Previous EU Data Policy Updates
Deep dive: Models for sustainable and just data governance
On 12 July, the European Parliamentary Research Service (EPRS) published a study called “Governing data and artificial intelligence for all: Models for sustainable and just data governance”. It identifies and examines policy options for the EU’s data governance framework – such as the AI Act, the Data Governance Act, and the Data Act – that align with a data justice perspective.
As such, the central question this report addresses is how to foster a positive vision of AI as contributing to public goods and creating public value. Starting from research on data justice, the report proposes four benchmarks for good governance: preserving and strengthening public infrastructure and public goods, inclusiveness, contestability and accountability, and global responsibility. The EPRS looked at the principal ways in which data is currently understood – as a tradeable asset, as a commons, as a strategic national asset, and as a component of individual identities – and demonstrate how these different conceptualisations interact in governance models from various regions around the world.
Key takeaways stemming from this report include the need for EU institutions to:
1. Define data’s potential as a public good
The EU still has work to do in conceptualising what kind of public good data should be. While the legal framework under construction (especially the Data Act) articulates an aim of creating value from data for both public and private purposes, the mechanisms for arbitrating between these often conflicting aims are unclear, and the balancing of public and private interests varies across legislative instruments.
2.Constitutionalise the EU approach to data governance
The existing regulatory framework in the EU for data governance runs the risk of becoming fragmented. While the focus on building digital markets is coherent, the different instruments involved create disjunctures in the way technological harms are conceptualised (i.e., through the lenses of data protection, competition and consumer protection) and in turn, this limits the equitable distribution of power both in terms of accessing and using data, and in making claims and seeking redress where necessary.
3. Center collective will and decision-making
AI and data governance should center collective will and decision-making on the part of societal groups, along with a systemic orientation towards public value. The EU’s investments in public infrastructure (named in its data strategy and implied in the Data Governance Act and the Data Act) could be reoriented to reflect plural understandings of how data generates value, especially in terms of both large and smaller-scale computing and data infrastructure.
4. Contextualise tools of data governance
Current trends in data governance involve the development of different tools such as data trusts, various forms of cooperatives and commons, and stewardship processes. None of these are relevant as stand-alone approaches to data governance, but become relevant in relation to particular goals. As such, all are open to misuse if overarching normative goals are not clearly articulated and enforced.
5. Devolve and distribute oversight
Technology regulation enforcement and oversight are increasingly challenged to demonstrate that they can represent the democratic concerns of society. Democratising the process of oversight and enforcement with regard to data and AI could help address this challenge. As powerful technologies are increasingly used on the public in ways that are opaque to individuals, it has become urgently necessary to have oversight and enforcement structures that have a public-facing component, that can demonstrate democratic accountability and, therefore, that are also more representative of society.
French Presidency passes the baton to the Czech Republic
On 1 July, curtains went down on the French Presidency of the Council of the EU, heading over the reins to its Czech counterparts. It is now time to look back at some of its results and dive into the policy priorities of Prague’s digital agenda. The French Presidency had to navigate troubled waters as it accompanied the Union from the Covid-19 recovery to start dealing with the security and economic challenges posed by the Ukraine war. After 2000+ meetings of Council working parties and committees, 100+ Coreper meetings, 80+ Council meetings and Summits, what is the outcome of the past six months?
French Presidency’s achievements
In the field of digital policies, the Presidency has managed to gather support in the Council for a negotiating mandate on the 2030 Path to the digital decade and kickstart trilogues to define the guiding principles for digitalisation. In addition, the co-legislators successfully concluded negotiations with the Parliament on a number of critical files.
Among others, the Presidency reached agreements on the two landmark legislations that will structure the future of the Digital Single Market: the Digital Service Act (DSA) and the Digital Market Act (DMA).
When it comes to data-related policy, the French Presidency concluded the Data Governance Act, agreeing on the co-legislators’ position on 16 May. This legislation aims to set up a robust mechanism to enhance the reuse of certain categories of public sector data subject to the rights of others. It will also increase trust in data intermediation services by creating a new framework for companies to share their data of its being misused or of losing their competitive advantage, and for consumers to retain full control over their data. The French Presidency also made stiff progress on the Data Act, the EU’s non-personal data sharing legislation, by adopting the Council’s progress report in the Telecommunications Council in June. The French Presidency cited scope of application, data from connected devices, the sharing of data by companies with public authorities based on exceptional circumstances, cloud-switching and interactions with sectoral legislation as the main issues so far.
The Roaming Regulation and the Common Charger Directive were also concluded in the last semester. Finally, the Presidency closed two key procedures to foster the Union’s cybersecurity: the NIS 2 Directive and the Critical Entity Resilience Directive.
However, the French Presidency could not deliver on all the expected files. On ePrivacy, the negotiations progressed in March but failed to lead to an agreement as of yet. Similarly, the work on the eID or the Artificial Intelligence Act (AIA) will have to spill over into the agenda of the new Presidency.
Czech Presidency’s digital agenda
For its second Presidency of the Council after 2009, Prague has chosen Ivan Bartoš, the recently appointed Deputy Minister for digitisation and Minister of regional development, to spearhead negotiations among EU countries on tech laws. He is one of the founders of the Czech Pirates — a fringe political party with international chapters that was born to fight copyright laws.
Bartoš and his team will also have to reconcile diverging views within the Council on the Data Act which has alarmed various industries that are concerned about having to hand in large swaths of business information and trade secrets to governments, customers and third parties.
Czech Republic is also keen to prioritise work on reaching a general approach on the eID, as it represents a concrete Union action that is visible to EU citizens. Furthermore, it will pick up the work led on the AIA with a view to concluding a general approach. Forging a common position among all 27 EU governments on the artificial intelligence rulebook will not be a smooth ride. It will imply dealing with issues such as facial recognition ban and government-led social scoring, as well as restriction of a list of high-risk applications like algorithms used in health, during elections, and when handling immigration applications. On top of that, transatlantic cooperation within the TTC is very high on this Presidency’s priority list – especially given the Council will have to approve the new legal framework for data transfers to the US called the Transatlantic Data Privacy Framework.
Last but not least, the Czech Presidency will have to start working on a number of key initiatives that will be introduced by the Commission in the next semester such as the Cyber Resilience Act, the Media Freedom Act, the revision of the product liability directive, or the Connectivity Infrastructure Act – a proposal to have Big Tech contribute financially to telecomms infrastructure investments deemed necessary to address the issue of fairness in the architecture of the internet.
Webinar wrap-up: Third webinar on the EU Data Act with representatives from the EU Parliament and the Council
On 16 June, Dr2 Consultants hosted the third and final Breakfast Webinar on the Data Act with representatives from the EU Parliament and the Council. The event was moderated by Cathy Kremer, Senior Consultant at Dr2 Consultants.
Ms. Angelica Petrov, Policy Advisor on Cybersecurity and Digital Policy to MEP Alin Mituța, shadow rapporteur on the EU Data Act for Renew Europe in the leading Industry (ITRE) committee, and Ms. Anna-Liisa Pärnalaas, Counsellor for Digital and Cyber Affairs at the Permanent Representation of Estonia to the EU, were invited to shed light on the Data Act from an institutional perspective. Input gathered from the previous two webinars on the impact of the Data Act on EU competition and sustainability and smart mobility goals fed into the discussion.
Both speakers emphasised the importance of the proposal as one of the main cornerstones of the EU data economy. However, they also recognised that the proposal still requires a comprehensive assessment of the proposal’s real-life impact given the technical nature of some of its provisions. In addition, some clarifications are necessary to avoid putting an additional burden on EU SMEs and companies, thus guaranteeing a competitive edge for the digital economy and society. Against that background, they encouraged all stakeholders to come up with their input to implement a practical framework that works for everyone.
Ms. Anna-Liisa Pärnalaas stated that the proposal has several provisions that support businesses entering the market and empower consumers, e.g. data portability, interoperability safeguards, and unfair contractual contracts. On privacy rights, Ms. Pärnalaas underlined that this regulation should avoid a situation where requirements lead to loss of control of personal data. To tackle this issue, she mentioned that additional safeguards and clarifications about how GDPR applies to the Data Act would be beneficial.
Ms. Angelica Petrov said the European Parliament supports this piece of legislation as it comes at a timely moment with the surge of connected devices and IoT products which generate a significant amount of data. In her view, data holders should have access to the data they produce, and this framework comes at the right moment to regulate how to process and collect data, unleashing the true power of industrial data for EU consumers and businesses. Against that background, Ms. Petrov stressed how this legislation would help B2B, B2G and cloud switching. In that regard, Ms. Petrov would like to see more clarity on definitions as well as data anonymization; data sharing with Member States governments in emergency situations; and cloud switching rights including reverse switching.
From an institutional standpoint, Ms. Petrov noted that there has been a broad consensus on major issues in the European Parliament so far. She added that the timeline is on hold for now due to a conflict of competence between committees. Ms. Pärnalaas stipulated that the Council had finished the first reading of the French presidency’s report. She mentioned that the first written comments are with the Presidency before discussions kick off in July, adding that the most active part will begin in fall 2022.
You can watch the full replay here.
If you would like to stay up to date with the developments regarding EU digital policies and related events, please sign up to our monthly EU Data Policy Update here. Learn more about our EU Data Policy Services here.
Deep dive: Artificial Intelligence Act (AIA)
The Artificial Intelligence Act (AIA) is to introduce a first-of-its-kind legislative framework to set standards and norms in the field of AI. The objective is to both introduce a guiding set of ethical principles as well as to foster innovation, ultimately turning the EU into a global leader in the field of AI. The past month, the two leading rapporteurs in the European Parliament published their first report which is still under discussion while the Council of the EU also discussed the proposal for the first time.
Concretely, the AIA will aim at developing four categories of AI, each with different characteristics in terms of governance.
- AI applications with an unacceptable level of risk: to be banned entirely (article 5 in the proposal): for example AI applications that could exploit characteristics of vulnerable populations such as children and disabled persons or manipulation with psychological harm;
- High risk AI applications: strict obligations in terms of human oversight and regulation (article 6). For example applications that affect critical infrastructure, law enforcement and education;
- Limited risk AI applications: transparency obligations to be in place (article 52). For example the recognition of emotions and the creation of so called deep-fakes (the latter is controversial);
- Minimal risk AI: will not be in the scope of AIA: free to use and develop.This includes all applications that are not mentioned in AIA.
This designation is crucial for the data sector as AI is expected to become the most important tool to process and analyze the maze of data produced in the future (e.g. connected devices). Much of the elements which influence the risk level of AI applications are directly or indirectly related to how it will affect personal data and privacy. The use of personal data by AI for social scoring purposes or law enforcement are examples of controversial applications. Furthermore, the proposal includes ‘legal sandbox’ arrangements for SMEs, which should grant startups more legislative leniency to use data for the development and testing of new programs.
On 3 June, the Telecommunications Council discussed the AIA. Member states expressed their support for the majority of the proposal and decided that work will continue under the Czech presidency – starting from 1 July onwards. Importantly, Member States expressed support for the Commission’s approach to biometric identification and social scoring, two AI applications that are especially controversial and are still subject to debate in the European Parliament. With regards to real-time biometric identification it keeps certain possibilities for security reasons while it chose for a ban on so called ‘social scoring practices’ but kept possibilities for credit scoring for credit lending institutions.
In parallel, a first draft report was already published by the rapporteurs Tudorache (RE, Romania) and Benifei (S&D, Italy) with agreements on a ban on technologies for predictive policing, but there are still significant disagreements. S&D, as well as the Greens and a number of human rights NGOs, argue in favor of a total ban on real-time biometric identification while the Commission, as well as Renew and EPP, prefer to maintain certain specific legal conditions under which it would be allowed for public security reasons. This will have a strong impact on data regulation as biometric identification requires access to personal data on the physical characteristics of individuals. The European Parliament has furthermore also not yet found an agreement on the use of AI for social scoring applications, which closely relates to the protection of personal data.
The leading parliamentary committees IMCO and LIBE will have the last debate on AIA before the summer recess on 30 June, after which the debates will recommence from 26-29 September. The Plenary session will vote on a final position of the Parliament in November. The Council decided that the upcoming Czech presidency would further handle the trilogues with the parliament and the Commission.
European common data spaces
On 1 June, the European Commission’s DG CNECT published a report on the European common data spaces. This first report is vital as it allows to map the current landscape and to assess progress towards reference architectures and implementation of open (government) data and more specifically “data.europa.eu” – probably the world’s largest public investment in open government data to date.
Common data spaces can be defined as a “type of data relationship between trusted partners, each of whom apply the same high standards and rules to the storage and sharing of their data (…) In data spaces, data are not stored centrally but at source and are therefore only shared (via semantic interoperability) when necessary” (Gaia-X, 2022). As highlighted in the European Strategy for Data published in 2020, the EU envisages common data spaces as a genuine single market for data where personal and non-personal data, including sensitive business data, are secure and businesses have easy access to high-quality industrial data, boosting growth and creating value.
In this policy context, the European strategy for data announced the development of an initial set of nine sectoral data spaces, with more sectors to be added in due time. These initial European common data spaces are:
- Industrial/manufacturing data space, to support the competitiveness and performance of the EU’s industries;
- Green Deal data space, to use the major potential of data to support the Green Deal priority actions on issues such as climate change, a circular economy, pollution, biodiversity and deforestation;
- Mobility data space, to position Europe at the forefront of developing an intelligent transport system;
- Health data space, essential for advances in preventing, detecting and treating diseases as well as for informed, evidence-based decision-making to improve healthcare systems;
- Financial data space, to promote innovation, market transparency and sustainable finance, as well as access to finance for European businesses and a more integrated market;
- Energy data space, to promote the stronger availability and cross-sector sharing of data, in a customer-centric, secure and trustworthy manner;
- Agriculture data space, to enhance the sustainability performance and competitiveness of the agricultural sector through processing and analysing data;
- Public administrations, to improve the transparency of and accountability for public spending and spending quality, fighting corruption, both at EU and national levels;
- Skills, to reduce the skills mismatches between the education and training systems and labour market needs.
Having undertaken desk research and carried out interviews with developers of data spaces and data space architectures, DG CNECT elaborates how open government data portals and stakeholders should position themselves in emerging European common data spaces in the core areas discussed in European policy papers, as well as in other data spaces that are currently under development at city and regional levels in various EU Member States. They come to a three-fold conclusion:
- Open data are commonly mentioned alongside private and personal data as a core type of data source. However, open data holders are not well positioned or involved in initiatives developing data space reference architectures or implementation approaches. If this situation persists, the use and impact of open data could be reduced owing to the friction that may occur when combining the use of data shared in data spaces and the use of data published in open government portals.
- Open data holders have extensive experience in data publishing, metadata management, data quality, dataset discovery and data federation, as well as tried-and-tested standards (e.g. Data Catalog Vocabulary) and technologies. There seems to be little knowledge/technology transfer from the open data community to the data spaces community. Data spaces should not reinvent methods that the open data community has already developed, tested and used extensively.
- Whether the data are private, shared or open, using data from multiple sources requires interoperability at several levels, from identity providers to vocabulary providers. The question of which data intermediaries will act as neutral agents to ensure interoperability is underexplored in the data spaces context. Public administrations, building on their experience of publishing open data, are best placed to take on such roles.
By means of conclusion, the text states that it will undertake an in-depth case study analysis, based on the actual implementation of data spaces, to verify these initial findings and discuss challenges and opportunities for “data.europa.eu” in a follow-up report expected in 2023.
Bruno Lemaire gets digital portfolio
On 20 May, President Emmanuel Macron announced the French government reshuffle following his reelection for another quinquennium (2022-2027) after his victory against far-right leader Marine Le Pen (Rassemblement National) – casting 58,55% of the votes in the second round. To lead the country’s executive branch, he chose former Labour Minister Elisabeth Borne as his prime minister. Expectedly, he also reappointed former Finance and Economy Minister Bruno Lemaire, adding this time the competencies pertaining to “industrial and digital sovereignty”. This brings to the fore the increasing importance of these issues in French governance. In February, Bruno Lemaire already called on the EU to “guarantee our mastery of innovation, our technological sovereignty and the political sovereignty that we all desire, between China and the United States”.
Public consultation open: Availability of datasets
On 24 May, the European Commission launched its public consultation on the Implementing act on a list of High-Value Datasets. It aims to make more publicly-funded information available for new information products and innovation, in particular in artificial intelligence. It defines a list of ‘high-value’ datasets held by the public sector (datasets whose re-use can have major benefits for society and the economy). Under the initiative, these datasets should be re-usable for free; using application programming interfaces available in machine-readable format; downloadable in bulk, where possible.
Webinar wrap-up: The Data Act and its impact on EU competition and smart mobility goals
On 25 May, Dr2 Consultants hosted a second Breakfast Webinar to discuss the impact of the EU Data Act on the European competition and smart mobility goals. The event was moderated by Cathy Kremer, Senior Consultant at Dr2 Consultants.
Mr. Mikael Isaksson, Public Affairs Officer at Volvo Cars stated that the consumer-focused approach in the Commission proposal is the right approach. He underlined that Volvo Cars values people’s freedom to move in a personal, sustainable and safe way. He argued that data and connectivity have a role to play in decarbonizing transport, in managing traffic flows and in optimizing energy efficiency. Data must be shared in a way that is safe, technically feasible and relevant for the consumer. The Data Act should not stifle innovation, growth and investment. It should lay down the basic principles to ensure data can be accessed on a level playing field.
Dr. Nima Barraci, Senior Manager, Group Data Strategy and Transformation at Lufthansa Group said that Lufthansa Group had in principle a positive stance towards the Data Act. He noted that, currently, machine-generated data is to a large extent unregulated and there are no rules to whom the data belongs and who has access to it. The Data Act would level the playing field by creating ground rules, foster competition and innovation. It would help reach the EU’s sustainability goals by improving the ecological performance of aircrafts and aircraft operations. The Data Act will foster innovation and energy efficiency, he underlined.
Asked about their one key message to policymakers, Dr. Barraci wished to see the Data Act become an enabler for innovation and competition in Europe. Mr. Isaksson concluded that the Data Act should be designed in a way that it encourages innovation and that it will benefit everyone in the connected mobility ecosystem.
Next Thursday, 16 June, Dr2 Consultants will hold its final webinar on the Data Act. This time, we will hear from representatives from the European Parliament and the Council. Register for the upcoming last session in this series of webinars here.
If you would like to stay up to date with the developments regarding EU digital policies and related events, please sign up to our monthly EU Data Policy Update here. Learn more about our EU Data Policy Services here.
Deep dive: European Health Data Space (EHDS)
On 3 May, the European Commission released its legislative proposal on the Regulation on European Health Data Space (EHDS). This initiative aims to create a system for health data exchange and access governed by common rules, procedures, and technical standards to ensure that health data can be accessed within and between the Member States, fully in line with the General Data Protection Regulation (GDPR) and Member State competences. As highlighted by the COVID-19 pandemic, governments are set to collect higher shares of health data in the future. The European Commission claims its use can add up to €11 billion over the next 10 years – with half coming from improved data exchanges in health care itself, and the other half from the use of health data in research and policy. To that end, the EU has set a fund of 810 million to build the necessary infrastructure.
Link with EU digital legislation
The EHDS is the EU’s first sector-specific regulation under its 2020 Data Strategy. It supplements the Data Governance Act and the Data Act which cannot address the specificities of sensitive data, such as health or genetic data. It provides more specific rules for ‘data altruism’ in the health sector and introduces limits to international transfers of non-personal health data.
More concretely, EHDS will improve:
Healthcare and timely access to data (primary use of data)
All Member States will be required to participate in the digital infrastructure MyHealth@EU to ensure that EU citizens can share their health data with health professionals in other EU Countries and therefore contribute to better cross-border healthcare. As of today, only 10 Member States have implemented the platform.
Research (secondary use of data)
This new legal framework and infrastructure will allow researchers, innovators, decision-makers, and regulators to re-use health data for cross-border research, policy making, educational activities, and personalised medicine.
Requirements and obligations specific to electronic health record (EHR) systems will ensure that EHR systems placed on the market and used are interoperable, secure and respect the rights of individuals over their health data.
Brussels Tech lobby DIGITALEUROPE saluted this initiative as an ambitious framework for health data, while adding that more harmonisation in the Single Market for digital health and data was needed. They also called on the Commission to clarify the scope and interactions of EHDS with other pieces of legislations such as GDPR, Data Act, Medical Device Regulation and AI Act. This reaction comes on the back of the release of their report on 7 April identifying two main roadblocks to developing and scaling life-saving health technologies in Europe: the lack of a framework for health data flows, and a fragmented market for digital health. The European Confederation of Pharmaceutical Entrepreneurs (EUCOPE) emphasised the need to set European Health Union that aims to reinforce the EU’s preparedness and response during health crises. On top of that, they also recommended the promotion of data interoperability.
The proposal will now be sent to the Parliament and Council for examination. The Commission is optimistic that the first results will start to show in 2025, especially for the exchange of data in health care itself, the MyHealth@EU program.
UK’s Data Bill Reform
During the Queen’s Speech on 10 May, the British government announced the reform of the country’s data protection regime. According to the executive, this Data Reform Bill is expected to create “a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection”. In its legislative agenda for the next 12 months, London said it wanted to “take advantage of the benefits of Brexit to create a world class data rights regime” by updating its local privacy rules to “fuel responsible innovation and drive scientific process.” The bill will make up part of a wider package of data protection reforms.
As it stands, the UK’s data protection rulebook is still modelled on the EU’s General Data Protection Regulation (GDPR). With this reform, the UK government remains cautious that any changes to its data protection regime would not imperil its data flows agreement with the EU, as it requires the UK to maintain an equivalent level of privacy protection compared with the Continent. Brussels is concerned of the UK’s stated desire to establish new data flows with countries including the U.S., Australia, South Korea, Singapore or India, which could lead to the transfer of EU individuals’ data to third countries with inadequate privacy standards.
Data flow deal with India
In parallel, Britain’s trade negotiators are under pressure to strike a trade deal with India this year. Prime Minister Boris Johnson has given the UK team until October to seal a post-Brexit deal on the liberalisation of data with New Delhi.
Nevertheless, experts claim that landing a deal will be a big challenge given that both sides are currently at opposite ends on their data policies. India is in the midst of setting up a new Data Protection Bill to manage the way commercial and personal data is handled. This draft law would require data to stay on Indian soil, as regulators believe the move is necessary to generate local jobs, and protect national security and the privacy of its citizens.
On its part, London is pushing hard to allow for the free flow of data between the two countries. More than 67% of UK services exports are digitally delivered. Britain currently imports more services from India than it exports.
According to a report from the UK-India Business Council (UKIBC) and think tank “The Dialogue”, if approved by the Parliament, the Indian draft law would restrict “the transfer and processing of critical personal data abroad, but also mandate commercial and nonpersonal anonymized datasets to be shared with the Indian government”. In other words, British companies selling goods or services online in India would have to set up data servers there to exclusively store payment data from national citizens. As a result, this setup could cost significant resources to UK businesses. It would limit the data they could transfer, and the value derived from analysing it with tools like machine learning, putting to the test the digital supply chains between London and New Delhi.
The EDPB and “dark patterns” in social media platform interfaces
On 2 May, the European Data Protection Board (EDPB) closed the feedback period on the “Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them”. These guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called “dark patterns” in social media interfaces that infringe on GDPR requirements. These patterns aim to influence users’ behavior and hinder their ability to effectively protect their personal data and make conscious choices. They can be divided into these categories:
- Overloading: confronting users with a large number of requests, information, options or possibilities in order to prompt them to share more data or unintentionally allow personal data processing against the expectations of the data subject.
- Skipping: designing interfaces or user experiences in a way that users forget or do not think about all or some of the data protection aspects.
- Stirring: affecting the choice users would make by appealing to their emotions or using visual.
- Hindering: obstructing or blocking users in their process of becoming informed or managing their data by making the action hard or impossible to achieve.
- Left in the dark: designing interfaces in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights.
These dark patterns are practices that are not only relevant for personal data protection, but sit at the intersection between several fields of law, in particular consumer law, digital market and data protection law. The Digital Markets Act (DMA) and Digital Services Act (DSA) contain specific provisions prohibiting these types of practices. They are also addressed in other instruments regulating the digital sphere which are currently under discussion, such as the European Data Act.
Conference on the Future of Europe (CoFoE) and the digital transformation
On Europe day, the Conference of the Future of Europe’s Executive Board gave the final report on the outcome of the Conference to the Presidents of the European Parliament, Commission and Council in Strasbourg. As a reminder, the CoFoE is a one-year bottom-up exercise for Europeans to have their say on what they expect from the European Union. European citizens of different geographic origin, gender, age, socioeconomic background and/or level of education were encouraged to take part in the Conference, with young Europeans playing a central role. Strong of 49 proposals, this final document includes concrete objectives and more than 320 measures for the EU institutions to follow up on under nine topics, including digital transformation.
In the digital chapter, authors brought to the fore the importance of “long-term consequences of the seizure of personal information and the illegitimate use of that data in the future” especially following the Russian invasion of Ukraine. To tackle this issue, they suggested avoiding “data concentration and dependence on third countries in relation to infrastructure and services” and building “a data infrastructure based on European values.”
EU Data Act and its impact on EU competition and sustainability goals
On 5 May, Dr2 Consultants hosted a Breakfast Webinar to discuss the impact of the Data Act on European competition and sustainability goals. The event was moderated by Cathy Kremer, Senior Consultant at Dr2 Consultants.
Mr. Paolo Falcioni, Director-General of APPLiA, representing the home appliance sector in Europe, and Mr. Radu Surdeanu, Senior Director Government Affairs at Siemens Energy, a large energy company offering products and services along the entire value chain, were invited to shed light on the Data Act from an association and business perspective.
Both speakers agreed with the key ambition of the Data Act, its potential to increase Europe’s competitiveness and contribute to the EU’s sustainability goals, but they underlined there is still a long way to go for this proposal. The rules for the industry need to be more clearly defined, trade secrets should be protected, innovation should be stimulated, and the text should be strengthened in a participatory manner with all stakeholders.
Deep dive: Revamped EU-US Data Protection Shield
New Trans-Atlantic Data Privacy Framework
On 25 March, European Commission President von der Leyen and U.S. President Biden announced an agreement in principle on a new framework for transatlantic data flows. This comes on the back of the EU Court of Justice’s invalidation of the EU-US Data Protection Shield in July 2020, which ruled that the data protection provided for in the U.S. domestic law on the US public authorities’ access and use of personal data transferred from the European Union, did not meet sufficient privacy requirements. In addition, the European Data Protection Board – the EU’s privacy watchdog – had issued guidance that would restrict the use of alternative data transfer mechanisms.
On top of that, Russia’s invasion of its Black Sea neighbour has accrued the need to accelerate Brussels-Washington negotiations on a revamped Privacy Shield pact. Maintaining strong relationships between like-minded democracies is now important more than ever, and that includes fostering a secure framework of data flows from both sides of the Atlantic.
According to officials close to the ongoing negotiations, Washington’s latest offer is based, among others, on recent suggestions from a group of privacy experts that includes:
- The creation of a new agency within the U.S. Department of Justice to oversee how the country’s intelligence agencies handle the data of European citizens;
- A White House executive order to give investigative powers to said agency;
- The ability for the EU institutions to challenge that data collection through U.S. federal courts.
Brussels Tech lobbies DIGITALEUROPE and Computer & Communication Industry Association (CCIA) both welcomed the agreement. In the past, they stressed that the growth of the data economy and the success of European companies is dependent on the ability to transfer data.
Furthermore, the American Chamber of Commerce to the EU (AmCham EU) emphasised that the 2020 invalidation of the EU-US Privacy Shield caused uncertainty for over 5,000 companies that rely on the Privacy Shield to transfer personal data between US and the EU. This is corroborated by a study on data flows carried out by Frontier Economics, which shows that additional restrictions on cross-border data flows could lead to a loss of 2 million jobs and around €2 trillion worth of growth by the end of 2030. Results also show that in a scenario following the current trend towards a moderate increase in restrictiveness, European companies of all sizes and sectors could be affected – especially as the US is the EU’s largest data partner. In particular, the EU manufacturing sector stands to lose the most in absolute value. Sectors such as media and culture could also be some of the most impacted in relative terms, losing about 10% of their exports. Finally, as SMEs account for almost a quarter of all goods exported from the EU, they would be heavily impacted.
As it stands, details are yet to be discussed by negotiators between the U.S. Department of Commerce and the European Commission. The process still involves legal changes on the U.S. side and the ratification by the EU’s various bodies. The formal adoption process is expected to take about 6 months. The European Commission will publish a draft implementation act and seek the non-binding opinion of the EDPB/EDPS and the European Parliament. The Council also has to agree on the final text. In the US, the government should release the Executive Order that gives effect to the surveillance reforms agreed to.
Artificial Intelligence Act
The past month saw some relevant developments concerning AI policy in the European Parliament. This includes the publication of the final opinion of the European Parliament’s special committee for Artificial Intelligence in the Digital Age (AIDA), as well as the ongoing negotiations and recommendations by several Parliament committees on the Artificial Intelligence Act (AI Act).
Artificial Intelligence in the Digital Age (AIDA)
AIDA approved its opinion on the future of AI in Europe on 22 March, focusing on opportunities raised by AI for the European economy and delineating a European ambition to be a global democratic trendsetter in the field of AI. AI should not be regulated as a whole, the report argues. Specific applications should be evaluated in proportionality with their risks and benefits. Lastly, the report calls for constant evaluation and monitoring of the mass gathering of personal user data to prevent abuse.
Other EP committees’ negotiations
The AI Act itself is still being debated by the lead Parliament committees, Internal Market and Consumer Protection (IMCO) and Civil Liberties (LIBE), which have to produce a joint report. Other committees that were requested to form an opinion on the proposal have already announced draft amendments and opinions. Topics of contention in multiple committees include regulation on data gathering; and analysis by AI systems as well as certain data applications through AI such as social scoring and biometric identification. Additionally, within the responsible joint IMCO-LIBE meetings, there is still no agreement on definitions, streamlining with GDPR and facial recognition.
The deadline for amendments in the joint IMCO-LIBE meeting is 18 May. The plenary session is expected to discuss the AI Act in November.
Data Governance Act
On 6 April, members of the European Parliament endorsed the interinstitutional deal between the Parliament, Commission and Council clinched in December on the European Data Governance Act (DGA) with 501 votes to 12, with 40 abstentions. The Regulation must now be formally adopted by the EU Council before it is published in the Official Journal and enters into force. EU diplomats are set to take a look the Parliament’s position in Coreper on May 11.
This initiative, regulating intermediaries of data sharing, aims to set up a mechanism to enhance the reuse of certain categories of public sector data subject to the rights of others. It aims to increase trust in data intermediation services by creating a new framework for companies to share their data without fear of it being misused or of losing their competitive advantage, and for consumers to retain full control over their data. Moreover, the DGA also aims to foster “data altruism” – which refers to people voluntarily donating their data for the public good, e.g. by voluntarily providing information about adverse reactions to vaccinations.
A European Data Innovation Board is to come to life to facilitate cooperation and interoperability. When it comes to international access to and transfer of non-personal data, the agreement paves the way to the creation of safeguards for public-sector data, data intermediation services and data altruism organisations against unlawful international transfer of or governmental access to non-personal data.
The DGA lays the foundations for future European data spaces and some of its provisions, including on the transfer of information, are included in the draft Data Act. When it comes to the latter, Renew and the Left respectively appointed MEP Alin Mituța (Romania) and Elena Kountoura (Greece) as their Shadow Rapporteurs to lead the work in the Committee on Industry, Research and Energy (ITRE).
French presidential elections
On 10 April, France held the first round of its presidential elections, qualifying for the second round sitting President Emmanuel Macron (La République en Marche !) and far-right candidate Marine Le Pen (Rassemblement National), respectively with 27.84 % and 23.15 % of the ballots. Despite apparent ideological differences, both candidates share the same overarching objective to strengthen France’s “digital sovereignty”. Yet, their programmes harbour different means to achieve it.
The quinquennium of Emmanuel Macron (2017-2022) has been characterised by efforts to persevere France’s digital sovereignty through regulation, securing industries and infrastructures, and supporting strategic sectors. The French government has highlighted the importance of “digital commons” (i.e. free software and data openness) as a vector of digital sovereignty – by offering an alternative to large platforms. In case of re-election, the government intends to follow up on a February 2022 initiative on these “digital commons” to “ensure the European Union’s role as a power for openness and back such efforts from a technological and financial perspective”.
In addition, to ensure data security, the government has also created a new label: the so-called “cloud confidence” which allows the creation of European cloud companies using foreign technologies under licence – a modality that offers a guarantee of the legal protection of data against extraterritorial laws. This label has sparked controversy within French political class as a missed opportunity to support French and European cloud players to perpetuate the stranglehold of non-European players in the sector.
For her part, Marine Le Pen has taken an even stronger stance on “digital sovereignty”, which is not limited to data protection, but also includes an industrial component. She considers the domination of digital technology by large foreign companies as a threat to France’s digital sovereignty and sees the “cloud of confidence” as insufficient as it risks perpetuating the status quo. In her programme, she proposes to store “sensitive data” on national territory and to prevent them from being transferred abroad. For the Rassemblement National (RN), digital issues must be dealt with at the European level, according to Member of the European Parliament Jean-Lin Lacapelle (RN, ID), digital referent of the Marine Le Pen campaign. However, the far-right candidate predicted in an interview that the European framework should be reviewed in terms of “control of concentrations according to the nationality of the actors or the framework of State aid”.
The second round of French presidential elections will take place on 24 April. The outcome of the vote will likely have a substantial impact on digital files’ policy push at the European level, especially as France is holding the Presidency of the Council of the EU until 30 June.
Public consultation on the European Cyber Resilience Act
On 16 March, the European Commission launched its public consultation on the European Cyber Resilience Act. In light of the surge of connected objects and the increased use of industrial data, the proposed act aims at setting common cybersecurity standards for connected devices and will complement the upcoming NIS 2 Directive. In a blog post, Commissioner Breton specified he hoped to increase Europe’s cyber defence capabilities by increasing collective resilience; improving response time; creating a joint cyber unit and developing a dissuasive European cyber defence doctrine. The public consultation will be open until 25 May 2022, feeding into a proposal for regulation to be published in Q3 2022.
Data economy and look at the year ahead
As non-rival goods – meaning that are consumed by people, but whose supply is not affected by people’s consumption – the volume of data is constantly growing. The generation of data is expected to reach up to 175 zettabytes in 2025, from 33 zettabytes in 2018. With these new rules, the European Commission will make more data available for reuse and are expected to create €270 billion of additional GDP by 2028 – as today 80% of industrial data is never used.
As part of its “Europe Fit for Digital Age” plan, the European Commission has laid down several targeted strategies with a wide impact on multiple sectors, including the European Strategy for Data. The latter is composed of two main legislative initiatives. First, the Data Governance Act, finalized in November 2021, creates the processes and structures to facilitate data sharing by companies, individuals and the public sector. Second, the European Data Act proposal for a Regulation published on 23 February, sets the framework to further guarantee an enhanced working market of data by building stronger enforcement for users that their data is managed responsibly, both with regards to access by governments, larger companies and other third parties.
Along with other digital initiatives in the data economy, the Data Act will have a cross-cutting impact on several business sectors. That is why Dr2 Consultants will carefully monitor the following proposals which are expected to be published in the coming months:
The Data Act has now been sent to the European Parliament and the Council of Ministers for examination. If not already done, this is the right time for businesses to assess internally with experts and the legal department how the Data Act affects your organization. Dr2 Consultants can also guide you through this process.
In the European Parliament, several committees are competing over which one gets the file. It is highly likely that the same committees which handled the Data Governance Act will be leading on this file: Industry, Research and Energy (ITRE) as lead, and Civil Liberties (LIBE), Legal Affairs (JURI) and Internal Market and Consumer Protection (IMCO) committees giving their respective opinions. The Council, for its part, has kick-started the internal discussions with a first meeting on 3rd March and draft conclusions of an informal summit in Versailles this week show that the member states express the wish to swiftly adopt legislative acts on data (next to the Digital Services Act, the Digital Markets Act, Artificial Intelligence and Cloud).
The Data Act is not expected to be finalized before the end of the year and negotiations are even likely to continue well into 2023.
How does the Data Act affect you?
In concrete terms, the Data Act will significantly modify the rights and responsibilities of businesses and service providers:
- Service providers should be aware that users should receive easier access to and greater control over their data.
- Government access will only be limited to circumstances that will be deemed necessary, and access by non-EU governments will be all but prohibited unless a bilateral agreement is in place between the EU or a member state and that specific third country.
- Organizations will have to carefully assess and consider their third party before sharing any data. Gatekeepers (companies with strong market position) will no longer be allowed to access or request data that belongs to other smaller companies, neither will these companies be allowed to offer them information or data.
In summation, this proposal is going to have a significant impact on European businesses and SMEs which make use of data in their day-to-day activities: any digital service that keeps data records will have to take steps to comply, and additionally any entity or person that uses such services should be made aware of their rights and the responsibilities that providers have.
This proposal will apply to device manufacturers, providers of digital services and connected products – such as connected vehicles or ‘the Internet of Things’.
Deep dive into the Data Act
Manufacturers and designers have the obligation to design the products in a way that makes the data generated easily accessible by default (Chapter II). Data holders would have to make available data to third parties, such as providers of aftermarket services, upon the request of the user. However, gatekeepers are not eligible third parties and, therefore, they could not encourage users to make data available to one of their services.
Unfair advantages caused by imbalances in negotiating power between contractual parties are to be removed (Chapter IV). Concrete arrangements pertaining to data-sharing agreements would introduce an instrument of an unfairness test. It would provide definitions of unfair elements in data sharing agreements. This test aims to protect the weaker party and guarantee better value creation as well as market practices.
Public sector bodies and EU institutions are entitled to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in case of a public emergency (Chapter V). The requests for data would need to be proportionate, clearly indicate the purpose, and respect the interests of the enterprise making the data available. This should ensure that the right to request data is not abused and that the public body is accountable for its use.
Customers can effectively switch between different cloud data-processing service providers and safeguards against unlawful data transfer are put in place (Chapter VI). Providers of data processing services would need to remove commercial, technical, contractual and organizational obstacles that may inhibit customers to terminating the contractual agreement of the service, concluding new contract agreements with a different provider, porting its data to another provider, and maintaining a minimum level of functionality if using a different provider.
Creation of barriers and protection of data of European citizens and companies against access by third non-EU governments (Chapter VII). The data shall only be shared under circumstances when a specific agreement is in place and clear legal protection of the data holder is guaranteed. The European Union and the United States intend to negotiate such a bilateral agreement.
Interoperability and functional equivalence between platforms and data service providers (Chapter VIII). Technical requirements would be introduced for users and providers to enable easy and secure switch between services and transact data across platforms. The Commission will further develop specific guidelines and European Standardization organizations are mentioned as partners.
Click here for a more detailed analysis as well as a word-for-word comparison between the leak and final text of the Data Act.
Stakeholder reactions to the Data Act
From the EPP political group, ITRE member Christian Ehler (Germany) laudes the Data Act as a game changer that will stimulate competitiveness and innovation. While fellow MEP Axel Voss (EPP, Germany) welcomes the European harmonization, he does not think it will correct what he perceives as mistakes made by the GDPR.
MEP Damian Boeselager (Germany), who will reportedly lead on the file for the Greens/EFA in the ITRE committee, explains the need for a legal framework for data, data sharing, monitoring and exposes what he calls the invisible power of data.
Renew MEP Stéphanie Yon-Courtin (France) highlights important progress in data security and innovation. She also welcomes increased interoperability between cloud services and improved market competition.
European industry stakeholders
The European Consumer Organisation (BEUC) calls it an essential proposal for consumers. Consumers need to stay in control of how the data they help generate is shared. On the other hand, some of this data sharing can be beneficial to consumers and the service delivered. Interoperability and accessibility to third service providers is a good step.
However, many trade associations raise concerns about potential issues concerning the provisions impeding third-party service providers to grant any direct right to access the data generated by their products. For instance, automotive representatives – such as the European Association of Automotive Suppliers (CLEPA) – stressed it would “reduce the possibility for automotive part manufacturers to utilise data on component behaviour for the purposes of development and engineering”.
Brussels tech lobby Computer and Communications Industry Association (CCIA) warned that “incentives rather than obligations” would encourage companies to share data. They also outline potential economic downsides from “safeguards” to prevent data processing services from fulfilling access requests from third countries not in line with EU law. Such “restrictions” might cost 0.6 percent of EU GDP, according to a study commissioned by CCIA. These reactions spanning from totally different industry sectors confirm the far-reaching scope of the Data Act. Similar concerns can be found with Global tech trade association ITI. They ask for incentives rather than mandates and want strong safeguards for intellectual property and trade secrets.
War in Ukraine
Data becomes the sinews of war. Following Russian President Vladimir Putin’s military invasion of Ukraine on 24 February, the international community has imposed stringent sanctions on Russia’s economy. This move has preceded international companies, the likes of service providers Netflix and Facebook, who have announced that they would immediately put the brakes on their services in Russia – targeting Russia’s data economy.
In addition, the direct impact of the conflict also lies with cybersecurity and data protection. The international community fears that Russia might retaliate to the sanctions by targeting European data and networks. It appears that Russian, Belarussian, and Chinese hackers have launched cyber-attacks on Ukraine. The Russian hacker group Fancy Bear, as well as the Belarussian group Ghostwriter, and the Chinese Mustang Panda are allegedly sending phishing emails to Ukrainian media, militaries, and the European Institutions.
On 3 March, the ITRE committee discussed strengthened European efforts in the realm of cybersecurity in the face of potential threats to EU infrastructures. After trilogues between the Council, the Commission and the Parliament, increased efforts and more capabilities for Computer Security Incident Response Teams (CSIRTs) were highlighted within the committee.
Learn more about our EU Data Policy services
Dr2 Consultants offers tailor-made solutions to navigate the evolving policy environment at EU level and anticipate the impact of the EU data-related legislation on your organization. Visit this webpage to learn more about our EU Data Policy services.
For more information on Dr2 Consultants’ full range of services, don’t hesitate to contact us.