Workshop Report: Researchers on Data Access and Preparing for DSA Article 40(4)

By John Albert and Paddy Leerssen
DSA Observatory

Drawing on a March 2025 workshop hosted by the DSA Observatory, this post shares practical and strategic insights from researchers preparing to make use of Article 40(4)—from scoping proposals and navigating compliance to building collective support structures.

---

Workshop context and format

On March 28, 2025, the DSA Observatory at the Institute for Information Law (IViR) hosted a full-day workshop exploring two interlinked aspects of the Digital Services Act: systemic risk management under Articles 34 and 35, and researcher data access under Article 40(4).

Organized as part of our work with the DSA Research Network, supported by Stiftung Mercator, the workshop convened academic and civil society researchers, legal scholars, and policy experts to discuss the DSA’s transparency and accountability framework. Through a dual-track format, participants discussed both the practical challenges of implementing and enforcing the DSA and the broader political context in which it is unfolding.

This blog post focuses on the Researcher Data Access track (a companion post explores the systemic risk framework access under Articles 34 and 35).

Over the course of three sessions, participants reflected on how to scope and justify data access requests, how to manage privacy and compliance concerns, and how to coordinate across institutions and jurisdictions to build resilient support structures for researchers.

These conversations are especially timely: the delegated regulation that will govern Article 40(4) is nearly finalized (for expert insights on the draft delegated act, see our DSA Observatory post from November 2024).

Once the delegated act is adopted, researchers will be able to apply through national Digital Services Coordinators (DSCs) for access to data from very large online platforms and search engines. The first wave of applications will test not only the access process itself, but the DSA’s broader promise of platform transparency.

Session 1: Making the case for access

The first session began with project pitches from researchers preparing to apply for data access under Article 40(4) of the DSA. Under this provision, researchers must argue that their project contributes to the understanding of systemic risks or the evaluation of platforms’ mitigation measures, and that their access needs are both necessary and proportionate to fulfill those aims.

The proposed projects addressed many potential risks tied to platform design and governance, including risks to fundamental rights, electoral processes, and civic discourse. They ranged from investigations into shadowbanning and undisclosed political influence campaigns, to efforts to simulate regulatory interventions and analyze how virality functions within recommender systems.

How to scope access requests and build a data inventory

The projects showed both a diversity both of risks under scrutiny and possible methodologies for studying them using platform data under Article 40(4). Several proposals, for instance, combined user-contributed data (via interviews, surveys, or data donations) with requests for platform-held data on engagement, moderation, and ranking systems.

Yet nearly every researcher ran into the same problem: how do you request data from platforms when you don’t even know what’s available?

One proposed solution was to take a “stepwise” approach: frame initial requests as exploratory, use early data to test assumptions, and refine future inquiries accordingly. This strategy was likened to Freedom of Information (FOIA) tactics and is consistent with any good scientific process: start with a hypothesis and iterate based on findings.

There was also broad agreement that internal governance data (like platform policies, design decisions, enforcement workflows) should count as data under Article 40(4). Early applications, participants argued, should help establish this precedent by explicitly requesting such documentation.

To improve their chances, researchers recommended peer feedback and informal review prior to submitting applications. They also suggested tapping into the knowledge of tech workers or former platform employees—people who understand how these systems function and what kinds of data might realistically be retrieved.

Some NGO and civil society participants noted that their project-based funding structures might make it harder to engage in the kind of long-term planning required to use the DSA’s access framework effectively.

Still, the involvement of civil society organizations can be in scope for the Article 40(4) framework—and is arguably vital, as each application contributes to shaping the access process and building a collective data inventory.

Not just evidence providers

Participants acknowledged a broader strategic tension: aligning proposals with regulatory priorities might increase the likelihood of approval, but could it compromise independence?

One researcher likened the process to writing a grant proposal—to maximize the chance of success, it makes sense to frame one’s proposal to fit the reviewer’s priorities. While regulators do not technically have discretion to prioritize research on substantive grounds (each valid application must, in principle, be treated equally), it’s likely inevitable that political forces will shape implementation in practice. Researchers must, therefore, also consider how their work may be perceived or leveraged in the context of DSA enforcement.

It was stressed that researchers can stay engaged in this process without compromising independence. As one participant put it: “We’re not just evidence providers—we’re part of a governance system that’s still being built. And our presence in that system has to be claimed.”

Session 2: Navigating compliance and access modalities

The second session focused on privacy obligations and “access modalities” through which data is provided. Legal, technical, and organizational safeguards are essential to comply with GDPR and protect data subjects.

Potential access modalities may include secure downloads, Application Programming Interfaces (APIs), and Secure Processing Environments (SPEs): closed, monitored environments that may be hosted by platforms or certified third parties like GESIS.

Platform-controlled SPEs aren’t it

Many participants welcomed the idea of trusted third parties hosting SPEs that could manage GDPR compliance on behalf of researchers. But there was broad concern that platform-controlled SPEs might end up as the default modality afforded to vetted researchers.

Participants related kafka-esque experiences trying to use platform-controlled SPEs for the purpose of analyzing public data, and warned that these can hamper both research quality and researcher autonomy—to such an extent that it may not even warrant the effort to use them.

To counter this, participants encouraged exploring non-platform alternatives for SPEs, and making maximal use of non-SPE research designs. If researchers can demonstrate robust organizational and technical safeguards, they can push for access modalities that enable more meaningful research.

Help! I need some DPIAs

Despite the clear need for strong safeguards, participants noted a lack of institutional guidance on how to navigate data protection requirements.

To help bridge this gap, participants recommended practical tools like standard templates for Data Protection Impact Assessments (DPIAs) to support GDPR compliance from the outset. Although some universities already follow these best practices, many researchers still lack easy access to such resources.

Session 3: Organizing for access

The third session focused on the collective work required to make Article 40(4) viable in practice. One message came through clearly: this access regime will not implement itself.

Don’t wait for a lighthouse

Participants described a research environment in which basic information is often lacking. “I answer emails every week from people asking: how do I get access?” one participant said.

The lack of clear, shared resources reflects a broader problem: few incentives exist to maintain this information, and no one institution is responsible for doing so. The Irish Digital Services Coordinator, Coimisiún na Meán, did recently publish an overview of vetted researcher data access under Article 40—yet the average researcher unfamiliar with the DSA framework may not know where to look for this kind of resource.

Instead of relying on a central authority to cover these information gaps, researchers proposed a decentralized approach, with multiple organizations offering overlapping guidance and support.

“We need a lot of fires along the shore,” one participant said—not a single lighthouse.

Organizations doing this kind of work include the DSA40 Collaboratory and the Coalition for Independent Technology Research. During the workshop, representatives of both organizations shared their experience documenting outcomes of data access efforts, sharing resources, and building collective resilience through networking and mutual support.

When it comes to documenting outcomes, it’s worth noting that, according to the draft delegated act on Article 40, the Commission plans only to publish the general details of successful 40(4) applications in its public-facing data access portal. Rejected applications can also be instructive, however—so researchers should (unless this provision changes in the final version of the delegated act) be prepared to share their experiences through other channels.

Researchers can lawyer up, too

Throughout the workshop, participants described frustrating experiences with platforms, from outright refusals to data being delivered under absurdly limited or unworkable conditions. Even when access was granted, they noted, the data was often incomplete or poorly structured.

These experiences carry legal implications. Failed access attempts may bolster legal arguments for independent data collection methods, including scraping.

There was also interest in litigation as a tool for reform. One example is the recent lawsuit by the German NGOs Gesellschaft für Freiheitsrechte and Democracy Reporting International against X (formerly Twitter), seeking to compel access to X’s research API under Article 40(12), in which vetting is left to the platforms.

Several participants saw 40(4) requests as a way to expose the inadequacies of 40(12)—a complementary approach that could help build pressure for stricter enforcement or regulatory reform.

A case for change

Participants also flagged the lack of meaningful recourse for researchers when platforms reject access requests or deliver data that is unusable. While the draft delegated regulation outlines a mediation process under Article 13, it only allows platforms (not researchers) to initiate formal disputes (it also gives platforms the power to select the mediator).

This asymmetry was highlighted as a major concern among researchers during the delegated act’s feedback period. Whether the final version includes stronger procedural safeguards for researchers remains to be seen.

In the meantime, researchers should be prepared to document and publicize denials, delays, and obstruction to highlight systemic shortcomings—and build a case for change.

As one participant put it, “We have the right to access data under Article 40. If platforms don’t comply, they’re infringing. We should act like it.”

Building bridges, hitting walls

Participants emphasized the value of building relationships with national DSCs to better understand local enforcement priorities and improve the odds of successful applications. Several expressed optimism that the DSC where their organization was based was genuinely committed to empowering researchers under the DSA.

By contrast, direct engagement with platforms was described as one-sided: researchers submit requests; platforms delay or evade. Some participants reported escalating issues to the Commission, though it was often difficult to determine how their complaints factor into enforcement.

Independent advisory mechanisms

The data access framework envisioned under the DSA was built on the premise of good-faith cooperation—not just between researchers and regulators, but with platforms as well. Its effectiveness depends on a complex interplay of stakeholders, including independent intermediaries who can help facilitate access and trust in the system. The draft delegated act for Article 40 reiterates the potential utility of such advisory mechanisms and independent expertise under the framework.

The workshop discussion pointed to the independent intermediary body envisioned under the EU Code of Practice on Disinformation (now a Code of Conduct under the DSA) to help foster best practices in data access through multi-stakeholder collaboration. But major platforms recently withdrew their commitments to support its development, raising doubts about long-term funding and cooperation.

This shift reflects broader political headwinds. As platform support for transparency initiatives weakens, researchers face growing pressure to assert their role and its value to the public interest.

Closing session: Reframing access as a political imperative

The plenary discussions underscored how systemic risk management and data access have become politically charged. There is no fixed definition of “systemic risk.” This opens the door to a wide range of investigative methods, but also political framings.

Participants warned of growing politicization in Europe and abroad. In Germany, trusted flaggers have come under attack; a CDU/CSU Bundestag inquiry has targeted civil society actors. The U.S. House Judiciary Chairman Jim Jordan has made erroneous claims about the DSA requiring platforms to systematically remove legal content; in February, he subpoenaed a host of major tech companies, seeking each company’s communications with foreign governments regarding compliance with foreign “censorship laws.”

As this “censorship industrial complex” narrative gains traction across borders, researchers increasingly find themselves in an uneasy position: defending flawed institutions against conspiratorial attacks, despite recognizing that such attacks often stem from legitimate frustration with technocratic governance that, in the words of one participant, “sucks the democratic life out of the system.”

There are valid critiques to make about the DSA; we’ve raised many of them at the DSA Observatory. Yet the DSA’s transparency and data access framework—insofar as it doesn’t become a mere box-ticking compliance exercise—has real potential to enable more democratic oversight of major tech platforms.

Who’s afraid of transparency?

Article 40 remains politically vulnerable, especially to powerful actors who feel threatened by the DSA’s transparency requirements and seek to discredit them by crying censorship.

One way to challenge these bad-faith narratives is to expose the gap between platforms’ public messaging and their actual practices.

Consider Meta: Mark Zuckerberg dismantled the company’s US fact-checking initiatives and publicly questioned their value, even as Meta’s own DSA risk assessment touted its fact-checking efforts as a risk-mitigation measure against misinformation. Elon Musk, meanwhile, casts X as a beacon of transparency while systematically obstructing independent scrutiny and bullying researchers through harassment and lawsuits.

As participants noted, surfacing these contradictions is part of the work.

Looking ahead

The DSA promises vetted researchers unprecedented access to platform data for the purpose of studying systemic risks, thereby assigning them a meaningful role in the broader accountability system for very large online platforms and search engines.

The first wave of applicants under Article 40(4) will help test and shape that system—setting precedents, exposing frictions, and producing research that informs our shared understanding of systemic risks, and whether platforms are doing enough to address them.

Workshops like this one offer a space for researchers to prepare for the work ahead. It won’t be easy: the DSA’s data access framework is untested, and the legal, technical, and institutional hurdles it presents are real. Resistance from platforms is expected. A level of pessimism among participants was not surprising.

Yet amid the uncertainty, there was also a shared sense of purpose. Whether the DSA’s transparency framework delivers on its promise will depend not only on the strength of the law, but on the collective courage and creativity of those working to activate it.

As one participant put it: “Platforms have their legal teams. We need each other.”