Navigating the Digital Regulatory Landscape: 2023

Most predictions fail. On the other hand, the ability to anticipate the unknown is an invaluable skill. What is certain is that next year will require attention and quick learning from anyone affected by European #digitalregulation. Let’s have a look at what’s coming up or will have significant importance in 2023.

The coming year will be a crucial one for online advertising service providers and all businesses that rely heavily on #adtech online advertising. ?Here are some of the regulations to watch:

• The Digital Markets Act (DMA) regulation will be applied from May 2, 2023. The regulation bans the combining of data from different sources by major players in the digital market. The effect of this could be a reduction in the depth of profiling of individuals, and therefore less effective online targeting for advertising. However, the ability to combine data will be preserved if the user will give their consent. The big question is whether these changes will help the leading platforms or alternatives to the market leaders.?Will the changes create opportunities for alternative advertising methods, such as contextual advertising?
• The Digital Services Act (DSA) regulation will partially apply as of February 17, 2023, and will fully come into force a year later. The regulation imposes a ban on the use of sensitive data, such as health data, as well as data on children, by online platforms for profiling purposes for advertising. Organizations operating in the #healthcare field may be particularly affected.
• Also relevant will be the preliminary questions to the Court of Justice of the European Union included in the appeal that IAB Europe has filed against the decision 21/2022 of the Belgian Data Protection authority. This case before the CJEU could be crucial for the rules on the use of #cookies and similar technologies, while at the same time affecting the definitions of ?basic institutions (key concepts in the sphere of personal data protection, such as ?"data controller", the concept of "consent" or the question whether the TC String (a digital signal containing user preferences) can be considered as "personal data" under the GDPR. However, this crucial ruling may not even be issued until 2024.

Very significant impact may be felt from ?regulations in the areas of #consumer and #antitrust law for digital markets.

• The DMA and DSA will impose a ban on "forcing" users to use certain very large online platforms services, including user logins and authentication. In addition, there will be a ban on "cybergiants" giving preferential treatment to their own services or applications, such as the use of a particular web browser. Another change intended to improve consumer rights is the ?change to the opt-out of services (applications), which will have to be as easy and intuitive as setting them up or installing them.

Another area to watch are new rules for content moderation under the DSA: rules for ?banning users, rules for protection against manipulative practices, #darkpatterns and content selection.

• Most notably it will be necessary for online platforms to implement an internal complaint-handling system and out-of-court dispute settlement process. In other words, removing users or banning specific content will require the implementation of policies based on which content moderation decisions will be made. Each decision will require proper justification. There will need to be a procedure for lodging ?complaints against the decisions taken by the online platform on the ground that the information provided by the recipients is illegal content or incompatible with the platform’s terms and conditions. Platforms will need to allow complaints to be lodged electronically and free of charge.

Very large online platforms shall identify, analyse and assess the risk of intentional manipulation of their service, including by means of inauthentic use or automated exploitation of the service, with an actual or foreseeable negative effect on the protection of public health, minors, civic discourse, or actual or foreseeable effects related to electoral processes and public security.

One more regulation to watch will be the EU-US Data Privacy Framework for transfers of personal data to third countries or international organisations.?Will there be a ?EC adequacy decision in 2023?

• In December 2022, the European Commission launched the process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework, which is intended to foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020. This is a result of the past two years of work carried out to develop mechanisms for data transfers to the United States. This time, unlike the former Safe Harbour or Privacy Shield, the draft directly incorporates GDPR provisions. The significant milestone for transatlantic data transfers was Executive Order 14086 "Enhancing Safeguards for United States Signals Intelligence Activities" signed on October 7, 2022 by President Biden, which introduced new safeguards for U.S. signals intelligence activities. My attention will certainly be drawn to the extent to which decision-makers will bend to the issue of US intelligence activities in practice and how it will be evaluated.

Finally we need to recognize an urgent need for legal regulation for artificial intelligence: will a legal framework for AI be developed in 2023?

• Machine-learning generated content has major implications for the whole digital and creative industries. 2022 ?closed with #DALLE2 and #ChatGPT demonstrating the extraordinary abilities of #AI using natural language models. Fascinating developments, but ?some concerns are clearly justified. These developments ?may affect the increase in the pace of work on #AIACT. In turn, this regulation may soon have more significance than it is given at the moment.
• Germany's Constitutional Court (Karlsruhe) will rule in 2023 on an interesting case involving the use by German police in Hesse and Hamburg of "Gotham" software developed by Palantir, which uses artificial intelligence. It is argued that it can be used to search vast amounts of social media data to create profiles of suspected criminals before any crimes have actually been committed. The case mainly concerns the grounds for using a certain range of data, including data of people who are not suspects, are unrelated people or even victims of crimes. Nevertheless, the case points to the frequent interface between personal data protection regulation, human rights and artificial intelligence.

Data sharing across Europe: another stage for the data economy?

• The Data Governance Act (DGA), which came into force in 2022, will be applied from September 23, 2023. The regulation facilitates the reuse of public sector data, introduces mechanisms for secure processing environments and anonymization techniques such as differential privacy and creation of synthetic data. It is intended to enhace data-driven innovation and bring benefits for companies and individuals through e.g. sharing mobility or health data stored by public sector bodies.
• The much-discussed #DataAct is also on the horizon in the perspective of 2023. While it is likely that this regulation will not be adopted in 2023, we will certainly take note of it in the coming months. The regulation is a very important development for all entities that operate in the IoT market, as well as entities that would like to obtain data generated by IoT devices in the future. At the end of 2022, the EC presented another proposal of the Data Act and - taking into account the sceptical response of the market – this likely not the last draft. In addition, it is a very interesting regulation sometimes referred to as the "civil code" for data or even the first specific regulation laying the groundwork for mergers and acquisitions of personal and non-personal data.

The regulatory challenges faced in the digital age are numerous and complex. It will be important for businesses, consumers, and regulators to work together to find solutions that balance the need for innovation and consumer protection in the constantly evolving digital landscape.