A delegated act on data access is currently going through consultation. It clarifies the procedures leading to the sharing of data by very large online platforms and search engines (VLOPs and VLOSEs) with vetted researchers. It also specifies conditions for providing such data and establishes a DSA data access portal to serve as a one-stop-shop for researchers, data providers and Digital Services Coordinators (DSCs).
To read the full text of the delegated act, please visit this page. The deadline has been extended and you can now provide feedback until10 December 2024.
What is the Digital Services Act (DSA)?
The Digital Services Act (DSA) is a set of rules that regulate the responsibilities of online intermediaries, including platforms such as social media networks and online marketplaces. The aim of the DSA is to create a safer digital space where the fundamental rights of all users are protected. It sets out clear due diligence obligations for platforms according to their roles, size and impact on the online world. The DSA also establishes mechanisms for the removal of illegal content and the effective protection of users’ fundamental rights online, including freedom of speech.
The transparency and reporting obligations in the DSA create opportunities for stronger public oversight of online intermediaries, with a special set of obligations for those online platforms and search engines that reach an average of more than 45 million monthly users, which corresponds to around 10% of the EU’s population. These intermediaries are formally designated by the Commission as Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs).
Why is the DSA relevant to researchers?
The DSA includes a provision granting researchers unprecedented access to the data of very large online platforms and search engines when certain conditions are met. The aim is to enable a deeper understanding of the way society is shaped by the online world, as well as support effective oversight of DSA compliance.
Before the DSA, this type of data allowing independent research on systemic risks was based on voluntary initiatives by the online platform providers. This resulted in limited research possibilities for third parties to analyse and monitor the impact of platform providers’ choices on the online ecosystem.
Article 40 of the DSA requires providers of VLOPs and VLOSEs to provide access to their data for the purpose of conducting research that contributes to the detection, identification and understanding of systemic risks in the EU. Research can also contribute to the assessment of the adequacy, efficiency and impacts of risk mitigation measures taken by providers of VLOPs and VLOSEs.
Which platforms and search engines does Article 40 apply to?
Data access obligations apply to providers of designated VLOPs and VLOSEs.
What access is provided to researchers under Article 40 of the DSA?
For researchers who want to conduct research that contributes to the detection, identification and understanding of systemic risks in the European Union, Article 40 provides for different access possibilities:
- Pursuant to paragraph 12, researchers, including those affiliated to not-for-profit bodies, organisations and associations, meeting the relevant conditions, can get access to data that is publicly accessible in the VLOPs’ and VLOSEs’ online interfaces.
- Pursuant to paragraph 4, researchers meeting additional conditions, can apply for access to VLOPs’ and VLOSEs’ non-public data, by submitting a data access application to the relevant Digital Services Coordinator.
What is a Digital Services Coordinator (DSC) and what is their role in helping researchers obtain access to data?
Digital Services Coordinators (DSCs) are independent authorities that have been appointed by each EU Member State. The DSCs are responsible for supervising DSA compliance of intermediary services established in their country. Another responsibility is to assess researchers’ applications for data access. They will also act as link between the researchers and the VLOPs/VLOSEs.
Researchers can either submit their application for data access to the DSC of the Member State of the research organisation they are affiliated to or directly to the DSC where the provider of the VLOP or VLOSE whose data they want to access is established. In either case, the decision whether to request data access on behalf of the researcher rests with the DSC of establishment of the respective provider of the VLOP or VLOSE. When a researcher applies to their “local” DSC, that DSC will transmit the application, together with an initial assessment of that application, to the DSC of establishment.
What are the conditions to be fulfilled by researchers to get access to the data?
To access publicly available data, pursuant to Article 40 (12), researchers must:
- Be independent from commercial interests
- Disclose the funding of their research
- Be able to fulfil data security and confidentiality requirements and to protect personal data
- Access only data that is proportionate and necessary to carry out their research for the purposes of the detection, identification and understanding of systemic risks as laid out in Article 34(1) of the DSA
To become a “vetted researcher” and access data pursuant to Article 40(4), in addition to the conditions above, researchers also have to demonstrate also that:
- They are affiliated with a research institution (as defined in Art. 2(1) of Directive 2019/790)
- The planned research activities will be carried out for the purposes of detection, identification and understanding of systemic risks as laid out in Article 34(1) and/or to assess risk mitigation measures as outlined in Article 35 of the DSA
- They commit to making the research results publicly available, free of charge.
The assessment of the fulfilment of the conditions for obtaining the vetted status is done by the Digital Services Coordinators. The Commission is currently preparing a Delegated Act to specify the procedures and conditions for access to data pursuant to paragraph 4 of Article 40 DSA.
What research topics are supported by Article 40 of the DSA?
To gain access to VLOP and VLOSE data as a “vetted researcher”, the research proposed in the application to the DSC must contribute to the detection, identification and understanding of systemic risks in the EU and/or to the assessment of the adequacy, efficiency and impacts of risk mitigation measures.
The systemic risks under consideration, as outlined Article 34(1), are:
- The dissemination of illegal content
- Negative effects for the exercise of fundamental rights, in particular the rights to;
- Human dignity
- Respect for private and family life
- Protection of personal data
- Freedom of expression and information
- Non-discrimination
- Respect for the rights of the child
- A high level of consumer protection
- Negative effects on civic discourse and electoral processes, and public security
- Negative effects in relation to
- Gender-based violence
- Protection of public health and minors
- Serious negative consequences to personal physical and mental well-being.
When will researchers be able to apply for data access?
Researchers will be able to apply for access to data once Member States have appointed their respective Digital Services Coordinators and a forthcoming delegated act which lays down the specific conditions under which VLOPs and VLOSEs are to provide data is adopted. A call for evidence to inform the work on the delegated act took place in spring of 2023, and an analysis of the responses was published in November. The delegated act is currently going through a consultation process and is set to be adopted in 2025.
If I am not a “vetted researcher” what data can I access?
Providers of VLOPs and VLOSEs have to give researchers who meet the following sub-set of conditions of “vetted researchers” access to publicly accessible data without undue delay. If it is technically possible, they should provide real-time data.
For this type of access, the researcher must be independent from commercial interests, disclose the funding of their research, be able to fulfil data security and confidentiality requirements, and explain how access to the data and the indicated timeline is necessary and proportionate to the purposes of the research. The data must also be used solely for performing research that contributes to the detection, identification and understanding of systemic risks in the Union.
What happens if a VLOP or VLOSE does not provide access to publicly accessible data?
On 18 January this year, the Commission sent requests for information to 17 VLOPs and VLOSEs on the measures they have taken to comply with the obligation to give researchers access to publicly accessible data. Since then, formal proceedings have been opened against AliExpress, Meta and TikTok, all of which include suspected shortcomings in giving researchers access to publicly accessible data as mandated by Article 40.
Furthermore, preliminary findings have been released in proceedings against X, which includes findings that X fails to provide access to its public data to researchers. In particular, X prohibits eligible researchers from independently accessing its public data, such as by scraping, as stated in its terms of service. In addition, X's process to grant eligible researchers access to its application programming interface (API) appears to dissuade researchers from carrying out their research projects or leave them with no other choice than to pay disproportionally high fees. If these preliminary findings are ultimately confirmed, a non-compliance decision would entail both a fine and an order for X to take measures to address the breach.
Details
- Publication date
- 13 December 2023 (Last updated on: 21 November 2024)
- Author
- Joint Research Centre