Platform for the study of systemic risk: Art. 40(4) DSA and the draft delegated act

In this week’s blog, we put the DMA’s little sister into the spotlight, the Digital Services Act (DSA), and explore an important topic for the academic community: Art. 40(4) DSA. This provision grants researchers the right to request data from very large online platforms and search engines in order to study systemic risks. Juliane Mendelsohn, Junior Professor at the Technical University Ilmenau, evaluates the current draft delegated act and the technical details of this access right.

By Juliane Mendelsohn

Ten days before the US election, Donald Trump appeared on The Joe Rogan Experience. The conversation ran for almost three hours and by election day the show boasted 40 million views (now 52.621.044) on YouTube. Airtime and attention any traditional politician could only dream of, leading some commentators to call it the (first) ‘podcast election‘ and one with previously unpredictable results. And indeed, after several elections this year – from Thuringa, Germany to Washington – a strange mood set it. It wasn’t just sorrow or disappointment, there was an element of sheer disbelief, not only that so many people had voted a certain way, but that we no longer understand the societies we live in and the causalities and rationalities that led to such results. If we want to understand these events, media-driven causalities and discourse rationalities, we need more than just grief and opinions, we need transparency and access to a lot of data: specifically, non-public media platform data.

Democracy at risk

The relevant platform data required by civil society to understand past, present (France) and (very near future) elections (Germany), as well as a number of similar events, social mechanisms and digital causalities, is complex, sometimes very sensitive and best placed in the hands of independent researchers (rather than the state or state institutions). This data not is not only required to understand the workings and influence of the media but also to understand and mitigate so-called systemic risks. While systemic risks have thus far mainly been associated with cascading events such as financial crises, new platform regulations, in particular the Digital Services Act (DSA), recognise that such shock events and social volatility can also occur in areas far removed from the financial sector and arise from the design or functioning of platform services, their algorithmic systems and potential misuses by their recipients (see Art. 34(1) DSA).

Art. 34(2) DSA specifies that such systemic risks may result from, inter alia, the dissemination of illegal content; relate to negative effects on fundamental rights such as human dignity, family rights, freedom of expression or pluralism of the media; negative effects on civil discourse, electoral processes and public security; negative repercussions in relation to gender violence and mental well-being. 

The access right to vital data and the draft delegated act

It is essential that not only the state but also civil society itself is resilient and competent enough to understand and avoid these risks. Art. 40(4) of the DSA therefore grants so-called vetted researchers the right to access data necessary to study such risks. Art. 40 (4) DSA reads as follows:

Upon a reasoned request from the Digital Services Coordinator of establishment, providers of very large online platforms or of very large online search engines shall, within a reasonable period, as specified in the request, provide access to data to vetted researchers who meet the requirements in paragraph 8 of this Article, for the sole purpose of conducting research that contributes to the detection, identification and understanding of systemic risks in the Union, as set out pursuant to Article 34(1), and to the assessment of the adequacy, efficiency and impacts of the risk mitigation measures pursuant to Article 35.

In its current form, and given the legitimate debate about the nature (public or private) of the data in question, this right is still quite narrowly construed. However, given the enormous technical difficulties and often outright refusals that communications researchers face today, it is an important step towards a more open, informed and resilient society. In order to clarify the scope and mechanism of this right of access, the EU Commission has drafted a delegated regulation or act (DDA). Consultations on this draft were open until 10 December 2024. Responses received by the Commission can be found here.

Looking at the details of the Act and based on the joint response submitted by the Weizenbaum Institute‘s DSA 40 Collaboratory, I would like to highlight a) the good, b) the bad (or incomplete) and c) the ugly (or unnecessarily skewed) elements of the current draft with a focus on enabling effective research and mitigating the power imbalance that currently exists with regard to data.

The good 

  • Art. 2(3) and (4) of the DDA contain definitions that make it clear that both individuals and groups (led by a principal investigator) are covered by the DDA. Furthermore, there is no restriction on the nationality or other status of the researchers. This clarification recognises that research is a collaborative process and is not restricted by national or EU borders.
  • The DDA makes no mention of fees. Given the public interest in the dissemination of the relevant data, and the already existing burden of obtaining funding for such projects, it is essential that this remains the case. It is also fair, given that, in most cases, the platforms have already extensively monetised their data (in similar vein with regards to IOT data). 
  • It is also commendable that the Commission has tried to streamline and demystify the application process (Art. 7-14 DDA) by creating a transparent data access portal (Art. 3 DDA).  This transparency, however, also comes at the cost of a fairly detailed and opaque application process. To the extent that it allows researchers to learn from each other’s requests, they will have to consider carefully how much of their research questions and methodology to reveal.

The bad

  • Recital 12 DDA gives examples of data that could be applied for and also (importantly) recognises that „the data that can be applied for to study systemic risks in the Union may vary over time“ and that research projects, by their nature, can develop and evolve in unpredictable ways. Considering platforms as organisations and not mere technical tools, however, this list seems somewhat static and does not provide detailed or dynamic insights into the functioning of these platforms. Researchers affiliated with the Weizenbaum Institute’s DSA 40 Collaboratory, have thus suggested a number of additional data points to be included. These include internal data, which is not derived from or created by the users on the platform but to the platforms as such; data inferred by the platforms; and data related to the governance of user attention via platform design implementations.
  • The DDA grants a lot of discretion to the platforms and seems to take their interests into account carefully through possible amendments to requests, meditation procedures, etc. The DDA, however, does little to bolster the researcher’s access right with clear remedies or methods of recourse in the event that the data provided is either inadequate or does not allow for the research to be carried out as intended. Talking to my colleague, Emese Domadhidi, I have come to realise that such shortcomings are by no means hypothetical, but are part of the everyday reality of researchers, all of whom can cite extensive experiences of receiving data or access modalities that are not or poorly suited to their research purposes.

The ugly

While the new access right is important and reaches far beyond the status quo – where researchers‘ requests are often met with blatant rejections, APIs are changed on a whim, or the data pool received is at best a random sample, enabling anecdotes rather than sound hypotheses – the Commission does not always seem to consider the underlying balance of power. This is meant in two ways. First, the DDA affords the platforms a great deal of discretion, despite the fact that the data already is in their domain. Second, the DDA often seems designed for large and resourceful research institutions, and does not recognise the challenges faced by smaller research institutions, or even individual researchers, whose positions, research projects and funding depend on guaranteed access to data. This is problematic not only because it seems inequitable and unfair, but also because research depends on diversity and because a small number of large research institutions make the process more susceptible to regulatory capture. Moreover, the potential for capture and arbitrage is already facilitated by the level of power and discretion afforded to platforms. The latter is particularly prominent in two cases: 

  • While the researchers submit their requests for access to data, these are ultimately formulated by the DSC (Art. 9 DDA). During this process, the platforms may modify the request and ask that certain data be categorised as sensitive (Art. 40(5) DSA) and researchers are only informed of such changes ex post (Art. 11(2) DDA). Without good reason, the status quo thus gives platforms a great deal of discretion and flexibility, while leaving researchers in a take-it-or-leave-it position with regard to the data they are ultimately offered. Given that research projects can take a long time to complete and should explore unknown and unpredictable avenues, and that requests may require extensions or expansions, the right of amendment is as essential for researchers as it is for platforms.  
    • The core provisions of the DDA are probably those relating to the access modalities. These are not only very limited, but also left entirely to the discretion of the DSC, albeit taking into account the interests of the platforms (Art. 9 DDA). The current choice is between a data transfer option and the provision of so-called Secure Processing Environments (SPE). Effective data access and governance is a thorny issue that cuts across several regulatory areas (PSD2, DGA, Data Act) and for which few workable solutions have been found. With the exception of very large volumes of data, most researchers would prefer the transfer option in almost all cases.

Not having to conduct their research in the digital domains of the platforms not only enhances research freedoms, the provision of SPE’s has also has a difficult track record. Lukas Seiling and his colleagues elaborate that:

  • Meta’s Researcher Platform not only requires a VPN connection but also implements a “cleanroom” which regularly deletes all data within it, making it mostly unusable for reproducible research; and that
  • TikTok’s Virtual Compute Environment enables the close supervision of researchers, as all results from queries within the environment are reviewed. 
  • Where data cannot be transferred, they thus suggests the creation of sandboxes for researchers to test and monitor new forms of data collection and sharing.

To conclude, the right to data access must be safeguarded and – where needed – improved upon. If information is power, then data is the resource of a better future. And while it is utopian for an access right to this data to work smoothly and in the public interest from the outset, it is only by formulating viable demands and amendments, that we can guarantee civil society‘s participation in that future. 

We thank Juliane Mendelsohn for this contribution. If you want to stay up to date on our blogs and reports, subscribe to our newsletter. If you are interested in writing a guest contribution, please contact team@scidaproject.com.

Posts created 15

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Back To Top