Navigating the nexus of Policy, Digital Technologies, and Futures (S1/E8)
S1/E8: Data in the European Union – a matter of Knowledge, Intelligence, and Wisdom?
After discussing EU policies and legislation that regulate the Software Industry in areas like personal data processing, cybersecurity, and Big-Tech services and competition, this episode will turn our attention to probably the most essential component of the software world, namely data. Yes, in general.
I remember my early years studying Computer Science, where one of the main textbooks was titled Algorithms + Data Structures = Programs, by Niklaus Wirth, published in 1976. In that time, we were taught that both data and instructions to process data are stored with the same format and in the same locations within computers. And think that this very simple piece of knowledge has proven to be a bonanza for hackers worldwide.
And since I wrote about knowledge and data, allow me a digression about the well-known sequence that states that Data becomes Information that becomes Knowledge. I’d actually add that Knowledge becomes LLMs, like ChatGPT, which, in this sequence, is certainly a form of Intelligence, that becomes Wisdom. Perhaps the page about DIKW in Wikipedia could use an updating in view of the recent advances in Artificial Intelligence.
But now, let’s come back to our main focus today and dive into Digital Sovereignty as a matter of EU governance. According to the European Parliament, 'Digital sovereignty' refers to Europe's ability to act independently in the digital world and should be understood in terms of both protective mechanisms and offensive tools to foster digital innovation (including in cooperation with non-EU companies).
A strategy
As we know, plethora of EU policies and legislation have been promulgated since 2016 in order to try and regulate our digital lives in the EU (and beyond). One of them was the Communication from the European Commission to the European Parliament, the Council, the European Economic and Social Committee, and the Committee of the Regions, about A European Strategy for data. Such a Communication is one of the first formal steps indicating that new law proposals are in the making at the EC. This one was published in February 2020.
The declared objectives of this strategy are the following.
- Create a single market for data that will ensure Europe’s global competitiveness and data sovereignty.
- Common European data spaces will ensure that more data becomes available for use in the economy and society, while keeping the companies and individuals who generate the data in control of their data.
The main measures of the European Strategy for data are:
- Adopt legislative measures on data governance, access and reuse. For example, for business-to-government data sharing for the public interest;
- Make data more widely available by opening up high-value publicly held datasets across the EU and allowing their reuse for free;
- Invest €2 billion in a European High Impact Project to develop data processing infrastructures, data sharing tools, architectures and governance mechanisms for thriving data sharing and to federate energy-efficient and trustworthy cloud infrastructures and related services;
- Enable access to secure, fair and competitive cloud services by facilitating the set-up of a procurement marketplace for data processing services and creating clarity about the applicable regulatory framework on cloud.
First brick: Governance
The first indicated measure in the EU Data Strategy was to regulate data governance, access, and reuse. Accordingly, the European Data Governance Act was published in May 2022, stating the following as its main objectives. (Proposed 25 November 2020. In force. Applies from 24 September 2023.)
- Increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data.
- Also support the set-up and development of common European data spaces in strategic domains, involving both private and public players, in sectors such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills.
The main measures of the European Data Governance Act are:
- Mechanisms to facilitate the reuse of certain public sector data that cannot be made available as open data. For example, the reuse of health data could advance research to find cures for rare or chronic diseases.
- Measures to ensure that data intermediaries will function as trustworthy organisers of data sharing or pooling within the common European data spaces.
- Measures to make it easier for citizens and businesses to make their data available for the benefit of society.
- Measures to facilitate data sharing, in particular to make it possible for data to be used across sectors and borders, and to enable the right data to be found for the right purpose.
Second brick: regulating value in data
But data governance was only part of the picture, and in February 2022 the EC proposed to the EP and the Council a regulation on harmonised rules on fair access to, and use of, data, better known as The Data Act. This law is still under negotiation, with the EP having agreed on its position in March 2023.
The objectives of the Data Act, as proposed by the European Commission are as follows.
- Complements the Data Governance Regulation, the first deliverable of the European strategy for data.
- The Data Governance Regulation creates the processes and structures to facilitate data use
- The Data Act clarifies who can create value from data and under which conditions
- The Data Act will ensure fairness by setting up rules regarding the use of data generated by Internet of Things (IoT) devices.
- In the context of connected objects, manufacturers have developed business models offering smart functions that typically generate data. In many cases, these data are currently locked in, the manufacturer can track the use of the object and offer repair and maintenance even before a problem occurs. The Data Act will enable access to data to the users of such objects
- Users of objects or devices generally believe that they should have full rights of the data they generate. However, these rights are often unclear. And, manufacturers do not always design their products in a way that allows users, both professionals and consumers, to take full advantage of the digital data they create when using IoT objects. This leads to a situation where there is no fair distribution of the capacity to build on such important digital data, holding back digitisation and value creation.
- It also clarifies the role of the sui generis database right (i.e. the right to protect the content of certain databases) and its application to databases resulting from data generated or obtained by IoT devices.
- The Data Act will make more data available for the benefit of companies, citizens and public administrations through a set of measures
With its main measures being the following.
- Measures to increase legal certainty for companies and consumers who generate data on who can use what such data and under which conditions, and incentives for manufacturers to continue investing in high-quality data generation. These measures will make it easier to transfer data between service providers and will encourage more actors, regardless of their size, to participate in the data economy.
- Essentially, an IoT product user, (whether a legal or natural person), may require from the “data holder” access to the data generated by the use of her product and may port it away
- Not only are data holders mandated to share data, but their use of data is also regulated (see also the regulation of data use by the beneficiary of the data portability right, Art. 6). In particular, Art. 4(6) lays down a by default non-personal data processing ban on the data holder, except when based on a contractual agreement with the user. Read in combination with the data access and sharing rights of the user, it implies that data are allocated to the user, as ancillary to the IoT product.
- Measures to prevent abuse of contractual imbalances that hinder fair data sharing. SMEs will be protected against unfair contractual terms imposed by a party enjoying a significantly stronger market position. The Commission will also develop model contract clauses in order to help such market participants draft and negotiate fair data-sharing contracts.
- Means for public sector bodies to access and use data held by the private sector that is necessary for specific public interest purposes. For instance, to develop insights to respond quickly and securely to a public emergency, while minimising the burden on businesses.
- New rules setting the right framework conditions for customers to effectively switch between different providers of data-processing services to unlock the EU cloud market. These will also contribute to an overall framework for efficient data interoperability.
More to come?
One could say that a recent embodiment of the geo-political concept of Digital Sovereignty is reflected in the recent decision (EU) 2022/2481 of the European Parliament and of the Council of 14 December 2022, establishing the Digital Decade Policy Programme 2030, whose proposed rights and principles are as follows:
- Putting people and their rights at the centre of the digital transformation
- Supporting solidarity and inclusion
- Ensuring freedom of choice online
- Fostering participation in the digital public space
- Increasing safety, security and empowerment of individuals
- Promoting the sustainability of the digital future
The fact is that the EU institutions finally woke up and understood that the Digital Revolution led to a new, Digital Era, and those institutions are now trying and regulating every single aspect of our Digital Societies. While waking up and facing reality is a good thing, going into a regulation spree that may have unintended consequences, some of which I discussed in the last episode, may not be a wise path to follow. Maybe the EU institutions would gain from taking more time to analyse existing Intelligence, that have been gathered from sound Knowledge, which were built with diverse Information, that sprung from, well, data.
Keep tuned! If ChatGPT had been trained with data up and until June 2023, I’d ask it to write about the new and most famous kid in town: the AI Act. As it stands, I’ll have to write it myself. Watch this space.
[This blog series is inspired by research work that is or was partially supported by the European research projects CyberSec4Europe (H2020 GA 830929), LeADS (H2020 GA 956562), and DUCA (Horizon Europe GA 101086308), and the CNRS International Research Network EU-CHECK.]
CNRS - France
Digital Skippers Europe (DS-Europe)