On 19 February 2020 the European Commission (EC) published a package of initiatives (the AI and Data Package) on Europe’s “digital future”, delivering on the promise in President von der Leyen’s political guidelines to put forward legislation on artificial intelligence (AI) and big data in her first 100 days in office. This package includes a communication on European digital policy, a white paper on AI (the AI White Paper, or the White Paper), a communication on European data strategy (the Data Strategy Communication, or the Communication) and a report on safety and liability implications of AI, the Internet of Things (IoT) and robotics. On 10 March 2020 the EC published a related communication on Europe’s industrial strategy (the Industrial Strategy Communication) underlining the key role of the European data strategy, as well as European Union (EU) competition law reforms.
- summarises the main elements of the AI White Paper and Data Strategy Communication, as well as related initiatives described in these documents and the Industrial Strategy Communication. These include, notably, a separate Digital Services Act package in 2020 and a Data Act in 2021; and
- discusses the role of EU antitrust reform, highlighted in the Data Strategy Communication and Industrial Strategy Communication, in the new EU digital strategy.
The AI White Paper
The AI White Paper breaks the EC proposals into two main categories: achieving an “ecosystem of excellence” and creating an “ecosystem of trust”. The EC’s proposals for an “ecosystem of excellence” consist of a bundle of “carrots.” These include initiatives for co-operation between the EC, Member State authorities and the private sector, as well as continued work in multilateral fora, such as the Council of Europe, UNESCO and the OECD. The EC proposes significant increases in funding and a focus on skills and small and medium-sized enterprises.
The EC “sticks” accompanying the “carrots” will be contained in the EC’s “ecosystem of trust,” for which the EC proposes an EU-wide AI regulatory framework. The AI White Paper identifies the main issues as:
- risks for fundamental rights, including personal data and privacy protection and non-discrimination; and
- risks for safety and the effective functioning of the EU’s liability regime.
Although there is already an extensive body of EU legislation in both areas, the EC believes that the existing framework needs improvement in a number of respects to address the particular challenges created by the use of AI.
Separately, the EC believes a new EU regulatory framework is required. This framework would apply to products and services “relying on AI”, which would need to be defined with sufficient flexibility to accommodate technical progress, while being precise enough to provide legal certainty.
The EC envisages a risk-based approach in which new mandatory obligations would apply to AI applications identified as “high risk,” while the current regulatory framework (and potentially a voluntary certification approach) would apply to non-high-risk applications.
AI applications would normally be considered “high risk” only when they are employed: (i) in a sector where significant risks can be expected to occur (e.g., healthcare, transport, energy and parts of the public sector); and (ii) in such a manner that significant risks are likely to arise (e.g., those that produce legal or other significant effects on individuals, pose a risk of injury, death or significant damage or produce effects that cannot reasonably be avoided). However, the EC suggests that certain applications may be defined as high risk per se, mentioning as examples recruitment, workers’ rights and remote biometric identification (e.g., facial recognition).
The AI White Paper lays out a range of features that could be included in future mandatory requirements for high-risk applications. These include training data, data and record-keeping; information to be provided; robustness and accuracy; human oversight; and specific requirements for particular applications, such as remote biometric identification.
How might the mandatory requirements work in practice?
Data used to train AI systems would be required to meet EU safety standards, not lead to prohibited discrimination and protect privacy and personal data.
Companies could also be required to keep records regarding the data used to train and test AI systems and in some cases the data sets themselves.
Companies could be required to provide information on AI systems’ capabilities and limitations; to inform citizens when they are interacting with AI systems; and to ensure that AI systems are robust and accurate, that outcomes are reproducible and that AI systems can deal with errors and inconsistencies.
The EC called for comments on the proposals in the AI White Paper, but the paper does not follow the format of many EC consultations, setting out specific questions and a range of possible policy options. The EC seems to have a relatively clear idea of the system it intends to propose. Draft legislation may follow by year-end, but the AI White Paper does not lay out the EC’s timeline. The new framework will likely be controversial, but if adopted it may have a global precedential impact similar to the GDPR’s.
The Data Strategy Communication
The Data Strategy Communication identifies a number of issues holding back the EU in the data economy. These include the volumes of data available for re-use; imbalances in market power in relation to access to and use of data; data interoperability and quality issues that impede the combination of data from different sources; data governance; data infrastructures and technologies; individuals’ control over their data; skills; data literacy; and cybersecurity.
To address these concerns, the EC aims to create a single European data space - a single market for data. The EC’s strategy rests on four pillars:
- cross-sectoral regulations for data access and use;
- enabling investments in data and standards, tools and infrastructures for hosting, processing and using data;
- increasing competences and data literacy; and
- creating common European data spaces in strategic sectors and domains of public interest.
The Data Strategy Communication’s proposals in each of these areas are summarised below.
Governance framework for data
The EC plans to propose cross-sectoral measures for data access and use to create an over-arching framework for the “data-agile” economy. Specifically, the EC will: (1) in the fourth quarter of 2020, propose a legislative framework for the governance of common European data spaces; (2) in the first quarter of 2021, adopt an implementing measure on high-value data-sets under the 2019 Open Data Directive, which Member States are required to implement by July 2021; and (3) in 2021, propose a Data Act.
The new framework for European data spaces would support decisions on what data can be used in which situations, facilitate cross-border data use, and prioritise interoperability requirements and standards for data use in the common sectoral data spaces. This could include mechanisms to:
- prioritise standardisation activities, more harmonised descriptions and overview of datasets, data objects and identifiers;
- facilitate decisions on which data can be used, how and by whom for scientific research; and
- make it easier for individuals to allow the use of the data they generate for the public good (“data altruism”).
The proposed implementing measure under the Open Data Directive would be intended to help make high-value data sets available across the EU for free, in machine-readable format and through standardised Application Programming Interfaces (APIs).
The Data Act (2021) would address some or all of the following objectives:
- fostering business-to-government and business-to-business data sharing, in particular addressing issues related to usage rights for co-generated data (such as IoT data in industrial settings), in general through voluntary sharing, but potentially also sector-specific compulsory sharing under fair, transparent, reasonable, proportionate and/or non-discriminatory conditions; and
- revision of the Database Directive and Trade Secrets Directive to further enable data sharing. (The Industrial Strategy Communication refers to a forthcoming Intellectual Property Action Plan, but it does not outline the contents of the plan or provide a timetable for its adoption.)
The EC also intends to conduct further analysis of the importance of data in the digital economy and to review the existing policy framework in the context of the Digital Services Act package, which is to be published in late 2020. The Data Strategy Communication is vague as to what this review will entail, but it is apparently linked to various ongoing and planned competition policy initiatives, such as the review of the EC’s vertical and horizontal co-operation measures and State aid guidelines.
The Commission indicates that imbalances in bargaining power are being addressed under broader fact-finding around the degree of market power of certain platforms in the Digital Services Act context, which may be addressed by ex ante regulation, if appropriate.
The EC will also be looking at:
- issues around jurisdiction (potentially proposing legislation to override contractual dispute resolution mechanisms creating exclusive jurisdiction in non-EU fora);
- enhancing the data portability right under the GDPR to give individuals more control over who can access and use machine-generated data; and
- the current self-regulatory approach for cloud provider switching.
Other issues that could be addressed through the Data Act (2021) include business-to-government data sharing; clarifying usage rights to co-generated data (for instance in the IoT context), to support business-to-business (B2B) data sharing; refining intellectual property rules; and establishing data pools for data analysis and machine learning.
The initiatives to be proposed include investing in a “High Impact project on European data spaces”, encompassing data sharing architectures and governance mechanisms and a European federation of cloud infrastructures; signing Memoranda of Understanding with Member States on cloud federation; launching a European cloud services marketplace; and creating an EU (self-)regulatory cloud rulebook.
The EC’s proposals to empower individuals with respect to their data include exploring an enhanced portability right for individuals to give them more control over whom can access and use machine generated data, which could be included in the Data Act (2021).
Common data spaces
The Commission intends to promote the development of common European data spaces in strategic economic sectors and domains of public interest, supported by common governance models complemented by sectoral legislation and mechanisms to ensure interoperability.
Proposed data spaces
- A Common European industrial (manufacturing) data space to capture the potential value of use of non-personal data in manufacturing
- A Common European Green Deal data space
- A Common European mobility data space to facilitate access, pooling and sharing of data from existing and future transport and mobility databases
- A Common European health data space
- A Common European financial data space
- A Common European energy data space
- A Common European agriculture data space
- Common European data spaces for public administration
- A Common European skills data space, to reduce the skills mismatches between the education and training system on the one hand and the labour market needs on the other
More detail in relation to each of these proposed Data Spaces is contained in an annex to the Communication.
The Data Strategy Communication is more open ended than the AI White Paper. Although the EC invited comment, the most specific proposals, notably a new legislative framework for the governance of common European data spaces and an implementing measure for high-value data-sets under the Open Data Directive, are not fleshed out sufficiently for detailed comments. The 2020 Digital Services Act package and the Data Act (2021), though frequently referred to, are not actually part of the communication.
Many of the other proposed initiatives relate to government and other public sector data, and many are permissive, designed to encourage, but not compel, data sharing in the private sector. These permissive initiatives include, notably, measures to promote the development and uptake of a new European cloud federation and the creation of nine sectoral European Data Spaces.
Relation to EU Competition Reform
As mentioned, the Data Strategy Communication and the Industrial Strategy Communication indicate that the EC views competition law reform as a key element of the EU’s data and industrial strategies. The Industrial Strategy Communication states that the EC is reviewing the EU competition framework to ensure that “competition rules remain fit for today’s world”.
The Data Strategy Communication mentions an important report published in May 2019, which, among other things, recommended significant changes in EU anti-trust enforcement as related to big data and online platforms, as well as the sharing and pooling of data. The Communication states that the EC intends to provide more guidance on the compliance of data sharing and pooling arrangements with EU competition law by means of an update of the Horizontal Co-operation Guidelines, which was one of the recommendations in the 2019 report.
Importantly for companies active in the IoT sector or otherwise generating large volumes of data, however, the Communication does not propose any specific regulations to mandate data-sharing by private companies, and states that a “data access right should only be sector-specific and only given if a market failure in this sector is identified/can be foreseen, which competition law cannot solve”.
The Communication also mentions that the EC will examine the competitive effects of large-scale data accumulation through acquisitions and at the utility of data-access or data-sharing remedies to resolve any concerns raised in its review of transactions under the EU Merger Regulation.
In its ongoing review of a number of State Aid guidelines, the EC also plans to examine the relationship between public support to undertakings (e.g. for digital transformation) and the minimisation of competition distortions through data-sharing requirements for beneficiaries. New State aid guidelines are to be in place by 2021. In particular, the EC plans to put in place new rules for the assessment of State aid aspects of Important Projects of Common European Interest, known as IPCEIs.
Also related to State aid, the Industrial Strategy Communication highlights a forthcoming white paper on an instrument on foreign subsidies by mid-2020, to be followed by legislation in 2021. This initiative would address the distortive effects of foreign subsidies on competition in the EU and the related issue of lack of reciprocal access for European firms, particularly in public procurement.
In addition, the Communication mentions the EC’s plans to engage in “broader fact-finding around the high degree of market power of certain platforms,” which may be an allusion to President von der Leyen’s instructions to Executive Vice-President Vestager to “consider using the tool of sector inquiries into new and emerging markets that are shaping our economy and society”.
President von der Leyen has made development of new European approaches to AI and big data a top priority. The AI and Data Package goes a long way in this direction.
Specifically, the AI White Paper calls for a review of EU safety legislation to address AI-related risks and, perhaps more ambitiously, the creation of a new framework for regulation of “high-risk” AI applications. As predicted, this legislation would codify elements of non-binding EU and international guidelines on AI ethics, such as transparency and reproducibility.
The Data Strategy Communication is more open-ended, but it foreshadows many related initiatives that are outside the scope of the package. In addition to the Digital Services Act package of 2020 and the Data Act (2021), these include:
- 2020: a mapping of opportunities and action plan for bilateral and multilateral initiatives; a white paper on an instrument for foreign subsidies; a strategy for digital standardisation; a European Strategy for quantum computing and blockchain; a Media and Audiovisual Action Plan; a European Democracy Action Plan; a Digital Education Action Plan; revision of the eIDAS regulation; a Digital Finance package with proposed legislation on crypto assets, operational and cyber resilience and pan-European digital payments services; and the Digital Services Act package; and
- 2021: initiatives to improve labour conditions for platform workers; a circular electronics initiative; a global digital co-operation strategy; and a reinforced EU government interoperability strategy.
The EC will also be reviewing and considering revision of a wide range of existing legislation, including legislation on databases and copyright, the Network and Information Security Directive and the Open Data Directive, which is not yet even in force. The EU’s “digital future” initiatives further include portions of its work on EU industrial strategy and consumer agenda, as well as work on digital taxation together with the OECD.
It is difficult to keep track of the wide range of initiatives announced for the coming two years, and impossible to predict what will come of them. Based on the EC’s success with the Digital Single Market, in the last mandate, however, we can expect substantial changes in EU legislation.
Reflecting Executive Vice-President Vestager’s dual appointment as Commissioner for competition and for making Europe fit for the digital age, moreover, we will likely see more of the mixed regulatory and anti-trust approaches to digital topics seen in the Digital and Industrial Strategy Communications.