EU Data Policy Update

No. 10 | 18 January 2023


Dr2 Consultants’ monthly newsletter on EU Data Policy developments will keep you updated on all political and policy developments at the EU level related to the data economy, from cybersecurity to smart energy to e-mobility.

In this tenth issue, you will receive a deep dive into the Digital priorities of the new Swedish Presidency of the Council of the EU, which started its tenure on 1 January 2023. We also offer you an update on the Data Act and AI Act, based on developments in the Council of the EU and the European Parliament, respectively. This newsletter will also dive into the official publication of the Digital Operational Resilience Act (DORA) and the adequacy decision published by the European Commission concerning the EU-US Data Privacy Framework. Furthermore, the newsletter contains an account of the closure of the official inquiry of the EU Ombudsman into Ireland’s implementation of the EU’s General Data Protection Regulation (GDPR). Last but not least, we will briefly examine the current Council deadlock on the e-Evidence Regulation.

Deep dive: Digital priorities of the Swedish Presidency of the Council of the EU

Introduction

On 1 January 2023, Sweden took over the Presidency of the Council of the EU from the Czech Republic until 30 June 2023. The six-month rotating Presidency will provide Sweden with the opportunity to set and steer the EU’s agenda, find a compromise with the other 26 Member States as an “honest broker”, advance the Council’s work on legislation, and liaise between the Council and other EU institutions.

Previous work under the Czech Presidency

Under the auspices of the Czech Presidency, remarkable progress was made on several key digital files. Significant strides were taken regarding the Data Act, which aims to facilitate access to and use of data and to review the rules on the legal protection of databases. Furthermore, the Council adopted general approaches on the European Digital Identity (eID Regulation) – the digital wallet that can be used to identify, authenticate or verify certain aspects such as age in any other EU country – and the Artificial Intelligence (AI) Act, which aims to introduce a common regulatory and legal framework for artificial intelligence. On top of that, the Council started work on the Cyber Resilience Act (CRA) – published by the Commission in September – which aims at setting common cybersecurity standards for connected devices and services. These developments were also part of the Czech drive to develop a strong and unified (transatlantic) approach to digital policy, according to the priorities of the Czech Presidency. Whether it will lead to a convergence of standards to improve the ease of transatlantic trade remains to be seen.

Expected progress on several digital initiatives

When looking at the Swedish Presidency’s program, one could say its digital policies are not very ambitious. The effects of the war in Ukraine, which introduced serious doubts about energy security and the strategic resilience of the economy in the EU, are still front and center on the agenda of the Swedish Presidency. The continuing development of a fully functioning Internal Market is a strong indicator of this. However, the Sweden Democrats (SD) party’s domestic political sway may influence the next EU Presidency’s work on a broad range of topics. Despite not being in government, SD is consulted on predefined topics, including energy and EU affairs. While the party will try to influence the progress on files related to security and migration, digital policy will be largely left to their political allies in government. We have detailed expected developments on several files important for the digital and data sector:

  • On the Data Act, the Swedes aim to develop a general approach in the Council and kick off Trilogue negotiations with the Parliament. However, the Swedes signal no commitment to finish the discussions before the Spanish take over in July.
  • In May, the European Commission presented its European Health Data Space, which aims to regulate the transmission and sharing of health data across Member States. On health data, the Presidency has the task to decide how this data can be used for research and policymaking and ensure the legislation includes sufficient safeguards around privacy and data protection.
  • On artificial intelligence, the European Parliament still has to adopt a position on the AI Act, which the Swedes can then use to coordinate the Trilogue negotiations. However, due to the file’s complexity, it is not expected that negotiations will be concluded within the next six months.
  • On 1 December 2022, the Council adopted its position (‘general approach’) on the proposed regulation establishing a framework of measures to strengthen Europe’s semiconductor ecosystem, better known as the Chips Act. The general approach provides the Council Presidency with a mandate for Trilogue negotiations with the European Parliament, which will start as soon as the Parliament adopts its position, expected to take place on 13 February 2023.
  • On the Cyber Resilience Act, the Council aims to adopt its position during the Telecommunications Council on 2 June 2023. However, there is a fair possibility that because of slow progress in the Council and Parliament, this meeting will instead entail a progress report.
  • The proposal on the European Critical Raw Materials Act – which aims to reinforce EU monitoring capacities and strengthen both the EU value chain and EU external policies on critical raw materials – is expected to be published by the Commission on 8 March 2023. The Swedish Presidency has stated it will prioritize this specific file as part of its industry strategy. On a more personal note, Sweden produces over 90 percent of all iron ore within the bloc, so it has an interest in ensuring the new legislation speeds up permitting and secures investment in new mining projects.
  • The proposal on the common European Mobility Data Space – which aims to facilitate data access as well as the pooling and sharing of data for more efficient, safe, sustainable and resilient transport – is expected to be published by the Commission on 21 June 2023. As this is near the end of the Swedish Presidency, it’s probable that the next Spanish Presidency will start Council work on this file.

 


Data Act update 

On 10 January, the Swedish Presidency of the Council of the EU presented an options paper seeking Member States’ guidance on some of the most controversial points of the Data Act, namely the SMEs exemption, Business to Government (B2G) data sharing and trade secrets, at the first Working Party on Telecommunications and Information Society meeting of the year. The previous Czech Presidency advanced the file, but some critical issues remain open.

SMEs exemption

Regarding data sharing obligations, a fundamental part of the proposal, the original version excluded only micro and small companies. The Czechs proposed extending this exemption to medium-sized businesses whose product has been on the market for less than one year and to companies that grew to medium size less than a year ago. The Swedish Presidency offered three options: going back to the initial wording, maintaining the Czech compromise or removing the exemption altogether. Another question is contractual fairness, as the initial proposal includes an article that automatically annuls unfair contractual arrangements unilaterally imposed on SMEs. Here the question is whether this provision should be extended to all contractual situations, regardless of the companies’ size. Again, the options are to either maintain things as they are, expand the exemption to some medium-sized companies as per the data sharing part, or include companies of all sizes, without exceptions.

B2G data sharing

The paper notes that the Member States have expressed different views on allowing more access power to statistical offices. The Czech Presidency made the role of these bodies more prominent in the text. Hence, the Swedes want to understand if that is a satisfactory arrangement for the Member States. Alternatively, statistical offices might be prevented from requesting data for exceptional needs, but they could still receive the data from other public bodies that have made such requests. The third and final option is to exclude statistical institutes from the B2G obligations and address the matter in separate legislation.

Trade secrets

To what extent the Data Act’s obligations to share data should be limited by trade secrets is also a politically sensitive issue. While giving companies too much discretion would provide a vast loophole and invalidate the whole legislation’s purpose, several Member States asked for stronger safeguards to avoid the regulation forcing them to disclose confidential information. The Czechs tried to operationalize these requests by proposing that not only the person that receives the data should protect the trade secrets but also third parties that receive it at a later stage.

Cloud interoperability

On 13 December, the Working Party on Telecommunications and Information Society of the Council of the EU discussed the third compromise text of the Czech Presidency of the Council of the EU regarding the Data Act. One of the issues it addresses is the requirements for cloud interoperability, which were redrafted to align the text with the standard-setting process defined under other legislation, namely the Cyber Resilience Act. The compromise text states that, if these changes are accepted, they would be applied throughout the text, for instance, in the section on smart contracts for data sharing. The text also states that the regulation empowers the European Commission to adopt delegated acts to establish an EU repository with open interoperability specifications and European standards for the interoperability of cloud services. Furthermore, the possibility has been added for the EU executive to include non-European standards in the repository as long as they meet specific criteria.

Next steps

The Czech Presidency did not manage to broker a common position on the file at the Telecommunications Council on 6 December but worked on the new compromise text to address some of the outstanding issues. The Swedish Presidency will utilize the comments from the options paper to produce a fourth compromise text, which is expected to be finalized on 31 January. Subsequently, the Swedes will endeavor to develop a general approach in the Council.

AI Act update

On 9 January, the co-rapporteurs of the European Parliament for the Artificial Intelligence Act (AI Act), Dragoș Tudorache (RE, Romania) and Brando Benifei (S&D, Italy), circulated a new set of compromise amendments on the regulation. The co-rapporteurs want to require all users of high-risk AI systems, both public authorities and private entities, to conduct a fundamental rights impact assessment, listing a number of minimum elements that the assessment should include. In addition, the co-rapporteurs made some important additions to the obligations for users of AI systems considered high risk, for example, ensuring that they have appropriate robustness and cybersecurity measures in place and that these measures are regularly updated. Distributors, importers, users and any other third party would be considered high-risk system providers, with the corresponding obligations, under some specific circumstances that leading MEPs worked heavily to address.

Inter-institutional negotiations on the AI Act are expected later this year, and while the EU Council has reached its position, Germany has reservations on certain points that bring it closer to the European Parliament’s position than that of other Member States. Berlin is in favor of a total ban on biometric recognition technology, as already mentioned in the coalition agreement the three governing parties signed in 2021. This is a fundamental point also for the Parliamentary co-rapporteurs. However, Germany is only in favor of banning real-time biometric identification in public spaces while allowing ex-post identification. At the same time, the Germans reserve the right to provide more in-depth commentary on the matter at a later stage as the discussion evolves. Moreover, Germany wants to cross-reference the definition of biometric data to the one included in the EU’s General Data Protection Regulation (GDPR) to avoid a divergence of terminology and to classify biometric categorization systems as high-risk.

An underexposed aspect of the AI Act is the impact it will have on EU startups in the field of AI. On 12 December, appliedAI – Europe’s largest initiative for the application of leading-edge trustworthy AI technology – published the results of an impact survey detailing this impact. The survey participants were both AI startups and Venture Capital (VCs) firms. The survey asked the respondents several things:

  • To classify their AI Systems as High-Risk or General Purpose AI;
  • What kind of impact the AI Act would have on innovation and competitiveness;
  • To detail the new requirements and obligations for High-Risk AI Systems, as well as the compliance cost, financial impact and possible re-allocation of VC funds;
  • What kind of support needs to be offered to startups, what the expectations are for regulatory sandboxes and what kind of policy recommendations the participants would offer to each other and policy makers.

 

The participants offered several policy recommendations to protect, nourish and accelerate the growth of European AI startups, which can be useful for EU policymakers to identify the impact:

  • Keep European competitiveness in the center of the discussions;
  • Reduce the amount of High-Risk AI cases by narrowing the criteria to get closer to the anticipated 5-15% of affected AI Systems;
  • Consider the role of startups as General Purpose AI providers in the light of General Purpose AI obligations;
  • Foresee bottlenecks and systematically debottleneck them, for example in the area of third-party conformity assessments in order to accelerate innovation;
  • Conceptualize Regulatory Sandboxes as drivers for innovation in a protected, but attractive environment;
  • Update the Coordinated Plan and take the needs of European AI startups into account, specifically in areas that are considered very difficult or costly. This will reduce the cost of compliance.

Official publication of Digital Operational Resilience Act (DORA)

On 16 January, the Digital Operational Resilience Act (DORA) entered into force, alongside the NIS2 Directive. DORA is a regulation that aims to provide a robust system to enhance digital risk management, and line it up with financial institutions’ business practices. The Act is part of the Digital Finance package, a set of policies intended to maximize the value of digital finance in terms of growth and competitiveness while minimizing the risks.

DORA sets uniform requirements for the security of network and information systems of companies and organizations operating in the financial sector as well as critical third parties which provide ICT-related services to them, such as cloud platforms or data analytics services. DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across all EU Member States.

Now that the DORA legislation is formally published, aspects that require national transposition will be passed into law by each EU Member State. At the same time, the relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.

Commission adequacy decision for the EU-US Data Privacy Framework

On 13 December, the European Commission launched the process towards the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework, which will foster safe trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union in its Schrems II decision of July 2020. The draft adequacy decision concluded that the United States ensures an adequate level of protection for personal data transferred from the EU to US companies.

The draft decision follows the signature of a US Executive Order by President Biden on 7 October 2022, along with the regulations issued by the US Attorney General Merrick Garland. These two instruments implemented into US law the agreement in principle announced by European Commission President von der Leyen and US President Biden in March 2022.

As a first step in the adoption procedure, the Commission submitted its draft decision to the European Data Protection Board (EDPB). Afterwards, the Commission will seek approval from a committee formed by Member States’ national representatives. In addition, the European Parliament has a right of scrutiny over adequacy decisions. Once this procedure is completed, the Commission can proceed to adopt the final adequacy decision. The decision is expected to be finalized and become effective around July 2023.

The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, which will be carried out by the European Commission, together with European data protection authorities, and the competent US authorities. The first review will take place within one year after the entry into force of the adequacy decision, to verify whether all relevant elements of the US legal framework have been fully implemented and are functioning effectively in practice.

Inquiry of EU Ombudsman on Ireland’s implementation of the EU’s General Data Protection Regulation closed

On 19 December 2022, an inquiry opened by the EU Ombudsman into whether the Commission adequately oversees the work of the Irish Data Protection Commission on cases concerning “Big Tech” found that the EU executive’s oversight is appropriate. The inquiry was opened on 10 February 2022 because a range of public bodies and civil society organizations – including the complainant, the Irish Council for Civil Liberties – reported that the application of the General Data Protection Regulation (GDPR) in Ireland was inadequate.

Ireland has a special role in the implementation of the GDPR because it hosts most of the ‘big tech’ companies in the European Union. Other Member States’ supervisory authorities often depend on the work of the Irish Data Protection Commission to fully pursue personal data issues that concern citizens of their own country. This makes it particularly important that the European Commission adequately informs itself as to whether the GDPR is properly applied in Ireland in respect of ‘big tech’ companies.

The Ombudsman’s inquiry brought to light an established practice of the European Commission to examine a regular case overview from the Irish Data Protection Commission on its handling of ‘big tech’ cases. She concluded that this practice is appropriate and in line with good administration. She considered, however, that a number of technical improvements could be made, and made suggestions to that effect. One of these recommendations was to provide the Irish Data Protection Authority with a form in which to fill in the information on cross-border cases and to give an account of such information sharing in the next report on the application of the GDPR.

Council deadlock on e-Evidence Regulation

During a Committee of Permanent Representatives (COREPER I) meeting on 21 December, discussion on the e-Evidence Regulation was reignited. The regulation was expected to have been successfully concluded after the eighth round of trilogue negotiations on 29 November, but Bulgaria, Finland, Hungary, Slovenia, and Poland openly opposed the provisional political agreement brokered during that round of talks. The general feeling was that the Council gave up too much in the negotiations, with countries like Austria, France, Greece, Italy, Portugal, Romania, and Slovakia going into silent mode, signaling they might abstain in a future ratifying vote. Only Belgium, Germany, Ireland, and Spain displayed various degrees of support.

The e-Evidence Regulation aims to facilitate cross-border criminal investigations by putting in place a cooperation mechanism for European police forces to obtain data – considered as evidence – stored in electronic form by a service provider, such as an email or messaging service, that is based in another EU country. The regulation empowers judicial authorities to issue European Production Orders to request electronic evidence from a service provider based in another EU country within ten days in normal cases and within eight hours in case of emergency. The other tool the legislation provides is the European Preservation Order, meaning a judge could order a service provider to preserve data related to a suspect that might be requested at a later stage. A politically sensitive point was whether the Member State issuing the order should inform the authorities in the receiving country.

The provisional agreement, still to be ratified by policymakers and EU governments, was thus not without controversy. On the one hand, Member States asked for less red tape to favor swift investigations. On the other hand, MEPs pushed for stricter safeguards and guarantees against abuses. In June 2022, the French Presidency of the EU Council tried to close a deal but went too far in its mandate. Subsequently, the Czech Presidency went back to consultations with the Member States after it obtained a revised mandate from EU ambassadors in November 2022. The question is now whether the Swedish Presidency of the Council of the EU will try to go for a formal vote or reopen the negotiations with the European Parliament, as in the latter scenario, MEPs might be tempted to also reopen other points of the agreement.
