First privacy, now data: The EU seeks a managed digital space

European Commissioner for a Europe Fit for the Digital Age Margrethe Vestager and European Internal Market Commissioner Thierry Breton attend the presentation of the European Commission's data/digital strategy in Brussels, Belgium February 19, 2020. REUTERS/Yves Herman

On February 19, the European Commission launched a major regulatory initiative aimed at creating a transformational digital economy in Europe. Since Ursula von der Leyen’s selection as European Commission president in 2019, she has made it clear that creating a vibrant digital economy would be a top priority. With the publication of three papers—Shaping Europe’s Digital Future, A European Strategy for Data, and Artificial Intelligence: A European Approach to Excellence and Trustthe Commission has put forth its vision of an economy that will include significant regulation to manage the risks associated with digitalization. Given the close integration of the US and European Union (EU) economies—including in the digital sphere—this European initiative is likely to have a significant impact on US companies and consumers.

In the papers, the Commission establishes the goal of having the European Union develop the infrastructure, knowledge, and technologies needed to be a leading player in the global digital economy, while safeguarding the privacy of its citizens and adhering to “European values.” Technology must work for people and put the citizen at the center of an “ecosystem of trust,” while contributing to a fair and competitive economy and enhancing Europe’s democratic values and fundamental rights. Indeed, “trust,” and therefore regulation, become a major advantage of the “European brand,” encouraging consumers and citizens to deal with companies that have undertaken significant safeguards. As a result, European innovation will be based on incorporating the safeguards that create trust. To reach this vision, the Commission proposes to support and empower key actors in the European economy, use regulation and investment to achieve a “level-playing field” with others, and establish standards and requirements in the name of protecting its citizens and values.

The Commission’s approach is based on an awareness that the EU punches considerably below its weight in the global digital economy. On a range of indicators—from valuation of “unicorns” to numbers of patents—the EU is woefully behind the United States and China, and even some much smaller economies. Thus, the new proposals can be seen as an effort to jumpstart the EU’s digital capabilities so that its levels of innovation and investment will match those of other large economies. Additionally, the Commission’s recommendations are intended to help increase the EU’s share of the global digital economy in accordance with its market of five hundred million people.

The Commission also argues that the relatively slow uptake of digitalization in Europe is due to a lack of trust by citizens in digital products and services. This is due, in part, to the domination of the European digital space by large non-EU companies—primarily US and Chinese—and these proposals are certainly part of the push for “digital sovereignty” that is much discussed in Europe today. By creating a level-playing field with non-EU companies and an “ecosystem of trust,” the Commission’s proposals are intended to allow European citizens, companies, institutions, and even democracies, to flourish in a digital age. 

Many elements of this initiative are focused on investment and education rather than regulation. The papers include calls for increases in EU research funding, including the creation of a network of research hubs focused on artificial intelligence (AI). Major projects are to be launched, including the creation of data pools in key sectors (industry, healthcare, energy, etc.) and a high precision digital model of Earth for use in weather and climate tracking. The Commission calls for the creation of a European-owned cloud service as an alternative to the current non-EU services that dominate the market. There will also be pan-EU efforts to increase digital skills among the workforce and overall digital literacy among citizens, as well as to encourage access to AI among small and medium enterprises. Several specific measures are designed to boost cybersecurity in both the public and private sectors.

These efforts to empower Europe in the digital arena are mostly positive. But the current EU negotiations over the 2021-2027 budget offer a dose of reality, with early reports indicating that funding for digital initiatives has been reduced. Moreover, some elements of these proposals, such as the creation of data pools, raise questions about state aid and competition policy. The Commission acknowledges this, noting that new arrangements may have to be made to allow companies to share data without being accused of anti-trust behavior. The call for a European cloud service raises concerns about data localization and whether the EU is changing its longtime opposition to that trend. However, any questions about how the EU plans to support its own companies and create a level-playing field with US and Chinese firms will have to wait until the Commission publishes its anticipated white paper on industrial strategy.

The regulatory elements proposed under the Commission’s initiative are ambitious and far-reaching. While data management and AI development and use has so far been subject to little regulation, the EU proposes to create a specific regulatory regime (as it did with the protection of personal data through the General Data Protection Regulation (GDPR). These rules will affect any data or AI-related product or service marketed in the EU. As A European Strategy for Data makes clear, this European data space should “be a space where EU law can be enforced effectively, and where all data-driven products and services comply with the relevant norms of the EU’s single market.” Specifically, the Commission proposes to:

  • Create a single market for data that is focused on industrial data and open to data from around the world, with a governance framework that establishes rules for the collection and processing of that data.
  • Revise existing EU product safety and liability rules to take into account the inclusion of AI into products and services.
  • Identify uses of AI that are judged to be “high-risk”—healthcare, transport, etc.—and require those uses to comply with new regulations focused on creating greater transparency, traceability, and ensuring adequate human oversight in AI development and application.
  • Require AI used in high-risk areas to go through a prior conformity assessment or certification before being placed on the EU market. This could effectively require anyone importing AI into Europe to follow EU regulations throughout the process of development and training.
  • The rules would include acknowledgement that products and services can change during their lifetime thanks to software upgrades and may have to be re-certified.

Finally, the Commission clearly indicates that it believes that EU rules should serve as a gold standard to be emulated internationally, à la the EU’s GDPR. The data strategy suggests the possible establishment of an international “adequacy framework” for data—similar to that which exists for personal data—where other countries pledge to treat data similarly to EU rules so that data can be transferred between them and the EU .

These proposals are still far from reality, as the process of creating an EU regulatory regime for data and AI has only just been launched. The Commission must present specific legislative proposals, and these must be agreed upon by the Council of Ministers and the European Parliament. But these proposals give a clear indication of the direction Europe will take—one that is toward a managed digital space governed by rules and standards that will affect both EU and non-EU companies.

This approach is likely to present major challenges to US companies and others who will face an environment in which many new products and services must meet regulatory requirements before entering the market. Thus, non-EU companies may find themselves forced to change current operations considerably and this could be a significant barrier to the EU market. Moreover, this is only the first of the expected EU proposals likely to affect the transatlantic digital space—there will soon be proposals on platforms, industrial strategy, and taxation. Given the close integration of the US-EU digital market, there is a real need for consultation and engagement as the European Union heads for a more managed digital world.

Frances G. Burwell is a distinguished fellow at the Atlantic Council and a senior adviser at McLarty Associates.

Further reading: