From an American perspective, the European Union can appear to be a coercive force in the technology sector, ensuring that big technology companies don’t step out of line on issues like data privacy – Europe’s Single Data Market
But there’s another perspective to consider. In the future, the EU could well help US companies access all the data that is stored in data warehouses all across Europe.
Digging Into the European Commission Strategy
In fact, the new European data governance strategy foresees a situation where the EU will become a player in the monetization of European citizen’s personal data with the full consent of those citizens that have no objection to providing that data to organizations.
Unveiled in February of this year, the news slipped under the radar of many tech companies but it forms one of three strands of a new digital strategy that will guide the EU over the next five years. The new strategy is outlined in three different papers which foresee the emergence of a “Digital Europe” that has undergone a digital transformation.
The papers outline a five-year policy roadmap, an AI policy that includes plans for legislation aimed at creating human-controlled AI systems and a European Data Strategy that envisages the creation of a huge single market for data.
And it is already underway. The first initiative is called the Trusts Project which is due to be in place by 2022. This involves the creation of a European-wide pool of personal and nonpersonal data that will be accessible by businesses and technology companies through a system of trusts. While they will not be able to move that data, businesses will be able to use it, although terms of usage and what they will have to offer in exchange have not yet been decided.
That said, close to 500 million people in Europe could become a data source for governments, public bodies and private companies, effectively creating the biggest data marketplace in the world. Could this be a way out of the conundrum American companies have to navigate to use this data?
The Implications of EUSD
Kara Birch is director of policy and compliance at the Australian law firm Peripheral Blue and, as a specialist in privacy and data protection law, has been looking at the possible implications of the new strategy. The EU’s European Strategy for Data (EUSD) has been met with some robust debate in privacy and cybersecurity circles, she said.
At its core, it proposes a conceptual departure from the data protection approach currently taken in many privacy jurisdictions. In particular, the idea that trusts would control large amounts of accessible data on behalf of individuals who would enforce their own rights via those data trusts, as opposed to primarily being enforced by companies complying with obligations on the personal data they control, is a significant shift.
At a conceptual and compliance level, the EUSD seems to place a substantial burden on individuals to exercise choice and control over their own data in the context of some particularly sophisticated and complex data ecosystems. “We have already seen, through recent examples like the Cambridge Analytica scandal, that individuals may not always have a complete understanding of how a decision they make will impact on their own privacy, or on the privacy of others,” Birch said.
“It’s very ambitious to assume that the EC’s proposals around supporting improvements to individual digital literacy will be enough to the address all possible restrictions on every individual’s decision making capacity in relation to the protection of their own data.”
It is also unclear how much of the burden of improving customer’s digital literacy and understanding of complex data systems and processes would be shifted to enterprises.
From a governance and security perspective, the EUSD also raises significant issues. The creation of any centralized repository of data always rings alarm bells for privacy and cybersecurity professionals. Birch added that the security, governance, oversight and accountability of the data trusts themselves, which appear to be the data custodians under the EUSD model, would need careful consideration. For enterprises who have made substantial investments in data security and data governance, transferring this responsibility may seem counter-intuitive.
At an implementation level, it is unclear how much cost there will be to businesses to ensure that their systems, infrastructure and services provide the required security, sustainability, interoperability and scalability that will be needed to participate in the new data market the EUSD creates.
Birch also said…
IAB Europe’s advertising bidding model uses personal data, EU court rules
After clarification from Luxembourg, the Belgian Court of Appeal will now rule on the case…