Previous EU Data Policy Updates
Deep dive: European Health Data Space (EHDS)
On 3 May, the European Commission released its legislative proposal on the Regulation on European Health Data Space (EHDS). This initiative aims to create a system for health data exchange and access governed by common rules, procedures, and technical standards to ensure that health data can be accessed within and between the Member States, fully in line with the General Data Protection Regulation (GDPR) and Member State competences. As highlighted by the COVID-19 pandemic, governments are set to collect higher shares of health data in the future. The European Commission claims its use can add up to €11 billion over the next 10 years – with half coming from improved data exchanges in health care itself, and the other half from the use of health data in research and policy. To that end, the EU has set a fund of 810 million to build the necessary infrastructure.
Link with EU digital legislation
The EHDS is the EU’s first sector-specific regulation under its 2020 Data Strategy. It supplements the Data Governance Act and the Data Act which cannot address the specificities of sensitive data, such as health or genetic data. It provides more specific rules for ‘data altruism’ in the health sector and introduces limits to international transfers of non-personal health data.
More concretely, EHDS will improve:
Healthcare and timely access to data (primary use of data)
All Member States will be required to participate in the digital infrastructure MyHealth@EU to ensure that EU citizens can share their health data with health professionals in other EU Countries and therefore contribute to better cross-border healthcare. As of today, only 10 Member States have implemented the platform.
Research (secondary use of data)
This new legal framework and infrastructure will allow researchers, innovators, decision-makers, and regulators to re-use health data for cross-border research, policy making, educational activities, and personalised medicine.
Requirements and obligations specific to electronic health record (EHR) systems will ensure that EHR systems placed on the market and used are interoperable, secure and respect the rights of individuals over their health data.
Brussels Tech lobby DIGITALEUROPE saluted this initiative as an ambitious framework for health data, while adding that more harmonisation in the Single Market for digital health and data was needed. They also called on the Commission to clarify the scope and interactions of EHDS with other pieces of legislation such as GDPR, Data Act, Medical Device Regulation and AI Act. This reaction comes on the back of the release of their report on 7 April identifying two main roadblocks to developing and scaling life-saving health technologies in Europe: the lack of a framework for health data flows, and a fragmented market for digital health. The European Confederation of Pharmaceutical Entrepreneurs (EUCOPE) emphasised the need to set up a European Health Union that aims to reinforce the EU’s preparedness and response during health crises. On top of that, they also recommended the promotion of data interoperability.
The proposal will now be sent to the Parliament and Council for examination. The Commission is optimistic that the first results will start to show in 2025, especially for the exchange of data in health care itself, the MyHealth@EU program.
UK’s Data Bill Reform
During the Queen’s Speech on 10 May, the British government announced the reform of the country’s data protection regime. According to the executive, this Data Reform Bill is expected to create “a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection”. In its legislative agenda for the next 12 months, London said it wanted to “take advantage of the benefits of Brexit to create a world class data rights regime” by updating its local privacy rules to “fuel responsible innovation and drive scientific process.” The bill will make up part of a wider package of data protection reforms.
As it stands, the UK’s data protection rulebook is still modelled on the EU’s General Data Protection Regulation (GDPR). With this reform, the UK government remains cautious that any changes to its data protection regime would not imperil its data flows agreement with the EU, as it requires the UK to maintain an equivalent level of privacy protection compared with the Continent. Brussels is concerned about the UK’s stated desire to establish new data flows with countries including the U.S., Australia, South Korea, Singapore or India, which could lead to the transfer of EU individuals’ data to third countries with inadequate privacy standards.
Data flow deal with India
In parallel, Britain’s trade negotiators are under pressure to strike a trade deal with India this year. Prime Minister Boris Johnson has given the UK team until October to seal a post-Brexit deal on the liberalisation of data with New Delhi.
Nevertheless, experts claim that landing a deal will be a big challenge given that both sides are currently at opposite ends on their data policies. India is in the midst of setting up a new Data Protection Bill to manage the way commercial and personal data is handled. This draft law would require data to stay on Indian soil, as regulators believe the move is necessary to generate local jobs, and protect national security and the privacy of its citizens.
On its part, London is pushing hard to allow for the free flow of data between the two countries. More than 67% of UK services exports are digitally delivered. Britain currently imports more services from India than it exports.
According to a report from the UK-India Business Council (UKIBC) and think tank “The Dialogue”, if approved by the Parliament, the Indian draft law would restrict “the transfer and processing of critical personal data abroad, but also mandate commercial and nonpersonal anonymized datasets to be shared with the Indian government”. In other words, British companies selling goods or services online in India would have to set up data servers there to exclusively store payment data from national citizens. As a result, this setup could cost significant resources to UK businesses. It would limit the data they could transfer, and the value derived from analysing it with tools like machine learning, putting to the test the digital supply chains between London and New Delhi.
The EDPB and “dark patterns” in social media platform interfaces
On 2 May, the European Data Protection Board (EDPB) closed the feedback period on the “Guidelines 3/2022 on Dark patterns in social media platform interfaces: How to recognise and avoid them”. These guidelines offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called “dark patterns” in social media interfaces that infringe on GDPR requirements. These patterns aim to influence users’ behavior and hinder their ability to effectively protect their personal data and make conscious choices. They can be divided into these categories:
- Overloading: confronting users with a large number of requests, information, options or possibilities in order to prompt them to share more data or unintentionally allow personal data processing against the expectations of the data subject.
- Skipping: designing interfaces or user experiences in a way that users forget or do not think about all or some of the data protection aspects.
- Stirring: affecting the choice users would make by appealing to their emotions or using visual.
- Hindering: obstructing or blocking users in their process of becoming informed or managing their data by making the action hard or impossible to achieve.
- Left in the dark: designing interfaces in a way to hide information or data protection control tools or to leave users unsure of how their data is processed and what kind of control they might have over it regarding the exercise of their rights.
These dark patterns are practices that are not only relevant for personal data protection, but sit at the intersection between several fields of law, in particular consumer law, digital market and data protection law. The Digital Markets Act (DMA) and Digital Services Act (DSA) contain specific provisions prohibiting these types of practices. They are also addressed in other instruments regulating the digital sphere which are currently under discussion, such as the European Data Act.
Conference on the Future of Europe (CoFoE) and the digital transformation
On Europe Day, the Conference on the Future of Europe’s Executive Board gave the final report on the outcome of the Conference to the Presidents of the European Parliament, Commission and Council in Strasbourg. As a reminder, the CoFoE is a one-year bottom-up exercise for Europeans to have their say on what they expect from the European Union. European citizens of different geographic origin, gender, age, socioeconomic background and/or level of education were encouraged to take part in the Conference, with young Europeans playing a central role. With 49 proposals, this final document includes concrete objectives and more than 320 measures for the EU institutions to follow up on under nine topics, including digital transformation.
In the digital chapter, authors brought to the fore the importance of “long-term consequences of the seizure of personal information and the illegitimate use of that data in the future” especially following the Russian invasion of Ukraine. To tackle this issue, they suggested avoiding “data concentration and dependence on third countries in relation to infrastructure and services” and building “a data infrastructure based on European values.”
EU Data Act and its impact on EU competition and sustainability goals
On 5 May, Dr2 Consultants hosted a Breakfast Webinar to discuss the impact of the Data Act on European competition and sustainability goals. The event was moderated by Cathy Kremer, Senior Consultant at Dr2 Consultants.
Mr. Paolo Falcioni, Director-General of APPLiA, representing the home appliance sector in Europe, and Mr. Radu Surdeanu, Senior Director Government Affairs at Siemens Energy, a large energy company offering products and services along the entire value chain, were invited to shed light on the Data Act from an association and business perspective.
Both speakers agreed with the key ambition of the Data Act, its potential to increase Europe’s competitiveness and contribute to the EU’s sustainability goals, but they underlined there is still a long way to go for this proposal. The rules for the industry need to be more clearly defined, trade secrets should be protected, innovation should be stimulated, and the text should be strengthened in a participatory manner with all stakeholders.
Deep dive: Revamped EU-US Data Protection Shield
New Trans-Atlantic Data Privacy Framework
On 25 March, European Commission President von der Leyen and U.S. President Biden announced an agreement in principle on a new framework for transatlantic data flows. This comes on the back of the EU Court of Justice’s invalidation of the EU-US Data Protection Shield in July 2020; the Court ruled that the data protection provided for in U.S. domestic law on U.S. public authorities’ access to and use of personal data transferred from the European Union did not meet sufficient privacy requirements. In addition, the European Data Protection Board – the EU’s privacy watchdog – had issued guidance that would restrict the use of alternative data transfer mechanisms.
On top of that, Russia’s invasion of its Black Sea neighbour has heightened the need to accelerate Brussels-Washington negotiations on a revamped Privacy Shield pact. Maintaining strong relationships between like-minded democracies is now more important than ever, and that includes fostering a secure framework of data flows from both sides of the Atlantic.
According to officials close to the ongoing negotiations, Washington’s latest offer is based, among others, on recent suggestions from a group of privacy experts that includes:
- The creation of a new agency within the U.S. Department of Justice to oversee how the country’s intelligence agencies handle the data of European citizens;
- A White House executive order to give investigative powers to said agency;
- The ability for the EU institutions to challenge that data collection through U.S. federal courts.
Brussels Tech lobbies DIGITALEUROPE and Computer & Communication Industry Association (CCIA) both welcomed the agreement. In the past, they stressed that the growth of the data economy and the success of European companies is dependent on the ability to transfer data.
Furthermore, the American Chamber of Commerce to the EU (AmCham EU) emphasised that the 2020 invalidation of the EU-US Privacy Shield caused uncertainty for over 5,000 companies that rely on the Privacy Shield to transfer personal data between US and the EU. This is corroborated by a study on data flows carried out by Frontier Economics, which shows that additional restrictions on cross-border data flows could lead to a loss of 2 million jobs and around €2 trillion worth of growth by the end of 2030. Results also show that in a scenario following the current trend towards a moderate increase in restrictiveness, European companies of all sizes and sectors could be affected – especially as the US is the EU’s largest data partner. In particular, the EU manufacturing sector stands to lose the most in absolute value. Sectors such as media and culture could also be some of the most impacted in relative terms, losing about 10% of their exports. Finally, as SMEs account for almost a quarter of all goods exported from the EU, they would be heavily impacted.
As it stands, details are yet to be discussed by negotiators between the U.S. Department of Commerce and the European Commission. The process still involves legal changes on the U.S. side and the ratification by the EU’s various bodies. The formal adoption process is expected to take about 6 months. The European Commission will publish a draft implementation act and seek the non-binding opinion of the EDPB/EDPS and the European Parliament. The Council also has to agree on the final text. In the US, the government should release the Executive Order that gives effect to the surveillance reforms agreed to.
Artificial Intelligence Act
The past month saw some relevant developments concerning AI policy in the European Parliament. This includes the publication of the final opinion of the European Parliament’s special committee for Artificial Intelligence in the Digital Age (AIDA), as well as the ongoing negotiations and recommendations by several Parliament committees on the Artificial Intelligence Act (AI Act).
Artificial Intelligence in the Digital Age (AIDA)
AIDA approved its opinion on the future of AI in Europe on 22 March, focusing on opportunities raised by AI for the European economy and delineating a European ambition to be a global democratic trendsetter in the field of AI. AI should not be regulated as a whole, the report argues. Specific applications should be evaluated in proportionality with their risks and benefits. Lastly, the report calls for constant evaluation and monitoring of the mass gathering of personal user data to prevent abuse.
Other EP committees’ negotiations
The AI Act itself is still being debated by the lead Parliament committees, Internal Market and Consumer Protection (IMCO) and Civil Liberties (LIBE), which have to produce a joint report. Other committees that were requested to form an opinion on the proposal have already announced draft amendments and opinions. Topics of contention in multiple committees include regulation on data gathering and analysis by AI systems, as well as certain data applications through AI such as social scoring and biometric identification. Additionally, within the responsible joint IMCO-LIBE meetings, there is still no agreement on definitions, streamlining with GDPR and facial recognition.
The deadline for amendments in the joint IMCO-LIBE meeting is 18 May. The plenary session is expected to discuss the AI Act in November.
Data Governance Act
On 6 April, members of the European Parliament endorsed the interinstitutional deal between the Parliament, Commission and Council clinched in December on the European Data Governance Act (DGA) with 501 votes to 12, with 40 abstentions. The Regulation must now be formally adopted by the EU Council before it is published in the Official Journal and enters into force. EU diplomats are set to take a look at the Parliament’s position in Coreper on May 11.
This initiative, regulating intermediaries of data sharing, aims to set up a mechanism to enhance the reuse of certain categories of public sector data subject to the rights of others. It aims to increase trust in data intermediation services by creating a new framework for companies to share their data without fear of it being misused or of losing their competitive advantage, and for consumers to retain full control over their data. Moreover, the DGA also aims to foster “data altruism” – which refers to people voluntarily donating their data for the public good, e.g. by voluntarily providing information about adverse reactions to vaccinations.
A European Data Innovation Board is to come to life to facilitate cooperation and interoperability. When it comes to international access to and transfer of non-personal data, the agreement paves the way to the creation of safeguards for public-sector data, data intermediation services and data altruism organisations against unlawful international transfer of or governmental access to non-personal data.
The DGA lays the foundations for future European data spaces and some of its provisions, including on the transfer of information, are included in the draft Data Act. When it comes to the latter, Renew and the Left respectively appointed MEP Alin Mituța (Romania) and Elena Kountoura (Greece) as their Shadow Rapporteurs to lead the work in the Committee on Industry, Research and Energy (ITRE).
French presidential elections
On 10 April, France held the first round of its presidential elections. Sitting President Emmanuel Macron (La République en Marche !) and far-right candidate Marine Le Pen (Rassemblement National) qualified for the second round, with 27.84 % and 23.15 % of the ballots respectively. Despite apparent ideological differences, both candidates share the same overarching objective to strengthen France’s “digital sovereignty”. Yet, their programmes harbour different means to achieve it.
The quinquennium of Emmanuel Macron (2017-2022) has been characterised by efforts to preserve France’s digital sovereignty through regulation, securing industries and infrastructures, and supporting strategic sectors. The French government has highlighted the importance of “digital commons” (i.e. free software and data openness) as a vector of digital sovereignty – by offering an alternative to large platforms. In case of re-election, the government intends to follow up on a February 2022 initiative on these “digital commons” to “ensure the European Union’s role as a power for openness and back such efforts from a technological and financial perspective”.
In addition, to ensure data security, the government has also created a new label: the so-called “cloud confidence” which allows the creation of European cloud companies using foreign technologies under licence – a modality that offers a guarantee of the legal protection of data against extraterritorial laws. This label has sparked controversy within the French political class, where it is criticised as a missed opportunity to support French and European cloud players that perpetuates the stranglehold of non-European players in the sector.
For her part, Marine Le Pen has taken an even stronger stance on “digital sovereignty”, which is not limited to data protection, but also includes an industrial component. She considers the domination of digital technology by large foreign companies as a threat to France’s digital sovereignty and sees the “cloud of confidence” as insufficient as it risks perpetuating the status quo. In her programme, she proposes to store “sensitive data” on national territory and to prevent them from being transferred abroad. For the Rassemblement National (RN), digital issues must be dealt with at the European level, according to Member of the European Parliament Jean-Lin Lacapelle (RN, ID), digital referent of the Marine Le Pen campaign. However, the far-right candidate predicted in an interview that the European framework should be reviewed in terms of “control of concentrations according to the nationality of the actors or the framework of State aid”.
The second round of French presidential elections will take place on 24 April. The outcome of the vote will likely have a substantial impact on digital files’ policy push at the European level, especially as France is holding the Presidency of the Council of the EU until 30 June.
Public consultation on the European Cyber Resilience Act
On 16 March, the European Commission launched its public consultation on the European Cyber Resilience Act. In light of the surge of connected objects and the increased use of industrial data, the proposed act aims at setting common cybersecurity standards for connected devices and will complement the upcoming NIS 2 Directive. In a blog post, Commissioner Breton specified he hoped to increase Europe’s cyber defence capabilities by increasing collective resilience; improving response time; creating a joint cyber unit and developing a dissuasive European cyber defence doctrine. The public consultation will be open until 25 May 2022, feeding into a proposal for regulation to be published in Q3 2022.
Data economy and look at the year ahead
Data are non-rival goods – meaning that they are consumed by people, but their supply is not affected by people’s consumption – and their volume is constantly growing. The generation of data is expected to reach up to 175 zettabytes in 2025, from 33 zettabytes in 2018. With these new rules, the European Commission will make more data available for reuse; the rules are expected to create €270 billion of additional GDP by 2028 – as today 80% of industrial data is never used.
As part of its “Europe Fit for Digital Age” plan, the European Commission has laid down several targeted strategies with a wide impact on multiple sectors, including the European Strategy for Data. The latter is composed of two main legislative initiatives. First, the Data Governance Act, finalized in November 2021, creates the processes and structures to facilitate data sharing by companies, individuals and the public sector. Second, the European Data Act, a proposal for a Regulation published on 23 February, sets the framework to further guarantee an enhanced working market of data by building stronger enforcement for users that their data is managed responsibly with regard to access by governments, larger companies and other third parties.
Along with other digital initiatives in the data economy, the Data Act will have a cross-cutting impact on several business sectors. That is why Dr2 Consultants will carefully monitor the following proposals which are expected to be published in the coming months:
The Data Act has now been sent to the European Parliament and the Council of Ministers for examination. If not already done, this is the right time for businesses to assess internally with experts and the legal department how the Data Act affects your organization. Dr2 Consultants can also guide you through this process.
In the European Parliament, several committees are competing over which one gets the file. It is highly likely that the same committees which handled the Data Governance Act will be leading on this file: Industry, Research and Energy (ITRE) as lead, and Civil Liberties (LIBE), Legal Affairs (JURI) and Internal Market and Consumer Protection (IMCO) committees giving their respective opinions. The Council, for its part, has kick-started the internal discussions with a first meeting on 3rd March and draft conclusions of an informal summit in Versailles this week show that the member states express the wish to swiftly adopt legislative acts on data (next to the Digital Services Act, the Digital Markets Act, Artificial Intelligence and Cloud).
The Data Act is not expected to be finalized before the end of the year and negotiations are even likely to continue well into 2023.
How does the Data Act affect you?
In concrete terms, the Data Act will significantly modify the rights and responsibilities of businesses and service providers:
- Service providers should be aware that users should receive easier access to and greater control over their data.
- Government access will only be limited to circumstances that will be deemed necessary, and access by non-EU governments will be all but prohibited unless a bilateral agreement is in place between the EU or a member state and that specific third country.
- Organizations will have to carefully assess and consider their third parties before sharing any data. Gatekeepers (companies with a strong market position) will no longer be allowed to access or request data that belongs to other smaller companies, nor will these companies be allowed to offer them information or data.
In summation, this proposal is going to have a significant impact on European businesses and SMEs which make use of data in their day-to-day activities: any digital service that keeps data records will have to take steps to comply, and additionally any entity or person that uses such services should be made aware of their rights and the responsibilities that providers have.
This proposal will apply to device manufacturers, providers of digital services and connected products – such as connected vehicles or ‘the Internet of Things’.
Deep dive into the Data Act
Manufacturers and designers have the obligation to design the products in a way that makes the data generated easily accessible by default (Chapter II). Data holders would have to make available data to third parties, such as providers of aftermarket services, upon the request of the user. However, gatekeepers are not eligible third parties and, therefore, they could not encourage users to make data available to one of their services.
Unfair advantages caused by imbalances in negotiating power between contractual parties are to be removed (Chapter IV). Concrete arrangements pertaining to data-sharing agreements would introduce an instrument of an unfairness test. It would provide definitions of unfair elements in data sharing agreements. This test aims to protect the weaker party and guarantee better value creation as well as market practices.
Public sector bodies and EU institutions are entitled to access and use data held by the private sector that is necessary for exceptional circumstances, particularly in case of a public emergency (Chapter V). The requests for data would need to be proportionate, clearly indicate the purpose, and respect the interests of the enterprise making the data available. This should ensure that the right to request data is not abused and that the public body is accountable for its use.
Customers can effectively switch between different cloud data-processing service providers and safeguards against unlawful data transfer are put in place (Chapter VI). Providers of data processing services would need to remove commercial, technical, contractual and organizational obstacles that may inhibit customers from terminating the contractual agreement of the service, concluding new contract agreements with a different provider, porting their data to another provider, and maintaining a minimum level of functionality if using a different provider.
Creation of barriers and protection of data of European citizens and companies against access by third non-EU governments (Chapter VII). The data shall only be shared under circumstances when a specific agreement is in place and clear legal protection of the data holder is guaranteed. The European Union and the United States intend to negotiate such a bilateral agreement.
Interoperability and functional equivalence between platforms and data service providers (Chapter VIII). Technical requirements would be introduced for users and providers to enable easy and secure switch between services and transact data across platforms. The Commission will further develop specific guidelines and European Standardization organizations are mentioned as partners.
Stakeholder reactions to the Data Act
From the EPP political group, ITRE member Christian Ehler (Germany) lauds the Data Act as a game changer that will stimulate competitiveness and innovation. While fellow MEP Axel Voss (EPP, Germany) welcomes the European harmonization, he does not think it will correct what he perceives as mistakes made by the GDPR.
MEP Damian Boeselager (Germany), who will reportedly lead on the file for the Greens/EFA in the ITRE committee, explains the need for a legal framework for data, data sharing, monitoring and exposes what he calls the invisible power of data.
Renew MEP Stéphanie Yon-Courtin (France) highlights important progress in data security and innovation. She also welcomes increased interoperability between cloud services and improved market competition.
European industry stakeholders
The European Consumer Organisation (BEUC) calls it an essential proposal for consumers. Consumers need to stay in control of how the data they help generate is shared. On the other hand, some of this data sharing can be beneficial to consumers and the service delivered. Interoperability and accessibility to third service providers is a good step.
However, many trade associations raise concerns about potential issues concerning the provisions impeding third-party service providers to grant any direct right to access the data generated by their products. For instance, automotive representatives – such as the European Association of Automotive Suppliers (CLEPA) – stressed it would “reduce the possibility for automotive part manufacturers to utilise data on component behaviour for the purposes of development and engineering”.
Brussels tech lobby Computer and Communications Industry Association (CCIA) warned that “incentives rather than obligations” would encourage companies to share data. They also outline potential economic downsides from “safeguards” to prevent data processing services from fulfilling access requests from third countries not in line with EU law. Such “restrictions” might cost 0.6 percent of EU GDP, according to a study commissioned by CCIA. These reactions spanning from totally different industry sectors confirm the far-reaching scope of the Data Act. Similar concerns can be found with Global tech trade association ITI. They ask for incentives rather than mandates and want strong safeguards for intellectual property and trade secrets.
War in Ukraine
Data becomes the sinews of war. Following Russian President Vladimir Putin’s military invasion of Ukraine on 24 February, the international community has imposed stringent sanctions on Russia’s economy. This move was followed by international companies, such as service providers Netflix and Facebook, announcing that they would immediately put the brakes on their services in Russia – targeting Russia’s data economy.
In addition, the direct impact of the conflict also lies with cybersecurity and data protection. The international community fears that Russia might retaliate to the sanctions by targeting European data and networks. It appears that Russian, Belarusian, and Chinese hackers have launched cyber-attacks on Ukraine. The Russian hacker group Fancy Bear, as well as the Belarusian group Ghostwriter, and the Chinese Mustang Panda are allegedly sending phishing emails to Ukrainian media, militaries, and the European Institutions.
On 3 March, the ITRE committee discussed strengthened European efforts in the realm of cybersecurity in the face of potential threats to EU infrastructures. After trilogues between the Council, the Commission and the Parliament, increased efforts and more capabilities for Computer Security Incident Response Teams (CSIRTs) were highlighted within the committee.