The Data Governance Act proposal, published on 25 November 2020 by the European Commission, is a first step along what the Commission envisages as the path towards a common European data space. The act would establish principles for data sharing: between private entities and between the public and private sectors. After the great disappointment of COVID-19 tracking smartphone apps, with download rates as low as 3% in France, the aim with the proposed regulation is to incentivise data sharing by creating a system of trust-enhancing safeguards.
Effective action in this area is badly needed but this regulation alone is unlikely to meet that goal. Data is a primary input for key promising technologies such as artificial intelligence: even the most sophisticated algorithm or computing infrastructure cannot succeed without large quantities of information. If the European Union creates the right conditions for competitive data sharing, particularly among businesses, European companies might still have a chance to become credible and economically-appealing alternatives to their non-EU competitors.
This is what the proposal is supposed to do, even if it could risk undermining the EU’s commitment to the free trade in data by promoting an allegedly protectionist agenda. For example, it establishes conditions to be met by data intermediaries, or companies that help ‘data-holders’ (i.e. entities that control and could grant access to data) to make their data available for potential use by other entities. French platform Dawex, for example, could work with the owner of a smart factory to monetise the machine data it generates during production; other companies could then use that data to anticipate potential breakdowns in their factories.
An earlier version of the proposed rules contained measures that made it mandatory for data intermediaries to be established in Europe, so one may have wondered if the Commission was not working to put up barriers to prevent EU data from flowing away. Those measures were dropped in the final text. But even if they would have stayed, it might be a step too far to read a protectionist intent in the Commission’s suggested approach. The measures did not mean that intermediaries had to keep the data where it originates and may have rather be genuinely driven by the desire to facilitate supervision and enforcement by the competent national authority.
The proposal will therefore not limit competition, but it will also not be a game changer.
The proposed regulation covers three main areas. The first is data held by the public sector. Making such data widely available can be a powerful tool to stimulate growth. In 2019, the size of the EU open market data amounted to more than €184 billion. But it is hard to open the most valuable data, such as personal or confidential commercial information, because it might go against data protection rules. Consider for example data that could be used to monitor and improve the performance of schools or hospitals; often that data would convey information about specific students or patients. The Commission wants to remedy that by ensuring that this type of data can also be shared if adequate safeguards are implemented. But what is proposed is not enough to promote trust. For example, anonymising personal data may imply compliance with the General Data Protection Regulation. But open data can be misused. Hence public entities could be compelled to supervise how their data is being used and be held responsible if something goes wrong.
The second area in which new rules are proposed is that of authorised data intermediaries. To be authorised, intermediaries must be ‘neutral’; that is, their intermediary activity must be structurally separate from anything else they do. This requirement is meant to create trust by reassuring data holders that their data cannot be used for any other purpose than that intended by the intermediation. However, such structural separation has a significant cost. Preventing possible efficiencies for intermediaries that could have been achieved without going against data protection laws might undermine the viability of their business models. If the intent is to make the data intermediary market blossom, enhanced trust is unlikely to do the job in a notoriously tough landscape dominated by well-equipped competitors. Consider, for example, Amazon’s AWS Data Exchange, relying on Amazon’s cloud infrastructure services, that alone controls one-third of the global cloud market.
Finally, the proposed regulation covers ‘data altruism’, that is, the conditions under which the private sector can share data with non-profit entities for the purpose of pursuing a common good. Telecom data has been used to forecast Ebola outbreaks in West Africa, for example. The potential value creation is significant and the effort to design a framework is laudable. But the core issue has been sidestepped: how can the proposed regulation incentivise the private sector, companies and citizens alike, to share their data? The dramatic failure with the COVID-19 tracking apps shows that something more is needed to boost data sharing other than simply ensuring that it will happen lawfully, as the proposal seems to suggest.
The so-called Data Governance Act is a good start but on its own won’t have significant effects. It needs adequate complementary legislative and non-legislative action. Europe needs all pieces of its data strategy puzzle to be in place to enhance its competitive position: there is still a long way to go.