The European Commission released the draft of its long-awaited Delegated Act on Data Access, open for public feedback until 26 November. The draft outlines rules for the “vetted researcher” mechanism, allowing researchers including civil society organisations (CSOs), to request data access from Very Large Online Platforms (VLOPs) and Very Large Search Engines (VLOSEs) through Digital Services Coordinators (DSCs).
On 14 November 2024, DRI hosted a roundtable with 18 representatives from the European Commission and Civil Society Organisations to discuss the implications of the new Delegated Act framework on CSO research. On 25 November, we submitted the following feedback and recommendations to the European Commission’s Delegated Act with contributions from Das Nettz, Fundación Maldita.es, and Science Feedback.
We appreciate the European Commission’s efforts in shaping the data access framework under the DSA. We recognize that this is a complex issue, intersecting with various regulations and requiring significant coordination among different authorities.
Before addressing potential areas for improvement, we would like to highlight some of the most positive aspects of this Delegated Act that we strongly believe should remain part of the framework:
- We appreciate the inclusion of Art. 15 (3) in the Delegated Act, which states that data providers cannot impose “archiving, storage, refresh, and deletion requirements that hinder the research referred to in the reasoned request in any way.” Given that the vetted researcher mechanism represents the most stringent form of data access for researchers, we believe that this provision should also extend to Art. 40 (12), which is less restrictive. Put simply, if such requirements are prohibited in the most restrictive mechanism, they should not be permitted in a less restrictive context either.
- We also commend the inclusion of an Independent Advisory Mechanism as a third-party body that DSCs may consult when assessing data access applications and amendment requests. However, we recommend making this consulting mechanism mandatory, at least during the initial years of the data access framework’s implementation, to help establish a solid baseline for future cases.
- Finally, we welcome the introduction of a Data Access Portal, which will be essential in streamlining data access applications. In particular, the requirement for DSCs to publish their reasoned requests in the portal (Art. 11) and making them publicly available will undoubtedly help researchers to understand the types of research questions covered by the vetted researcher mechanism and get an overview of previously conducted research that they can be built on.
Feedback and Recommendations
A. Comments on Section II “Information and contact obligations”
A.1. Data Inventories and metadata documentation: transparency, standarisation and quality issues
Context: Article 6(4) of the Delegated Act mandates that VLOPs and VLOSEs (i.e., “data providers”) must publish an “overview of the data inventory of their services,” which includes “examples of available datasets and suggested modalities to access them.” This requirement is a key feature of the Delegated Act, aimed at bridging the gap in researchers’ understanding of data available from online platforms. Recital (12) of the Delegated Act highlights that “the data that can be applied for to study systemic risks in the Union may vary over time”.
Recital (26) of the Delegated Act further requires data providers to include relevant metadata and documentation describing the available data, such as codebooks, changelogs, and architectural documentation.
Our concerns
Transparency: data providers should not be limited to sharing an “overview” of their data inventories. Instead, they should provide a comprehensive structure of the data they collect, with the only exception being data that poses a risk to trade secrets. This expectation should also apply to data documentation, which would also greatly benefit from standardised formats. Consistent documentation practices would make it easier for researchers to interpret and compare similar data across different platforms.
Definition of “data”: Article 40(4) specifies that researchers should be granted access to data “for the sole purpose of conducting research that contributes to the detection, identification, and understanding of systemic risks in the Union.” While this provision has primarily been interpreted as referring to user-related data from VLOPs and VLOSEs, we believe it should also encompass other types of data such as information on platforms’ internal processes for handling harmful content and data on the enforcement of their own policies.
Accuracy: The Delegated Act does not specify measures to ensure that data inventories accurately reflect the data collected by platforms. We do recognize, however, that the European Commission and DSCs have other mechanisms within the DSA to verify data accuracy, such as those outlined in Art. 40 (1) DSA and the third-party audits in Art. 37 DSA which aim to assess compliance with all obligations in Section V, Chapter III of the DSA, including data access obligations. It would be beneficial nonetheless to explicitly include these auditing mechanisms in the text of the Delegated Act.
Quality: there should be a mechanism for DSCs to verify the quality of the data provided. For example, this quality check could be integrated into the ongoing review process for appropriate access modalities, as stipulated in Article 9 of the Delegated Act. Crucially, DSCs should actively gather feedback directly from researchers to assess whether the access modalities are working as intended and the datasets meet the required quality standards.
Scope: the Delegated Act should explicitly state that data inventories do not represent all potentially accessible data. Researchers should have the ability to request data they believe is collected by platforms, even if it is not listed in the inventory. In cases where the requested data is not available, platforms can always submit an amendment request explaining the reasons for inaccessibility and clarifying whether the restriction is permanent or temporary, as required by Article 12(2)(a) and (b).
Our recommendations
- Data providers should provide a detailed structure of the data they collect, rather than just an overview.
- Standarised formats for metadata and documentation would facilitate the use and comparison of the datasets by researchers.
- Recital (12) of the Delegated Act should include a clear statement that data inventories do not reflect all potentially accessible data from data providers.
- Article 6(4) of the Delegated Act should include a requirement for data providers to update their data inventories regularly.
- Consider explicitly mentioning the options that the Commission and the DSCs have to verify the accuracy and quality of the datasets available from data providers (e.g. third-party audits under Art. 37 DSA).
- Data on platforms’ internal processes for managing harmful content and enforcing their policies should be explicitly considered as eligible for access by vetted researchers.
B. Comments on Section III “Requirements for formulating and assessing reasoned requests”
B.1. The conditions laid down in Article 40 (8) should be interpreted differently for the “vetted researcher mechanism” and the “publicly available data mechanism”.
Context: The Delegated Act (DA) lays down the technical conditions under which VLOPs and VLOSEs will provide data under Art. 40 para. (1), (4) and (8) of the DSA. Art. 40 (4) deals with a specific set of data: non-public data. In contrast, Art. 40 (12) deals with access to publicly available data. While both articles cover two distinct sets of data, para. (12) also refers to some of the conditions outlined in para. (8), specifically those in points (b) to (e). Due to this overlap, the Delegated Act could have an indirect effect on the way Art. 40 (12) will be understood and implemented. The Delegated Act should clarify this connection.
Our concern: Ever since the adoption of the DSA access to publicly available data has become very difficult. Data providers have overhauled their access to data regimes with the result that some consistently refuse data access with no justified reason while others have made it less meaningful and more cumbersome. The risk of the Delegated Act is that it will further complicate research to public data access, in contradiction to the language, legislative intention and meaning of paragraph 12.
The ratio legis of Art. 40 (12) DSA is that publicly available data should be treated differently to other sets of data. From a data protection standpoint, publicly available data is manifestly less sensitive than private data (see Art. 9, para. 2 (e) of the GDPR). Para. 12 reflects that difference and, hence, makes access easy and fast – the article even says that real-time data access should be available where technically possible. In the interest of speed (without “undue delay”) and easy access, paragraph 12 establishes a direct connection between the providers and the researchers. The DSCs are not involved in this process. Another key difference is that para. (12) opens up the types of organisations that can request access. Where para. 8 is limited to researchers “affiliated to a research organisation as defined in Art. 2, point (1) of Directive (EU) 2019/790”, access to publicly available data should be granted to researchers “including those affiliated to not for profit bodies, organisations and associations”.
In relation to public data, recital 98 of the DSA notes that “providers of very large online platforms or of very large online search engines should be encouraged to cooperate with researchers and provide broader access to data for monitoring societal concerns through voluntary efforts (…).” The legislative intention is clear: research access to public data should be broad and uncomplicated.
The wording of Para 8 itself signals that it has a different meaning depending on the context noting in (e): “(…) their application demonstrates that their access to the data and the time frames requested are necessary for, and proportionate to, the purposes of their research, and that the expected results of that research will contribute to the purposes laid down in paragraph 4;”. Necessity and proportionality should hence be different for public data, than for non-public data.
In short paragraph 12, sometimes dubbed the “Crowdtangle” rule, should allow non-profit organisations to conduct research to provide timely evidence to the regulatory regime of the DSA.
The risk that the Delegated Act must mitigate is that the reference in paragraph 12 to provisions of paragraph 8 b.) – e.) results in a heavy regulatory burden on the rights-bearers of paragraph 12 (including non-profit organizations), which is inconsistent with the ratio legis, the intent of the legislator (recital 98) and the wording of paragraph 12. Imposing the same interpretations of the vetting criteria to paragraph 4 and 12 would violate the very idea that differentiates the two: the element of speed and easiness of data applications in paragraph 12.
In the case law of the CJEU it is common that legal provisions may have a different meaning depending on the context. One only needs to look at the extensive case law on the meaning of “worker” under EU law.
In conclusion, when data providers apply article 8 paragraphs b.) – e.) in the context of paragraph 12, they should do so in a way that reflects the meaning, the legislative intention and the wording of that paragraph.
Our recommendation: We strongly encourage the Commission to clarify in the recitals of the Delegated Act that the framework proposed by the Delegated Act applies exclusively to the “vetted researcher mechanism”, while Art. 40 (12) DSA and its reference to the points listed under Art. 40 (8) DSA should be interpreted in line with the purpose, intention, and wording of paragraph 12.
B.2. Interpretation of “scientific research” should include research by Civil Society Organisations
Context: Article 40.8(a) of the Digital Services Act (DSA) states that eligible researchers must be “affiliated to a research organisation as defined in Article 2, point (1), of Directive (EU) 2019/790.” According to this Directive, a “research organisation” is defined as a university (including its libraries), a research institute, or any other entity whose primary objective is conducting scientific research.
Our concern: whether CSOs research will qualify as “scientific research” will depend on how flexible DSCs are in interpreting this term. The definition of “scientific research” is not universally agreed upon and remains a topic of debate. Directive 2019/790 itself provides limited clarity, with Recital (12) stating that “‘scientific research’ within the meaning of this Directive should be understood to cover both the natural sciences and the human sciences” and that “research organisations in the Member States generally have in common that they act either on a not-for-profit basis or in the context of a public-interest mission recognised by the State.”
Similarly, the Preliminary Opinion on Data Protection and Scientific Research by the European Data Protection Supervisor1 provides a rather broad definition of the term: “scientific research applies the ‘scientific method’ of observing phenomena, formulating and testing a hypothesis for those phenomena, and concluding as to the validity of the hypothesis. (…) The conduct of research must allow testing of hypotheses, with both the conclusion and the reasoning transparent and open to criticism. Openness and transparency help distinguish between science and pseudo-science” (Page 10).
The interpretation of “scientific research” under the Delegated Act framework should align with these inclusive definitions and explicitly encompass research conducted by CSOs. While CSO research may fall outside traditional academic settings, it offers notable advantages, such as providing timely and actionable insights which are crucial for enforcement.
Our recommendation: We encourage the Commission to include a provision in the recitals of the Delegated Act explicitly stating that the interpretation of “scientific research” should encompass research conducted by civil society organisations.
B.3. Delegated Act should include a provision clarifying the interpretation of Art. 8(3)(6) in light of practical obstacles faced by researchers
Context: Before formulating a reasoned request, DSCs must verify and assess whether the research project “cannot be carried out with alternative existing means such as using data available through other sources” (Art. 8(3)(6) of the Delegated Act). Recital (12) specifies that these alternative sources may include “public data access modalities and tools”.
Our concerns: Art. 40(12) of the DSA states that researchers, including those from CSOs, should have access to publicly available data from VLOPs and VLOSEs without undue delay. In practice, however, these mechanisms often do not work as intended. Even when researchers meet all the required conditions, platforms may add extra, non-mandatory requirements or fail to respond to data access requests altogether. These issues have been documented over the past year by various organisations resulting in the European Commission launching its enforcement actions (e.g. X potential infringements of Art. 40 (12)).
It is important to interpret Art. 8(3)(6) of the Delegated Act in light of these practical obstacles. DSCs should recognize that, while a research project might theoretically rely on publicly available data, platform-imposed delays and restrictions can significantly impede access. Therefore, DSCs should ensure that researchers have genuinely tried to obtain data from alternative sources and, when evaluating compliance with Art. 8(3)(6), take into account any platform-related obstacles the researchers faced.
This interpretation is particularly relevant because the European Commission has not issued guidelines or standards for implementing Art. 40(12) DSA, nor is there an independent body that researchers can turn to when platforms unfairly deny data access. Of course, the European Commission can start enforcement cases, but these most likely will not address individual infringements. Additionally, data scraping remains a legal grey area, particularly concerning potential GDPR violations. As a result, the vetted researcher mechanism may be the last resort for researchers to access publicly available data.
Our recommendation: The Delegated Act should include a provision clarifying the interpretation of Art. 8(3)(6): “DSCs should ensure that researchers have made genuine efforts to obtain data from alternative sources and, when verifying Art. 8(3)(6), take into account any platform-related obstacles that hindered access.”
B.4. Art. 8(2)(b) Should Include Sub-Grantee Contracts, Partnership Agreements, and Similar Arrangements Common in CSO Work
Context: Before formulating a reasoned request, DSCs must also verify, for each applicant researcher, “documentary evidence of the existence of a formal relationship between the applicant researcher and the research organisation of affiliation” (Art. 8 (2) (b)). Recital (9) clarifies that such documents include “employment contracts or any other form of legal association”.
Our concern: CSOs often collaborate with sub-grantees and consortium partners to carry out research projects. Some organisations contribute technical expertise, while others provide local knowledge and context crucial for interpreting research findings. In practice, only one CSO may apply for the vetted researcher mechanism as “applicant” or “principal” researcher, yet researchers from partner organisations or sub-grantees might also need access to the data. Therefore, Art. 8(2)(b) should be interpreted to include sub-grantee contracts, partnership agreements, subcontracted researchers, and other similar documents as valid evidence of a formal relationship between the applicant researcher and the affiliated research organisation.
Our recommendation: Recital (9) of the Delegated Act should include sub-grantee contracts, partnership agreements, and other similar documents as examples of valid evidence of a formal relationship between the applicant researcher and the affiliated research organisation.
B.5. Principal researchers should always be included as third parties in the mediation processes
Context: The Delegated Act introduces a Dispute Settlement Procedure, allowing data providers to request mediation if they disagree with a DSC’s decision on an amendment request. Data providers can propose a mediator, who must be impartial and independent. Article 13(5) states that DSCs may, “where appropriate”, invite the principal researcher to participate in the mediation to help reach an agreement that aligns with the research project’s objectives.
Our concern: while we trust that DSCs will act in the best interests of researchers, ensuring fairness requires that the principal researcher be included in the mediation process as a standard practice. The principal researcher is best positioned to explain the purpose of the research, justify the need for the requested data, and assess the feasibility of any alternative solutions proposed by the data provider. Inviting the principal researcher of the project is always appropriate to protect the integrity of the research and achieve balanced outcomes. Therefore, the Delegated Act should not leave this decision to the discretion of DSCs.
Our recommendation: Consider revising the wording of Art. 13(5) to ensure that the principal researcher is always invited to join the mediation as a party, rather than leaving this decision solely to the discretion of the DSC.
B.6. Clarify how researchers can challenge the decisions of DSCs not to formulate a reasoned request
Context: Articles 7 to 14 of the Delegated Act explain the steps and requirements for making and reviewing reasoned requests. DSCs have about one month to decide whether to submit a reasoned request to data providers or not. As noted earlier, data providers can request mediation if they disagree with a reasoned request. However, the Delegated Act does not include any process for researchers to challenge a DSC’s decision not to submit a reasoned request. The Act merely states in Art. 7 (2) (b) that DSCs should “inform the principal researcher about the reasons why the reasoned request could not be formulated”.
Our concern: DSCs are public authorities, and their decisions, such as choosing not to submit a reasoned request, are open to challenge by affected parties through administrative or judicial means, according to the legislation of each member state. Yet, the Delegated Act does not address this in either its recitals or main text. It is problematic that the Act emphasizes the rights of data providers, who have mechanisms like mediation to respond to DSC decisions, while the options available to researchers for recourse are not outlined.
Our recommendation:
- Establish a simpler, less bureaucratic process for researchers to appeal DSC decisions.
- Alternatively, include a provision in Section III that outlines recourse options for researchers to address a DSC’s decision not to submit a reasoned request.
B.7. Data protection measures should be evaluated with respect to the type of research institution
Context: One of the main goals of the Delegated Act is to balance researchers’ access to data with protecting users’ personal data on online platforms. To do this, the Act sets up several “filters” throughout the vetting process. First, during the application and verification stage, DSCs must confirm that researchers have the technical ability to meet GDPR data protection standards. They must also review the safeguards proposed by the applicant to reduce risks related to confidentiality, data security, and personal data protection (Article 8 (7)). If a reasoned request is made, the DSC must decide on the appropriate access methods. Recital (16) gives examples such as: (a) data transmission via an interface and data storage, and (b) data transmission and storage in a secure processing environment managed by the data provider or a certified third party. DSCs may determine the access modalities depending on the sensitivity of the data requested, as well as the rights and interests of the data provider.
Our concerns: While the goal of balancing data access with data protection is essential, the Delegated Act seems primarily designed for academic institutions, which typically have established procedures and infrastructure to comply with data protection standards. Although it is important for CSOs to align with these standards, potentially through partnerships with universities that can support capacity building, it should be acknowledged that CSOs conduct research that is distinct and valuable in its own way. CSO research often focuses not just on establishing causal relationships but also on providing actionable insights and timely evidence that are essential to make the regulatory framework meaningful.
To support inclusivity, the Delegated Act should include provisions that ensure smaller or non-traditional research organizations, such as CSOs, are not disadvantaged by rigid procedural or administrative requirements. This could involve applying more flexible standards during the initial vetting (“first filter”) and adopting stricter standards for determining access modalities to ensure data security. Such an approach would help maintain the diversity and richness of research contributions while upholding data protection standards.
Our recommendation: The Delegated Act should include language that ensures smaller or non-traditional research organizations, such as CSOs, are not disadvantaged by procedural or administrative requirements. Specifically, we recommend:
- Apply more flexible standards during the application and verification stage (the “first filter”) to accommodate the unique structures and capacities of CSOs while ensuring they still meet basic data protection requirements.
- Implement stricter standards when determining access methods to maintain data security and confidentiality once access is granted.
- Encourage collaboration between CSOs and academic institutions to align CSO research practices with those of established scientific research, promoting compliance with data protection standards without imposing undue burdens.
Acknowledgments
This position paper was written by Daniela Alvarado Rincon and Michael Meyer-Resende. Das Nettz, Fundación Maldita.es and Science Feedback contributed and co-signed the paper. The paper is part of the access://democracy project funded by the Mercator Foundation. Its contents do not necessarily represent the position of the Mercator Foundation.
