Unpacking the EU’s Digital Services Act Delegated Regulation on Data Access

One of the main features of the European Digital Services Act (DSA) is a toolbox designed to unpack the 'black box' that online platforms present to regulators. Over two years after the DSA’s adoption, researchers can rejoice over the adoption of the delegated regulation on data access (DA) last week.

The delegated act defines how online platforms must share data with vetted researchers and what information they, along with national authorities, must make public to support access requests. As part of the toolbox to unpack online platforms, Article 40 of the DSA sets the rules for data access: authorities can request data under 40(1), and to ‘vetted’ researchers (as defined in Article 40(8), under 40(4)), platforms must give researchers real-time public data under 40(12).

Researcher data access makes a lofty promise: researchers could gain access to previously inaccessible data, creating unprecedented insights into the workings of online platforms and thereby contributing to a better understanding of the risks associated with these platforms. However, data access under the delegated act is a precarious avenue that raises questions on the feasibility of effective data access.

This analysis addresses some of those questions, building on earlier feedback submissions (here and here) and work (here) on Article 40(4) of the DSA. The delegated act has not resolved some concerns that were present in the draft delegated act on three points: (i) the data standoff, (ii) data protection concerns, and (iii) the role of national regulators.

The data standoff

In earlier work, researchers painted a picture of the data standoff. In applying for data access, researchers must indicate the data they wish to access. This may be difficult to define in light of the research question posed, as well as in light of some limitations that the Delegated Act presents. The data requested must be necessary and proportional to the purpose of the envisaged research.

Since the purpose of the envisaged research is to study a specific systemic risk under Article 34 of the DSA, this raises an interpretation question, addressed below. The necessity and proportionality of the request must also be assessed in light of the data’s availability elsewhere (Recital 13 DA). This is especially relevant in the context of discourse around access to and quality of research APIs that platforms currently offer. It can be difficult to acquire access to research APIs, and it is documented that the data available through such APIs can be of poor quality or inconsistent. Under the DSA, the Digital Services Coordinator (DSC) must determine whether this is the case based on the researchers’ application; this could indirectly require the applicant researcher to provide a quality-control evaluation of the available API, which may be a burdensome exercise.

To help researchers specify what data they need, the online platform must provide a data catalog (Article 6(4)(c) DA). This catalog describes the available data, how it's structured, and related information (metadata). By analogy, this is the menu card that allows the researcher to order data from a restaurant. Without it, the researcher is ordering food from the kitchen without knowing what is in store. Data catalogs must be made available with regard to risks to confidentiality, data security, and personal data protection, and need to be updated regularly. However, catalogs are not required to be exhaustive; as such, the researcher may still order ‘off-menu items’ – they may not have an idea what those items are, however. Some data points can be reconstructed by building on previous research or a platform’s user-facing privacy policies; however, it is unlikely that the researcher has a full overview of all the available platform data.

It is unclear whether data access under the Delegated Act also extends to inferred data – information inferred from platform activity rather than directly collected – or even internal policy documents. Furthermore, if the researcher requests such data and the platform objects under Article 40(5) of the DSA, there is little opportunity for either the DSC or the researcher to verify that objection, especially in light of the non-exhaustive nature of the data inventory. As such, the ’data stand-off’ is still a concern under the Delegated Act.

Data protection concerns

For all the virtues that researcher data access may bring, it also raises concerns about the sharing of personal data with researchers. This concern is especially true when such data is shared beyond the borders of the European Union. The definition of a research institution that can be ‘vetted’ as a researcher under Article 40(8) DSA is derived from Article 2(1) of the Copyright in the Digital Single Market Directive (Directive 2019/790, 'CDSM'). There are no geographical requirements for eligible research institutions; universities can request data access from anywhere in the world. This implies that data may be processed in jurisdictions where standards for data protection are inadequate or do not meet the requirements of the EU’s General Data Protection Regulation (Article 45, Regulation 2016/679, ‘GDPR’).

Of course, the DSC may request advice from a Data Protection Authority (DPA) – independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law – on access modalities (Article 9(2)). This is especially pertinent in cases where an adequacy decision under Article 45 of the GDPR may be missing. In the Draft Delegated Act, DSCs were under an obligation to request advice from DPAs, but this was removed in the published Act. Although this provision was critiqued in the evaluation rounds, since DPAs can provide an operational hurdle due to their overburdened caseload, not requiring DPAs' advice in data sharing beyond the borders of the EU is a risk to data protection.

Furthermore, the DSA lacks safeguards for situations where sharing data with institutions, despite their compliance with Article 40(8) DSA and Article 2(1) CDSM, becomes questionable due to dubious allegiances. There are limited safeguards around prevailing practices of political involvement at academic institutions, for example, for universities in Russia. Even in the United States (recently in Florida), there are prevailing trends of political involvement in universities. Sharing data with universities under political pressure can lead to the administration (ab)using that data for their strategic gain, countervailing European practices on data protection. Sharing personal data in such cases presents a data protection risk, as well as a security risk. Recital 10 hints at the possibility of delaying formulating a reasoned request when the security of the Union is at risk, but does not provide any certainty about how such concerns may be weighed in a final decision on the reasoned request. The question, therefore, remains whether DSCs have sufficient means for rejecting such applications under the Delegated Act.

Role of national regulators

Several concerns may arise around the operationalization of data access under Article 40 and the delegated act. These include how systemic risk is interpreted and the role of the Digital Services Coordinator. There is a growing body of literature (e.g., here, here, and here, and even entire PhD theses) attempting to identify and delineate the meaning of this core concept of the DSA.

Researcher data access is entirely contingent on that data being used to study systemic risks arising from the use of intermediary services or the mitigation of those risks. The applicant researcher is required to indicate how they will use the requested data to study those risks. However, data access is then entirely contingent on the interpretation that the DSC of the establishment of the data provider provides regarding the notion of systemic risks. This is ultimately dependent on the priorities and preferences of that national regulator. Recital 10 of the Delegated Act emphasizes that DSCs must develop a consistent and coordinated approach to working, including standard operational criteria. It will be interesting to see what operational criteria are developed for defining and mitigating systemic risks by the Board’s working group on data access, which may foreshadow the beginning of a consistent EU-wide interpretation of systemic risk. The Board is an organ within DSA enforcement, in which all DSCs are represented, primarily tasked with harmonizing DSA enforcement.

Another operational concern is the processing time for researcher data access applications. These applications can be submitted either to the Member State where the research institution is based or to the Member State where the data-providing platform is established. If submitted to the former, it must first conduct a formal check and then forward the request to the latter. This framework presents operational concerns, because most Very Large Online Platforms (VLOPs) – especially social media platforms, which are likely to be the primary focus of data access requests – are located in Ireland. This means that Coimisiún na Meán – Ireland’s digital service coordinator – must review all data access requests and liaise with platforms on possible access modalities, running the risk of being overburdened by requests. The DA expands the original timeframe proposed in the Draft Delegated Act to 80 working days (Article 7) to formulate a reasoned request, presumably to accommodate some of the concerns raised above.

If a DSC of establishment needs more time, it can notify the researcher of a delay and give an undefined new timeframe. This may happen if input from a DPA (Article 9(2) DA) or an independent expert (Article 14 DA) is needed. Once the DSC notifies the data provider of a reasoned request, the data provider has 15 days to respond and request changes (Article 40(5) DSA). The DSC then has another 15 days to decide on those changes (Article 40(6) DSA). If mediation is needed, that process can take up to 40 additional working days (Article 13(9) DA). In total, the process can take up to 150 working days, excluding delays. For researchers on fixed-term funding, such delays may mean receiving data only after their funding has ended.

A final concern about implementing researcher data access is the currently vague nature of how data access is provided. Data must be provided through access modalities. The way data is delivered to the researcher greatly affects its usefulness. At present, the researcher can suggest the most suitable access methods for the requested data, but the DSC makes the final decision. While the DSC can consult with the data provider on the access method, the researcher has no formal role in this discussion. Although it is expected that the DSC will informally communicate with the researcher about the suitability of the proposed methods, this is not legally guaranteed in the Delegated Act.

Looking ahead: implementing the Delegated Act

Researchers likely welcome the adoption of the Delegated Act. In the coming months, they can submit data access requests, which are expected to produce unprecedented insights into the workings of online platforms – insights that could support DSA enforcement efforts and inform academic debate.

While the Delegated Act clarifies certain aspects of the earlier draft, it does not significantly address key concerns raised during the feedback process. How issues such as researcher liability, prioritization of requests, and responsibility for facilitating access will be resolved remains uncertain. Still, both researchers and European regulators share a strong interest in ensuring that data access is implemented effectively to support the enforcement of the Digital Services Act.