les Nouvelles March 2022 Article of the Month:
As Open As Possible, As Closed As Needed: Challenges Of The EU Strategy For Data
LUISS School of European Political Economy,
Professor, Department of Management, Strategy and Innovation & ECOOM Research Center,
KU Leuven R&D,
1. The 2020 Package on Shaping Europe’s Digital Future
On February 19th, 2020, a few days before the outbreak of COVID-19, the European Commission published a package of four documents on the digital transformation in the EU: a general communication on shaping Europe’s digital future,1 a European strategy for data,2 a white paper on artificial intelligence (AI)3 and a report on the safety of products and liability in the era of AI, Internet of Things and robotics.4
This package was the first set of measures adopted by the new Commission in order to pursue one of the six priorities of the political program of President von der Leyen for 2019-2024, i.e., ensure that the EU is fit for the digital age. Therefore, the general approach and the specific contents of the digital package deserve careful consideration from a public policy perspective, although many initiatives were merely outlined in broad terms.
The legislative proposal for a regulation on European data governance (Data Governance Act), published by the European Commission on November 25th, 2020, is the first deliverable under the European strategy for data.5 It will be followed, in 2021, by sectoral proposals on common European data spaces and a legislative initiative on a data act aimed at fostering data sharing among businesses and between business and government.
This article provides a reasoned overview of the Commission’s agenda, as far as data are concerned, for the forthcoming months.6 We describe the main features of the approach outlined by the 2020 EU strategy for data and comment on the main challenges that have to be met to ensure that the strategy achieves its ambitious objectives, with a focus on the rules concerning access to data.
When designing data access rules and policies, concerns regarding potential social loss due to an inefficient single digital market and incentives for innovators allowing them to reap a fair share of the benefits of their innovation investments should be understood and balanced. Openness and exclusivity are two sides of a coin that must be managed carefully when shaping Europe’s digital future.
For instance, the second Payment Services Directive (PSD2)7 is linked to a trend in financial regulation (open banking) aimed at security, innovation and market competition. By requiring banks to provide other qualified payment-service providers (PSPs) connectivity to access customer account data and to initiate payments, commoditization in the European banking sector is stimulated. However, at the same time, innovation should not be hampered. This implies that, similar to what we will see in later paragraphs for the Public Sector Information Directive (EU) 2019/1024, there is a need for data access to be as open as possible, but as closed as needed to allow innovation dynamics in the financial sector to unfold.
Another data-related example is to be found in the current rush to identify safe and effective vaccines and therapeutics to counter the COVID-19 pandemic.8 Massive, rapid production will require firms to share data not just about what to make but how to make it. To achieve this, an appropriate equilibrium has to be found between recognizing the rights of the originator and nudging the knowledge transfer necessary for the adequate scale-up and production of the vaccines. Public procurement policies and guaranteed order placements can be instruments to achieve this balance between proprietary exploitation and broader diffusion. Both data economy examples illustrate the challenges the legislators face.
2. Technology With Purpose: the Goals of the EU Strategy
The starting point for the Commission is that innovation based on data has already brought, and can further bring, great benefits for the economy and society at large. It may improve decision-making in the different areas, increase productivity and competitiveness, stimulate entrepreneurial activity and contribute to the quality of public services and the effectiveness of health, mobility and environmental policies.
At the same time, the Commission stresses that the digital transformation in the EU should safeguard European fundamental values, from the protection of personal data to the protection of competition and consumers, from security to pluralism of information, as well as preserving democratic institutions.
In the last five years the EU has undertaken many initiatives to steer and promote the digital transformation of the EU economy and society. The protection of personal data in the internal market was strengthened by the General Data Protection Regulation—GDPR (Regulation (EU) 2016/679) in order to meet the challenges of the digital environment. Further measures were adopted within the Digital Single Market Strategy, launched in 2015. In the area of data, such measures include, in particular, Regulation (EU) 2018/1807 on the free flow of non-personal data in the EU, Directive (EU) 2019/1024, which revises the pre-existing rules on open data and re-use of public sector information (PSI Directive), as well as sectoral rules aimed at promoting access to data for payment services (PSD2 Directive), travel information and intelligent transport systems.9
Moreover, the relationship between data and market power has become a central issue in the debate on how to apply EU competition rules in the digital era. Not astonishingly, the role and position of Big Tech is under continuous scrutiny both by the Commission and the economic research community.10 Recently, the Commission has proposed a specific legislative framework aimed at ensuring contestable and fair markets in the digital sector (the Digital Markets Act), which lays down harmonized obligations on large platforms designated as gatekeepers. The proposal includes rules on the use of data.11 Principles on modeling and data analytics, automated decision-making and profiling, direct marketing and cookies, data repurposing, transfer of data to other organizations and third countries, and the right of subjects to transfer their personal data from one controller to another are part of this framework.
All these initiatives notwithstanding, in its 2020 digital package the Commission acknowledges that Europe’s share of the global data economy is still underperforming relative to its economic weight and argues that the ongoing technological developments, such as the Internet of Things (IoT), which will increase the production of data exponentially, may allow the EU to recover competitive positions. This opportunity should be seized in order to strengthen the geopolitical role of the EU with respect to data-driven innovation and enhance its capability to produce value, by means of innovation, for citizens, undertakings and society. Commissioner Vestager, who is in charge of the flagship priority “a Europe fit for the digital age,” describes the approach as “technology with purpose.”
3. The Challenges of the European Strategy for Data
The approach outlined by the Commission will be successful only if the EU is able to accelerate following a model which turns out to be competitive at the global level. Hence, the overarching challenge for policy makers is to create the conditions for a healthy and dynamic environment for data generation and use, enabling the development and growth of European undertakings while preserving EU values and exploiting any positive specificities of the EU environment.
In this perspective, in external relations the strategy, while endorsing an open approach to international flows of data, announces a proactive attitude of EU institutions both to promote EU values and rules at the global level and to address obstacles met by European companies when competing with non-EU undertakings or operating in developing countries. Within EU borders, the Commission aims at removing the remaining barriers to the free movement of data in the internal market and any unjustified obstacles to the sharing and re-use of data. In addition, it foresees measures that should strengthen the enabling factors for the data economy (e.g., infrastructures, skills and data-related services).
The Commission points out several problems that hinder the ability of the EU to fully exploit the potential of the data economy.
First of all, the approaches of the Member States remain fragmented with respect to some of the crucial features of the data economy, such as the conditions of access by government to data held by the private sector or how to better enforce competition rules.
A more specific issue is the relative scarcity in the EU, compared with other jurisdictions, of data available for re-use in innovative ways, also for the sake of artificial intelligence (AI) development. The PSI Directive of 2019, which should be transposed in the jurisdictions of the Member States by July 2021, contains several provisions aimed at fostering the re-use of data held by public bodies and public undertakings, as well as research data. For data held by private entities, a study promoted by the Commission in 2018 showed that 60 percent of undertakings did not share data with other undertakings and listed a number of reasons for the unwillingness to adopt a more open approach.12
In its 2020 strategy, the Commission also points to imbalances in market power or in bargaining power, which can affect access and use of data, and need to be properly addressed by appropriate institutional arrangements. The Commission mentions not only the ability of online platforms to collect huge amounts of data, but also potential imbalances in power along value chains between subjects involved in the co-generation of data in the context of the IoT (e.g., between the supplier of the device and the user).
For personal data, the high level of protection provided by the GDPR notwithstanding, the Commission deems that there remain weaknesses in terms of the actual ability of data subjects to hold control of their personal data.
Another problem is the lack of interoperability of data coming from different sources, within the same sector, or between sectors. For cloud services, the Commission points to the high level of concentration, the strong dependence on suppliers not established in the EU, the often unfair conditions applied to micro-enterprises and SMEs, as well as the scarce interoperability of services, which negatively affect data portability.
Finally, the Commission recalls the general need to ensure high levels of cybersecurity and to remedy the lack of professional skills in the area of big data and data analysis.
Overcoming all these problems requires an in-depth understanding of market dynamics and new business models and ascertaining whether there exist public interest needs the market alone cannot meet. Then, EU policy makers have to choose which policy tools are most appropriate to pursue the relevant goals. The whole set of policy tools should be considered: from public governance to the use of public resources, from legislation to European standardization initiatives.
In order to alleviate particular concerns, it is important to consider the full scope and implications of regulations like the PSI Directive. The PSI Directive was first enacted in 2003 to stimulate public sector bodies like statistics offices, meteorological institutes and mapping agencies to allow re-use of data that they already produced and disseminated in the exercise of public tasks for alternate uses by the private sector. It then only applied to information that is public under the (access) laws of Member States.
However, as the Directive evolved, new issues have been raised, in particular how it influences the possibility of organizations subjected to it to exercise intellectual property rights. It contains a number of obligations on how data must be made available, in which format(s), how terms and conditions may be set, etc. At the same time it does not apply to publications or data in which third parties hold intellectual property. The extension of the scope, for instance, to research data and public universities illustrates those evolving concerns: it must be clear exactly what obligations apply to making research data available, whether publicly funded universities are subjected to it for other types of information as well, what administrative costs compliance would bring inter alia with respect to information duties and how the management of intellectual property will be impacted. Possible unintended consequences of the new legislation gradually became visible during the genesis and design of the Directive and required appropriate formulation in order to better serve the goals of the EU data strategy.
4. Which Rules for Fostering Access and Re-use of Data?
The establishment of a horizontal framework for the governance of the access to data and of their re-use, going beyond the provisions of the PSI Directive, is probably the most challenging part of the EU strategy.
The aim is not access in itself, but the establishment of a vital environment for data generation and use in the EU. Reaching this aim requires taking into account how the different scenarios would affect the incentives of the private entities/public bodies, first of all, to collect data and take care of their quality, and then to share such data with other private and public entities and, in certain instances, to commercially exploit them. If the impact on incentives is neglected, overly extensive data sharing obligations may have the opposite effect of discouraging the production of data and, thus, its availability in the EU.
On the other hand, the legal framework establishing the conditions for access to data and their re-use is crucial since data is non-rival, i.e., can be used by different entities without being exhausted, and at the same time shows some quasi-public good features, which may entail a risk of free riding. Only by means of a clear legal framework establishing the conditions of access to data is it possible to associate to data an economic value and create the conditions for a data market to grow.
The task of establishing a proper legal framework for access to data, however, is complicated for a number of reasons relating to the features of the data involved and the interaction with EU fundamental rights and values, as well as the identity and mission of data holders (e.g., public administrations, public undertakings, public research bodies or private entities).
First, the general category of data is highly heterogeneous. It includes both personal and non-personal data; personal data may be more or less sensitive and require a different degree of protection depending both on their content (e.g., data related to health) and on whether they are directly or only indirectly related to an identifiable individual. Also, the investments needed for creating the data may vary significantly: for instance, it is uncontroversial that the collection of high-precision data on the earth produced by means of a satellite is economically very different from the collection of data on consumer preferences.
Second, in the EU an across-the-board obligation to share data in order to increase the volume of available data is not feasible because it would impinge on some fundamental rights/values.
Clearly, this approach cannot be pursued for personal data, which are strongly protected both by the TFEU and the EU Charter of Fundamental Rights. The GDPR is based on the general principle whereby data subjects should be in control of their personal data; processing of personal data is lawful only if it is rooted in one of the legal bases listed in Article 6 of the GDPR. In addition, personal data should not be processed beyond what is necessary for a well-defined purpose (data minimization and purpose limitation principles).
Also for non-personal data, EU law already acknowledges that keeping control over data processing deserves some protection although, differently from personal data, their value is foremost of an economic nature. Some sets of data may fall within the scope of intellectual property protection (trade secrets, databases). Some others may be protected as confidential information, as a corollary of the freedom of enterprise and of the protection of private life contemplated by the EU Charter of Fundamental Rights.
Also, unrestricted access to confidential information would be incompatible with EU law.13
On the other hand, when there are different fundamental values or well-defined public interest reasons at stake, the case law admits the possibility for legislators or public administrations, in case of trade-off, to carry out an appropriate balancing of the interests and fundamental values affected.
A specific problem for non-personal data concerns who should be in control. This problem occurs especially in those situations, which are common in the IoT environment, where several subjects contribute to data creation. Therefore, a proper institutional environment should acknowledge the co-generation of data and, where relevant, facilitate a fair distribution of the co-generated value.
Finally, the issue of the impact of rules on access and re-use of data on incentives has different features depending on the identity of the holder of the data (public body or private economic entity) and whether the potential re-users are only non-economic public bodies or, instead, are also undertakings.
The EU strategy refers to four different areas: re-use by undertakings of data held by the government (G2B); sharing of data between undertakings (B2B); re-use by public entities of data held by undertakings (B2G) and sharing of data between public administrations (G2G).
For each of these scenarios the Commission investigates, taking into account previous initiatives and the existing institutional framework, how to further promote data sharing, by a mix of clarification of the existing rules, enabling measures, incentives, and in some instances, also new behavioral obligations. Notwithstanding statements in the communication (data should be available to all), the duty to share data is not the general rule.
5. Access to Data Held by the Public Sector
As to data held by the government as a consequence of the fulfilment of its public tasks, the approach already adopted in the PSI Directive of 2019 is the following:
- (non-personal) data held by such public bodies should be open for commercial and non-commercial re-use and accessible free of charge;
- however, it is possible to recover the marginal costs incurred for the reproduction, provision, and dissemination of data, as well as for the anonymization of personal data and for measures taken to protect commercially confidential information.
The reasoning behind this approach is that such data are already there because of the institutional tasks assigned to public bodies, and therefore the obligation to make data available for re-use in principle has no negative impact on incentives, as long as this re-use cannot get exhausted. Consistent with this perspective, the PSI Directive does not apply to documents, the supply of which is an activity falling outside the scope of the public task of the public sector bodies concerned, or for which third parties hold IPRs. Moreover, taking into account other fundamental rights and public interests that may be at stake, the Directive does not apply to documents, such as sensitive data, which are excluded from access by virtue of the access regime in the Member State on grounds, for instance, of the protection of national or public security and of critical infrastructures, of the protection of personal data, and of statistical or commercial confidentiality (including business, professional or company secrets). Such interpretations are important, also given the scope of the Directive that includes public research funding at universities and other research centers as highlighted earlier.
The PSI Directive provides a less strict approach for situations that can only in part be equated to the situation, described above, of a public administration that in any case would hold the relevant information for the performance of its public tasks.
For instance, public sector bodies that are required to generate revenue to cover a substantial part of their costs relating to the performance of their public tasks are allowed to cover the cost of the collection, production, reproduction, dissemination and data storage, together with a reasonable return on investment.
The same rule on charges holds for libraries and public undertakings providing services of general economic interest not directly exposed to competition; moreover, for these entities the obligation applies only to those documents/data for which the entity has decided to permit re-use.
Summing up, the approach of the PSI Directive is to facilitate re-use of those data which are already available as a sub-product of the fulfilment of a public task (thus, with no impact on incentives), still taking into account economic sustainability and the protection of other relevant interests. Moreover, when a duty to provide access may entail distortions of competition (e.g., in the case of public undertakings) it is for the undertaking to choose which documents, if any, should be made available for re-use.
As anticipated, the PSI Directive also covers access to research data. More precisely, Article 10 of the Directive contains provisions on open data and re-use for research data (other than scientific publications) that are collected or produced in the course of publicly funded scientific research activities. In particular, the Directive requires Member States to encourage open access policies for research performing organizations and research funding organizations, following the principle “open by default” and complying with the FAIR principles (research data should be findable, accessible, interoperable and re-usable). Still, the PSI Directive acknowledges that in such context concerns relating to IPRs, personal data protection and confidentiality, security and legitimate commercial interest should be taken into account, in accordance with the principle “as open as possible, as closed as necessary.”
Moreover, the duty to make research data re-usable applies only to those research data that have been made publicly available through an institutional or subject-based repository. Research data that are purposed for commercial exploitation can remain as closed as necessary. Thus, partners to publicly funded research consortia can opt for closed data strategies when necessary to their exploitation pursuit. This option de facto is like an opt-out from openness when required for economic and competitive purposes. As a consequence, research exploitation and valorization should not be hampered or impeded, at least when the translation into national legislation is not gold-plated in such directions.
One of the main novelties of the 2019 revision of the PSI Directive is the provision whereby access and re-use of information held by the public sector should be further facilitated for some “high-value data sets,” the re-use of which is associated “with important benefits for society, the environment and the economy, in particular because of their suitability for the creation of value-added services, applications and new, high quality and decent jobs, and of the number of potential beneficiaries of the value-added services and applications based on those data sets.”14 The rule is that, for high-value data sets, public sector bodies and public undertakings shall make data available free of charge, in a machine-readable format and by means of standardized application programming interfaces (APIs) throughout the EU, and shall provide them as a bulk download where relevant.
The PSI Directive contains a list of thematic areas within which the Commission shall identify, by mid-2021, those high-value data sets to which these provisions apply. The list of thematic areas, which currently includes geospatial, earth observation and environment, meteorological, statistics, companies and company ownership and mobility, may be expanded by the Commission by means of delegated acts in order to reflect technological and market developments. As to the identification of high-value data sets within the thematic areas, the choice shall be based on an assessment of their potential to generate significant socio-economic or environmental benefits and innovative services, to benefit a high number of users, in particular, SMEs, to assist in generating revenues and to be combined with other data sets.
For high-value data sets, the technological and economic conditions for data sharing may be significantly burdensome for the public bodies and public undertakings concerned, since they may require some investments while, at the same time, it is not possible to charge users. Hence, the PSI Directive expressly requires a cost-benefit analysis for their identification. The Commission will have to take into account the impact of imposing the high-value data set obligations on the budget of public sector bodies, as well as on the role of public undertakings in a competitive economic environment. In particular, the obligation to make available high-value data sets free of charge will not apply to those specific data sets where that would lead to a distortion of competition in the relevant market. Presumably, the impact assessment will also consider whether access should be selective because of the risk of misuse of data, e.g., precise earth observation data, by bad actors.
Overall, the PSI Directive as ultimately adjusted, while aimed at facilitating re-use of data, shows an awareness of the need to ensure the economic sustainability of the access provisions and to avoid an adverse impact on incentives or distortions of competition. For this very reason, although the PSI Directive entails a minimum harmonization of national regimes concerning the conditions on re-use of public data in the internal market, and therefore Member States in principle can go beyond its provisions, it is important that in the transposition of the Directive in the Member States the impact on economic sustainability and on incentives is still carefully considered. In principle, avoiding gold-plating of the Directive provisions at the national level would help the establishment of a sustainable and healthy ‘Single Market for Data,’ especially in areas such as research and the provision of services of general economic interest by publicly controlled undertakings, in which there may be a relevant involvement of private resources.
6. Access to Data Held by Private Undertakings
The approach of the Commission to fostering the sharing of data held by undertakings, either in business-to-business (B2B) or in business-to-government (B2G) relations, was outlined in 2018 in the communication “Towards a common European space for data”15 and in a staff working document containing guidelines on sharing of private sector information in B2B and B2G relations.16 The Commission acknowledged that, in the B2B area, the cornerstone should be contractual freedom (and respect for IPR). At the same time, it outlined by means of measures of soft law some principles that should be followed in contractual agreements with reference to non-personal machine-generated data.
First, the Commission invites the parties to expressly acknowledge in contractual relations the shared value creation when data are generated as a by-product of using a product or service, although the consequences of this acknowledgement are left vague, without indicating what kind of right they entail (e.g., a right to share the economic benefits, a right to use the data, or a right to exclude). Second, the Commission encourages data portability in order to minimize the risk of lock-in. Third, undertakings should avoid exchanging commercially sensitive data, which may entail a restriction of competition pursuant to Article 101 TFEU. As to economic conditions, the Commission advocates an approach whereby holders and users of data are respectful of each other’s commercial interests and secrets.
The option to impose on companies, for non-personal machine-generated data, an obligation to provide access at fair, reasonable and non-discriminatory (FRAND) conditions was discussed when preparing the 2018 package but was not included in the final version since the Commission judged that there was not sufficient justification for such a regulatory shift.
On the other hand, the Commission emphasized the need for transparency in B2B contractual relations, on who would have access to the data, to which data, and at which level of detail and for which purposes.
Regulation 2019/1150 set stricter rules on transparency with respect to the use of data in relations between intermediation platforms and their business customers.17
Moreover, within the horizontal framework based on contractual freedom, some sectoral rules require companies to share specific information with other undertakings in order to promote competition (see, for instance, Regulation 715/2007 on repair and maintenance of motor vehicles, and Directive 2015/2366 on payment services—PSD2), or with public and private entities in order to pursue objectives of public interest, or allow the provision of innovative services (e.g., Regulation 2017/1926 on road safety and intelligent transport systems or Regulation 1907/2006 (REACH) for information resulting from testing of chemicals on vertebrate animals). As explained before, PSD2 offers another case that illustrates the importance of striking a proper balance between promoting competition and maintaining sufficient incentives for innovation. By way of example, the level and depth of third-party payers’ access to client account data should be balanced against innovators’ legitimate exclusive claims to unique data supplied through the design and development of novel, AI-based data generating interfaces as a result of their private investments in innovation.
As to the sharing of data between undertakings and public sector bodies (B2G), in the 2018 data package the Commission set out a list of key principles that should support the supply of private sector data to public sector bodies under preferential conditions for re-use:
- Requests for data by public bodies should not go beyond what is necessary and proportionate for pursuing objectives of public interest;
- The purpose and duration of the use of data should be clearly limited;
- B2G data collaboration should ensure that the legitimate interests of the companies are respected, and companies continue to be able to monetize the insights derived from the data in question with respect to other parties;
- The public sector body should be given a preferential treatment over other customers, in particular with respect to the level of compensation;
- Undertakings should offer reasonable and proportionate support to help assess the quality of data for the stated purposes (but should not be required to improve the quality of data in question);
- Transparency on the B2G data collaboration should be ensured.
In light of the existing framework, in its 2020 strategy for data the Commission announces that it will further explore the need for legislative action on issues that affect the relations between actors to provide incentives for horizontal data sharing across sectors. To this aim, it foresees the adoption in 2021 of a Data Act on the sharing of data held by undertakings. The Commission wishes to further promote the B2G sharing of data for purposes of public interest and, moreover, to encourage the B2B sharing of data, in particular reducing uncertainty on the rights of use of co-generated data that are typically regulated by means of private contracts. As to B2B data sharing, the Commission confirms that the general rule should be voluntary sharing: a duty to deal, where appropriate under FRAND conditions, may be justified only in specific circumstances or for specific market failures at the sectoral level. In the Commission’s view, the Data Act may also include a revision of the Database Directive 96/9/EC and a clarification of the application of the Trade Secrets Protection Directive (EU) 2016/943, with a view to further enhance data access and use.
Similar to what we have already stressed with reference to access to data held by the public sector, it is also of paramount importance in this context to take an ex ante view of the impact of any new regulatory measure on the incentives of the entities concerned and of the legitimate interests of the subjects who originally hold the data. And even when taking such an ex ante view, unintended consequences that become visible as the design of the regulatory measures unfolds will have to be dealt with in an expedient and appropriate manner in order to safeguard Europe’s ambitions on its role in the global, competitive data landscape.
7. The Interface with Competition Rules
Fostering the creation of data pools in the EU may help to increase volumes of data in support of innovation. Hence the Commission, which is usually suspicious of exchanges of information between companies for fear of distortions of competition, announced that it will provide guidelines on the compatibility of data sharing and data pools with antitrust rules (Art. 101 TFEU) within the ongoing revision of the Guidelines on Horizontal Cooperation Agreements and, if necessary, also with reference to specific projects.
In merger control, on the other hand, the Commission will ensure a careful assessment of the impact on competition of acquisitions that entail the accumulation of data on a large scale and will explore whether corrective measures, such as the obligation to grant access or share data with competitors, are needed to remove competition concerns.
Also, in the area of state aid, the Commission argues that corrective measures such as imposing on the aid beneficiary the duty to share data may be appropriate in order to ensure the compatibility of the aid measure with the Treaty. This statement can be seen as an extension of the principle underlying the PSI Directive, whereby some data-sharing obligation may be required in exchange for the benefit of public financial support. In this respect, however, it should be recalled that the final and approved version of the PSI Directive does not contemplate a general obligation to grant access to data for free but is based instead on the principle “as open as possible, as closed as necessary.” For instance, in the enforcement of the rules on state aid, access obligations to data created with public support should not be provided if openness would entail risks for reasons of public interest, such as safety or security, or a significant loss of value for the European investment.
This is without prejudice to the access obligations already contemplated by EU competition rules, whereby the refusal by a dominant company to give access to data, which are indispensable to compete, may constitute an abuse pursuant to Article 102 TFEU. Further issues, related to the power of digital platforms, are addressed in the already mentioned proposal for a Digital Markets Act, laying down special obligations on large platforms designated as gatekeepers.
8. Data Governance, Enabling Factors and Skills
The proposal of a legislative initiative for the governance of data (Data Governance Act), foreseen in the strategy and adopted by the Commission last November, aims to foster the re-use of data both in the public and in the private sector by creating an institutional framework capable of increasing trust in data sharing.
First, the proposal enhances the framework for re-use of categories of data held by the public sector that are subject to rights of others (e.g., personal data, IPRs, commercial confidentiality) and therefore are not open pursuant to the PSI Directive. The Data Governance Act, while not establishing any right to re-use such data, lays down harmonized conditions under which the re-use of such data may be allowed. The relevant provisions concern, in particular: the need for the public sector to be technically equipped to ensure that data protection, privacy, and confidentiality are fully preserved; setting up competent structures which should provide the public sector with technical support and legal advice; transparency obligations; the prohibition of exclusive arrangements, with some exceptions; specific requirements for transfer of protected non-personal data to third countries; the possibility for the public sector to charge non-discriminatory and proportionate fees; setting up a single information point that will receive requests for re-use.
Second, the legislative proposal aims at increasing trust in data intermediaries for sharing personal and non-personal data in B2B and B2C relations. To this aim, the Data Governance Act creates a notification and supervision regime for providers of data sharing services. These intermediaries will have to comply with a number of requirements, which will differentiate them from other digital services providers. In particular, they cannot use the data for other purposes and will have to assume fiduciary duties towards individuals. As a result, these intermediaries are meant to allow companies and individuals to more effectively keep control of their data when they decide to share them.
Third, in order to make it easier for individuals and organizations to permit the use of their data for the public good (‘data altruism’), the Data Governance Act establishes the possibility for non-profit organizations engaging in the collection of data for specific reasons of general interest to register as a “data altruism organization recognized in the EU,” subject to some requirements, so as to increase trust in their operations.
The proposal also foresees the creation of a European Data Innovation Board in the form of an expert group composed of representatives of the competent authorities of the Member States, the European Commission and the European Data Protection Board, with the aim to facilitate the emergence of best practices and to advise the Commission on the prioritization of cross-sector standards for data use and cross-sector data sharing, and assist it in enhancing the interoperability of data and data-sharing services between different sectors and domains.
As to the initiatives announced by the Commission on the enabling factors for the data economy and the strengthening of skills in this area, appropriate support measures are needed, not rules. In particular, in 2021-2027 the EU will invest in a High Impact Project on European data spaces and federated cloud infrastructures. Initiatives are also foreseen to improve price and quality conditions in the supply of cloud services (collection of existing codes of conduct and certifications in a cloud rulebook; development of standards and common requirements for public procurement relating to data processing services; development of a marketplace for cloud services).
9. Sectoral Initiatives for EU Common Data Spaces
As a complement to horizontal measures, the Commission’s strategy foresees the development of European common data spaces in some strategic sectors and areas of public interest: industrial manufacturing; the EU Green Deal; mobility; health; finance; energy; agriculture; public administration; digital skills. Details on each of these initiatives are contained in the annex to the communication on the EU strategy for data.
From a substantive viewpoint, the focus on the sectoral dimension is one of the main features of the strategy. The high heterogeneity of the data compound and the differences in productive processes and in uses of public interest in the various contexts require that general initiatives on the governance of data in the EU are accompanied by sectoral micro-strategies in order to maximize the benefits for citizens, undertakings, and society at large.
For instance, in a sectoral perspective it becomes possible to justify specific data sharing obligations in terms of well-circumscribed reasons of public interest.
Also, for the processing of personal data, the general rules of the GDPR may be adapted by sectoral rules in light of the features of the relevant ecosystem. For instance, the data transmitted from one vehicle to another in the context of intelligent transport systems, although pseudonymized, still fall within the category of personal data if it remains possible to identify the vehicle, and then, indirectly, its owner. However, applying the general GDPR approach, based on bilateral relations between the data controller and the data subject, would hardly be feasible for the exchange of signals between vehicles; sector-specific rules for the processing of personal data are needed.
Another example is provided by the health sector: only a targeted approach may reconcile a high level of protection of these data, which are highly sensitive, with a more effective circulation of the information needed to ensure access to health services in other Member States, and to foster, in closely monitored contexts, research for the prevention, diagnosis, and treatment of diseases.
Therefore, the initiatives that will be taken at the sectoral level for the development of common European data spaces will play a crucial role in supporting the competitiveness of the EU in data-driven innovation.
There is one additional caveat, though. The need for sectoral granularity is obvious and legitimate. However, breakthrough technology innovation often also has a cross-sectoral dimension. Thus, going forward, legislators and regulators should think carefully about how and to what extent sectoral common data spaces (and the rules to access and use them) may influence (hamper or stimulate) cross-sectoral technological innovation. Taking another perspective, how will sectoral common data spaces be used and integrated in processes of generating cross-sectoral technological innovations? This concern is of particular relevance across various areas of digital innovation where cross-sectoral technology development and impact are prevailing. For instance, the development of augmented reality algorithms and technology has ramifications in sectors as diverse as automotive and pharmaceuticals. Hence, common sectoral data spaces should not lead to silos impeding or slowing down cross-sectoral innovation trajectories.
The Single Market for Data is a critical strategic objective of the European Commission. This overview and analysis illustrate that producing value by means of innovation for citizens, undertakings, and society will always imply a balancing act. One of the more fundamental innovation axioms is that the innovator should reap sufficient economic benefit from private investment in innovation in order to assume such high-risk activities and minimize the presence of market failure. Thus, European values, economic impact of innovation, and protection of the citizen all come into play when designing and implementing legislation and regulation on the European Single Market for Data. That is why “as closed as needed” also is a fundamental tenet of the digital data-driven economy. Similar concerns hold for those interpretations of PSD2 that would force private undertakings investing in innovative interfaces for their customers to share their data benefits with any third-party payment provider. Such views are easily at odds with the fundamental economic dynamics linking risky investments in innovation to the creation of a competitive edge by firms and entrepreneurs,18 subject to competition rules.
Europe has the ambition to use the digital agenda to strengthen its competitiveness in the global digital economy.19 To this end, it is necessary to take into account the interactions (both reinforcing and impeding) between data access, data protection, data exclusivity and innovation implementation. In addition, the US/China positions should be subject to close scrutiny when designing European legislative and regulatory actions. This process should explicitly examine how and where openness limits or supports the competitive advantage of European undertakings.
The same holds for scientific research data (partially or totally) funded by public money that also are subject to economic exploitation as requested by various national legislative frameworks. In order to realize the envisaged economic benefits, possibilities of data exclusivity will have to be in place (“as closed as needed”).
Finally, sectoral initiatives for common data spaces are highly welcome. However, the need for granularity should not lose sight of the cross-sectoral logic of many technology innovations. Thus, policy development and deployment on the Single Market for Data should carefully consider how such sectoral common data spaces (and the rules attached to them) have to be designed to foster cross-sectoral technological innovation.
Available at Social Science Research Network (SSRN): https://ssrn.com/abstract=3771438
1. COM(2020) 67 final.
2. COM(2020) 66 final.
3. COM(2020) 65 final.
4. COM(2020) 64 final.
5. COM(2020) 767 final.
6. A public consultation on the strategy ran from 19 February to 31 May 2020; a summary report on the contributions submitted by more than 800 stakeholders is available on the Commission’s website.
7. Directive (EU) 2015/2366.
8. Science Magazine, August 21st 2020: 312-314.
9. See, for instance, Regulation EU 2017/1926 on EU-wide multimodal travel information services, as well as Ricardo Energy & Environment and TEPR (2019), Support Study for the ex post evaluation of the ITS Directive 2010/40/EU.
10. See, for instance, De Loecker, J., Eeckhout, J. (2017), “The Rise of Market Power and the Macroeconomic Implications,” NBER Working Paper, 23687; Crémer J., de Montjoye Y., Schweitzer H. (2019), “Competition Policy for the Digital Era,” Report for the European Commission; European Commission, Report on Competition Policy 2020, SWD(2020) 126 final; European Parliament, Resolution of 18 June 2020 on Competition Policy-Annual Report 2019, P9_TA-PROV(2020)0158.
11. COM(2020) 842 final.
12. See Arnaut C. et al. (2018), Study on data sharing between companies in Europe, Study prepared for the European Commission, DG Connect, Final Report.
13. Court of Justice, case C-450/06, Varec SA v. Belgian State, para. 48 (“It follows from the case-law of the European Court of Human Rights that the notion of ‘private life’ cannot be taken to mean that the professional or commercial activities of either natural or legal persons are excluded”). Whereas the notion of trade secret is based on three requirements (the information is not generally known or readily accessible to persons within the circles that normally deal with the kind of information in question; it has commercial value because it is secret; it has been subject to reasonable steps under the relevant circumstances by the person lawfully in control of the information to keep it secret), for the broader category of confidential information it is sufficient that the information is known only to a limited number of persons, its disclosure is liable to cause serious harm to the interested subject or to third parties, the interests liable to be harmed by disclosure are objectively worthy of protection.
14. PSI Directive, Article 1, no. 10.
15. COM(2018) 232 final.
16. Staff Working Document, Guidance on sharing private sector data in the European data economy, SWD(2018) 125 final.
17. On the use of data in P2B relations, see Hausemet et al. (2017), “Study on Data in Platform to Business Relations,” available at https://op.europa.eu/en/publication-detail/-/publication/4af6cec1-48fb-11e8-be1d-01aa75ed71a1/language-en.
18. Kamien M.I., N.L. Schwartz (1982), Market Structure and Innovation, Cambridge University Press.
19. For a broader discussion of the related policy challenges, see Aktoudianakis A. (2020), Fostering Europe’s Strategic Autonomy—Digital sovereignty for growth, rules and cooperation, European Policy Centre—Konrad Adenauer Stiftung.