Data at the heart of EU flagship digital strategy

Out-Law News | 21 Feb 2020 | 8:27 am | 7 min. read

New laws to spur data-driven innovation by Europe's businesses, the introduction of a single 'rulebook' for cloud providers, and risk-based rules governing the use of artificial intelligence (AI) are among plans contained in the European Commission's wide-ranging new digital strategy.

The Commission's 'shaping Europe's digital future' strategy is the EU policymaker's flagship plan for digital transformation across the EU single market under the presidency of Ursula von der Leyen. The plans contained in the document have broad implications for businesses and public sector organisations alike, from pharmaceutical companies exploring personalised medicines and automotive manufacturers developing connected cars, to online platforms and telecoms providers exploring next-generation wireless technology.

Dr Nils Rauer of Pinsent Masons, the law firm behind Out-Law, said: "The von der Leyen Commission's plans build on what the previous Commission achieved in delivering on its digital single market objectives, so this strategy is not being developed from scratch. Instead, the new strategy aims to take many of the previous legislative developments further in more detail. Some of the previous Commission's digital single market legislation is still in the process of being implemented in EU member states, and so these latest proposals reflect the dynamic, ongoing process of change that is necessary to enable digital transformation across the EU."

Two of the main components of the new digital strategy – a data strategy promising legislative reform, and a new white paper exploring options for new regulation of AI – were published alongside the strategy on Wednesday. Those papers contain more detail on some of the specific changes organisations are likely see as the digital strategy is delivered.

The data strategy

At the core of the five-year data strategy is the Commission's belief that data is the "lifeblood of economic development" and can and should be used to address challenges facing society and for driving economic growth. It said there is currently "not enough data available for innovative re-use".

To address this, the Commission first plans to bring forward proposals for what it has called an 'enabling legislative framework for the governance of common European data spaces' later this year.

The legislation will underpin the Commission's additional plans to establish nine distinct 'common European data spaces' in areas such as manufacturing, mobility, energy, finance and health, where it is envisaged that businesses will be able to access large datasets, as well as technical tools and infrastructure to use and exchange information, as well as governance mechanisms.

The overarching enabling legislation will expand on existing rules applicable to data governance, lay down rules on the use of data for scientific research, and also give individuals control of the circumstances in which their data can be used for the "public good". Sector-specific rules concerning the various new common data spaces would then be built upon that new governance framework.

The Commission said it will also build on the existing Open Data Directive to liberate "high-value data sets" held by public bodies. An implementing act is scheduled to be published in that respect in early 2021.

Within the data strategy are proposals aimed at bolstering Europe's cloud services market

The Commission has also said that a new Data Act could be brought forward in 2021. The Commission has still to finalise its plans for the Act, but it has suggested that the legislation could mandate business-to-business data sharing in some circumstances.

The Data Act could also lead to changes in the EU's intellectual property rights framework, including a potential revision of EU laws on database rights and clarification of the laws on trade secrets.

The Commission also hinted that the right to data portability, currently enshrined in the General Data Protection Regulation (GDPR), could be enhanced through the Data Act to give individuals "more control over who can access and use machine-generated data".

Cloud computing

Within the data strategy are proposals aimed at bolstering Europe's cloud services market.

The Commission said it plans to develop a single "cloud rulebook" by the middle of 2022 which it said "will offer a compendium of existing cloud codes of conduct and certification on security, energy efficiency, quality of service, data protection and data portability".

Further plans to develop an EU cloud services marketplace by the end of 2022 were also outlined. According to the Commission's proposals for the marketplace, it could operate in a similar fashion to the UK's existing G-Cloud framework.

"The marketplace will put potential users (in particular the public sector and SMEs) in the position to select cloud processing, software and platform service offerings that comply with a number of requirements in areas like data protection, security, data portability, energy efficiency and market practice," the Commission said. "Participation in the marketplace for service providers will be made conditional on the use of transparent and fair contract conditions, which the current market does not always provide, specifically to micro-enterprises and SME users."

The regulation of AI

Many businesses have already begun exploring the potential of AI to make their processes more efficient, improve customer interactions and ultimately deliver products and services and outcomes for consumers. However, as research conducted for Pinsent Masons and Innovate Finance in the UK's financial services market shows, there are legal, ethical and cultural challenges to overcome to deliver AI-powered services.

The Commission had previously, with the help of businesses, piloted ethical guidelines on the use of AI that were developed by a high-level expert group last year, and it also presented a report which looked at the need for reform to the existing liability framework to account for new technologies, such as AI, which another group of experts had prepared on its behalf.

Two papers published by the Commission on Wednesday provide the clearest indications yet that there will be forthcoming new regulations and legislation to account for the use of AI.

While the Commission said it believes existing legislation in areas such as liability, product safety and cybersecurity "could be improved" to better address risks around the use of AI, its most striking proposals concern AI deemed to be 'high-risk'.

In its AI white paper, the Commission suggested it is in favour of a new "risk-based approach" to regulation being set at EU level. This, it indicated, would address the risk of fragmentation of rules concerning AI emerging across the EU as individual member states explore their own regulatory regimes. "Divergent national rules", it warned, "are likely to create obstacles for companies that want to sell and operate AI systems in the single market".

The risk-based approach would, under the Commission's proposals, see a bespoke new system of rules established for 'high-risk' AI. Criteria would be developed to help make the distinction between AI that is 'high-risk' and AI which is not.

According to the Commission two cumulative criteria would foremost apply to determine 'high-risk' AI application, and this would factor in the sector in which the AI is being used where the "risks are deemed most likely to occur" – such as in the transport, health and energy sectors, the Commission said – and whether AI is used in such a manner that significant risks are likely to arise, regardless of the sector in which the technology is being applied.

The use of 'high-risk' AI would be subject to a raft of regulatory requirements, under the Commission's plans, and a "prior conformity assessment" framework would apply to "verify and ensure" the regulatory obligations are met before the technology is put into use. That process could involve "procedures for testing, inspection or certification" as well as "checks of the algorithms and of the data sets used in the development phase".

The type of data used to train AI systems, data and record keeping obligations, and obligations concerning the disclosure of information about AI systems, including about the AI system’s capabilities and limitations, could all be specified in the new regulations on 'high-risk' AI.

Other rules would seek to ensure the AI systems are robust and accurate, including that outcomes are reproducible and that errors can be adequately addressed when they arise, while businesses can also expect rules to be laid down on human oversight of those systems.

According to the Commission, the regulations would be framed in such a way as to apply "to the actor(s) who is (are) best placed to address any potential risks". This means those developing the AI systems may be subject to some requirements, while those deploying the technology are subject to others.

All economic operators providing AI-enabled products or services in the EU would be subject to the proposed new regulations, regardless of whether they are established in the EU or not.

As well as a system of prior conformity assessment, the new rules would also provide for post-market monitoring and enforcement by national regulators.

The introduction of a new strict liability regime to address increased risks of harm arising from the use of AI is one of the options that could be taken forward

Additional rules in relation to the use of AI in the context of remote biometric identification, which the Commission said will otherwise fall subject to the regulation on 'high-risk' AI, are also to be explored.

Alongside its white paper, the Commission also published a separate report concerning liability for AI that sets out options for potential legislative reform in this area. The Commission previously set up an expert group to explore liability and new technologies, and many of the recommendations that group made are presented in the Commission's new report. The introduction of a new strict liability regime to address increased risks of harm arising from the use of AI is one of the options that could be taken forward.

Other digital initiatives

The 'shaping Europe's digital future' strategy sets out a number of other actions the European Commission intends to take in the coming months and years.

These include plans for:

  • A new Digital Services Act, which will include new rules governing online platforms;
  • New EU laws on cryptoassets, and on digital operational and cyber resilience in the financial sector;
  • New obligations to be set to make Europe's data centres climate neutral by 2030;
  • Revision of the EU's existing eIDAS Regulation, which concerns the concept of trusted digital identities;
  • A review of the Network and Information Security Directive, and a new European cybersecurity strategy;
  • An updated action plan on '5G', and a new '6G' action plan too;
  • A new digital sector inquiry;
  • A new industrial strategy, which will aim to deliver "clean, circular, digital and globally competitive EU industries";
  • New strategies on quantum computing, blockchain and an integrated EU payments market