The European Commission’s Communication from February of this year describes Europe’s “strategy for data”. As a leader in data protection, it is interesting to see the EU strategize on how to make data more available in order to stimulate the European single market. Can the EU be just as successful in making data available to all sectors of the economy to drive innovation, competition, and other benefits for consumers as it was in protecting personal data?
At first glance, the vision seems quite radical. It is to create a single data market where global, high-quality, public and personal data can be made available to all businesses in Europe in order to spur innovation and increase competition while protecting European fundamental values like privacy and fairness. The idea is meant to encourage all sectors of the economy, including non-profit and civil society, to take advantage of data, to produce new and better products and services that benefit society. It would work by creating data pools (to a more or less centralized degree) into which organizations submit data and in return can access the data in the pool as well as other services like analytics and maintenance. The general feeling that motivates this strategy is that there is not enough data available to public institutions, researchers, start-ups, and small and medium-size businesses because the data is siloed within big tech companies, many of which are outside the EU and do not share data.
The Commission proposed a 4-Step Action Plan.
- In 2020, the Commission will propose a legislative framework for “common European data spaces”
- In 2021, it will make more public datasets available under the 2019 Open Data Directive, which requires that public sector data is made available for re-use for the public good
- In 2021, a “Data Act” may be proposed that would incentivize horizontal data sharing from government to business, business to government, business to business, and within government, making sharing compulsory in some instances where market failures cannot be solved through competition law
- Further analysis of the “data-agile” economy
The Commission, in the next ten years, will also invest in “European data spaces” of which 9 have been identified so far (manufacturing, climate change, transportation, healthcare, finance, energy, agriculture, public administration, and digital skills) and Europe’s cloud infrastructure to improve data sharing and interoperability in what is being called the “High Impact Project”, investing 4-6 billion euro. This is meant to drive a robust cloud services marketplace and a cloud rulebook will bring together all the relevant regulations and guidelines for how to procure cloud services that meet European standards of privacy, security, interoperability, energy efficiency, and scalability.
In reality, when existing regulatory restrictions and market disincentives are taken into account, the strategy seems more like one of improvements at the edges than a radical remaking of European data sharing. First, rather than a single data repository, each sector is likely to remain siloed because each will face different challenges related to the nature of the data that it processes, which are not (yet) addressed in the strategy. For example, the healthcare sector will face challenges in protecting the privacy of sensitive electronic health records, while the manufacturing sector may face intellectual property concerns, while data related to the European Green Deal may be the easiest to share. Therefore data sharing may progress at different rates in each sector. Second, much of the data sharing may be stimulated through existing measures rather than new ones, particularly when it comes to non-personal data where the Open Data Directive for public datasets and the 2019 Free Flow of Non-Personal Data Regulation already apply. Time will tell if new measures, such as the proposed Data Act, will come to fruition and if so what effect they will have.
The starkest challenge will be encouraging net new data sharing, particularly in the private sector and particularly of personal data given the regulatory (GDPR), competition, and brand reputational risks of sharing gone wrong. The benefits of access to new data in these data pools will have to far outweigh the potential costs of these risks (perhaps mitigated through policy innovations like regulatory sandboxes). Finally, sharing between different types of institutions like public agencies, businesses, and non-profit organizations will pose significant challenges as each of these types of institutions will use the data in different ways, ranging from commercial to public good to law enforcement purposes. It is difficult enough to inventory personal data within a single organization and to restrict its data processing to only the purposes for which there exists a lawful basis for processing, let alone compiling all of the data together and letting many institutions with many divergent use cases access it.
Of course, all of these challenges may actually stimulate technological and policy innovations in data handling that will make data use easier and simultaneously more secure. Perhaps innovations in encryption, differential privacy, or machine learning will help to get more value out of vast amounts of data while preserving privacy, security and consumer control over personal data. Although the strategy is still light on details on how data sharing challenges with regard to these fundamental values will be overcome, the vision is certainly bold and worth pursuing given the potential benefits that may be unlocked for European businesses, consumers, and public authorities.