Alert
February 6, 2023

EU Technology Regulation: Watch List for 2023 and Beyond

An overview of new and upcoming EU legislation on technology — and why it matters to businesses. 

Last year, the European Union passed a number of important EU legislative acts relating to the regulation of technology. Further legislative acts and proposals affecting technology are on the agenda for 2023, including the EU’s landmark AI Act. This client alert outlines these developments and is important reading for any business operating or interested in the European market. Over the coming months, Goodwin’s Technology and Life Sciences teams will prepare a series of client alerts that analyse specific aspects of these regulations and their impact on clients.

In force

In force since 16 November 2022.

Overview

The Digital Services Act (DSA) sets out new rules to address the challenges posed by digital transformation and new digital business models in the EU. It has three main aims:

  • Protect consumers and their fundamental rights online
  • Keep online platforms transparent and accountable
  • Foster innovation, growth, and competition within the EU

For digital services providers, it aims to provide greater legal certainty and make it easier to launch and scale across Europe. For consumers of digital services, it aims to encourage greater choice, lower prices, wider access to EU-wide markets through digital platforms, and a safe digital environment that is free from illegal content.

The DSA applies to all intermediary services offered to recipients in the EU, including “mere conduit” services (such as internet service providers and communications service providers), hosting services, and caching services. Online search engines and online platforms are subject to specific obligations, including particularly onerous obligations for very large online platforms and very large online search engines.

The DSA introduces obligations concerning, inter alia, how platforms moderate content, communicate with users, advertise, respond to crises, and maintain accountability to regulators and users.

Highlights

The new obligations in the DSA include:

  • Safeguards for users. Service providers must adopt rules on admissible content and content moderation and provide the ability to challenge content moderation decisions. The DSA also establishes a ban on targeting advertisements to children and profiling individuals on the basis of sensitive traits (such as religious affiliation or sexual orientation).
  • Transparency. Intermediaries will be required to produce public annual reports detailing their content moderation efforts (including statistics), and providers will be required to specify — in their terms of service — how their recommender algorithms work.
  • Obligations on very large online platforms. Very large online platforms will be required to take risk-based measures to prevent misuse of their platforms and undertake independent audits of their risk-management systems. The resultant findings will then be scrutinised by independent auditors, EU and member state authorities, and researchers from academia or civil society.

Milestones

  • 17 February 2023: Platforms and search engines to publish user numbers, allowing the commission to assess which service providers fall into which categories.
  • 17 February 2024: DSA to become fully applicable across the EU for all entities in scope.

In force since 1 November 2022.

Overview

The Digital Markets Act (DMA) established new rules to regulate large, systemic online platforms (gatekeepers) such as online search engines, social networking services, messaging services, and app stores. Its four main aims are to:

  • Ensure a fair business environment in which business users who depend on gatekeepers can offer their services
  • Enable innovators to compete in the online platform environment without being subject to unfair terms and conditions
  • Give consumers more choices and fairer prices
  • Enable gatekeepers to innovate and offer new services while limiting their ability to use unfair practices against business users and customers who depend on them

Highlights

We highlight a few important rules:

  • Data-sharing. Gatekeepers must allow business users to access the data generated in their use of the gatekeepers’ platforms.
  • Advertising accountability. Gatekeepers must provide advertisers with detailed information on the use of, and payment for, its advertising services (for example, information relating to fees paid and the metrics used to calculate those fees).
  • Product ranking. Gatekeepers can no longer treat their own products or services more favourably in rankings than similar products or services offered by third parties.

Milestones

  • 2 May 2023: DMA rules start to apply.
  • Six months from a company’s date of designation as gatekeeper but no later than 6 March 2024: Gatekeeper must comply with DMA requirements.

In force since 23 June 2022.

Overview

The Data Governance Act (DGA) aims to improve data-sharing across sectors and EU countries, particularly by facilitating wider reuse of data held by public sector bodies. For example, it contemplates supporting data-driven innovation using health data, mobility data, environmental data, agricultural data, and public administration data. To achieve this aim, it introduces four types of measures:

  • Facilitating the reuse of public sector data that is not currently accessible to third parties
  • Ensuring trust in data intermediaries
  • Supporting individuals and businesses in making their data available for the benefit of society
  • Facilitating data-sharing across sectors and borders, and ensuring the right data is found for the right purpose

Highlights

Key points from the DGA include:

  • Limitations on exclusive data reuse agreements. Agreements between a public sector body and a company for exclusive rights to reuse the public data are now limited to specific cases of public interest.
  • Notification and supervisory framework. The DGA provides for a notification and supervisory framework for the provision of data intermediation services.
  • Single access points. There will be a “single information point” for data held by public authorities in each member state, and a searchable European register containing the information compiled by national single information points.
  • Establishment of European Data Innovation Board. Comprising stakeholders from various EU bodies, this board will seek to ensure that data-sharing occurs in line with best practices.

Milestones

  • 24 September 2023: DGA rules start to apply.

Pending

Proposal adopted by the European Commission on 23 February 2022.

For detailed analysis, see our article “New EU Rules for Data Access and Sharing: What You Need to Know.

Overview

The Data Act is a proposed EU regulation focused on data generated by Internet of Things (IoT) devices. It aims to create a single data market in which data is more accessible and can be shared without legal obstacles among European businesses and the public sector. In particular, it aims to enable consumers and businesses to take full advantage of the digital data they create when using IoT devices.

Highlights

  • Accessibility and transparency. Products and services must be designed in a way that makes data accessible to users by default. Users also need to be provided with certain transparency information around data before purchase.
  • Data portability. Users of products are granted a right to request that data holders make all data generated by products available to third parties of their choice.
  • Data-sharing agreements with small and medium-size enterprises (SMEs). The Data Act includes protections for SMEs against unfair contract clauses included in data-sharing agreements with more powerful market players.
  • Switching cloud services. Cloud services providers must remove obstacles that restrict customers from entering into contracts with new providers and porting over data, applications, and other digital assets to the new provider.
  • Rules for international transfer of non-personal data. The Data Act proposes new restrictions, similar to those found in the General Data Protection Regulation and Schrems, applicable to international transfers of non-personal data held in the EU.
  • Exclusion for database rights. The Data Act specifies that the database right created by the EU Database Directive does not apply to databases containing data from, or generated by, the use of a connected device.

Milestones

  • The trilogue negotiations over the Data Act are not expected to be completed before spring 2023.

Overview

The Artificial Intelligence Act (AI Act) is a proposed EU regulation targeted at regulating AI systems in the EU and across the EU’s single market. It has two key aims: to maintain trust in the AI systems used in the EU and in the EU market, and to create an ecosystem of excellence for AI in the EU. It proposes to achieve these aims by addressing risks of specific uses of AI, categorising them into four risk levels — unacceptable risk, high risk, limited risk, and minimal risk — and regulating systems that fall into each category accordingly.

Status

On 7 November 2022, the Council of Europe adopted a common position on the AI Act, allowing it to negotiate with the European Parliament with a view to concluding a final agreement. The act is unlikely to become binding law until late 2023.

Overview

The AI Liability Directive is a proposed legal framework for the targeted harmonisation of product liability rules for AI. By enabling victims of AI-related damage to obtain compensation without burdensome evidentiary hurdles, the directive aims to boost consumer confidence in interacting with emerging technologies. It achieves this by alleviating the burden of proof in relation to damage caused by AI systems, establishing broader protection for victims, and fostering the AI sector by increasing guarantees. It complements the Product Liability Directive, which covers a producer’s strict liability for defective products, and the AI Act.

Highlights

The AI Liability Directive has two key features:

  • Presumption of causation. It creates a rebuttable presumption of causation when certain criteria are met.
  • Preservation of evidence. In relation to high-risk AI systems, it empowers courts to order specific measures to preserve — or enable access to — evidence that could prove a causal link.

Status

The proposal was adopted by the European Commission on 28 September 2022. Its next step is to be adopted by the European Parliament and European Council. It is also proposed that five years after the AI Liability Directive enters into force, the Commission assess the need for no-fault liability rules for AI-related claims, if necessary.

Overview

The Cyber Resilience Act (CRA) is a proposed EU regulation that would establish cybersecurity requirements for products with digital elements. Its focus is on countering cyberthreats, and it has two main objectives: to create conditions for the development of secure digital products, and to create conditions allowing users to take cybersecurity into account when selecting or using products with digital elements.

Highlights

The regulation would place obligations on manufacturers of digital devices, including:

  • Essential cybersecurity requirements, applicable to all products with digital elements
  • Vulnerability handling requirements
  • Extra requirements for “critical” products
  • Conformity requirements for manufacturers of products in scope
  • Reporting obligations

Status

The proposal was published on 15 September 2022.

Overview

The European Health Data Space (EHDS) is an expansive proposed EU regulation that would establish a health-specific ecosystem of rules, common standards and practices, infrastructures, and a governance framework.

Highlights

The two key aims of the EHDS are:

  • To increase digital access to and control of electronic personal health data, to support its free movement, and to foster a genuine single market for electronic health record systems
  • To provide a setup for the use of health data for research, innovation, policymaking, and regulatory activities

The EHDS aims to empower individuals, health professionals, healthcare providers, researchers, and regulators through freer movement of health data.

Status

The proposal was published on 3 May 2022.

* The authors wish to thank Arjun Dhar for contributing to this article.