On Wednesday, the European Commission unveiled its Data Governance Act, a highly-anticipated piece of legislation that looks to rethink the European Union's approach to data and boost its ability to compete in the global tech marketplace. It comes amidst a sweeping set of reforms set to be proposed by the European Union executive that could dramatically change the digital landscape.
The goal? Empower a European tech industry that has perpetually seemed a step behind its U.S. counterpart. Just about every major city in Europe—from Tallinn to Krakow to Amsterdam—has been called the ‘future Silicon Valley’ and yet three out of four European startups are bought by American companies, according to research funded by the European Union.
In order to counteract this, the act—said to be the brainchild of Internal Market Commissioner of Thierry and former CEO of France Télécom Thierry Breton—would simultaneously limit sensitive personal data leaving the bloc while at the same time making it easier to access for firms within it.
One of the larger proposed changes is the establishment of so-called independent “data intermediaries” that would facilitate data-sharing between consumers and businesses. Critically, these data intermediaries would have to be neutral, meaning that they wouldn’t be able to sell data to other companies nor use it to benefit their own. They would also be legally required to refuse requests for access by non-European authorities, such as the NSA, unless they are approved by an EU court.
It’s pretty obvious who European officials had in mind when drafting the legislation. In a Wednesday press release, the European Commission wrote: “It [the act] offers an alternative model to the data-handling practices of the big tech platforms, which can acquire a high degree of market power because of their business models that imply control of large amounts of data.”
It’s also the latest escalation in an already tense relationship between the European Union and the United States when it comes to data. In a landmark decision in July, a top European court struck down an integral EU-U.S. data sharing pact because it didn’t do enough to protect personal data from U.S. surveillance. With the court's decision already being met with fierce backlash from Silicon Valley tech giants (Facebook even threatened to stop operating in Europe altogether), the European Union’s increasingly protectionist stance regarding data is sure to be met with only more dismay.
But just because Silicon Valley is losing doesn’t necessarily mean that user privacy is winning.
One of the flagposts of the Data Governance Act is the establishment of a “single market for data” that would make public sector data “reusable” and transferable across the bloc’s twenty-seven member states in the hopes of unlocking its “economic and societal potential.” The legislation also looks to make it easier for citizens to share their data for non-commercial purposes in what the Commission vaguely calls “data altruism.”
Diego Naranjo, Head of Policy at European Digital Rights (EDRi), sees this vague language as an unnecessary risk to existing protections such as the GDPR, and as giving companies more legroom to find creative ways to profit off personal data.
“The legislation is a significant wink-wink to private companies that want to commercialise personal data,” he wrote to Motherboard, “and it is a significant distantiation from the path the European Union took with the GDPR and the ePrivacy Directive, which was putting people at the center and protecting them.”
But more fundamentally, privacy activists argue, the act is emblematic of a rhetorical shift by European officials that increasingly positions data as an untapped commodity, rather than a right that deserves stringent safekeeping.
“Based on the proposal, we see a fundamental shift in the European Union's approach to data governance, from data protection to data harvesting,” Estelle Massé, a senior policy analyst at Access Now, wrote to Motherboard in an email. “From the narrative to the scope of the proposal, the European Commission is moving from a perspective of protecting and empowering people to one fostering more sharing of information. Now, these approaches don't necessarily have to be at odds, however, we see very little in the draft Data Governance Act that would help empower people.”
With the amount of data generated in the European Union expected to grow five fold from 2018 to 2025 according to the report, the legislation instead seems more aimed at making it easier for European industry to capitalize on a booming data economy. If Europe failed to make its mark on the tech landscape during the rise of tech giants like Facebook, Google, and Amazon, then the Data Governance Act hopes to prepare the continent for what some top officials see as an impending round 2.
But where all of this will leave users and their data remains an open question.
“The narrative is now about ‘race’, ‘battle’, and ‘battlegrounds’ where data is an asset, not a right,” Massé said. “Access Now strongly objects to this shift, protecting personal data is and remains part of fundamental rights in the EU. The European Union must not lose sight of its leadership role in defending privacy and data protection by advancing proposals that threaten to bin its legacy.”