Blogs | Privacy and data protection | Alternatives to dominant digital services | Artificial intelligence (AI)

EU alphabet soup of digital acts: DSA, DMA and DGA

Members of the European Commission appointed in 2019 agreed to put digital policies as one of the cornerstones of EU legislation between 2019-2023. These include the Digital Services Act (DSA), the Digital Markets Act (DMA) and the Data Governance Act (DGA). So, what are the differences between these acts?

By EDRi · November 25, 2020

Designed by vectorpocket & macrovector/ Freepik

Members of the European Commission appointed in 2019 agreed to put digital policies as one of the cornerstones of EU legislation between 2019-2023. In the Commission’s political agenda, Commission President Ursula Von der Leyen said that “digital technologies should enrich the lives of us all and respect European values”. Among the policies being drafted, ranging from derogations of the ePrivacy Directive, Artificial Intelligence (AI) and others, there are a few “acts” that touch specifically on various aspects of surveillance capitalism. These include the Digital Services Act (DSA), the Digital Markets Act (DMA) and the Data Governance Act (DGA). So, what are the differences between these acts and how can civil society act to improve our digital reality now and in the future?

Digital Services Act (DSA)

The EDRi network has been working actively to help mould the DSA. The DSA aims to re-shape the internet by altering the power imbalances between big dominant platforms and people using them. It is an update of the eCommerce Directive.

Why is this important?

The DSA includes key concepts that would give back control to the people using these Big Tech services. It would also help ensure an open environment where  the likes of Google and Facebook are made accountable and where credible alternatives to their services that respect fundamental rights and are people-centric exist and are interoperable. The DSA could also ensure access to justice when people seek remedy for unjust situations (for example, wrongful take-downs of legal content).

What should you look at specifically?

Ideally, an additional tool to kill surveillance capitalism. Specifically, for a meaningful DSA to come to fruition, general rules such as a ban on general monitoring of content obligations towards platforms must remain, while at the same time bringing systemic changes to the current business models based on absorbing people’s data and experiences, making them addictive to their services, and instead enabling de-centralised, local, user/workers owned, and privacy-friendly alternatives allowing people to escape from the data-hungry digital silos where they are now stuck. The DSA is being finalised and the proposal will be published before the end of 2020. If you want your voice to be heard in drafting the DSA  you might want to talk to them on what is important for you (cheat sheet here) or wait until it is published (scheduled for 9 December) and then stay tuned to engage with your elected Members of the European Parliament and your national representatives in Brussels (see our Brussels activist guide here!)

Digital Markets Act (DMA)

The DMA aims at opening digital market by establishing limits to current digital gatekeepers (aka big tech monopolies). This is an initiative by European Commissioner Vestagger. The DMA is, as the DSA, also expected to be published on 9 December.

Why is this important?

Because of the power imbalance between individuals and companies and the impact this has on freedom of expression, association, etc.., the Commission is aiming at also considering the structural problems of such a concentrated industry. Competition law is often referred to as one of the tools that could address this power imbalance, because it controls and regulates market power, including in the digital economy. For a better overview on the relevance of competition law and digital rights, read our series of competition law blogposts here.

What should you look at specifically?

The DMA will be based on two pillars: (1) “a clear list of dos and don’ts for giant digital gatekeepers” and (2) a harmonised market investigation framework across the single market to tackle market failures and prevent future gatekeeping threats from happening. This will be done by, for example, letting users move between interoperable services and by harmonising rules so that the application of competition polices are coherent throughout the European Union.

Data Governance Act (DGA)

Perhaps the least well known of these acts is the DGA. The DGA allegedly aims at “foster[ing] the availability of data for use by increasing trust in data intermediaries and by strengthening data sharing mechanisms across the EU”. The DGA builds on the consultations for the European strategy for data. See EDRi’s response to the consultation here. The DGA is expected to be presented on 25 November but published only on 2 December.

Why is this important?

The main goal of the DGA is to “benefit” from the expected “economic value” (for companies, we assume) of sharing personal data and to build “alternatives to the current business model for Big Tech platforms”. Framing everything in terms of theoretical economic benefits, this puts aside the civil society’s goals of walking towards a people’s centric internet, all in favour of private companies. However, the DGA may end up undermining protections ensured by the General Data Protection Regulation (GDPR) by creating a “lex specialis” which private entities and public institutions could use to avoid protections in place for personal data. The DGA (in the leaked document) requires the creation of an expert group called the “European Data Innovation Board” consisting of Member States representatives and the European Commission.

What should you look at specifically?

The draft DGA proposal includes proposals to make sensitive data in the hands of public sector data available for re-use, allow the re-use of personal data with the help of a data-sharing intermediary, allow sharing data among businesses, and making data reusable on “altruistic” grounds that as Estelle Massé from Access Now says “threaten people’s ability to control how their personal information is being used”. The leaked document states that the re-use of personal data will need to be based on one of the GDPR’s legal basis and in general be compliant with the GDPR. However, it should be emphasised that the GDPR does not permit public authorities to rely on the legal basis of “legitimate interests”, and the data user shall also not be permitted to rely on it. A potential but resource-intensive to look at this problem could be to closely scrutinise each of these re-uses and require the competent authorities monitoring the DGA to supervise these re-uses case by case before they occur. However, given the existing problems with the implementation of the GDPR this is not likely to work too well. And regarding these competent authorities, it seems coherent with the GDPR that data protection authorities should be the competent authorities monitoring its enforcement, rather than leaving up Member States the freedom to designate “one or more competent authorities” as the draft proposal suggests.


Contribution by:

Diego Naranjo

Head of Policy

Twitter: @DNBSevilla