
What the X Fine Reveals About Data Access Under Article 40 of the Digital Services Act

Oliver Marsh, LK Seiling / Feb 12, 2026

It’s a busy time for misinformation about misinformation.

On January 28, the Republican-led House Judiciary Committee published, on X, a document from the European Commission outlining the reasons behind its December decision to issue a €120 million fine against X for non-compliance with the EU’s digital safety rulebook, the Digital Services Act (DSA). The release of the inconsistently redacted version of the decision was presented by House Republicans as the revelation of “the EU’s full secret censorship decision.” It is the latest attempt in a years-long campaign to attach a censorship narrative to all EU digital regulation. The release of the EU document, which the Republicans said was obtained under subpoena, preceded the release of a 160-page report and a hearing on the same topic, both of which were full of misrepresentations that have been discussed on Tech Policy Press by Dean Jackson and Berin Szóka, amongst others.

The Commission is required to publish a version of its enforcement decision anyway, and will still do so after taking the rights of all the parties named in it into account. Still, the version of the document now in the public domain is worth scrutinizing, as it contains details as to how the Commission is thinking about various aspects of DSA enforcement. Chief among them are the data access provisions for researchers under Article 40 of the DSA, which are key to the law’s mechanism for accountability and public oversight of major technology platforms.

What is Article 40?

Article 40 requires Very Large Online Platforms and Search Engines (VLOPSEs), including X, to provide data access to researchers who meet certain requirements. In particular, researchers must be independent from commercial interests, able to fulfill data protection requirements, and the data they request must be “proportionate and necessary to carry out their research for the purposes of the detection, identification and understanding of systemic risks in the Union.”

Article 40 is subdivided into provisions that concern two forms of data. Article 40.12 requires platforms to provide access “without undue delay to data, including, where technically possible, to real-time data, provided that the data is publicly accessible in their online interface.” This provision has been in effect since 2023, and it is the relevant Article in the decision around X’s non-compliance. A second provision, Article 40.4, allows researchers who meet additional requirements to apply, via national regulators, for access to non-public data. However, this provision only fully came into effect in October 2025 and is not relevant to the fine, although in its decision the Commission notes multiple points at which X confuses 40.4 and 40.12.

So in all the below, the data in question is “publicly accessible in [X’s] online interface” and not the “coveted” back-end data as claimed by the Judiciary Committee report. In fact, as noted by the Commission throughout the decision, the data access offered by X was equivalent to its “Pro” API tier, and thus could be accessed by anyone who pays X $5,000 or more per month. The Commission is not attempting to enforce the creation of new forms of data access, but rather ensuring public interest access to publicly accessible data. This is important, since even if the data is public, blocking automated access to it drastically limits the scale and effectiveness of possible research.

What do we learn from the document?

The Commission’s decision reveals specific details of its preliminary findings against X, issued in July 2024, which were publicized but with little detail. Independent researchers have long been vocal about the shortcomings of X’s offerings for researcher data access, which is seen as overly restrictive procedurally, technically and contractually. However, there has also been criticism of the Commission for providing limited feedback to such complaints. The fact that the Commission’s decision references many of these complaints, drawing on exchanges and interviews with more than 20 researchers and experts, is welcome.

The decision broadly describes four issues with researcher access to public data:

  • X had an overly restrictive interpretation of the eligibility requirements for researchers.
  • The review processes put in place did not meet the basic standards set out by Article 40.12.
  • Any data access granted by X had overly limited quotas and duration.
  • X prohibited independent researcher access, including through scraping.

The decision includes a summary of all the relevant issues, the evidence underlying them, X’s response to them, and the final evaluation of the Commission. Except in the case of access duration, X was found to be in breach of Article 40.12 of the DSA, “infringements of a serious nature” priced at €40 million, 30% of the overall fine.

While these issues themselves are not surprising, the positions presented by the Commission are mostly reassuring, and it is very helpful to see them in more detail than previously.

Confirmed: No need for costs, affiliation, or being in the EU

Article 40 does not reference costs, and this lack of clarity has been a significant worry plaguing researchers. Elon Musk’s X attempted to capitalize on researchers by dismantling Twitter’s free data access program, steering rejected applicants toward paid API options. However, the decision states clearly that access costs, particularly without dedicated alternatives, unlawfully restrict research use of publicly accessible data under the DSA.

Another point of contention has also been whether researchers need to be affiliated to any institution or organization in order to receive access. However, in the decision the Commission clarifies that this requirement applies only to access to non-public data and that Art. 40.12 prohibits VLOPSEs from denying access to researchers solely based on their (non-)affiliation.

Finally, X rejected applications from non-EU researchers on what it claimed were data protection grounds, even though no such reference to location is made in Article 40.12. The Commission reiterates that Art. 40.12 only imposes a geographical requirement that the research contributes to the detection, identification and understanding of systemic risks in the Union. The law does not say that researchers themselves need to be based in the EU. In fact, it is X that needs to ensure compliance with the EU’s General Data Protection Regulation (GDPR) if data is transferred outside the Union.

Procedural barriers need to be dismantled

Many of the issues raised by the Commission in the document are not about principles of data sharing, but rather generally poor compliance practices. The decision gives insight into just how little X was prepared to process researcher applications, and how the application review process was set up in ways that delayed and discouraged applications.

According to internal documents reviewed by the Commission, for 5 months after Article 40.12 came into effect, X lacked any defined process for the assessment of applications and did not grant a single application. Although the Judiciary Committee (and/or X) redacted most numbers about acceptance and rejection, they, for some reason, left unredacted the acceptance rate in May 2024, which was just 4.7%. X would often demand additional information on particular points of application before rejecting them on a totally different point. There were no details to properly contest a justification, and no replies to questions or requests to provide more information. X “repeatedly failed to reply to applicants for more than a month and sometimes failed to reply until applicants enquired”—this while itself demanding replies within 2 weeks. This may partly stem from the fact that X “mentioned only three employees working part-time on assessing data access requests,” and “no indication was provided of their familiarity with the state of the art of research.”

All this corroborates the experiences of many applicants (see, for example, AlgorithmWatch’s blocked attempts to get data access from X to study non-consensual sexualization or the insights into data gathered by the DSA40 Data Access Collaboratory). This clearly describes how researcher access procedures should not be implemented.

‘Systemic risks’ should be interpreted broadly

For access under Art. 40.12, the DSA imposes a purpose limitation on data requests, namely that access needs to be used “solely for performing research that contributes to the detection, identification and understanding of systemic risks in the Union.” A (non-exhaustive) list of broad systemic risk categories, including, for example, risks to fundamental rights and public security, is provided in Article 34. However, the concept remains unclear and needs to be developed further. Still, the decision by the Commission includes some important clarifications, in response to an overly narrow interpretation by X as grounds for rejection.

As we understand it, the argument goes like this. Imagine you are a US-based researcher trying to collect posts to study information operations against various elections in multiple countries including some EU Member States—so a “systemic risk to electoral processes” in the EU, which is amongst the list in Article 34. X would have (incorrectly) first rejected because you’re not based in the EU. It would then argue that your research looks at uses made by bad actors of X, not “structural and operational systems characteristics” (in their words) of X. Also, you did not specify that you would only collect data that was directly about the EU. As such, your application is not “directly and exclusively” about systemic risks in the Union. Much of this follows from interpreting the language of Article 40.12, that researchers are only ‘qualified’ if they use the data “solely for performing research that contributes to the … understanding of systemic risks in the Union.”

The Commission rejected this as too narrow, since (i) studying use and content, not just design or functioning of a VLOPSE, is relevant, (ii) “it is justified for a research project to also consider wider geographical contexts where this is necessary to strengthen the contribution of the study for the understanding of systemic risks in the Union” and (iii) that “solely” refers to the use made of the data provided, and the language also states proposed research “contributes” to research on systemic risks. So collecting posts about elections worldwide, to understand how actors might target EU elections, is research contributing to understanding systemic risks in the Union.

The Commission also goes out of its way to stress that this understanding of systemic risks means that “a large array of research fields (including but not limited to political science, media studies, economics, psychology…), types, scopes, and methodologies”, including “both quantitative and qualitative methodologies, large-n as well as small-n studies, comparative studies, descriptive, inductive, or explorative studies” can draw on DSA-enabled data access to contribute to knowledge creation about systemic risks.

It is welcome to see this broad interpretation written down by the Commission. Research can take on a variety of forms, and often precisely strives to locate and contextualize potentially relevant material within a wider dataset. Data access should not depend on preemptively and prescriptively deciding what will be “relevant.”

Qualified researchers must be able to scrape

A key topic in the research community is whether scraping presents a viable alternative to accessing data via the platforms’ “permissioned” structures, such as their official APIs. The biggest concern here is often legal risk. X has been at the forefront of aggressively suing researchers for data access (though Facebook also threatened AlgorithmWatch in 2021). There are concerns that signing terms of service to gain permissioned access can create additional legal liability if you also scrape.

The Commission addresses these concerns, clearly stating that “a contractual prohibition to independently access data” is “in direct contradiction with Art. 40.12.” Based on this, the decision requests X to refrain “from contractually prohibiting Qualified Researchers from independently accessing data that is publicly accessible in X’s online interface, such as by means of data scraping, including by adapting the wording of X’s terms of service.”

Those conducting scraping should still be “eligible researchers” under 40.12, i.e., “capable of fulfilling the specific data security and confidentiality requirements”. Scraping, even of public data, comes with responsibilities to ensure data protection. There has been extensive work on responsible and ethical use of platform data by organizations like the Knight Georgetown Institute, GESIS and the European Digital Media Observatory, with the latter even producing model data sharing agreements. This work can now proceed with more confidence of legal protection for researchers eligible for 40.12 access.

If such researchers wish to ensure the platform(s) agree they are “qualified”, and therefore avoid their scraping being blocked and challenged, they can request permission to scrape from platforms. But the Commission decision argues this is not required under 40.12, as seeking ex ante permission may create an “undue delay” which would be “consequently noncompliant” with the wording of Article 40.12. So researchers with a higher risk tolerance or time pressure can scrape without ex ante permission. Given that platforms like X can (and do) identify scrapers, they would run the risk of being blocked. At this point they would need to contact the platform and demonstrate that they meet the eligibility criteria to be permitted to continue (e.g. by having the relevant IP whitelisted).

What now?

Following the Commission’s decision and fine, X is required to draw up an action plan by mid-April 2026. Specifically, X is asked to:

  1. Refrain from imposing restrictive eligibility requirements (in particular regarding a narrow understanding of systemic risk as well as the affiliation and geographic location of researchers).
  2. Provide free-of-charge access to the X API without undue delay, including by reworking their vetting procedures.
  3. Enable applicants to request extensions of API quotas.
  4. Refrain from contractually prohibiting researchers from independent access to data like scraping.

More broadly, the Commission’s decision offers welcome recognition of complaints voiced by advocates of data access and clarity regarding key aspects of the EU’s framework for publicly accessible data.

Still, there are some open questions. The Commission says that “research that contributes to the … understanding of systemic risks in the Union” can be interpreted broadly, but the data should still be used in a way that “solely” contributes to this purpose. This leaves open what “used” would mean, i.e. the extent to which any outputs based on the accessed data must solely contribute to the understanding etc. of systemic risks in the Union, and how this would be implemented. Also, while mentioned throughout the decision, it is still unclear which path researchers should take to challenge an unfounded decision by a platform.

It will be interesting to see how X and other platforms respond to these lessons. The Commission has been clear that limiting access on grounds of systemic risks, affiliation, and location is less likely to be compliant. Rejections may therefore shift towards explicitly referencing applicants’ data protection measures, demonstrations of independence, etc. However, with the rollout of Article 40.4, national coordinators will be increasingly providing precedents on these aspects. Together with lessons from this recent document, such cumulative decisions can support trustworthy research infrastructure and challenge further attempts to restrict researcher data access.

Authors

Oliver Marsh
As Head of Tech Research, Oliver Marsh leads AlgorithmWatch's research work and partnerships on policy areas including the Digital Services Act and the AI Act. He is also responsible for integrating its research strategy into campaigning and advocacy. Oliver previously worked on platform and data go...
LK Seiling
LK (Lukas) Seiling is responsible for the coordination of the #DSA40 Data Access Collaboratory, a joint project by the European New School of Digital Studies (ENS) and the Weizenbaum Institute. Their academic background is in psychology, cognitive systems, and human factors. Since 2020, they have be...
