Data Desiderata: On the Proposed EU Digital Services Regulation 2020

The EU Commission has presented three cornerstones of its digital regulation approach in November and December of 2020: the drafts of the Digital Markets Act (DMA), the Digital Services Act (DSA), and the Data Governance Act (DGA). We look at data transactions and focus on four aspects which illustrate much room for advancing the coherence and specificity of the proposed Acts: the specificity of data-related provisions; the role of fair, reasonable and non-discriminatory licensing (‘FRAND’) in the package context; the role of data intermediaries; and the upcoming data act. Our paper not only focuses on diagnosis but also proposes improvements and calls for a more integrated approach.

Lack of Specification of Data-Related Provisions

The proposed DMA assembles a mingle-mangle of data-related obligations which address various regulatory goals. These obligations are of limited responsiveness to differing market contexts and industries, and the Acts leave open many relevant questions which would require further specification. We do not discuss these questions in detail but instead propose a suitable regulatory approach and procedure for specification. Amongst other points, the Commission’s decisions under Art 7(2) DMA, which specifies measures to be implemented by gatekeepers, should not only be limited to violations of Art 6, but also pertain to Art 5. Moreover, measures bilaterally imposed on and implemented by gatekeepers with extensive market power may lead to de facto standards without having taken into account the interests of market participants and the wider public. We favour a bottom-up approach, targeted at a broad range of relevant stakeholders and market contexts. The Commission should pursue a similar approach when drafting implementation orders according to Art 36 DMA, the DMA’s ‘built-in specification provision’. The process of specifying the DMA should be laid out in a sequenced ‘implementation plan’.

FRAND in the Package Context

The Acts’ repeated referral to FRAND demonstrates that the legislator regards the concept as an important cornerstone for various transactional settings. However, FRAND-licensing is no sure-fire success, being haunted by hold-up, excessive global litigation, and other problems in the realm of standard-essential patents (SEP). Therefore, the application of FRAND under the package should try to avoid duplicating earlier flaws, eg by developing early-on sets of model conditions for prototypical access transactions, thereby mitigating uncertainty whilst not preventing market mechanisms from shaping license conditions. Early best-practice guidance on the conduct of parties could mitigate litigation over such conduct as seen in the SEP-FRAND-realm. Moreover, regulators should focus on FRAND-supportive institutions. While the Commission and Member States are not well placed to decree details of FRAND early on, data intermediaries can drive the process of making FRAND work in practice by helping to define what content and conduct qualify as FRAND, as well as by implementing such guidance in data transactions. The appropriate legislative structure for implementing FRAND details cannot be the Acts themselves but supplementary state legislation or stakeholder self-regulation.

The Role of Data Intermediaries

The legislator should further strengthen the role of data intermediaries to safeguard the interests of groups of market participants the Acts wish to protect. The DMA and the DGA should be clarified and delineated in their scopes regarding data sharing services and data intermediaries. The proposed DGA lacks a general definition and categorization of data sharing service providers and data intermediaries. The reference in Recital (22) DGA to the ‘main objective’ of providers could lead to larger companies escaping DGA regulation by offering data sharing services as a side-business. Furthermore, the Acts need to answer the question whether gatekeepers should be entitled to act as DGA data intermediaries. Completely prohibiting such a combined status seems unwarranted since gatekeepers may need to perform data sharing activities as an integral part of their business models and data-driven innovation. Regarding some data intermediation activities, however, the systemic potential for conflicts of interest, for harm to data subjects or data recipients, and for further strengthening gatekeepers’ market power suggest a prohibition for gatekeepers to exercise such activities. Hence, the DGA should prohibit gatekeepers under the DMA from providing Data Intermediary Trustee services. Also, Art 11 DGA should prohibit gatekeepers or players with substantial market power from tying DGA data intermediary services to other business activities. A systematic fostering of the role of data intermediaries could, furthermore, include their cooperation with gatekeepers in the fulfilment of data transfer obligations, eg by providing technical infrastructure, helping to negotiate FRAND conditions, but also by engaging in consent management, anonymization, or differential privacy solutions where personal data is involved. To advance these goals, data intermediaries should be explicitly incorporated in the DMA’s regulatory concept (at least) as an optional tool.

Towards a More Comprehensive Regulatory Framework – the Role of the Envisaged ‘Data Act’

In the development of the digital economy’s regulatory framework, the Acts of the package constitute important and far-reaching steps. But they are not comprehensive enough. We identify several aspects to be considered for additional regulatory measures, inter alia: (i) There are many more companies than (GAFAM-)gatekeepers whose market power may be below dominance but who are in a position to structurally impact digital markets. It may prove advisable to subordinate such companies to regulatory obligations less far-reaching than those pertaining to gatekeepers, but tailored to specific risks, such as market tipping, oligopolization and path dependency; (ii) The legislator needs to strike a balance between data protection and innovation through data processing. Existing data protection rules should be revised to provide more granularity and legal certainty. (iii) The Acts largely turn a blind eye to data-related intellectual property rights. (iv) The potential of private enforcement, especially with a focus on ex-ante conduct remedies, is woefully neglected.

In summary, the envisaged Data Act will not be able to single-handedly remedy all of these shortcomings, but it will become a key component in the regulatory framework for digital markets and must be in close sync with the DMA, DSA, and DGA. We also welcome the re-examination of sui generis database protection in the frame of the upcoming Data Act proposal.

Peter Georg Picht is a professor of law at the University of Zurich.

Heiko Richter is a Senior Research Fellow at the Max Planck Institute for Innovation and Competition.