The European Commission recently released a data strategy which proposes to create a common European “data space,” a digital single market for data, with a shared set of technical and legal rules for data processing along with EU-based data infrastructure. The goal is a good one, but the implementation will be problematic.
First, the strategy calls for making it easier to share commercial data in nine different sectors—a welcome objective—but since commercial datasets often include both personal and non-personal data, any new rules would likely conflict with the GDPR, particularly in the case of the financial and healthcare sectors. Separating the two kinds of data can be costly. As a result, companies will have to deal with greater legal complexity and uncertainty as to whether they are compliant. Case-by-case arbitrations when sharing commercial datasets will lead to delays and higher costs.
Second, and more problematic, the strategy asserts that the EU needs cloud providers owned and operated in Europe, implying that U.S. cloud providers are neither secure nor trustworthy. But storing data within a country’s borders does not make it more private and secure, and non-EU cloud providers must still comply with EU laws. Moreover, all major U.S. cloud providers have data centers in Europe and provide customers with the option to store their data in Europe.
In addition, the strategy pushes for data localization in the hope that it will support digital development of EU companies. Yet their success will depend on cross-border data sharing and secure infrastructure which, in many respects, U.S. cloud providers remain best equipped to provide. Building a European cloud is a protectionist project that will make it harder for non-EU companies to sell to the EU. This is particularly troublesome for two reasons: the first is that the United States is not calling for 5G equipment sovereignty, and most of the equipment U.S. carriers will buy are from Ericsson and Nokia, two European companies; second, the EU as a bloc runs a massive and growing trade surplus with the United States. Does the EU really want to emulate China by seeking comparative advantage in all sectors? Does it want to do without U.S. exports of advanced goods and services to the EU, including cloud services? Going forward with an EU sovereign cloud strategy sends a clear message to U.S. policymakers that the answer to these questions is yes.
The strategy also calls for regulators to mandate data hubs, assuming the private sector is failing to sufficiently share data. But this is not true in all areas of the economy. While some government initiatives may be helpful, such as by identifying specific industries where there are barriers to data sharing or convening stakeholders, there are many examples of the private sector sharing data. For instance, in pharmaceutical research, companies have begun sharing historical clinical trial data with outside researchers, including competitors. In the U.S. agricultural sector, successful private models enable farmers to share data.
Furthermore, the EU data strategy needs funding—€4 to 6 billion, according to the European Commission, including from EU countries and the EU industries—but obtaining this funding will prove challenging in the context of the economic recession and as countries have been dragging their feet to approve the new EU budget. Companies need to believe the project is viable before they participate in it, so the data strategy should clarify EU’s plans to mobilize sufficient funding, how it will divide funds across the nine data spaces and for what purposes, and whether it plans to cover ongoing maintenance costs.
Finally, the EU data strategy calls for the creation of “personal data spaces” and the expansion of data portability requirements to give consumers granular control over their data, but the proposal offers few details on who would provide these personal data spaces or whether consumers would even use them. In addition, it fails to account for the cost and feasibility of this project. At least in the United States there have been a number of venture capital-backed startups to provide these services, yet all have struggled due to a lack of consumer interest and healthy business models.
While data portability can make it easier for consumers to share their data with companies that leverage AI, thereby fueling innovation, in some cases this requirement means companies must provide users access to extremely large, complex, and disparate data sets accumulated over many years in a reusable format, and could deter them to collect and store data. The EU should instead simplify its existing rules to ensure legal certainty for both users and companies and amend data portability rights to account for the costs and technical difficulties they involve.
Overall, the EU data strategy has an ambitious objective, but to succeed, policymakers should ensure the data strategy is compatible with existing rules, clarifies how implementation will work in practice, does not impose more costs on companies and rallies the participation of both EU and non-EU stakeholders.
Image credits: Flickr user European Parliament.