovation Board will work towards a consistent enforcement practice for DISPs across Member States. Going forward, the EU can achieve more by taking on board critical lessons of public utilities approaches, from legal regimes advancing the general interest elsewhere, and ultimately foster fundamental rights in the data economy.