Suchen

The EU’s Data and Digital Acts are revolutionizing the rules of the digital economy. The new regulations in the AI Act, Data Act, Data Governance Act, Digital Services Act, and Digital Markets Act are entering into force in the coming weeks and months, or are already applicable. This presents companies with the significant challenge of understanding complex new legal obligations and implementing them quickly. A proven approach is to first identify areas where implementation deficits are easily recognizable and legal risks are correspondingly high. Fulfilling transparency obligations can be a pragmatic first step on the path to data and digital law compliance.

1. Overview of the EU Digital Laws: What Do the AI Act, Data Act & Co. Regulate?

For the planning and prioritization of measures to achieve data and digital law compliance, it is essential to get an overview of whether and to what extent the individual Data and Digital Acts affect your company.

  • AI Act: The AI Act aims to make the development and use of artificial intelligence (AI) in the EU safe and trustworthy while fostering innovation. It pursues a risk-based approach, subjecting AI systems to different requirements depending on their potential risk to fundamental rights and safety. These include prohibitions on certain AI practices, obligations for high-risk AI systems, and transparency obligations.
  • Data Act: The Data Act aims to create fair conditions for access to and use of data. This particularly concerns data generated by connected products (Internet of Things, IoT) and related services. It aims to better distribute the value of data, promote innovation, and create a competitive data market.
  • Data Governance Act: The Data Governance Act complements the Data Act and aims to increase the availability of data for use and facilitate data sharing within the EU. It establishes a framework for the re-use of certain public sector data.
  • Digital Markets Act: The Digital Markets Act specifically concerns large online platforms, so-called “gatekeepers”. Its objective is to make markets in the digital sector fairer. To this end, the DMA imposes a series of behavioral obligations and prohibitions on gatekeepers.
  • Digital Services Act: The Digital Services Act aims to create a safer, more transparent, and more accountable online environment. It modernizes the rules for digital services, especially for online intermediaries such as social networks, online marketplaces, and search engines. The focus is on dealing with illegal content, protecting fundamental rights, the transparency of algorithms and advertising, and the accountability of online platforms.

These Data and Digital Acts form a complex regulatory ecosystem of sometimes complementary or overlapping legal frameworks. A recurring theme in these legal acts is the strengthening of users’ positions vis-à-vis powerful data holders and platform operators. This manifests itself in rights to data access, data portability, freedom of choice, and indeed, comprehensive transparency.

2. Focus on Transparency: Obligations from the New Digital Laws

The Data and Digital Acts enshrine a multitude of new transparency obligations that companies must address on their path to data and digital law compliance.

Transparency Obligations of the AI Act

The AI Act focuses on transparency to build trust in AI systems and protect users.

  • Interaction with natural persons: Providers of AI systems intended to interact with natural persons (e.g., chatbots) must ensure that these persons are informed that they are interacting with an AI system, unless this is obvious from the circumstances and the context of1 use (Art. 50(1) AI Act).
  • General labeling requirement: Providers of AI systems must ensure that the output of the AI system is labeled in a machine-readable format and is recognizable as artificially generated or manipulated. This particularly applies to audio, image, video, or text content.
  • Emotion recognition and biometric categorization systems: When using such systems, the affected natural persons must be informed by the operator of the system about its operation (Art. 50(3) AI Act).
  • AI-generated or manipulated content (“Deepfakes”): Content (audio, image, video, text) that has been generated or manipulated by an AI system and could falsely appear authentic or truthful must be labeled by the operator as artificially generated or manipulated.
  • High-risk AI systems: For AI systems classified as high-risk, extensive transparency and documentation obligations apply. These include the creation and continuous updating of comprehensive technical documentation (in accordance with Art. 11 AI Act) and the provision of clear and comprehensive instructions for use to users (Art. 13(1) AI Act).
  • General-Purpose AI Models (GPAI): Providers of GPAI models must create and maintain technical documentation, provide information for downstream providers of AI systems who intend to integrate these models, and publish a sufficiently detailed summary of the content used to train the model.

Transparency Obligations of the Data Act

The Data Act aims, among other things, to create transparency regarding data generated by connected products and related services.

  • Pre-contractual information obligations: Manufacturers of connected products and providers of related services must clearly and understandably inform users before concluding a purchase, rental, or leasing contract. This information must include at least: the type, format, estimated volume, and frequency of data collection that the product is expected to generate; whether the data is generated continuously and in real-time; how the user can access, retrieve, and delete the data; whether the provider intends to use the data itself or allow third parties to use it, and for what purposes; the identity of the data holder and contact details (Art. 3(2) and (3) Data Act).
  • Data access for users: Users (owners, tenants, or lessees of a connected product) have the right to access the data generated by their use of the product or related service. Data holders must make this data easily accessible to the user without undue delay, free of charge, and, where technically feasible, in a commonly used, structured, and machine-readable format upon simple electronic request (Art. 4(1) Data Act).

Transparency Obligations of the Data Governance Act

The DGA aims to promote transparency in the context of the re-use of public data and in data intermediation services.

  • Re-use of public sector data: Public sector bodies that permit the re-use of data subject to the protection of third-party rights (e.g., trade secrets, personal data, intellectual property) must make the conditions for this re-use and the application procedure publicly accessible (e.g., via central information points). These conditions must be non-discriminatory, transparent, proportionate, and objectively justified (Art. 5(2), (3) DGA). Any fees must also be transparent, non-discriminatory, proportionate, and objectively justified; the calculation methodology must be disclosed (Art. 6 DGA).
  • Data intermediation services: Providers of data intermediation services must notify their intention to offer such services to the competent national authority. The notification must contain certain information (e.g., name, legal form, address, description of the service), part of which will be kept in a public EU register (Art. 11 DGA). The access procedures to their services and pricing must be fair, transparent, and non-discriminatory (Art. 12(1) DGA). If services are offered to data subjects, they must be informed in a concise, transparent, intelligible, and easily accessible form about the intended data use and the conditions before giving their consent (Art. 12(2) DGA).
  • Data altruism organizations: Organizations that collect and process data for altruistic reasons must fulfill certain transparency obligations. This includes maintaining accurate records of data processing operations and preparing annual activity reports that provide information, among other things, on the public interest objectives pursued, the categories of data processed, the origin of funding, and the results of data processing (Art. 20 DGA).

Transparency Obligations of the Digital Services Act

The DSA contains comprehensive transparency obligations for providers of intermediary services, particularly for online platforms:

  • Terms and Conditions (T&Cs): Providers of intermediary services must provide clear, understandable, easily accessible, and machine-readable information in their T&Cs about their policies, procedures, measures, and tools for content moderation, including information on algorithmic decision-making and human review (Art. 14(1) DSA).
  • Transparency reports of providers of intermediary services: All providers of intermediary services must publish reports on the content moderation they have carried out in the relevant period at least once a year. These reports must include, among other things, information on the number of orders received from authorities, the number of notices of illegal content received, the measures taken, and the use of automated procedures (Art. 15 DSA).
  • Additional transparency reports for online platforms: Providers of online platforms must provide additional information in their reports, e.g., on the number of disputes submitted to out-of-court dispute settlement bodies and on the number of suspensions imposed for misuse. They must also publish the average number of their monthly active users in the EU every six months (Art. 24 DSA).
  • Advertising on online platforms: Online platforms that display advertising must clearly indicate in real-time for each individual advertisement that it is an advertisement, who financed the advertisement (advertiser and payer), and which main parameters were used to target the advertisement to the respective user, and how these parameters can be changed if necessary (Art. 26 DSA).
  • Recommender systems: Online platforms that use recommender systems must clearly and understandably set out in their T&Cs the main parameters of these systems and any options for users to modify or influence these parameters (Art. 27 DSA).
  • Additional transparency obligations for Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs): These actors are subject to even stricter transparency obligations, such as the creation and public availability of advertising archives (Art. 39 DSA) and even more detailed semi-annual transparency reports that provide information, among other things, on human resources for content moderation and risk assessments (Art. 42 DSA).

Transparency Obligations of the Digital Markets Act

The DMA primarily obliges companies designated as gatekeepers to greater transparency, especially towards their business users and end-users:

  • Advertising: Gatekeepers that offer advertising services must provide advertisers and their authorized third parties, upon request, daily and free information on each advertisement placed, including the price paid and fees, the remuneration received by the publisher (subject to their consent), and the metrics used to calculate these amounts (Art. 5(9) DMA). Corresponding information obligations exist towards publishers (Art. 5(10) DMA). In addition, gatekeepers must grant advertisers and publishers free access to their performance measurement tools and the data necessary for an independent verification of the advertising inventory (Art. 6(8) DMA).
  • Data use: Gatekeepers may not use non-publicly available data generated by their business users to compete with these users (Art. 6(2) DMA). Upon request, they must provide free, high-quality, continuous, and real-time access to aggregated and non-aggregated data generated in the context of their use of the platform services (Art. 6(10) DMA).

3. Important First Compliance Steps

To fulfill the transparency obligations of the Data and Digital Acts, companies should check which Data and Digital Acts are relevant to them, as not every company is equally affected. Where the Data and Digital Acts are applicable, these measures are recommended for fulfilling transparency requirements.

AI Act

  • Inventory and risk classification: Create a register of all AI systems used and planned in the company.
  • High-risk AI: For systems identified as high-risk, start establishing risk and quality management systems.
  • User interaction and deepfakes: Review all AI systems that interact with users or generate/manipulate content for compliance with specific information and labeling obligations (Art. 50 AI Act).
  • GPAI models: If you develop or offer general-purpose AI models, prepare documentation on training data and information for downstream providers (Art. 53 AI Act).

Data Act

  • Pre-contractual information: Create or revise your pre-contractual information for customers to meet the requirements of Art. 3(2) Data Act (information on the type, scope, purposes of data use, access rights, etc.).
  • B2B contracts: Review existing and new data licensing agreements with other companies for compliance with the provisions on unfair clauses (Art. 13 Data Act).

Data Governance Act

Clarify whether your company falls within the scope. The Data Governance Act is primarily aimed at public sector bodies, so this will rather be the exception.

Digital Services Act

  • T&Cs adjustment: Review and update your General Terms and Conditions to meet the transparency requirements regarding your content moderation practices (Art. 14 DSA).
  • Transparency reports: Prepare for the creation and publication of transparency reports in accordance with Art. 15 DSA (all intermediary services) or Art. 24 DSA (online platforms). Observe the templates and deadlines issued by the Commission.
  • Advertising transparency: Implement mechanisms for clear labeling of advertising and for informing users about the main parameters of audience targeting (Art. 26 DSA).
  • Recommender systems: If you use recommender systems, ensure that users are informed about their main parameters and possibilities to influence them (Art. 27 DSA).

Digital Markets Act

  • Gatekeepers: Begin building systems to fulfill the detailed transparency obligations, e.g., regarding advertising metrics (Art. 5(9), (10) DMA) and data access for business and end-users (Art. 6(9), (10) DMA).
  • Business partners of gatekeepers: Inform yourself about your new rights and opportunities arising from the gatekeepers’ obligations (e.g., right to data access, prohibition of unjustified preference).

4. Conclusion

The Data and Digital Acts bring a wealth of new obligations for companies. A central and recurring element of all these regulations are the expanded transparency obligations. Violations are relatively easy for users, competitors, and supervisory authorities to identify. It is therefore particularly worthwhile to pay close attention here and prioritize measures in this area.

Feel free to contact us if we can help you with this or if you have any questions.

planit legal dr. bernd schmidt

Dr. Bernd Schmidt

Lawyer

Email: bernd.schmidt@planit.legal
Phone: +49 (0) 40 609 44 190

Search

Categories

Keywords

applicability B2C BGH Binding Corporate Rules Bitcoin ceases and desist orders commercial copying copyright-infring Data Processing data transfer DiGA Digital Health Applications E-Commerce EEA EFTA establishment EU-US-Privacy-Shield exceptions Federal Labour Court fines GDPR German Copyright Act German ID card Iceland ID card identity card Influencer International Data Transfer label Lichtenstein Marketing Media Privilege monitoring Norway photography photojournalists Purchase Ratings Safe-Harbor Sales scanning Social Media third country TMG

Autoren