Who’s who under the DMA, DSA, DGA and Data Act?

Introduction

As part of its data strategy, the European Commission has presented a number of legislative instruments, in particular the Digital Markets Act (DMA), the Digital Services Act (DSA), the Data Governance Act (DGA) and the Data Act.

In this publication we will take a look at who the actors are under these new instruments. In particular, we will discuss for each of the four instruments, the relevant actors, i.e. to whom the legal instrument applies and who may benefit from it.

For more general information on these instruments, we refer to our previous blogs “EU Regulatory Data Protection: Many pieces to the regulatory framework puzzle” and “EU Regulatory Data Protection: A first appraisal of the European Commission’s proposal for a "Data Act".

Key takeaway

The overview will show that the European legislator has created a complex framework: each instrument introduces new actors, similar actors are defined differently under the various acts and, except for the data subject, the well-known controllers and processors under the GDPR do not play any role.

Therefore, it will be important for organizations to duly identify their role and corresponding rights and obligations.

Digital Markets Act (Regulation 2022/1925 – adopted and published)

The DMA introduces the concept of gatekeeper which means “an undertaking providing core platform services designated pursuant to article 3 of the DMA. A gatekeeper will thus only be subject to the DMA and its obligations once it has been designated as such by the European Commission.

Core platform services include online intermediation services, online search engines, online social networking services, video-sharing platform services, number-independent interpersonal communication services, operating systems, web browsers, virtual assistants, cloud computing services and online advertising services.

In the meantime, the European Commission has designated six gatekeepers: Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft.

The purpose of the DMA is to contribute to the proper functioning of the internal market by laying down harmonised rules ensuring for all businesses contestable and fair markets where gatekeepers are present to the benefit of business users and end users.

End user means any natural or legal person using core platform services other than as a business user.

Business user means any natural or legal person acting in a commercial or professional capacity using core platform services for the purpose of or in the course of providing goods or services to end users.

It follows from the foregoing that any end user or business user (as defined above) using any of the core platform services will benefit from the obligations and restrictions that are imposed upon gatekeepers by the DMA.

Digital Services Act (Regulation 2022/2065 – adopted and published)

The DSA applies to providers of intermediary services offered to recipients of the service that have their place of establishment or are located in the European Union, irrespective of where the providers of those intermediary services have their place of establishment.

An intermediary service means one of the following:

• a "mere conduit" service that consists of the transmission in a communication network of information provided by a recipient of the service, or the provision of access to a communication network;
• a "caching" service that consists of the transmission in a communication network of information provided by a recipient of the service, involving the automatic, intermediate and temporary storage of that information, for the sole purpose of making more efficient the information's onward transmission to other recipients upon their request;
• a "hosting" service that consists of the storage of information provided by, and at the request of, a recipient of the service.

Where services meet the conditions of "mere conduit", "hosting", providers of those services can benefit from an exemption of liability.

Recital 28 clarifies that providers of services establishing and facilitating the underlying logical architecture and proper functioning of the internet, including technical auxiliary functions, can also benefit from the exemptions from liability set out in the DSA, to the extent that their services qualify as "mere conduit", "caching" or hosting services. Such services include, as the case may be, wireless local area networks, domain name system (DNS) services, top–level domain name registries, certificate authorities that issue digital certificates, or content delivery networks, that enable or improve the functions of other providers of intermediary services. Likewise, services used for communications purposes, and the technical means of their delivery, have also evolved considerably, giving rise to online services such as Voice over IP, messaging services and web-based e-mail services, where the communication is delivered via an internet access service. Those services, too, can benefit from the exemptions from liability, to the extent that they qualify as "mere conduit", "caching" or hosting service.

Providers of hosting services include online platforms which are defined as “a hosting service which, at the request of a recipient of the service, stores and disseminates information to the public, unless that activity is a minor and purely ancillary feature of another service or a minor functionality of the principal service and, for objective and technical reasons cannot be used without that other service, and the integration of the feature or functionality into the other service is not a means to circumvent the applicability of the DSA”.

Online platforms are subject to additional rules unless they qualify as a micro or small enterprise. Additional rules also apply to very large online platforms, i.e. platforms providing services to a number of average monthly active recipients of the service in the European Union equal to or higher than 45 million.

Indirectly, the DSA applies to traders on online platforms by obliging online platforms to take measures to ensure traceability of traders. A trader is defined as any natural person, or any legal person irrespective of whether privately or publicly owned, who is acting, including through any person acting in his or her name or on his or her behalf, for purposes relating to his or her trade, business, craft or profession. It comes within the scope of the DSA where it concludes distance contracts with consumers.

The DSA aims at contributing to the proper functioning of the internal market for intermediary services and to set out uniform rules for a safe, predictable and trusted online environment to the benefit of recipients of intermediary services (eg. by means of enhanced transparency obligations, by granting them the right to lodge a complaint). Recipient of the service means any natural or legal person who uses the relevant service, in particular for the purposes of seeking information or making it accessible.

Finally, the DSA introduces the trusted flagger (undefined term). When a person meets certain conditions, it can be granted the status of trusted flagger. Notices by trusted flaggers must be prioritized and handled promptly by online platforms.

Comparison of certain actors under the Digital Markets Act and the Digital Services Act

The above overview has shown that the actors under the DMA and DSA have substantially different names. However, when looking at the definitions of certain actors, there are some similarities.

Indeed, the below table shows that the end user and business user under the DMA are similar to the recipient of the service and the trader under the DSA.

The end user and recipient of the service are both natural and legal persons using a certain service. However, the recipient of the service can be a person acting in a personal or commercial/professional capacity whereas the end user can only be a person acting in a personal capacity.

The trader is similar to the business user as they both act in a professional capacity and both engage with another person (consumer and end user respectively) via a platform service.

Data Governance Act (Regulation 2022/868 – adopted and published)

Re-use of data held by public sector bodies

The DGA aims at fostering data sharing in order to reap the benefits of the data economy.

To that end, it creates first of all a framework for the re-use of data held by public sector bodies.

A public sector body means the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities, or one or more such bodies governed by public law.

Bodies governed by public law are bodies having the following characteristics:

1. they are established for the specific purpose of meeting needs in the general interest, and do not have an industrial or commercial character;
2. they have legal personality;
3. they are financed, for the most part, by the State, regional or local authorities, or other bodies governed by public law, are subject to management supervision by those authorities or bodies, or have an administrative, managerial or supervisory board, more than half of whose members are appointed by the State, regional or local authorities, or by other bodies governed by public law.

Recital 12 clarifies that public undertakings are not covered by the definition of public sector body. Therefore, public undertakings are not subject to the rules on re-use of data held by them.

A public undertaking means any undertaking over which the public sector bodies may exercise directly or indirectly a dominant influence by virtue of their ownership of it, their financial participation therein, or the rules which govern it; for the purposes of this definition, a dominant influence on the part of the public sector bodies shall be presumed in any of the following cases in which those bodies, directly or indirectly:

1. hold the majority of the undertaking’s subscribed capital;
2. control the majority of the votes attaching to shares issued by the undertaking;
3. can appoint more than half of the undertaking’s administrative, management or supervisory body.

Public undertakings may of course by caught by the DGA where they would perform data intermediation services or wish to register as a data altruism organisation.

The DGA does not impose an obligation upon public sector bodies to share data but lays down a set of rules that must be complied with if they choose to share data with a re-user.

The re-user is not defined under the DGA but if follows from the text of the DGA that – unsurprisingly – it is the person re-using data held by public sector bodies. The re-user has both rights and obligations (e.g. regarding confidentiality) under the DGA.

Data Intermediation Services

Secondly, the DGA creates a framework for providers of data intermediation services.

Providers of data intermediation services that comply with the requirements of article 10 are subject to a notification and supervisory framework.

A data intermediation service means a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data, excluding at least the following:

1. services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users;
2. services that focus on the intermediation of copyright-protected content;
3. services that are exclusively used by one data holder in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things;
4. data sharing services offered by public sector bodies that do not aim to establish commercial relationships.

The following data intermediation services are covered by article 10:

1. intermediation services between data holders and potential data users, including making available the technical or other means to enable such services; those services may include bilateral or multilateral exchanges of data or the creation of platforms or databases enabling the exchange or joint use of data, as well as the establishment of other specific infrastructure for the interconnection of data holders with data users;
2. intermediation services between data subjects that seek to make their personal data available or natural persons that seek to make non-personal data available, and potential data users, including making available the technical or other means to enable such services, and in particular enabling the exercise of the data subjects’ rights provided in Regulation (EU) 2016/679;
3. services of data cooperatives.

Data cooperatives as such are not defined but services of data cooperatives mean data intermediation services offered by an organisational structure constituted by data subjects, one-person undertakings or SMEs who are members of that structure, having as its main objectives to support its members in the exercise of their rights with respect to certain data, including with regard to making informed choices before they consent to data processing, to exchange views on data processing purposes and conditions that would best represent the interests of its members in relation to their data, and to negotiate terms and conditions for data processing on behalf of its members before giving permission to the processing of non-personal data or before they consent to the processing of personal data.

It is important to note that only data intermediation services that meet the requirements of article 10 will come within the scope of the DGA.

As indicated above, data intermediation services seek to enable data sharing between data subjects and data holders on the one hand, and data users on the other hand.

A data subject under the DGA has the same meaning as under the GDPR.

A data holder means a legal person, including public sector bodies and international organisations, or a natural person who is not a data subject with respect to the specific data in question, which, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal data or non-personal data.

A data user means a natural or legal person who has lawful access to certain personal or non-personal data and has the right, including under Regulation (EU) 2016/679 in the case of personal data, to use that data for commercial or non-commercial purposes.

While the "data flow" in the context of data intermediation services is rather clear in the sense that it goes from the data subject/data holder over the provider of data intermediation services to the data user, the definitions are probably not the soundest. Most data holders will strictly speaking also meet the requirements of a data user. The right to grant access or share certain personal or non-personal data inevitably requires lawful access to the data and the right to use the data (i.e. sharing) for commercial or non-commercial purposes.

Furthermore, in article 12.c, the DGA refers to “the person who uses the data intermediation service”. It is unclear whether this could be a person other than the data subject, data holder or data user. This is probably not the case but it is unfortunate that this article does not use any of the defined terms.

Data altruism

Thirdly, the DGA provides a framework for the recognition of data altruism organisations. Data altruism means the voluntary sharing of data on the basis of the consent of data subjects to process personal data pertaining to them, or permissions of data holders to allow the use of their non-personal data without seeking or receiving a reward that goes beyond compensation related to the costs that they incur where they make their data available for objectives of general interest as provided for in national law, where applicable, such as healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, public policy making or scientific research purposes in the general interest.

Data Act (Regulation 2023/2854 – adopted and published)

The Data Act contains a variety of rules to foster B2C, B2B and B2G data sharing including rules on data generated by IoT products or related services, unfair terms, smart contracts and switching between data processing services.

B2C and B2B sharing

The Data Act imposes, to the benefit of the users of such products or services, data accessibility and sharing obligations upon manufacturers of connected products and suppliers of related services placed on the market in the Union, whereby:

• connected product means an item that obtains, generates or collects, data concerning its use or environment, and that is able to communicate product data via an electronic communications service, physical connection or on-device access, and whose primary function is not the storing, processing or transmission of data on behalf of any party other than the user.
• related service means a digital service, other than an electronic communications service, including software, which is connected with the product at the time of the purchase, rent or lease in such a way that its absence would prevent the connected product from performing one of its functions, or which is subsequently connected to the product by the manufacturer or a third party to add to, update or adapt the functions of the connected product.

Manufacturers of connected products and suppliers of related services that qualify as micro or small enterprises are exempted from certain obligations.

A user is any natural or legal person that owns a connected product or to whom temporary rights to use that connected product have been contractually transferred, or that receives related services. The user can be a data subject, which is defined in the same way as under the GDPR. While the Data Act mainly grants rights to a user, it also imposes a number of restrictions on it with regard to its use of the obtained data.

The manufacturers of connected products and the suppliers of related services may qualify as data holders. A data holder means a legal or natural person that has the right or obligation, in accordance with the Data Act, applicable Union law or national legislation adopted in accordance with Union law, to use and make available data, including, where contractually agreed, product data or related service data which it has retrieved or generated during the provision of a related service.

Data holders are subject to a number of obligations, including obligations with regard to contractual terms and the use of smart contracts.

Users may ask data holders to make available data generated by a product or a service to a third party. Undertakings designated as gatekeepers under the DMA are not an eligible third party.

There is no definition of third party in the Data Act. However, a third party may qualify as a data recipient which means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation adopted in accordance with Union law.

Data recipients are granted certain contractual and other protections under the Data Act but are also subject to a number of obligations in case of e.g. unauthorised use of data.

B2G sharing

While the DGA provides rules for G2B sharing, the Data Act covers the opposite data flow (B2G).

In the event of an exceptional need, data holders may be required to make data available to a public sector body, the European Commission, the European Central Bank or a Union body.

A public sector body means national, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodies.

Union bodies means the Union bodies, offices and agencies set upby or pursuant to acts adopted on the basis of the Treaty on European Union, the TFEU or the Treaty establishing the European Atomic Energy Community.

Data processing services

Under the Data Act, providers of data processing services are subject to a number of obligations which aim at removing obstacles for customers to effective switching between providers of data processing services.

A data processing service means a digital service that is provided to a customer and that enables ubiquitous and on-demand network access to a shared pool of configurable, scalable and elastic computing resources of a centralised, distributed or highly distributed nature that can be rapidly provisioned and released with minimal management effort or service provider interaction.

A customer means a natural or legal person that has entered into a contractual relationship with a provider of data processing services with the objective of using one or more data processing services.

Smart contracts

Vendors of applications using smart contracts or, in the absence thereof, persons whose trade, business or profession involves the deployment of smart contracts for other in the context of executing an agreement or part of it, to make data available must meet a number of essential requirements including requirements on robustness and access control.

Data spaces

Participants in data spaces that offer data or data services to other participants must meet a number of essential requirements to facilitate interoperability of data, of data sharing mechanisms and services, as well as of common European data spaces.

The Data Act does not include a definition of participant in data spaces but the concept is rather self-explanatory. A data intermediation services provider can qualify as a participant in a data space.

Comparison of certain actors under the Data Governance Act and the Data Act

The above overview has shown that the DGA and Data Act use certain identical concepts. However, as shown below, these are not defined in the same way.

We had previously indicated that it would definitely make sense to align the definition of public sector body under the Data Act with the definition of the Data Governance Act as there does not seem to be any objective reason to use different definitions. However, the European legislator has not done so.

As to the data holder, we had also previously indicated that although the difference in the definitions follows from the differences in scope of both Acts, it would be sensible to try and align the definitions as much as possible, given the already considerable complex interplay between the personal field of application of the various legal instruments. The definition of Data Holder as included in the final version of the Data Act is now indeed more aligned with the definition of Data Holder under the DGA.

The interplay between the definitions of data holders, data users, data recipients and re-users remains complex.