Previous EU Data Policy Updates
Deep dive: Interoperable Europe Act
On 18 November, the European Commission published the proposal for the Interoperable Europe Act, aimed at strengthening and securing cross-border interoperability and cooperation in the public sectors across the EU.
The EU’s digital ambition for 2030 and the remaining gaps in the actual uptake and implementation of interoperability have showed the necessity of creating a reinforced and more strategic interoperability policy with strengthened cooperation between the Member States and the EU Institutions on public sector interoperability.
The Interoperable Europe Act aims to solve these challenges by creating the setup and tools for interoperability within public administrations on a Union-wide scale and removing the unnecessary legal, organisational, semantical and technical obstacles. This way, in analogy with trans-European Transport and Energy Networks, a “network of networks” of sovereign, interconnected public administrations (at all levels of government) across the EU will emerge.
The estimated annual cost-savings credited to cross-border interoperability range between €5.5 and €6.3 million for citizens and between €5.7 and €19.2 billion for businesses. Furthermore, the benefits of improved public sector interoperability to citizens, businesses and public administrations goes beyond cross-border aspects, according to a report by the Joint Research Centre of the European Parliament. For example, individuals could save up to 24 million hours, and businesses could save up to 30 billion hours a year.
Details of the Act
This proposal updates the current European Interoperability Framework (EIF) and assesses the support it gives to governments to set up interoperable digital public services. To accomplish this, the Act proposes to introduce a structured and co-owned EU cooperation framework for public administrations with the following pillars:
- Interoperable Europe Board co-owned by the Member States and the EU and supported by public and private actors – for the development of a common strategic agenda for cross-border interoperability, the support in operational implementing interoperability solutions, and progress monitoring;
- Mandatory interoperability assessments to evaluate the impact of changes in IT systems related to cross-border interoperability in the EU;
- ‘Interoperable Europe Portal’ as a community platform and one-stop-shop for shared and reusable interoperability solutions;
- Innovation and support measures, including regulatory sandboxes and GovTech cooperation, to promote policy experimentation, developing skills, and the scaling up of interoperability solutions for reuse.
The future interoperability cooperation framework will be steered by the Interoperable Europe Board. The Board will be composed of representatives from the EU Member States, the Commission, the Committee of the Regions and the European Economic and Social Committee.
The deadline for feedback on the adoption of the proposal by the Commission is 16 January 2023.
Data Act update
Mid-November, several Parliamentary Committees working on the Data Act published their amendments, including the responsible Parliamentary Committee on Industry, Research and Energy (ITRE), and the advisory Committees on the Internal Market and Consumer Protection (IMCO) and Legal Affairs (JURI). The ITRE Committee published over 1000 amendments (AMs 95 – 294, 295 – 569, 570 – 843 and 844 – 1164), while the IMCO (AMs 87 – 286, 287 – 486 and 487 – 680) and JURI Committee (AMs 115 – 473) released close to 1100 amendments between them.
Initially, the Data Act regulated access and sharing conditions for the data generated by any connected device, except for products specifically designed to display or play content, such as smart TVs and smartphones. For MEP and ITRE shadow rapporteur Alin Mituța (RE, Romania), these products are still to be included, but only insofar as they function as an Internet of Things (IoT) device, for instance, when they calculate distance or speed, which in his view, could contribute to improving the performance of connected products.
While liberal and conservative MEPs backed the distinction between raw data – data as it is collected and prepared data-, MEP and ITRE shadow rapporteur Damian Boeselager (Greens/EFA, Germany) pushed for a different terminology. Boeselager’s new preferred term is ‘transmitted’ data, arguing that responsible ITRE rapporteur Pilar del Castillo’s (EPP, Spain) approach would prove too burdensome as it would have to be defined for each product category.
For Boeselager, the definition of data holder should also be extended to all parties with a contractual right to use the data, meaning that there could be more than one data holder for the same product. Similarly, Mituța pointed to a need to clarify the relationship between the data holder and the product manufacturer, two roles the Commission merged but that the MEP wants to distinguish, notably by having different contractual arrangements with the users.
Mituța emphasized the need to put users in the condition of monetizing their non-personal data and tasked the Commission with developing guidelines on how a reasonable price shall be calculated and what would be the circumstances for market distortion. Boeselager is another vocal proponent of data monetization. He considers that the right to monetize industrial data for users and data holders, combined with the data intermediaries established under the Data Governance Act, will foster the development of liquid data markets in Europe.
The Commission’s proposal excluded tech companies designated as gatekeepers under the Digital Markets Act from benefiting from the data-sharing provisions of the data law. Mituța suggested extending that ban to all players with a dominant position in the data market.
MEP Angelika Niebler (EPP, Germany), who was the ITRE rapporteur for the Data Governance Act, supported del Castillo’s amendments to clarify the relationship between data holder, users and a third party but went further in terms of trade secrets protection by requesting safeguards to be agreed upon in the contract and taken before the data-sharing takes place. MEP and ITRE shadow rapporteur Miapetra Kumpula-Natri (S&D, Finland), in turn, aimed to clarify the legal obligations and proposed technical solutions for effective data-sharing, namely in the form of Software Development Kits or Application Programming Interfaces.
Kumpula-Natri and Boeselager pitched a more substantial alignment with the Data Governance Act and an enhanced role for the European Data Innovation Board, which would be tasked with developing interoperability specifications to ensure data can be moved freely without technical restrictions.
On 13 December, the third Presidency compromise text has been presented during the Working Party on Telecommunications and Information Society.
Cyber Resilience Act update
On 18 November, the Czech presidency of the Council of the EU circulated the first compromise text on the Cyber Resilience Act, making major changes to the proposal’s scope and free movement clause. On 6 December, the Telecommunications Council discussed the progress report. It revealed that an essential part of the discussions in the Council focused on the extent to which Software-as-a-Service (SaaS) is covered in the regulation. The compromise text was discussed at the Horizontal Working Party on Cyber Issues on 23 November, as well as at the meeting of the Committee of Permanent Representatives (COREPER I) of the Council of the EU on the same day. Following this preliminary discussion, EU Member States were requested to provide written comments.
Even before the draft was out, Denmark, Germany and the Netherlands issued a non-paper calling for an extension of the scope to SaaS. In this regard, the Czechs proposed including a paragraph to define software as a computer code comprising a sequence or set of instructions described in a programming language, including machine or binary code, to be executed by another software or by hardware, to process, store or transmit digital data.
A new text from the Czech presidency, dated 2 December, updated the previous compromise text by placing SaaS firmly outside the regulation’s scope. In particular, the draft law has been rephrased to only apply to remote data processing solutions based on software or hardware that support the functioning of a connected device. The push for keeping SaaS outside the new cybersecurity rules is consistent with what Internal Market Commissioner Thierry Breton said at the Telecommunications Council meeting on 6 December. During the meeting, Breton stressed that SaaS is already covered by the NIS2 Directive, adding that incorporating these services under the Cyber Resilience Act would be a legal challenge because of the legal basis on which the proposal was based.
A call for feedback on the proposed legislation is open until 3 February. In the meantime, the European Parliament’s Industry, Research and Energy Committee (ITRE) has been appointed as the responsible committee, under the lead of MEP Nicola Danti (RE, Italy) as Rapporteur for Renew Europe. Shadow Rapporteurs will be Henna Virkkunen (EPP, Finland), Ignazio Corrao (Greens/EFA, Italy) and Evžen Tošenovský (ECR, Czechia). Eva Kaili (S&D, Greece) was also appointed as shadow rapporteur, but as she’s being investigated because of her involvement in the current parliamentary corruption scandal, it’s unlikely she will be able to execute this role. The Internal Market and Consumer Protection (IMCO) and Civil Liberties, Justice and Home Affairs (LIBE) Committees will produce an opinion but haven’t appointed their rapporteurs yet.
AI Act update
On 18 November, Dragoș Tudorache (RE, Romania) and Brando Benifei (S&D, Italy), the co-rapporteurs from the responsible Committees on Civil Liberties, Justice and Home Affairs (LIBE) and on the Internal Market and Consumer Protection (IMCO) of the European Parliament, shared a new compromise text in relation to the enforcement of the Artificial Intelligence Act (AI Act). The compromise text authorizes the national supervisory authorities to conduct unannounced on-site and remote inspections of high-risk AI, acquire samples related to high-risk systems to reverse-engineer them, and acquire evidence to identify non-compliance. For post-market monitoring, the AI providers of algorithms that pose a significant risk to cause harm will have to consider continuous analysis of the AI environment, including other devices, software, and other AI systems that interact with the AI system taking into account the limits resulting from data protection, copyright and competition law.
On 6 December, the Council of the EU adopted its common position (‘general approach’) on the AI Act. To ensure that the definition of an AI system provides sufficiently clear criteria for distinguishing AI from simpler software systems, the Council’s text narrows down the definition to systems developed through machine learning approaches and logic as well as knowledge-based approaches. Regarding the classification of AI systems as high-risk, the text adds a horizontal layer on top of the high-risk classification, to ensure that AI systems that are not likely to cause serious fundamental rights violations or other significant risks are not captured.
The adoption of the general approach will allow the Council to enter negotiations with the European Parliament -the so-called trilogues- once the latter adopts its own position with a view to reaching an agreement on the proposed regulation.
European Health Data Space update
The European Parliament and the Council of the EU are currently in the process of preparing their amendments to the Commission’s proposal on the European Health Data Space (EHDS) presented in May, before entering into interinstitutional talks to approve the new rules. The Czech Presidency is expected to reach a common position just on the first two chapters of the file, in which ministers will propose scrapping the European Commission’s provisions on cross-border telemedicine.
The question of cross-border telemedicine is tricky as it challenges Article 168 of the Treaty of the EU (TFEU), which states that individual Member States are responsible for their health policy and management of health services. Individual Member States have wildly different legal frameworks in regard to telemedicine and reimbursement schemes for it. Thus, turning this into cross-border practice with the EU would require the EU capitals to take big steps such as harmonizing their legal frameworks. However, they might be reluctant to.
Given the embeddedness of many elements in the EHDS a full negotiating mandate from the EU Council is unlikely before the Czech presidency ends on 31 December. As the compromise text only includes two chapters so far, the incoming Swedish presidency will take over the work from the Czechs.
A progress report on the topic was presented at the Health Council on 9 December. In Chapter II, in order to clarify the link with the GDPR, the Presidency proposed revising Article 3. The Presidency amended the provision allowing natural persons to insert data in their EHR systems and strengthened natural persons’ right to obtain information on any access to their personal electronic health data. In Chapter III, which focuses on electronic health record systems and wellness applications, the Presidency has made the requirement on the wellness applications labelling scheme mandatory if interoperability is claimed. Moreover, the Presidency proposed changing the delegated act to an implementing act to allow manufacturers to enter specific information into the EU database of EHR systems and wellness applications as an alternative to the information sheet. In general, the revised text was well received by delegations, who welcomed the amendments made by the Presidency.
Report on the development of biases in algorithms
On 8 December, the European Union Agency for Fundamental Rights (FRA) published a report on how biases develop in algorithms applied to predictive policing and content moderation models. This study comes as the proposal on the Artificial Intelligence Act (AI Act) makes its way through the legislative process, and concludes by calling on EU policymakers to ensure that these AI applications are tested for biases that could lead to discrimination.
The agency did a deep dive into the risk of discriminatory policing, which consists of influencing the distribution of police forces based on biased crime records that might lead to over-distribution or underserving certain areas, both of which could have severe impacts on fundamental rights. The AI Act includes specific requirements for high-risk systems that use feedback loops, but while that applies to predictive policing, place-based systems are not covered. Similarly, the EU’s Law Enforcement Directive mandates specific safeguards for automated decision-making related to individuals but not to geographical areas.
The second object of study is the risk of ethnic and gender bias automated tools to detect offensive speech. More advanced methodologies, using word correlations from other data sources, can mitigate this issue, but only to a limited extent. Moreover, these methodologies pose some challenges, as they rely heavily on general-purpose AI, which can also be biased. As a result, instead of removing biases altogether, they might increase them or introduce new ones.
The agency suggests that these algorithms should not be used without prior assessment of the bias they entail in putting people with sensitive characteristics at a disadvantage, concluding if the system is fit for purpose. These assessments should be conducted on a case-by-case basis and not limited to before the AI system is put into service but also during the system’s lifecycle. However, these assessments of potential discrimination require data on protected characteristics. This will require legal guidance on how such data collection is allowed and how they will interact with existing legislation like the EU’s Equal Treatment Directive.
OECD Digital Economy Conference and D9+ Group meeting
From 13 to 15 December, the fourth Ministerial Conference on the Digital Economy of the Organization for Economic Co-operation and Development (OECD) is taking place in Spain. More than 50 delegations from 50 countries and 40 OECD Senior Representatives including ministers, deputy ministers and secretaries of state, as well as a wide range of leading national and international companies and SMEs, participate in order to set the course for a more reliable, inclusive and sustainable digital future.
As the host of the Conference, Spain’s digital transformation has positioned the country as an international benchmark thanks to the strategic vision of the Digital Spain initiative, the sectoral plans and the investments and reforms of the Recovery Plan. Likewise, the approval of the Charter of Digital Rights and all the work that Spain has been doing since 2021 in this area have been decisive in hosting this multilateral meeting, the first in European territory after the previous events held in Canada (1998), South Korea (2008) and Mexico (2016).
On 15 December, the closing events of the Conference will take place, in which the results of the meetings will be presented, the Declaration of the ministerial meeting will be made public and will be accompanied by the conclusions of the ministerial meetings.
In addition, taking advantage of the unique framework of this industry meeting in Gran Canaria, two important forums have been organized. Firstly, the D9+ meeting, chaired by Spain and attended by the most digitized countries in Europe: Belgium, Spain, Estonia, Denmark, Finland, Ireland, Luxembourg, Netherlands, Poland, Portugal, Czech Republic and Sweden. Secondly, the B9+, a meeting point for entities in the business community – such as employers’ federations NVO-NCW, VBO/FEB and CEOE – of the D9+ Group.
In a recent report of the European Centre for International Political Economy (ECIPE) – a think tank dedicated to EU trade policy and other international economic policy issues –, it is argued that exactly the countries of the D9+ Group need to raise their profile in the development of EU digital policies. On 13 December 2022, the ECIPE organized a webinar to discuss their report on the future role and direction of the D9+ Group.
During the webinar, both researchers and public servants agreed that EU countries benefit from digital openness, and that a restrictive digital regulatory environment depresses economic activity. They continued with pointing out that the D9+ countries have a lot in common, such as having small- to medium-sized economies with few scale advantages, where specialization is paramount to economic success. This is because small- and medium-sized countries need access to markets to achieve specialization, and so are more open to digital trade. Small and medium-sized enterprises (SMEs) have an important place in the specialization of these digital economies. The speakers stressed that the voice of D9+ countries in Brussels is rarely heard, and that to remedy this the D9+ group could take a new and stronger role on digital policy within the EU.
Deep dive: Data Policy in Work Program 2023
On 18 October, the European Commission published its work program for 2023, which includes an overview of legislative and non-legislative initiatives for the coming year.
The Commission work program defines the actions on the agenda for the coming year in terms of publishing new initiatives, revising existing legislation and withdrawing existing proposals. Through the work program, titled “A Union standing firm and united,” the Commission aims to make the EU stronger in the world by 2023, on the one hand, and move forward when it comes to the digital and green transition, on the other.
Details of the Work Program
In the digital field, the Commission proposes to establish a common European mobility data space to boost the digitalization of the mobility sector and to encourage innovative solutions, as part of its mobility package. The Digital Europe Program is supporting the implementation of the mobility data space. A preparatory action will map existing initiatives and identify potential common building blocks. A deployment action will then help make available large amounts of data in machine-readable format, with a focus on urban mobility. Moreover, the Connecting Europe Facility (CEF) program is supporting a coordination mechanism to federate National Access Points. The non-legislative initiative is expected to be published in Q2 2023.
The Commission will also propose a package of measures to improve data access in financial services, by publishing an initiative for a framework on open finance. This initiative aims to enable data sharing and third-party access for a wide range of financial sectors and products, in line with data protection and consumer protection rules. It is based on the principle that financial services customers own and control the data they supply, and the data created on their behalf. Another initiative of the package is the revision of the payment services Directive, to support innovation whilst ensuring easier and safer use of online payment services and better protecting users against fraud and abuse. The Commission endeavors to publish both legislative proposals in Q2 2023.
In addition to publishing new initiatives, the Commission wants to push the Parliament and Council to finalize existing initiatives, such as the proposal for the Data Act, Artificial Intelligence Act and the Cyber Resilience Act. Furthermore, in order to improve the cooperation between national data protection authorities in enforcing the General Data Protection Regulation (GDPR), the Commission will propose to harmonize some national procedural aspects of their work.
Another existing initiative which will be prioritized in 2023, is the creation of a European Health Data Space, a key pillar of the European Health Union and recommended by the Conference on the Future of Europe. The EHDS is a health-specific data sharing framework establishing clear rules and practices, infrastructure and a governance framework for the use of electronic health data by patients, as well as for research, innovation, policy making and regulatory activities, while ensuring full compliance with the EU’s high data protection standards. The EHDS builds further on the GDPR, the proposed Data Governance Act, the draft Data Act and the Network and Information Security (NIS) Directive. It complements these initiatives and provides more tailor-made rules for the health sector.
The work program has 43 new initiatives, 10 more than in 2023. In view of the end of its mandate, the Commission intends to complete the already published as well as the new initiatives by May 2024.
Data Act update
On 26 October, the lead Committee on Industry, Research and Energy (ITRE) of the European Parliament held a debate on the draft report published by lead rapporteur Pilar del Castillo Vera (EPP, Spain). During the debate, MEP del Castillo Vera indicated that she is still working on delineating the concept of “data,” defining the concept of “data holder” and clarifying interoperability. Shadow rapporteur Miapetra Kumpula-Natri (S&D, Finland) welcomed the draft report and stated that the Data Act is going to create a level playing field between companies. She also stressed that companies do not have to reveal trade secrets and welcomed the work of the Legal Affairs Committee (JURI) who provide specific advice in this area. Shadow rapporteur Alin Mituta (RE, Romania) called for more safeguards on data management by public bodies.
On 3 November, the Czech Presidency circulated a new compromise text (Part I and II) on the Data Act, which amounts to a second full revision of the Act. Based on the new text, the notice period for the customer to request the termination of the contract was extended from the original 30 days to 2 months. Similarly, the customer was given ample discretion to extend the transition period to change service, also initially set at 30 days, to when the customer deems it more “appropriate.” The compromise text now also explicitly refers to common European data spaces, a framework for sharing or jointly processing data related to a specific sector like health or transport. Furthermore, the revised wording tasks the competent national authorities to promote voluntary data-sharing agreements between public and private actors. A new paragraph was added requesting that vendors using smart contracts to fulfil a data access agreement would have to perform a conformity assessment to the smart contract, conducted in the form of a self-assessment based on the EU’s market surveillance rules.
Most of the changes to the part of international data transfer were meant to align the wording with the similar provisions of the previous building block of the European data strategy, the recently adopted Data Governance Act. This section of the Data Act has not seen substantial changes since the beginning of the negotiations in the Council of the EU. It’s likely that this topic might become the object of political discussions at a later stage, given its potential impact on international cooperation.
Developments in the European strategy for data: Common European Data Spaces and associated projects
The common European data spaces are part of the 2020 European strategy for data, which aims at creating a single market for data that will ensure Europe’s global competitiveness and data sovereignty and also encompasses the Data Act. The common European data spaces, in turn, will ensure that more data becomes available for use in the economy and society, while keeping companies and individuals who generate the data in control. The Data Strategy and the White Paper on Artificial Intelligence were the first pillars of the new digital strategy. The European Health Data Space (EHDS) and the common Energy data space are officially part of the Common European data spaces, while the recently launched Data4Food 2030 is an EU project which reinforces the data economy in European food systems.
In a joint statement on 20 October, more than two dozen research and medical professional organizations, patient groups, and industry associations have petitioned all Member States and European decision-makers to strongly support the EHDS and to engage with the broad group of stakeholders to ensure the final Regulation optimizes its potential.
When it comes to stakeholders, the industry wants in, but not without promises that its own research and intellectual property will be protected. For their part, privacy organizations like the European Data Protection Board and concerned academics fear that the proposal may open the door to the abuse of health data or privacy infringements. Questions remain around contentious issues such as the use of pseudonymized data – the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information – and the fees applicable to accessing data for business consumers. More importantly, it is still unclear whether industry will be involved in the governance of the EHDS.
In September, a new EU project was launched, named Data4Food 2030. The project aims to improve the data economy for food systems by expanding its definition, mapping its development, reiterating the need for a robust monitoring system, and introducing business and governance models stemming from a dialogue with stakeholders. Data4Food2030 is equipped with 10 million euros of funding, to discover the value of data economy in European food systems. The project includes a network of 24 partners from 12 different countries across Europe, led by the Dutch Wageningen Research.
With the ongoing energy crisis, the need to rapidly integrate renewable sources in the EU’s energy mix is becoming more pressing. However, that requires developing a smart and decentralized energy system, according to the Commission. To this effect, the Commission wants to connect the dots on the digitalization of the energy sector with a new flagship initiative known as the common European energy data space. A couple of funding opportunities have opened up in order to establish this energy data space. First, the Horizon Europe 2021-2027 program can support initiatives to enhance interoperability, engage consumers in the new energy market and pilot energy data spaces. Subsequently, the Digital Europe program will be pivotal in kick-starting the deployment of the common European energy data space building on the results of the Horizon Europe-funded projects that demonstrate solutions for this data space.
Data protection visit EU-UK
From 2 to 4 November, a delegation of MEPs from the European Parliament’s Committee for Civil Liberties, Justice and Home Affairs (LIBE) visited the UK in the theme of data protection. Over the course of the visit, they met with Julia Lopez, Minister of State at the Department for Digital, Media, Culture and Sport (DCMS), Emily Keaney, Acting Deputy Commissioner at the Information Commissioner’s Office (ICO), Members of the Justice and Home Affairs Committee and European Affairs Committee of the House of Lords, MPs from the Conservatives and SNP, as well as representatives of NGOs and academia. The focus of the mission was UK adequacy under the EU’s General Data Protection Regulation (GDPR) and the Law Enforcement Data Protection Directive (LED). Among the issues discussed were the proposed Bill of Rights and the Retained EU Law Act. Annalisa Tardino (ID, Italy) acted as Head of Delegation, while Fulvio Martusciello (EPP, Italy) and Gwendoline Delbos-Corfield (Greens/EFA, France) were also included in the delegation.
Last year, the European Commission adopted two adequacy decisions, which allow for the free flow of personal data from the European Union to the United Kingdom without requiring additional appropriate safeguards to be put in place. A few months after obtaining the adequacy findings, the UK began legislative works on changing its data protection laws on which these decisions were based. The LIBE mission to the UK is directly related to last year’s EP resolution on the adequate protection of personal data by the United Kingdom and the issues raised in this document.
On 12 October, the European Data Protection Board’s chair Andrea Jelinek sent a letter containing a ‘wish list’ of procedural aspects to be harmonized at the EU level to the European Justice Commissioner Didier Reynders. The initiative is intended to speed up the enforcement of the GDPR, the EU’s privacy rulebook that entered into application in 2018. Every national authority is currently conducting its investigations following country-specific procedural rules. The letter of 12 October was anticipated in a statement the EDPB adopted in April, in which Jelinek marked attempts to reform the GDPR as premature. In her view, the GDPR is picking up speed. She also added that cross-border cooperation is becoming increasingly efficient also thanks to the work of the Board.
AI Act update
On 21 October and 19 October, the European Parliament’s co-rapporteurs for the Artificial Intelligence Act (AI Act), Dragoș Tudorache (RE, Romania) and Brando Benifei (S&D, Italy), and the Czech Presidency of the Council of the EU circulated respectively the eighth set of compromise amendments and the fourth compromise on the Artificial Intelligence Act (AI Act).
On 21 October, the co-rapporteurs of the responsible Committees on Civil Liberties, Justice and Home Affairs (LIBE) and on the Internal Market and Consumer Protection (IMCO), Dragoș Tudorache (RE, Romania) and Brando Benifei (S&D, Italy) respectively, suggest strengthening the review powers of the European Commission, to enable them to expand the list of risk systems and prohibited practices at a later stage. In terms of confidentiality, the leading MEPs proposed that the principles of purpose limitation and data minimization should apply to the information request made by competent authorities to the AI provider. Hence, the authorities should only ask for and retain data if necessary. The same principles apply when exchanging information between authorities.
Near the end of October, the United States circulated a on the EU AI Act, pushing for a narrower Artificial Intelligence definition, a broader exemption for general purpose AI and an individualized risk assessment in the AI Act. The document is a reaction to the progress made by the Czech Presidency of the Council of the EU on the AI regulation in September. According to US officials, the European Commission has increasingly shut down the door to non-EU countries on standard development, whilst the US is pushing for more bilateral cooperation.
On 3 November, the Czech presidency shared the of the AI Act with the other EU countries. The latest text introduces only minor changes to the version of 19 October. The final text confirms the Czech presidency’s solution to apply the AI rulebook to general purpose AI. New wording has been added in the case that the relevant national authority rejects the request to put into use a high-risk system that has not passed the conformity assessment procedure. The law enforcement agency in question is subsequently obliged to discard all the results and outputs resulting from that system. The regulation’s preamble has been changed to clarify that the system determining the legitimacy of the entitlement to public assistance benefits and services from the public sector is to be considered at high-risk – recalling the . Furthermore, the new text specifies that individuals belonging to a vulnerable group in terms of age or disability should be considered when complying with transparency obligations for deep fakes to avoid discrimination.
The AI Act is scheduled to receive the approval of the Committee of Permanent Representatives (COREPER I) on 18 November and the final adoption by EU ministers at the Telecom Council meeting on 6 December.
On 26 October, the Industry, Research and Energy (ITRE) Committee appointed its rapporteurs on the Cyber Resilience Act (CRA), of which it is the responsible Committee. Danti Nicola (RE, Italy) was appointed as lead rapporteur, while Henna Virkkunen (EPP, Finland), Eva Kaili (S&D, Greece) and Evžen Tošenovský (ECR, Czechia) were appointed as shadows. The Committees for opinion, Internal Market and Consumer Protection (IMCO) and Civil Liberties, Justice and Home Affairs (LIBE), are expected to appoint their rapporteurs in the coming months.
A public consultation on the adoption of the CRA by the Commission opened on 19 September, and the current deadline stands on 3 January 2023. The eight-week feedback period is being extended every day until this proposal is available in all EU languages. Meanwhile, the European Economic & Social Committee (EESC) is scheduled to publish its opinion on the CRA on 10 November.
On 18 October, during a plenary debate with Vice President and European Commissioner for Migration and Promoting the European Way of Life, Margaritis Schinas, MEPs called for greater EU ambition in cybersecurity and critical infrastructure protection. The MEPs argued that the recent Nord Stream gas leak incident revealed the vulnerability of the EU’s infrastructure. They also highlighted the danger of cyber-attacks, pointing to cases that affected public service organizations in Belgium and the healthcare system in Ireland. According to them, the EU needs more ambitious legislation to secure critical infrastructure beyond the proposals already discussed. These include the already published proposals for the Directive on the resilience of critical entities and the NIS2 Directive.
According to Schinas, the new legislation gives Europe an unprecedented “shield” against threats, but he also acknowledged that more needs to be done to increase resilience, especially against state-sponsored threats. The proposal for the NIS2 Directive aims to modernize the existing legal framework (NIS Directive) taking into account the increased digitization of the internal market in recent years and an evolving cybersecurity threat landscape.
The key element of the proposal is the expanded scope, which now covers public electronic communications providers, wastewater and waste management, food, space, postal and courier services, public administration, manufacturing of critical products and digital services.
Deep dive: AI Liability Directive
On 28 September 2022, the European Commission published a proposal for an Artificial Intelligence Liability Directive (AILD). The objective of the Commission is to adapt existing liability rules to the digital age, circular economy and the impact of global value chains. It does this by proposing to modernize the existing rules on the strict liability of manufacturers for defective products. This ranges from smart technology to pharmaceuticals. Furthermore, the Commission proposes a targeted harmonization of national liability rules for AI, making it easier for victims of AI-related damage to get compensation.
This proposal is part of a package of measures to support the roll-out of AI in Europe by fostering excellence and trust. It comprises three complementary work streams:
- A legislative proposal laying down horizontal rules on artificial intelligence systems, namely the Artificial Intelligence (AI) Act.
- A revision of sectoral and horizontal product safety rules.
- The establishment of EU rules to address liability issues related to AI systems.
The proposal will achieve synergies and is complementary with the , which also aims to increase trust in products with digital elements by introducing minimum requirements for cybersecurity. Furthermore, it does not affect the rules set by the , which provide for a comprehensive and fully harmonized framework for due diligence obligations for algorithmic decision-making by online platforms, including its exemption of liability for providers of intermediary services.
In addition, by promoting the roll-out of AI, this proposal is linked to the global standard-setting initiatives under the EU strategy for data. The proposal also has indirect links with the European Green Deal, in that new technology such as AI can be deployed for a wide range of applications to promote the goals of the legislative package. In particular, digital technologies, including AI, are a critical enabler for attaining the sustainability goals of the Green Deal in many different sectors, such as healthcare, transport and environment.
Details of the proposal
The proposal for a Directive aims to ensure fair and predictable rules for businesses and consumers alike by changing the rulebook on several differing aspects. The AILD:
- modernizes the liability rules for circular economy business models, by ensuring that these rules are clear and fair for companies that substantially modify products;
- modernizes liability rules for products in the digital age. It allows for compensation for damage when products like robots, drones or smart-home systems are made unsafe by software updates, AI or other digital services that are needed to operate the product. Additionally, it encompasses the compensation for damage when manufacturers fail to address cybersecurity vulnerabilities;
- aims to create a more level playing field between EU and non-EU manufacturers. When consumers are injured by unsafe products imported from outside the EU, they will be able to turn to the importer or the manufacturer’s EU representative for compensation;
- puts consumers of products on a more equal footing with the manufacturers of those products. This is achieved by requiring manufacturers to disclose evidence, introduce more flexibility to the time restrictions to introduce claims, and by alleviating the burden of proof for victims in complex cases. Examples of such cases are those involving pharmaceuticals or AI;
- sets in place a monitoring program to provide the Commission with information on incidents involving AI systems. The targeted review will assess whether additional measures would be needed, such as introducing a strict liability regime and/or mandatory insurance.
Following a public consultation on the White Paper on AI and the Commission report on safety and liability, an online public consultation was open from 18 October 2021 to 10 January 2022 to gather views from a wide variety of stakeholders. This included consumers, civil society organizations, industry associations, businesses (including SMEs) and public authorities. In total, 233 responses were received from respondents from 21 Member States, as well as from third countries. Overall, the majority of stakeholders confirmed the problems with burden of proof, legal uncertainty and fragmentation and supported action at EU level.
EU citizens, consumer organizations and academic institutions overwhelmingly confirmed the need for EU action to ease victims’ problems with the burden of proof. Businesses, while recognizing the negative effects of the uncertainty around the application of liability rules, were more cautious and asked for targeted measures to avoid limiting innovation.
Furthermore, EU citizens, consumer organizations and academic institutions strongly supported measures on the burden of proof and harmonizing no-fault liability (referred to as ‘strict liability’) coupled with mandatory insurance. Businesses were more divided on the policy options, with differences depending in part on their size. Strict liability was considered disproportionate by the majority of business respondents. Harmonization of the easing of the burden of proof gained more support, particularly among SMEs. However, businesses cautioned against a complete shift of the burden of proof.
The work program has 43 new initiatives, 10 more than in 2023. In view of the end of its mandate, the Commission intends to complete the already published as well as the new initiatives by May 2024.
Germany in favor of political discussion on EU’s Cloud Certification Scheme
On 19 September, Germany published a letter addressed to the European Commission asking for a political discussion on the sovereignty requirements that the Commission has been pushing to include in the European Cybersecurity Cloud Certification Scheme (EUCS). This scheme is a horizontal and technological mechanism that intends to provide cybersecurity assurance throughout the cloud supply chain and form a sound basis for sectoral schemes. Additionally, the EUCS is an implementing act under the Cybersecurity Act and is meant to establish the EU’s wide certification with several levels of assurance.
Although the cybersecurity cloud certification scheme is voluntary, the high assurance level of the EU’s wide certification is expected to become mandatory for the essential services listed under the Network and Information Security 2 (NIS2) Directive. Precisely on this high level of assurance, the Commission asked the European Union Agency for Cybersecurity (ENISA), the body responsible for drafting the scheme, to add sovereignty requirements to the scheme to ensure immunity from foreign jurisdictions. According to a draft version, published in June, the scheme included immunity from non-EU access by demanding that the cloud service providers are not only headquartered in Europe but also not controlled by any non-EU entities.
The approach prompted strong criticism by a growing number of EU countries. Earlier in the year, Denmark, Estonia, Greece, Ireland, Netherlands, Poland and Sweden circulated a raising ‘strong concerns’ about these requirements. The reasoning is that the Commission’s approach, which is modelled after the French SecNumCloud scheme, would restrict competition from non-European companies, mostly US hyperscalers, even if they can provide the same or even higher cybersecurity level.
Conversely, leading European cloud service providers, as well as France, Italy and Spain, have pushed in favor of the sovereignty requirements, arguing that data infrastructure is a critical dimension of technological sovereignty and that the measures would help rebalance the cloud market.
European Economic and Social Committee opinion on the European Health Data Space Regulation
On 22 September 2022, the European Economic and Social Committee (EESC) published an opinion on the Commission’s proposal for regulation on the European Health Data Space (EHDS). The proposal, published on 3 May 2022, is one of the central building blocks of a strong European Health Union. The EHDS is a health-specific data sharing framework establishing clear rules and practices, infrastructure and a governance framework for the use of electronic health data by patients, as well as for research, innovation, policy making and regulatory activities, while ensuring full compliance with the EU’s high data protection standards. The EHDS builds further on the General Data Protection Regulation (GDPR), the proposed Data Governance Act, the draft Data Act and the Network and Information Security (NIS) Directive. It complements these initiatives and provides more tailor-made rules for the health sector.
From a protective standpoint, the EESC opinion points out that a coordinated strategy to combat “cyber piracy” and to increase levels of cybersecurity is paramount. Without this kind of investment, the proposal is useless. The EESC further draws attention to the benefits of combining investment in infrastructure that allows digitalization and progress for all regions.
The EESC supports the idea that more than €480 million from the Digital Europe Program, the Connecting Europe Facility and Horizon Europe can be used by the Member States and bodies involved in the European Health Data Space, along with other sectors. The Digital Europe Program will also support the deployment of the infrastructure needed to make health data securely accessible across EU borders and to develop common data spaces. The EESC states that these investments will take time and that citizens’ expectations must be balanced within the timeline of these investments.
The legislative procedure is in its early stages and awaits a committee decision by the European Parliament. The Civil Liberties, Justice and Home Affairs (LIBE) Committee, the responsible committee for this Regulation, has not yet appointed a rapporteur. Additionally, the Environment, Public Health and Food Safety (ENVI) Committee still has to appoint a rapporteur in order to publish a draft opinion, while the Internal Market and Consumer Protection (IMCO) and Industry, Research and Energy (ITRE) Committees have appointed one rapporteur each in recent months, respectively Andrey Kovatchev (EPP, Bulgaria) and Cristian-Silviu Bușoi (EPP, Romania). The Budgets Committee decided not to give an opinion.
AI Act update
On 23 September, the Czech Presidency of the Council of the EU circulated a new compromise text on the Artificial Intelligence (AI) Act focusing on the European Commission’s responsibilities in terms of evaluating how to best adapt the obligation created by the AI Act towards general purpose AI.
The compromise text addresses the applicability of the AI Act on AI systems that are not qualified as “high risk” but may be used or integrated into high-risk applications. During the discussions in the Council of the EU, several countries lamented the lack of evaluation on what the direct application of these obligations might imply in terms of technical feasibility and market developments.
The Czech Presidency proposed that the European Commission should adapt the relevant obligations via implementing acts within one year and a half from the regulation’s entry into force, carrying out public consultation and impact assessment on how to best consider the specific nature of such technology.
As negotiations regarding the proposed AI Act continue, more and more political parties are aligning themselves with a ban on facial recognition. Renew Europe joined the Greens and the Socialists & Democrats in their support of a ban on biometric identification in public places in the debate surrounding the Act. A majority in the European Parliament is now in favor of banning facial recognition technology that scans crowds indiscriminately and in real-time. This contrasts sharply with developments within the Council of the EU, where many Member States argue that the technology is an important measure for protecting public safety. While Germany would prefer to see the technology banned, France and others are seeking more law enforcement exemptions. The Council of the EU hopes to adopt a position before the end of the year, after which they will have to negotiate with the European Parliament to reach a compromise.
Data Act update
On 14 September, the Industry, Research and Energy (ITRE) Committee of the European Parliament issued its report on the Data Act. Rapporteur on the file, Pilar del Castillo (EPP, Spain), focused on the parts that defined how and under what conditions users and public bodies will be able to access and share data. For connected devices, she included metadata. Conversely, processed data has been excluded to protect trade secrets. Moreover, Internet of Things products that are still in the development phase or yet to be launched on the market have also been excluded from the scope. Lastly, access requests motivated related to public health or natural disasters are the only ones that should be free of charge. In all other cases, the organization providing the data would be able to ask for a refund for the incurred costs.
On 4 October, the Committee on the Internal Market and Consumer Protection (IMCO) released its opinion report on the Data Act. Some of the main takeaways were:
- While in general unlocking data is a positive phenomenon, it could introduce challenges for stakeholders who have limited access to data, such as car manufacturers;
- The data represent the digitalization of user actions and events and should accordingly be accessible to the user, while volatile and data processed locally only and information derived or inferred from this data, where lawfully held, should not be considered within scope of the Regulation;
- Certain products that are primarily designed to display or play content, or to record and transmit content, amongst others for the use by an online service and which are not the essential part of the connected product or related service should not be covered by the Regulation;
- Introduced changes to the definition of a data holder are necessary to clarify that entity merely providing storage or computing resources for the third party is not covered by the definition;
- The data holder should have the right to quick objection, in order to protect its integrity, security or confidentiality;
- The Regulation will apply from 24 months after the date of entry into force of this Regulation.
The ITRE Committee has postponed its hearing and its subsequent deadline for amendments to, respectively, 26 and 28 October. According to the new timeline, the committee vote would take place in February, earlier than the one planned in the opinion Committees. Concurrently, the Civil Liberties, Justice and Home Affairs (LIBE) Committee has not published any draft opinion or timeframe for amendments and voting. The committees, already at odds over the competencies, are now clashing over the timing.
In the week of 10 October, the Council is working on the drafting of the second full compromise text, to have it available for approval in the Working Party of Telecommunication and Information meeting of 6 December. However, Dr2 Consultants has been made aware that the consensus on a General Approach will only be reached in Q1 of 2023.
US-EU Data deal
On 7 October 2022, U.S. President Biden signed an executive order as part of his government’s efforts to rekindle transatlantic data flows. This Trans-Atlantic Data Privacy Framework, set up to replace the invalidated Privacy Shield data transfer mechanism, marks an unprecedented commitment on the U.S. side to implement reforms that will strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.
Negotiations on the data pact between Brussels and Washington have been ongoing since the European Court of Justice struck down its predecessor Privacy Shield agreement in July 2020 because of fears over U.S. surveillance. The U.S. executive order is expected to address the EU judges’ concerns by outlining further restrictions on how American national security agencies access both European and U.S. citizens’ data via some new “necessary and proportionate” standard. There will also be a new regulatory oversight board via the U.S. Department of Justice for Europeans to seek legal redress if they believe their personal information has been used illegally.
On the side of the EU, the process will include a draft assessment by the European Commission that will be scrutinized by the bloc’s data protection authorities, national governments and the European Parliament. There’s no set timeline for that process, but in the past, it has taken up to six months. Furthermore, the legislative process will almost certainly be followed by legal procedures.
Concurrently, there is another negotiation process, overseen by the Organization for Economic Cooperation and Development (OECD), in which members are trying to create an international pact to set the ground rules for how national security agencies access people’s information. An important provision of this pact is the upholding of high privacy standards to avoid overreach by national spies.
Several important stakeholders have already provided a reaction on the renewed Data Privacy Framework.
Deep dive: Cyber Resilience Act
On 15 September 2022, the European Commission published a proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020 (Cyber Resilience Act – CRA). The Cyber Resilience Act introduces cybersecurity rules to ensure more secure hardware and software products.
The scope of the proposed legislation is far reaching as it covers products with digital elements placed on the market. Through the Cyber Resilience Act, the Commission aims to establish conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and ensure that manufacturers take security seriously throughout a product’s life cycle. Additionally, the Commission proposes conditions allowing users to take cybersecurity into account when selecting and using products with digital elements.
Details of the proposal
Chapter I – Definitions
Chapter I indicates the scope and definitions of the proposed Regulation. In particular, the CRA proposes cybersecurity rules to ensure more secure hardware and software products by laying down:
- Rules for the placing on the market of products with digital elements to ensure the cybersecurity of such products;
- Essential requirements for the design, development and production of products with digital elements, and obligations for economic operators in relation to these products with respect to cybersecurity;
- Essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole life cycle, and obligations for economic operators in relation to these processes;
- Rules on market surveillance and enforcement of the above-mentioned rules and requirements.
The scope of the CRA is to apply to products with digital elements whose use includes a direct or indirect logical or physical data connection to a device or network. Importantly, Article 2 also lists the products with digital elements that shall not be covered under the CRA, such as those that have already been certified in accordance with other EU Regulations and those developed exclusively for national security or military purposes.
According to Article 3, a product with digital elements is defined as ‘any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately’. Products with digital elements shall only be made available on the market if they meet the requirements as set out in sections 1 and 2 of Annex I. Articles 6-9 further define critical products with digital elements, general product safety, high-risk AI systems and machinery products.
Chapter II – Obligations
Chapter II details the obligations of economic operators, namely manufacturers, authorised representatives, importers, and distributors. In particular, Articles 10 and 11 aim to ensure that products with a digital element have been designed, developed, and produced in accordance with the essential cybersecurity requirements set out in this Regulation. Articles 13 and 14 state that the importers and distributors’ obligations ensure that only digital elements that comply with the cybersecurity requirements are placed on the market. This must be done by verifying products, take corrective measures if needed and storing products information for 10 years.
Lastly, Articles 15 and 16 detail the conditions under which obligations of manufacturers apply to importers, distributors, or others, while article 17 provides economic operators with information to downscale to market surveillance authorities, for 10 years.
Chapter III – Conformity
Chapter III sets out the conformity of products with digital elements and processes. In particular, Article 18 details the powers of the Commission to specify the European cybersecurity certification schemes that can be used to demonstrate conformity with the essential requirements or parts thereof as set out in Annex I. Article 19 lists the cases in which the Commission is empowered, by means of implementing acts, to adopt common specifications in respect of the essential requirements set out in Annex I. Article 20 clarifies how the EU declaration of conformity should be drawn up by manufacturers and what such a declaration should entail. Articles 21-23 define the conditions for CE marking, while article 24 lists conformity assessment procedures, which are set out in Annex VI.
Chapter IV – Notification of conformity assessment bodies
Chapter IV introduces the notification procedures of conformity assessment bodies. Articles 26 requires Member States to designate a responsible notifying authority for setting up and carrying out procedures, while the following articles detail the requirements for notifying authorities and conformity assessment bodies in order to be designated as such.
Additionally, attention is paid to small and medium sized enterprises (SMEs). Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, in particular taking into account the interests of SMEs in relation to fees.
Chapter V – Market surveillance and enforcement
Chapter V indicates that each Member State shall designate one or more, existing or new market surveillance authorities for the purpose of ensuring the effective implementation of the CRA. National market surveillance authorities shall carry out market surveillance in the territory of that Member State, in accordance with Regulation (EU) 2019/1020. The Commission shall facilitate the exchange of experience between market surveillance authorities and shall support the authorities when providing guidance and advice to economic operators. In turn, economic operators are asked to fully cooperate with market surveillance authorities and other competent authorities.
While the scope of the CRA is broad, an exception exists for products with digital elements that are classified as high-risk AI systems under the AI Act. Such systems shall be under the responsibility of the designated market surveillance authorities under the AI Act. Article 41 sets out the establishment of a dedicated administrative cooperation group (ADCO) tasked with the uniform application of the CRA and be composed of representatives of the designated market surveillance authorities.
Where the Member State can take measures against potentially cybersecurity threats, the Commission receives the competence to launch a consultation or evaluate whether such measures are justified. Where products with digital elements are deemed to present a significant risk, Article 46 requires the manufacturer to take all necessary steps to eliminate the risk. Subsequently, national market surveillance authorities may require a manufacturer to take measure. Should the non-compliance persist, the Member State must take appropriate measures to restrict or prohibit the product from being available on the market or recall the product from the market.
Chapter VI – Delegated Acts
Chapter VI, in its Articles 50 and 51, provides the technical details on the adoption of delegated acts, to ensure that the regulatory framework can be adapted where needed. The Commission holds this power and shall consult experts designated by Member States, before notifying the Parliament and Council. This power may be revoked at any time by both the Parliament and the Council, but this decision shall not affect any delegated act in force. Furthermore, the Commission should be assisted by a committee, for opinion.
Chapter VII – Confidentiality and penalties
This chapter contains the rules on confidentiality of information and data obtained in carrying out their tasks and activities. To ensure effective enforcement, Article 53 provides market surveillance authorities the competence to impose or request the imposition of administrative fines. However, the CRA also establishes the maximum levels of administrative fines that should be provided in national laws in case of non-compliance with the Regulation.
Chapter VIII – Final provisions
Chapter VIII includes the final provisions, amending Annex I of Regulation 2019/1020 on market surveillance and compliance of products and indicating that the latter will apply to products with digital elements insofar as there are no specific provisions with the same objective in the CRA.
The Regulation will become applicable 24 months after its entry into force, except for the reporting obligation on manufacturers which shall apply already from 12 months after its entry into force.
If you want to have a closer look at the content and the specific provisions of the Cyber Resilience Act, you can check out our in-depth analysis.
First EU-wide data space to simplify the exchange of official documents for citizens and businesses
On 6 September, the European Commission published the Implementing Regulation (EU) 2022/1463 on the Once Only Technical System (OOTS), following an agreement reached at Member States’ level. This new system lays the ground for the establishment of the first EU-wide data space, which will enable the sharing of information between public administrations across borders between EU countries. Available as of end of 2023, the Once Only Technical System (OOTS) will allow public authorities across the EU to exchange official documents and data at citizens and businesses’ request in a simplified and efficient manner.
More concretely, the OOTS enables the interconnection between Member States’ national portals, allowing EU citizens and SMEs to supply a document only once to a public authority. In other words, if another public authority across the EU needs access to the same document, and with the citizen’s explicit authorization, it will be able to retrieve it via the OOTS.
Today, the lack of interoperability and digital barriers between Member States obliges citizens to provide the same information to different authorities even if one of them already holds that information in electronic format. For instance, when applying for a master’s course at a university online, students need to provide a copy of their bachelor’s degree even though this document is held electronically by the university when the citizen graduated.
Thierry Breton, Commissioner responsible for the Internal Market saluted this initiative, highlighting it was “a much-awaited step for an effective Single Market without digital barriers”. The OOTS will provide a reusable template for other dataspaces that require data to flow securely within the EU.
New US-UK law enforcement data deal
During Summer, London and Washington have signed a new data sharing agreement related to law enforcement investigations. As of 3 October, law enforcement agencies may require telecommunication providers in either country to hand over data related to investigations into crimes linked to serious offenses such as child sexual abuse or terrorism.
The agreement is focused on speeding up the ability of both sides to access information held in the other jurisdiction. The U.S. government has tried to sign a similar deal with the European Union — under provisions in the U.S. Cloud Act — but some EU Capitals of the Old Continent raised concerns to give such widespread access to EU citizens’ data.
This decision comes on the back of the Court of Justice of the European Union’s invalidation of the EU-U.S. Privacy Shield back in 2020 with the so-called “Schrems II” ruling. Based on the EU General Data Protection Regulation, judges in Luxembourg concluded that data transfers in a jurisdiction that does not have an equivalent level of data protection are illegal unless adequate safeguards are in place.
The question brought forward by this ruling lies into the notion of “digital sovereignty”. Understood as “the EU’s ability to act independently in the digital world” and pushed by EU Member States such as France. In this case, the question of which jurisdiction would have applied was front and center. In other words, EU regulators were concerned that U.S. intelligence services have disproportionate access to the data of EU residents without the possibility of judicial redress. That is why the EU institutions have set a legislative framework to deal with both personal and non-personal data transfers to foreign jurisdictions. As a matter of facts, the Data Governance Act and the Data Act have provisions that concern data intermediaries to take all reasonable measures to prevent the international transfer or governmental access to non-personal data held in the EU that could create conflict with EU or national law.
For European regulators, the reasoning behind these measures is not meant to be punitive but to ensure that the rigorous rules that the EU is putting in place to create a marketplace for industrial data cannot be bypassed simply by residing outside the bloc.
Undoubtedly, this question will remain the main point of discussions in the remit of the New Trans-Atlantic Data Privacy Framework negotiations between the Washington and Brussels. As things stand, the U.S. government should release the Executive Order that gives effect to the surveillance reforms agreed to. On its part, the European Commission is expected to publish a draft implementation act and seek the non-binding opinion of the EDPB/EDPS and the European Parliament, before the Council also has to agree on the final text.
Data Act update
The inter-institutional negotiations within the Council of the EU and the European Parliament have already started in the past weeks.
As far as the European Parliament is concerned, it endorsed the allocation of competences between its committees on 30 June, after more than four months of internal discussions and bounces. In the final shape, the competences have been attributed as follows:
- Adam Bielan (ECR, PL) in the Internal Market and Consumer Protection (IMCO) Committee has shared competences on the entire file, plus exclusive competences on Articles 23, 24, 25 and 26, as well as Recitals 70 until 76,
- Sergey Lagodinsky (Greens, DE) in the Civil Liberties, Justice and Home Affairs (LIBE) Committee has shared competences on the entire file, plus exclusive competence on Articles 4(3), 4(6), 5(5), 5(8), 8(6), 17(2)(c), 27(3) sub-paragraph 2, 35 and 37, as well as the last sentence of Recital 63 and Recital 84,
- Ibán García del Blanco (S&D, ES) in the Legal Affairs (JURI) Committee has exclusive competences on Articles 1(3), 1(4), 4(5), 5(6), 5(7), 5(9), 6(1) (only on the caveat for the protection of personal data), 6(2b), 16(2), 18(5), 19(1b), 31(2a), 32(3) (only on specific cooperation mechanism of the GDPR), 33(3) and 33(4). The committee also shared competences on Articles 1-6, 8-12, 14-19 and 31-32.
MEP del Castillo Vera handed in her report last week for translation. The official report will be published soon. On the one hand, the focus of the report is to widen the exemption to the data-sharing obligations to include medium-sized enterprises with fewer than 250 employees; on the other hand, the draft report focuses on the obligations for companies to share data with governments (B2G) in which public emergencies need to be better clarified. Moreover, a lot of concerns from stakeholders on trade secrets, investments and intellectual property would be resolved by excluding sophisticated processed data. On the Council side, Member States are moving ahead with the proposal with some compromises already made. Until now, the focus has been on increasing legal clarity and consistency with existing EU legislation but there is still some work to be done. On 15 September, the Council of the EU discussed the next compromise text under discussion on cloud switching, international data transfers and interoperability. In the Council meetings, the discussion on B2G data transfers showed that most Member States understand the wording of exceptional need rather vague and find the definitions too wide.
If you would like to stay up to date with the developments regarding EU digital policies and related events, please sign up to our monthly EU Data Policy Update here. Learn more about our EU Data Policy Services here.
Deep dive: Models for sustainable and just data governance
On 12 July, the European Parliamentary Research Service (EPRS) published a study called “Governing data and artificial intelligence for all: Models for sustainable and just data governance”. It identifies and examines policy options for the EU’s data governance framework – such as the AI Act, the Data Governance Act, and the Data Act – that align with a data justice perspective.
As such, the central question this report addresses is how to foster a positive vision of AI as contributing to public goods and creating public value. Starting from research on data justice, the report proposes four benchmarks for good governance: preserving and strengthening public infrastructure and public goods, inclusiveness, contestability and accountability, and global responsibility. The EPRS looked at the principal ways in which data is currently understood – as a tradeable asset, as a commons, as a strategic national asset, and as a component of individual identities – and demonstrate how these different conceptualisations interact in governance models from various regions around the world.
Key takeaways stemming from this report include the need for EU institutions to:
1. Define data’s potential as a public good
The EU still has work to do in conceptualising what kind of public good data should be. While the legal framework under construction (especially the Data Act) articulates an aim of creating value from data for both public and private purposes, the mechanisms for arbitrating between these often conflicting aims are unclear, and the balancing of public and private interests varies across legislative instruments.
2.Constitutionalise the EU approach to data governance
The existing regulatory framework in the EU for data governance runs the risk of becoming fragmented. While the focus on building digital markets is coherent, the different instruments involved create disjunctures in the way technological harms are conceptualised (i.e., through the lenses of data protection, competition and consumer protection) and in turn, this limits the equitable distribution of power both in terms of accessing and using data, and in making claims and seeking redress where necessary.
3. Center collective will and decision-making
AI and data governance should center collective will and decision-making on the part of societal groups, along with a systemic orientation towards public value. The EU’s investments in public infrastructure (named in its data strategy and implied in the Data Governance Act and the Data Act) could be reoriented to reflect plural understandings of how data generates value, especially in terms of both large and smaller-scale computing and data infrastructure.
4. Contextualise tools of data governance
Current trends in data governance involve the development of different tools such as data trusts, various forms of cooperatives and commons, and stewardship processes. None of these are relevant as stand-alone approaches to data governance, but become relevant in relation to particular goals. As such, all are open to misuse if overarching normative goals are not clearly articulated and enforced.
5. Devolve and distribute oversight
Technology regulation enforcement and oversight are increasingly challenged to demonstrate that they can represent the democratic concerns of society. Democratising the process of oversight and enforcement with regard to data and AI could help address this challenge. As powerful technologies are increasingly used on the public in ways that are opaque to individuals, it has become urgently necessary to have oversight and enforcement structures that have a public-facing component, that can demonstrate democratic accountability and, therefore, that are also more representative of society.
French Presidency passes the baton to the Czech Republic
On 1 July, curtains went down on the French Presidency of the Council of the EU, heading over the reins to its Czech counterparts. It is now time to look back at some of its results and dive into the policy priorities of Prague’s digital agenda. The French Presidency had to navigate troubled waters as it accompanied the Union from the Covid-19 recovery to start dealing with the security and economic challenges posed by the Ukraine war. After 2000+ meetings of Council working parties and committees, 100+ Coreper meetings, 80+ Council meetings and Summits, what is the outcome of the past six months?
French Presidency’s achievements
In the field of digital policies, the Presidency has managed to gather support in the Council for a negotiating mandate on the 2030 Path to the digital decade and kickstart trilogues to define the guiding principles for digitalisation. In addition, the co-legislators successfully concluded negotiations with the Parliament on a number of critical files.
Among others, the Presidency reached agreements on the two landmark legislations that will structure the future of the Digital Single Market: the Digital Service Act (DSA) and the Digital Market Act (DMA).
When it comes to data-related policy, the French Presidency concluded the Data Governance Act, agreeing on the co-legislators’ position on 16 May. This legislation aims to set up a robust mechanism to enhance the reuse of certain categories of public sector data subject to the rights of others. It will also increase trust in data intermediation services by creating a new framework for companies to share their data of its being misused or of losing their competitive advantage, and for consumers to retain full control over their data. The French Presidency also made stiff progress on the Data Act, the EU’s non-personal data sharing legislation, by adopting the Council’s progress report in the Telecommunications Council in June. The French Presidency cited scope of application, data from connected devices, the sharing of data by companies with public authorities based on exceptional circumstances, cloud-switching and interactions with sectoral legislation as the main issues so far.
The Roaming Regulation and the Common Charger Directive were also concluded in the last semester. Finally, the Presidency closed two key procedures to foster the Union’s cybersecurity: the NIS 2 Directive and the Critical Entity Resilience Directive.
However, the French Presidency could not deliver on all the expected files. On ePrivacy, the negotiations progressed in March but failed to lead to an agreement as of yet. Similarly, the work on the eID or the Artificial Intelligence Act (AIA) will have to spill over into the agenda of the new Presidency.
Czech Presidency’s digital agenda
For its second Presidency of the Council after 2009, Prague has chosen Ivan Bartoš, the recently appointed Deputy Minister for digitisation and Minister of regional development, to spearhead negotiations among EU countries on tech laws. He is one of the founders of the Czech Pirates — a fringe political party with international chapters that was born to fight copyright laws.
Bartoš and his team will also have to reconcile diverging views within the Council on the Data Act which has alarmed various industries that are concerned about having to hand in large swaths of business information and trade secrets to governments, customers and third parties.
Czech Republic is also keen to prioritise work on reaching a general approach on the eID, as it represents a concrete Union action that is visible to EU citizens. Furthermore, it will pick up the work led on the AIA with a view to concluding a general approach. Forging a common position among all 27 EU governments on the artificial intelligence rulebook will not be a smooth ride. It will imply dealing with issues such as facial recognition ban and government-led social scoring, as well as restriction of a list of high-risk applications like algorithms used in health, during elections, and when handling immigration applications. On top of that, transatlantic cooperation within the TTC is very high on this Presidency’s priority list – especially given the Council will have to approve the new legal framework for data transfers to the US called the Transatlantic Data Privacy Framework.
Last but not least, the Czech Presidency will have to start working on a number of key initiatives that will be introduced by the Commission in the next semester such as the Cyber Resilience Act, the Media Freedom Act, the revision of the product liability directive, or the Connectivity Infrastructure Act – a proposal to have Big Tech contribute financially to telecomms infrastructure investments deemed necessary to address the issue of fairness in the architecture of the internet.
Webinar wrap-up: Third webinar on the EU Data Act with representatives from the EU Parliament and the Council
On 16 June, Dr2 Consultants hosted the third and final Breakfast Webinar on the Data Act with representatives from the EU Parliament and the Council. The event was moderated by Cathy Kremer, Senior Consultant at Dr2 Consultants.
Ms. Angelica Petrov, Policy Advisor on Cybersecurity and Digital Policy to MEP Alin Mituța, shadow rapporteur on the EU Data Act for Renew Europe in the leading Industry (ITRE) committee, and Ms. Anna-Liisa Pärnalaas, Counsellor for Digital and Cyber Affairs at the Permanent Representation of Estonia to the EU, were invited to shed light on the Data Act from an institutional perspective. Input gathered from the previous two webinars on the impact of the Data Act on EU competition and sustainability and smart mobility goals fed into the discussion.
Both speakers emphasised the importance of the proposal as one of the main cornerstones of the EU data economy. However, they also recognised that the proposal still requires a comprehensive assessment of the proposal’s real-life impact given the technical nature of some of its provisions. In addition, some clarifications are necessary to avoid putting an additional burden on EU SMEs and companies, thus guaranteeing a competitive edge for the digital economy and society. Against that background, they encouraged all stakeholders to come up with their input to implement a practical framework that works for everyone.
Ms. Anna-Liisa Pärnalaas stated that the proposal has several provisions that support businesses entering the market and empower consumers, e.g. data portability, interoperability safeguards, and unfair contractual contracts. On privacy rights, Ms. Pärnalaas underlined that this regulation should avoid a situation where requirements lead to loss of control of personal data. To tackle this issue, she mentioned that additional safeguards and clarifications about how GDPR applies to the Data Act would be beneficial.
Ms. Angelica Petrov said the European Parliament supports this piece of legislation as it comes at a timely moment with the surge of connected devices and IoT products which generate a significant amount of data. In her view, data holders should have access to the data they produce, and this framework comes at the right moment to regulate how to process and collect data, unleashing the true power of industrial data for EU consumers and businesses. Against that background, Ms. Petrov stressed how this legislation would help B2B, B2G and cloud switching. In that regard, Ms. Petrov would like to see more clarity on definitions as well as data anonymization; data sharing with Member States governments in emergency situations; and cloud switching rights including reverse switching.
From an institutional standpoint, Ms. Petrov noted that there has been a broad consensus on major issues in the European Parliament so far. She added that the timeline is on hold for now due to a conflict of competence between committees. Ms. Pärnalaas stipulated that the Council had finished the first reading of the French presidency’s report. She mentioned that the first written comments are with the Presidency before discussions kick off in July, adding that the most active part will begin in fall 2022.
You can watch the full replay here.
If you would like to stay up to date with the developments regarding EU digital policies and related events, please sign up to our monthly EU Data Policy Update here. Learn more about our EU Data Policy Services here.
Deep dive: Artificial Intelligence Act (AIA)
The Artificial Intelligence Act (AIA) is to introduce a first-of-its-kind legislative framework to set standards and norms in the field of AI. The objective is to both introduce a guiding set of ethical principles as well as to foster innovation, ultimately turning the EU into a global leader in the field of AI. The past month, the two leading rapporteurs in the European Parliament published their first report which is still under discussion while the Council of the EU also discussed the proposal for the first time.
Concretely, the AIA will aim at developing four categories of AI, each with different characteristics in terms of governance.
- AI applications with an unacceptable level of risk: to be banned entirely (article 5 in the proposal): for example AI applications that could exploit characteristics of vulnerable populations such as children and disabled persons or manipulation with psychological harm;
- High risk AI applications: strict obligations in terms of human oversight and regulation (article 6). For example applications that affect critical infrastructure, law enforcement and education;
- Limited risk AI applications: transparency obligations to be in place (article 52). For example the recognition of emotions and the creation of so called deep-fakes (the latter is controversial);
- Minimal risk AI: will not be in the scope of AIA: free to use and develop.This includes all applications that are not mentioned in AIA.
This designation is crucial for the data sector as AI is expected to become the most important tool to process and analyze the maze of data produced in the future (e.g. connected devices). Much of the elements which influence the risk level of AI applications are directly or indirectly related to how it will affect personal data and privacy. The use of personal data by AI for social scoring purposes or law enforcement are examples of controversial applications. Furthermore, the proposal includes ‘legal sandbox’ arrangements for SMEs, which should grant startups more legislative leniency to use data for the development and testing of new programs.
On 3 June, the Telecommunications Council discussed the AIA. Member states expressed their support for the majority of the proposal and decided that work will continue under the Czech presidency – starting from 1 July onwards. Importantly, Member States expressed support for the Commission’s approach to biometric identification and social scoring, two AI applications that are especially controversial and are still subject to debate in the European Parliament. With regards to real-time biometric identification it keeps certain possibilities for security reasons while it chose for a ban on so called ‘social scoring practices’ but kept possibilities for credit scoring for credit lending institutions.
In parallel, a first draft report was already published by the rapporteurs Tudorache (RE, Romania) and Benifei (S&D, Italy) with agreements on a ban on technologies for predictive policing, but there are still significant disagreements. S&D, as well as the Greens and a number of human rights NGOs, argue in favor of a total ban on real-time biometric identification while the Commission, as well as Renew and EPP, prefer to maintain certain specific legal conditions under which it would be allowed for public security reasons. This will have a strong impact on data regulation as biometric identification requires access to personal data on the physical characteristics of individuals. The European Parliament has furthermore also not yet found an agreement on the use of AI for social scoring applications, which closely relates to the protection of personal data.
The leading parliamentary committees IMCO and LIBE will have the last debate on AIA before the summer recess on 30 June, after which the debates will recommence from 26-29 September. The Plenary session will vote on a final position of the Parliament in November. The Council decided that the upcoming Czech presidency would further handle the trilogues with the parliament and the Commission.
European common data spaces
On 1 June, the European Commission’s DG CNECT published a report on the European common data spaces. This first report is vital as it allows to map the current landscape and to assess progress towards reference architectures and implementation of open (government) data and more specifically “data.europa.eu” – probably the world’s largest public investment in open government data to date.
Common data spaces can be defined as a “type of data relationship between trusted partners, each of whom apply the same high standards and rules to the storage and sharing of their data (…) In data spaces, data are not stored centrally but at source and are therefore only shared (via semantic interoperability) when necessary” (Gaia-X, 2022). As highlighted in the European Strategy for Data published in 2020, the EU envisages common data spaces as a genuine single market for data where personal and non-personal data, including sensitive business data, are secure and businesses have easy access to high-quality industrial data, boosting growth and creating value.
In this policy context, the European strategy for data announced the development of an initial set of nine sectoral data spaces, with more sectors to be added in due time. These initial European common data spaces are:
- Industrial/manufacturing data space, to support the competitiveness and performance of the EU’s industries;
- Green Deal data space, to use the major potential of data to support the Green Deal priority actions on issues such as climate change, a circular economy, pollution, biodiversity and deforestation;
- Mobility data space, to position Europe at the forefront of developing an intelligent transport system;
- Health data space, essential for advances in preventing, detecting and treating diseases as well as for informed, evidence-based decision-making to improve healthcare systems;
- Financial data space, to promote innovation, market transparency and sustainable finance, as well as access to finance for European businesses and a more integrated market;
- Energy data space, to promote the stronger availability and cross-sector sharing of data, in a customer-centric, secure and trustworthy manner;
- Agriculture data space, to enhance the sustainability performance and competitiveness of the agricultural sector through processing and analysing data;
- Public administrations, to improve the transparency of and accountability for public spending and spending quality, fighting corruption, both at EU and national levels;
- Skills, to reduce the skills mismatches between the education and training systems and labour market needs.
Having undertaken desk research and carried out interviews with developers of data spaces and data space architectures, DG CNECT elaborates how open government data portals and stakeholders should position themselves in emerging European common data spaces in the core areas discussed in European policy papers, as well as in other data spaces that are currently under development at city and regional levels in various EU Member States. They come to a three-fold conclusion:
- Open data are commonly mentioned alongside private and personal data as a core type of data source. However, open data holders are not well positioned or involved in initiatives developing data space reference architectures or implementation approaches. If this situation persists, the use and impact of open data could be reduced owing to the friction that may occur when combining the use of data shared in data spaces and the use of data published in open government portals.
- Open data holders have extensive experience in data publishing, metadata management, data quality, dataset discovery and data federation, as well as tried-and-tested standards (e.g. Data Catalog Vocabulary) and technologies. There seems to be little knowledge/technology transfer from the open data community to the data spaces community. Data spaces should not reinvent methods that the open data community has already developed, tested and used extensively.
- Whether the data are private, shared or open, using data from multiple sources requires interoperability at several levels, from identity providers to vocabulary providers. The question of which data intermediaries will act as neutral agents to ensure interoperability is underexplored in the data spaces context. Public administrations, building on their experience of publishing open data, are best placed to take on such roles.
By means of conclusion, the text states that it will undertake an in-depth case study analysis, based on the actual implementation of data spaces, to verify these initial findings and discuss challenges and opportunities for “data.europa.eu” in a follow-up report expected in 2023.
Bruno Lemaire gets digital portfolio
On 20 May, President Emmanuel Macron announced the French government reshuffle following his reelection for another quinquennium (2022-2027) after his victory against far-right leader Marine Le Pen (Rassemblement National) – casting 58,55% of the votes in the second round. To lead the country’s executive branch, he chose former Labour Minister Elisabeth Borne as his prime minister. Expectedly, he also reappointed former Finance and Economy Minister Bruno Lemaire, adding this time the competencies pertaining to “industrial and digital sovereignty”. This brings to the fore the increasing importance of these issues in French governance. In February, Bruno Lemaire already called on the EU to “guarantee our mastery of innovation, our technological sovereignty and the political sovereignty that we all desire, between China and the United States”.
Public consultation open: Availability of datasets
On 24 May, the European Commission launched its public consultation on the Implementing act on a list of High-Value Datasets. It aims to make more publicly-funded information available for new information products and innovation, in particular in artificial intelligence. It defines a list of ‘high-value’ datasets held by the public sector (datasets whose re-use can have major benefits for society and the economy). Under the initiative, these datasets should be re-usable for free; using application programming interfaces available in machine-readable format; downloadable in bulk, where possible.
Webinar wrap-up: The Data Act and its impact on EU competition and smart mobility goals
On 25 May, Dr2 Consultants hosted a second Breakfast Webinar to discuss the impact of the EU Data Act on the European competition and smart mobility goals. The event was moderated by Cathy Kremer, Senior Consultant at Dr2 Consultants.
Mr. Mikael Isaksson, Public Affairs Officer at Volvo Cars stated that the consumer-focused approach in the Commission proposal is the right approach. He underlined that Volvo Cars values people’s freedom to move in a personal, sustainable and safe way. He argued that data and connectivity have a role to play in decarbonizing transport, in managing traffic flows and in optimizing energy efficiency. Data must be shared in a way that is safe, technically feasible and relevant for the consumer. The Data Act should not stifle innovation, growth and investment. It should lay down the basic principles to ensure data can be accessed on a level playing field.
Dr. Nima Barraci, Senior Manager, Group Data Strategy and Transformation at Lufthansa Group said that Lufthansa Group had in principle a positive stance towards the Data Act. He noted that, currently, machine-generated data is to a large extent unregulated and there are no rules to whom the data belongs and who has access to it. The Data Act would level the playing field by creating ground rules, foster competition and innovation. It would help reach the EU’s sustainability goals by improving the ecological performance of aircrafts and aircraft operations. The Data Act will foster innovation and energy efficiency, he underlined.
Asked about their one key message to policymakers, Dr. Barraci wished to see the Data Act become an enabler for innovation and competition in Europe. Mr. Isaksson concluded that the Data Act should be designed in a way that it encourages innovation and that it will benefit everyone in the connected mobility ecosystem.
Next Thursday, 16 June, Dr2 Consultants will hold its final webinar on the Data Act. This time, we will hear from representatives from the European Parliament and the Council. Register for the upcoming last session in this series of webinars here.
If you would like to stay up to date with the developments regarding EU digital policies and related events, please sign up to our monthly EU Data Policy Update here. Learn more about our EU Data Policy Services here.
Deep dive: European Health Data Space (EHDS)
On 3 May, the European Commission released its legislative proposal on the Regulation on European Health Data Space (EHDS). This initiative aims to create a system for health data exchange and access governed by common rules, procedures, and technical standards to ensure that health data can be accessed within and between the Member States, fully in line with the General Data Protection Regulation (GDPR) and Member State competences. As highlighted by the COVID-19 pandemic, governments are set to collect higher shares of health data in the future. The European Commission claims its use can add up to €11 billion over the next 10 years – with half coming from improved data exchanges in health care itself, and the other half from the use of health data in research and policy. To that end, the EU has set a fund of 810 million to build the necessary infrastructure.
Link with EU digital legislation
The EHDS is the EU’s first sector-specific regulation under its 2020 Data Strategy. It supplements the Data Governance Act and the Data Act which cannot address the specificities of sensitive data, such as health or genetic data. It provides more specific rules for ‘data altruism’ in the health sector and introduces limits to international transfers of non-personal health data.
More concretely, EHDS will improve:
Healthcare and timely access to data (primary use of data)
All Member States will be required to participate in the digital infrastructure MyHealth@EU to ensure that EU citizens can share their health data with health professionals in other EU Countries and therefore contribute to better cross-border healthcare. As of today, only 10 Member States have implemented the platform.
Research (secondary use of data)
This new legal framework and infrastructure will allow researchers, innovators, decision-makers, and regulators to re-use health data for cross-border research, policy making, educational activities, and personalised medicine.
Requirements and obligations specific to electronic health record (EHR) systems will ensure that EHR systems placed on the market and used are interoperable, secure and respect the rights of individuals over their health data.
Brussels Tech lobby DIGITALEUROPE saluted this initiative as an ambitious framework for health data, while adding that more harmonisation in the Single Market for digital health and data was needed. They also called on the Commission to clarify the scope and interactions of EHDS with other pieces of legislations such as GDPR, Data Act, Medical Device Regulation and AI Act. This reaction comes on the back of the release of their report on 7 April identifying two main roadblocks to developing and scaling life-saving health technologies in Europe: the lack of a framework for health data flows, and a fragmented market for digital health. The European Confederation of Pharmaceutical Entrepreneurs (EUCOPE) emphasised the need to set European Health Union that aims to reinforce the EU’s preparedness and response during health crises. On top of that, they also recommended the promotion of data interoperability.
The proposal will now be sent to the Parliament and Council for examination. The Commission is optimistic that the first results will start to show in 2025, especially for the exchange of data in health care itself, the MyHealth@EU program.
UK’s Data Bill Reform
During the Queen’s Speech on 10 May, the British government announced the reform of the country’s data protection regime. According to the executive, this Data Reform Bill is expected to create “a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection”. In its legislative agenda for the next 12 months, London said it wanted to “take advantage of the benefits of Brexit to create a world class data rights regime” by updating its local privacy rules to “fuel responsible innovation and drive scientific process.” The bill will make up part of a wider package of data protection reforms.
As it stands, the UK’s data protection rulebook is still modelled on the EU’s General Data Protection Regulation (GDPR). With this reform, the UK government remains cautious that any changes to its data protection regime would not imperil its data flows agreement with the EU, as it requires the UK to maintain an equivalent level of privacy protection compared with the Continent. Brussels is concerned of the UK’s stated desire to establish new data flows with countries including the U.S., Australia, South Korea, Singapore or India, which could lead to the transfer of EU individuals’ data to third countries with inadequate privacy standards.
Data flow deal with India
In parallel, Britain’s trade negotiators are under pressure to strike a trade deal with India this year. Prime Minister Boris Johnson has given the UK team until October to seal a post-Brexit deal on the liberalisation of data with New Delhi.
Nevertheless, experts claim that landing a deal will be a big challenge given that both sides are currently at opposite ends on their data policies. India is in the midst of setting up a new Data Protection Bill to manage the way commercial and personal data is handled. This draft law would require data to stay on Indian soil, as regulators believe the move is necessary to generate local jobs, and protect national security and the privacy of its citizens.
On its part, London is pushing hard to allow for the free flow of data between the two countries. More than 67% of UK services exports are digitally delivered. Britain currently imports more services from India than it exports.
According to a report from the UK-India Business Council (UKIBC) and think tank “The Dialogue”, if approved by the Parliament, the Indian draft law would restrict “the transfer and processing of critical personal data abroad, but also mandate commercial and nonpersonal anonymized datasets to be shared with the Indian government”. In other words, British companies selling goods or services online in India would have to set up data servers there to exclusively store payment data from national citizens. As a result, this setup could cost significant resources to UK businesses. It would limit the data they could transfer, and the value derived from analysing it with tools like machine learning, putting to the test the digital supply chains between London and New Delhi.
The EDPB and “dark patterns” in social media platform interfaces
On 2 May, the European Data Protection Board (EDPB) closed the feedback period on the “Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them”. These guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called “dark patterns” in social media interfaces that infringe on GDPR requirements. These patterns aim to influence users’ behavior and hinder their ability to effectively protect their personal data and make conscious choices. They can be divided into these categories:
- Overloading: confronting users with a large number of requests, information, options or possibilities in order to prompt them to share more data or unintentionally allow personal data processing against the expectations of the data subject.
- Skipping: designing interfaces or user experiences in a way that users forget or do not think about all or some of the data protection aspects.
- Stirring: affecting the choice users would make by appealing to their emotions or using visual.
- Hindering: obstructing or blocking users in their process of becoming informed or managing their data by making the action hard or impossible to achieve.
- Left in the dark: designing interfaces in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights.
These dark patterns are practices that are not only relevant for personal data protection, but sit at the intersection between several fields of law, in particular consumer law, digital market and data protection law. The Digital Markets Act (DMA) and Digital Services Act (DSA) contain specific provisions prohibiting these types of practices. They are also addressed in other instruments regulating the digital sphere which are currently under discussion, such as the European Data Act.
Conference on the Future of Europe (CoFoE) and the digital transformation
On Europe day, the Conference of the Future of Europe’s Executive Board gave the final report on the outcome of the Conference to the Presidents of the European Parliament, Commission and Council in Strasbourg. As a reminder, the CoFoE is a one-year bottom-up exercise for Europeans to have their say on what they expect from the European Union. European citizens of different geographic origin, gender, age, socioeconomic background and/or level of education were encouraged to take part in the Conference, with young Europeans playing a central role. Strong of 49 proposals, this final document includes concrete objectives and more than 320 measures for the EU institutions to follow up on under nine topics, including digital transformation.
In the digital chapter, authors brought to the fore the importance of “long-term consequences of the seizure of personal information and the illegitimate use of that data in the future” especially following the Russian invasion of Ukraine. To tackle this issue, they suggested avoiding “data concentration and dependence on third countries in relation to infrastructure and services” and building “a data infrastructure based on European values.”
EU Data Act and its impact on EU competition and sustainability goals
On 5 May, Dr2 Consultants hosted a Breakfast Webinar to discuss the impact of the Data Act on European competition and sustainability goals. The event was moderated by Cathy Kremer, Senior Consultant at Dr2 Consultants.
Mr. Paolo Falcioni, Director-General of APPLiA, representing the home appliance sector in Europe, and Mr. Radu Surdeanu, Senior Director Government Affairs at Siemens Energy, a large energy company offering products and services along the entire value chain, were invited to shed light on the Data Act from an association and business perspective.
Both speakers agreed with the key ambition of the Data Act, its potential to increase Europe’s competitiveness and contribute to the EU’s sustainability goals, but they underlined there is still a long way to go for this proposal. The rules for the industry need to be more clearly defined, trade secrets should be protected, innovation should be stimulated, and the text should be strengthened in a participatory manner with all stakeholders.
Deep dive: Revamped EU-US Data Protection Shield
New Trans-Atlantic Data Privacy Framework
On 25 March, European Commission President von der Leyen and U.S. President Biden announced an agreement in principle on a new framework for transatlantic data flows. This comes on the back of the EU Court of Justice’s invalidation of the EU-US Data Protection Shield in July 2020, which ruled that the data protection provided for in the U.S. domestic law on the US public authorities’ access and use of personal data transferred from the European Union, did not meet sufficient privacy requirements. In addition, the European Data Protection Board – the EU’s privacy watchdog – had issued guidance that would restrict the use of alternative data transfer mechanisms.
On top of that, Russia’s invasion of its Black Sea neighbour has accrued the need to accelerate Brussels-Washington negotiations on a revamped Privacy Shield pact. Maintaining strong relationships between like-minded democracies is now important more than ever, and that includes fostering a secure framework of data flows from both sides of the Atlantic.
According to officials close to the ongoing negotiations, Washington’s latest offer is based, among others, on recent suggestions from a group of privacy experts that includes:
- The creation of a new agency within the U.S. Department of Justice to oversee how the country’s intelligence agencies handle the data of European citizens;
- A White House executive order to give investigative powers to said agency;
- The ability for the EU institutions to challenge that data collection through U.S. federal courts.
Brussels Tech lobbies DIGITALEUROPE and Computer & Communication Industry Association (CCIA) both welcomed the agreement. In the past, they stressed that the growth of the data economy and the success of European companies is dependent on the ability to transfer data.
Furthermore, the American Chamber of Commerce to the EU (AmCham EU) emphasised that the 2020 invalidation of the EU-US Privacy Shield caused uncertainty for over 5,000 companies that rely on the Privacy Shield to transfer personal data between US and the EU. This is corroborated by a study on data flows carried out by Frontier Economics, which shows that additional restrictions on cross-border data flows could lead to a loss of 2 million jobs and around €2 trillion worth of growth by the end of 2030. Results also show that in a scenario following the current trend towards a moderate increase in restrictiveness, European companies of all sizes and sectors could be affected – especially as the US is the EU’s largest data partner. In particular, the EU manufacturing sector stands to lose the most in absolute value. Sectors such as media and culture could also be some of the most impacted in relative terms, losing about 10% of their exports. Finally, as SMEs account for almost a quarter of all goods exported from the EU, they would be heavily impacted.
As it stands, details are yet to be discussed by negotiators between the U.S. Department of Commerce and the European Commission. The process still involves legal changes on the U.S. side and the ratification by the EU’s various bodies. The formal adoption process is expected to take about 6 months. The European Commission will publish a draft implementation act and seek the non-binding opinion of the EDPB/EDPS and the European Parliament. The Council also has to agree on the final text. In the US, the government should release the Executive Order that gives effect to the surveillance reforms agreed to.
Artificial Intelligence Act
The past month saw some relevant developments concerning AI policy in the European Parliament. This includes the publication of the final opinion of the European Parliament’s special committee for Artificial Intelligence in the Digital Age (AIDA), as well as the ongoing negotiations and recommendations by several Parliament committees on the Artificial Intelligence Act (AI Act).
Artificial Intelligence in the Digital Age (AIDA)
AIDA approved its opinion on the future of AI in Europe on 22 March, focusing on opportunities raised by AI for the European economy and delineating a European ambition to be a global democratic trendsetter in the field of AI. AI should not be regulated as a whole, the report argues. Specific applications should be evaluated in proportionality with their risks and benefits. Lastly, the report calls for constant evaluation and monitoring of the mass gathering of personal user data to prevent abuse.
Other EP committees’ negotiations
The AI Act itself is still being debated by the lead Parliament committees, Internal Market and Consumer Protection (IMCO) and Civil Liberties (LIBE), which have to produce a joint report. Other committees that were requested to form an opinion on the proposal have already announced draft amendments and opinions. Topics of contention in multiple committees include regulation on data gathering; and analysis by AI systems as well as certain data applications through AI such as social scoring and biometric identification. Additionally, within the responsible joint IMCO-LIBE meetings, there is still no agreement on definitions, streamlining with GDPR and facial recognition.
The deadline for amendments in the joint IMCO-LIBE meeting is 18 May. The plenary session is expected to discuss the AI Act in November.
Data Governance Act
On 6 April, members of the European Parliament endorsed the interinstitutional deal between the Parliament, Commission and Council clinched in December on the European Data Governance Act (DGA) with 501 votes to 12, with 40 abstentions. The Regulation must now be formally adopted by the EU Council before it is published in the Official Journal and enters into force. EU diplomats are set to take a look the Parliament’s position in Coreper on May 11.
This initiative, regulating intermediaries of data sharing, aims to set up a mechanism to enhance the reuse of certain categories of public sector data subject to the rights of others. It aims to increase trust in data intermediation services by creating a new framework for companies to share their data without fear of it being misused or of losing their competitive advantage, and for consumers to retain full control over their data. Moreover, the DGA also aims to foster “data altruism” – which refers to people voluntarily donating their data for the public good, e.g. by voluntarily providing information about adverse reactions to vaccinations.
A European Data Innovation Board is to come to life to facilitate cooperation and interoperability. When it comes to international access to and transfer of non-personal data, the agreement paves the way to the creation of safeguards for public-sector data, data intermediation services and data altruism organisations against unlawful international transfer of or governmental access to non-personal data.
The DGA lays the foundations for future European data spaces and some of its provisions, including on the transfer of information, are included in the draft Data Act. When it comes to the latter, Renew and the Left respectively appointed MEP Alin Mituța (Romania) and Elena Kountoura (Greece) as their Shadow Rapporteurs to lead the work in the Committee on Industry, Research and Energy (ITRE).
French presidential elections
On 10 April, France held the first round of its presidential elections, qualifying for the second round sitting President Emmanuel Macron (La République en Marche !) and far-right candidate Marine Le Pen (Rassemblement National), respectively with 27.84 % and 23.15 % of the ballots. Despite apparent ideological differences, both candidates share the same overarching objective to strengthen France’s “digital sovereignty”. Yet, their programmes harbour different means to achieve it.
The quinquennium of Emmanuel Macron (2017-2022) has been characterised by efforts to persevere France’s digital sovereignty through regulation, securing industries and infrastructures, and supporting strategic sectors. The French government has highlighted the importance of “digital commons” (i.e. free software and data openness) as a vector of digital sovereignty – by offering an alternative to large platforms. In case of re-election, the government intends to follow up on a February 2022 initiative on these “digital commons” to “ensure the European Union’s role as a power for openness and back such efforts from a technological and financial perspective”.
In addition, to ensure data security, the government has also created a new label: the so-called “cloud confidence” which allows the creation of European cloud companies using foreign technologies under licence – a modality that offers a guarantee of the legal protection of data against extraterritorial laws. This label has sparked controversy within French political class as a missed opportunity to support French and European cloud players to perpetuate the stranglehold of non-European players in the sector.
For her part, Marine Le Pen has taken an even stronger stance on “digital sovereignty”, which is not limited to data protection, but also includes an industrial component. She considers the domination of digital technology by large foreign companies as a threat to France’s digital sovereignty and sees the “cloud of confidence” as insufficient as it risks perpetuating the status quo. In her programme, she proposes to store “sensitive data” on national territory and to prevent them from being transferred abroad. For the Rassemblement National (RN), digital issues must be dealt with at the European level, according to Member of the European Parliament Jean-Lin Lacapelle (RN, ID), digital referent of the Marine Le Pen campaign. However, the far-right candidate predicted in an interview that the European framework should be reviewed in terms of “control of concentrations according to the nationality of the actors or the framework of State aid”.
The second round of French presidential elections will take place on 24 April. The outcome of the vote will likely have a substantial impact on digital files’ policy push at the European level, especially as France is holding the Presidency of the Council of the EU until 30 June.
Public consultation on the European Cyber Resilience Act
On 16 March, the European Commission launched its public consultation on the European Cyber Resilience Act. In light of the surge of connected objects and the increased use of industrial data, the proposed act aims at setting common cybersecurity standards for connected devices and will complement the upcoming NIS 2 Directive. In a blog post, Commissioner Breton specified he hoped to increase Europe’s cyber defence capabilities by increasing collective resilience; improving response time; creating a joint cyber unit and developing a dissuasive European cyber defence doctrine. The public consultation will be open until 25 May 2022, feeding into a proposal for regulation to be published in Q3 2022.
Data economy and look at the year ahead
As non-rival goods – meaning that are consumed by people, but whose supply is not affected by people’s consumption – the volume of data is constantly growing. The generation of data is expected to reach up to 175 zettabytes in 2025, from 33 zettabytes in 2018. With these new rules, the European Commission will make more data available for reuse and are expected to create €270 billion of additional GDP by 2028 – as today 80% of industrial data is never used.
As part of its “Europe Fit for Digital Age” plan, the European Commission has laid down several targeted strategies with a wide impact on multiple sectors, including the European Strategy for Data. The latter is composed of two main legislative initiatives. First, the Data Governance Act, finalized in November 2021, creates the processes and structures to facilitate data sharing by companies, individuals and the public sector. Second, the European Data Act proposal for a Regulation published on 23 February, sets the framework to further guarantee an enhanced working market of data by building stronger enforcement for users that their data is managed responsibly, both with regards to access by governments, larger companies and other third parties.
Along with other digital initiatives in the data economy, the Data Act will have a cross-cutting impact on several business sectors. That is why Dr2 Consultants will carefully monitor the following proposals which are expected to be published in the coming months:
The Data Act has now been sent to the European Parliament and the Council of Ministers for examination. If not already done, this is the right time for businesses to assess internally with experts and the legal department how the Data Act affects your organization. Dr2 Consultants can also guide you through this process.
In the European Parliament, several committees are competing over which one gets the file. It is highly likely that the same committees which handled the Data Governance Act will be leading on this file: Industry, Research and Energy (ITRE) as lead, and Civil Liberties (LIBE), Legal Affairs (JURI) and Internal Market and Consumer Protection (IMCO) committees giving their respective opinions. The Council, for its part, has kick-started the internal discussions with a first meeting on 3rd March and draft conclusions of an informal summit in Versailles this week show that the member states express the wish to swiftly adopt legislative acts on data (next to the Digital Services Act, the Digital Markets Act, Artificial Intelligence and Cloud).
The Data Act is not expected to be finalized before the end of the year and negotiations are even likely to continue well into 2023.
How does the Data Act affect you?
In concrete terms, the Data Act will significantly modify the rights and responsibilities of businesses and service providers:
- Service providers should be aware that users should receive easier access to and greater control over their data.
- Government access will only be limited to circumstances that will be deemed necessary, and access by non-EU governments will be all but prohibited unless a bilateral agreement is in place between the EU or a member state and that specific third country.
- Organizations will have to carefully assess and consider their third party before sharing any data. Gatekeepers (companies with strong market position) will no longer be allowed to access or request data that belongs to other smaller companies, neither will these companies be allowed to offer them information or data.
In summation, this proposal is going to have a significant impact on European businesses and SMEs which make use of data in their day-to-day activities: any digital service that keeps data records will have to take steps to comply, and additionally any entity or person that uses such services should be made aware of their rights and the responsibilities that providers have.
This proposal will apply to device manufacturers, providers of digital services and connected products – such as connected vehicles or ‘the Internet of Things’.
Deep dive into the Data Act
Manufacturers and designers have the obligation to design the products in a way that makes the data generated easily accessible by default (Chapter II). Data holders would have to make available data to third parties, such as providers of aftermarket services, upon the request of the user. However, gatekeepers are not eligible third parties and, therefore, they could not encourage users to make data available to one of their services.
Unfair advantages caused by imbalances in negotiating power between contractual parties are to be removed (Chapter IV). Concrete arrangements pertaining to data-sharing agreements would introduce an instrument of an unfairness test. It would provide definitions of unfair elements in data sharing agreements. This test aims to protect the weaker party and guarantee better value creation as well as market practices.
Public sector bodies and EU institutions are entitled to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in case of a public emergency (Chapter V). The requests for data would need to be proportionate, clearly indicate the purpose, and respect the interests of the enterprise making the data available. This should ensure that the right to request data is not abused and that the public body is accountable for its use.
Customers can effectively switch between different cloud data-processing service providers and safeguards against unlawful data transfer are put in place (Chapter VI). Providers of data processing services would need to remove commercial, technical, contractual and organizational obstacles that may inhibit customers to terminating the contractual agreement of the service, concluding new contract agreements with a different provider, porting its data to another provider, and maintaining a minimum level of functionality if using a different provider.
Creation of barriers and protection of data of European citizens and companies against access by third non-EU governments (Chapter VII). The data shall only be shared under circumstances when a specific agreement is in place and clear legal protection of the data holder is guaranteed. The European Union and the United States intend to negotiate such a bilateral agreement.
Interoperability and functional equivalence between platforms and data service providers (Chapter VIII). Technical requirements would be introduced for users and providers to enable easy and secure switch between services and transact data across platforms. The Commission will further develop specific guidelines and European Standardization organizations are mentioned as partners.
Click here for a more detailed analysis as well as a word-for-word comparison between the leak and final text of the Data Act.
Stakeholder reactions to the Data Act
From the EPP political group, ITRE member Christian Ehler (Germany) laudes the Data Act as a game changer that will stimulate competitiveness and innovation. While fellow MEP Axel Voss (EPP, Germany) welcomes the European harmonization, he does not think it will correct what he perceives as mistakes made by the GDPR.
MEP Damian Boeselager (Germany), who will reportedly lead on the file for the Greens/EFA in the ITRE committee, explains the need for a legal framework for data, data sharing, monitoring and exposes what he calls the invisible power of data.
Renew MEP Stéphanie Yon-Courtin (France) highlights important progress in data security and innovation. She also welcomes increased interoperability between cloud services and improved market competition.
European industry stakeholders
The European Consumer Organisation (BEUC) calls it an essential proposal for consumers. Consumers need to stay in control of how the data they help generate is shared. On the other hand, some of this data sharing can be beneficial to consumers and the service delivered. Interoperability and accessibility to third service providers is a good step.
However, many trade associations raise concerns about potential issues concerning the provisions impeding third-party service providers to grant any direct right to access the data generated by their products. For instance, automotive representatives – such as the European Association of Automotive Suppliers (CLEPA) – stressed it would “reduce the possibility for automotive part manufacturers to utilise data on component behaviour for the purposes of development and engineering”.
Brussels tech lobby Computer and Communications Industry Association (CCIA) warned that “incentives rather than obligations” would encourage companies to share data. They also outline potential economic downsides from “safeguards” to prevent data processing services from fulfilling access requests from third countries not in line with EU law. Such “restrictions” might cost 0.6 percent of EU GDP, according to a study commissioned by CCIA. These reactions spanning from totally different industry sectors confirm the far-reaching scope of the Data Act. Similar concerns can be found with Global tech trade association ITI. They ask for incentives rather than mandates and want strong safeguards for intellectual property and trade secrets.
War in Ukraine
Data becomes the sinews of war. Following Russian President Vladimir Putin’s military invasion of Ukraine on 24 February, the international community has imposed stringent sanctions on Russia’s economy. This move has preceded international companies, the likes of service providers Netflix and Facebook, who have announced that they would immediately put the brakes on their services in Russia – targeting Russia’s data economy.
In addition, the direct impact of the conflict also lies with cybersecurity and data protection. The international community fears that Russia might retaliate to the sanctions by targeting European data and networks. It appears that Russian, Belarussian, and Chinese hackers have launched cyber-attacks on Ukraine. The Russian hacker group Fancy Bear, as well as the Belarussian group Ghostwriter, and the Chinese Mustang Panda are allegedly sending phishing emails to Ukrainian media, militaries, and the European Institutions.
On 3 March, the ITRE committee discussed strengthened European efforts in the realm of cybersecurity in the face of potential threats to EU infrastructures. After trilogues between the Council, the Commission and the Parliament, increased efforts and more capabilities for Computer Security Incident Response Teams (CSIRTs) were highlighted within the committee.
Learn more about our EU Data Policy services
Dr2 Consultants offers tailor-made solutions to navigate the evolving policy environment at EU level and anticipate the impact of the EU data-related legislation on your organization. Visit this webpage to learn more about our EU Data Policy services.
For more information on Dr2 Consultants’ full range of services, don’t hesitate to contact us.