Time To Deliver: Stakeholder Roles in the EU’s Delegated Act on Data Access

The European Commission has adopted the Delegated Act (DA) on data access under Article 40 of the Digital Services Act (DSA) on July 2. The DA specifies a number of important processes, details, and rules for researcher access to non-publicly available platform data. The DA is the last piece in the puzzle that is missing for researchers to be able to request data access from Very Large Online Platforms or Search Engines (VLOPSEs), many of which, such as Meta, X, or Google, reside in the US.

It is thereby noteworthy that the DA was published right before the deadline in the US-EU trade negotiations on August 1. It thereby heralds the beginning of a completely new paradigm in research data access. Gone are the days when access was dependent on platforms’ goodwill or personal relationships. With the DA in force, researchers have the right to access platform data, whether publicly available or not, as long as they meet the relevant criteria set out in the DSA.

While not answering all open questions, the adoption of the Delegated Act puts an end to much speculation and clarifies the Commission’s envisioned process, a simplified version of which is depicted below. It also marks the end of the period in which researchers, regulators, and platforms could avoid commitments or definitive answers by Delegated Act.

Given the DA adoption in June, it will likely come into force in Q4 of 2025, which means it's time to deliver on all sides. The DA is a unique blueprint that outlines rights and duties to all parties involved: The Digital Service Coordinators (DSCs), who will sit in the driver's seat; the researchers, who have to meet strict requirements; and the platforms, which have to follow the regulations and show that they are acting in good faith.

Regulatory and enforcement bodies: Ensuring smooth and fair processes

The European Commission has already delivered by setting up a pipeline for researchers to apply for data access. The Commission has already opened the DSA data access portal, which provides a central point for information and exchange, the link to which was published alongside the DA. Based on Art. 56(2) DSA, it also has exclusive powers to supervise and enforce all provisions applying to VLOPSEs and will thus need to continue keeping a close eye on the implementation of research data access.

With the Delegated Act, the Commission definitively strengthens the role of the Digital Service Coordinators. Most responsibility will fall onto Coimisiún na Meán, the Irish DSC and DSC of establishment (DSC-E) for most VLOPSEs in the EU, including Meta, X, TikTok, and Google. Once researchers have filed a request, the DA sets a clear timeframe that DSCs will have to adhere to. DSCs now have 80 working days to both verify whether all necessary elements are included in the data access applications, and formulate a reasoned request to the data providers — this is where harmonized procedures between national DSCs will be key for swift researcher vetting, something the European Board for Digital Services is already working on. The DSC-E will also have to handle potential amendment requests submitted by data providers (a process with a maximum duration of 30 days as specified in Art. 40(5-6) DSA) and may engage in a mediation in case it is requested by data providers, during which they can additionally involve the DSC of the member state as well as the principal researcher (which could again add 65 working days to the tally at most).

Therefore, the DA establishes a maximum duration of data access processes of 175 working days. This would mean that, at most, researchers may have to wait close to 9 months for access to be granted, with a response on the application arriving after 4 months at the latest. While this does seem like a long time and definitely means that people will have to wait some time until the first research based on privileged data access becomes available, researchers can now plan when and how to submit access requests when preparing research projects and funding applications. As part of this process, the DSC-E will also need to determine access modalities relative to the sensitivity of the data to be accessed. Throughout the text, the DA emphasizes that any legal, technical, or organizational conditions tied to these modes of access must be proportionate to the risks, both to users' data protection and to the platform’s security and trade secrets.

Hence, it is the regulators, who set the thresholds researchers have to meet for data access — from submitting a CSV file to the use of a data cleanroom — and if they want to make the DSA’s researcher data access a success, they will need to deliver by striking a balance between data security and thresholds of data sharing.

Researchers: Responsible research on systemic risks & mitigation measures

Researchers will also have to deliver in multiple ways: First, of course, by applying for data access. This system is new; it will not work flawlessly, but it needs to be tested, and this can only be done under real-world conditions. Now is the time for research teams to stick their heads together, discuss which systemic risks and mitigation strategies they want to study and how, and get to work drafting access requests.

Another point researchers, their institutions, and funding agencies need to deliver on is to provide the conditions for the responsible handling of the data they apply for. The DA specifies range of data security and protection measures that DSCs should consider when defining access modalities — such as DPIAs, encryption, access controls, storage limits, incident response and destruction plans, NDAs, data agreements, and mandatory training, all of which outline the space of legal, technical, and organizational requirements researchers must navigate to formulate reasonable access applications. While responsible research must rise to these standards to maintain public trust, it may pose significant challenges for researchers lacking the necessary expertise or institutional support.

Notably, the DA does not restrict the possibility of requesting data under the DSA to a specific region of the world. This becomes especially clear considering that it explicitly mentions safeguards for international data transfer to third countries or international organizations. As long as individuals and groups of researchers fulfil the requirements for privileged data access, set out DSA Art. 40(8) — and use the data solely for research on systemic risks inside the EU and the platforms’ mitigation measures, they are allowed to apply. In other words, studying systemic risk will unlock the reward of platform data for researchers. This is good news for an open research paradigm, as the EU avoids being a silo of platform research, as we have known previously from hand-picked platform cooperations within the US. But it also urges research from the EU to be open and even facilitate international collaborations. For many researchers in different parts of the world, this access will not be possible without strong European partner institutions. It is time for European researchers to expand their research networks.

Platforms: Productive engagement

Lastly, the platforms will need to deliver. It is likely that the duties that VLOPSEs will have under the DSA and the specifications of the DA are seen as a burden by platforms. While the atmosphere between CSOs and researchers with platforms can be tense at times, and has even led to court decisions regarding DSA 40, the ultimate and common goal should still be to jointly work towards platforms that protect, rather than expose, their users, as well as democracies within the Union, to harm.

To give researchers an idea of what data can be accessed and how, data providers will have to meet extensive transparency obligations foundational to meaningful data access. Compared to the DDA, the adopted version has kept the core obligations for platforms to provide an overview of accessible data alongside documentation (such as codebooks, changelogs and architectural documentation) and has only opted to adopt language closer to common practice in the industry (likely to avoid confusion) by referring to “data catalogues” instead of “data inventories”. Opening their black boxes in a meaningful way to researchers will be an important step to show that platforms act in good faith and take this process seriously.

The Delegated Act also specifically gives VLOPSEs the right to request amendments to reasoned requests and put in a request for mediation after receiving the decision on the amendment request. A mediator needs to be “impartial and independent and possess the relevant expertise related to the subject matter,” and VLOPSEs will be the bearers of all costs of the mediation procedure. The DA also specifies that if a mediation fails, the reasoned request resulting from the decision on the amendment request remains valid. It remains to be seen how such a process works, as neither the DSCs nor the researcher is obliged to be part of this process.

While this looks like an opportunity to for data providers to extent the process to the maximum duration, a way to deliver for them is also to not respond to any reasoned request by requesting amendments or a mediation, not only to avoid the costs on their end, but also to support researchers in doing their work which ultimately might help them to offer better and safer products.

Coming soon: Access in action

The Delegated Act on data access under the DSA provides much-needed clarity about both the access process and expectations towards the actors involved in it. It seems to centre mutual trust as the overarching paradigm: trust that platforms provide helpful documentation and high-quality data, trust that researchers protect the interests of platform users and ultimately the platforms themselves, and trust that the DSCs live up to their role as independent overseers.

Given all this, the Delegated Act sets out a good basis to continue to evolve existing structures, at best through cooperation and communication, and at worst in front of European courts.