The period of the European Commission that has just finished delivered an ambitious and coherent legal framework for both the single digital market and the single market for data, based on the digital and data strategies the EU formulated. Those laws, such as the Data Governance Act, Data Act, High Value Data implementing regulation and the AI Act are all finished and in force (if not always fully in application). This means efforts are now switching to implementation. The detailed programme of the next European Commission, now being formed, isn’t known yet. Big new legislation efforts in this area are however not expected.

This summer Ursula von der Leyen, the incoming chairperson of the Commission has presented the political guidelines. In it you can find what the EC will pay attention to in the coming years in the field of data and digitisation.

Data and digital are geopolitical in nature
The guidelines underline the geopolitical nature of both digitisation and data. The EU will therefore seek to modernise and strengthen international institutions and processes. It is noted that outside influence in regular policy domains has become a more common instrument in geopolitics. Data and transparency are likely tools to keep a level headed view of what’s going on for real. Data also is crucial in driving several technology developments, such as in AI and digital twins.

European Climate Adaptation Plan Built on Data
The EU will increase their focus on mapping risks and preparedness w.r.t. natural disasters and their impact on infrastructure, energy, food security, water, land use both in cities and in rural areas, as well as early warning systems. This is sure to contain a large data component, a role for the Green Deal Data Space (for which the implementation phase will start soon, now the preparatory phase has been completed) and the climate change digital twin of the earth (DestinE, for which the first phase has been delivered). Climate and environment are the areas where already before the EC emphasised the close connection between digitisation and data and the ability to achieve European climate and environmental goals.

AI trained with data
Garbage in, garbage out: access to enough high quality data is crucial to all AI development, en therefore data will play a role in all AI plans from the Commission.

An Apply AI Strategy was announced, aimed at sectoral AI applications (in industry, public services or healthcare e.g.). The direction here is towards smaller models, squarely aimed at specific questions or tasks, in the context of specific sectors. This requires the availability and responsible access to data in these sectors, in which the European common data spaces will play a key role.

In the first half of 2025 an AI Factories Initiative will be launched. This is meant to provide SME’s and newly starting companies with access to the computing power of the European supercomputing network, for AI applications.

There will also be an European AI Research Council, dubbed a ‘CERN for AI’, in which knowledge, resources, money, people, and data.

Focus on implementing data regulations
The make the above possible a coherent and consistent implementation of the existing data rules from the previous Commission period is crucial. Useful explanations and translations of the rules for companies and public sector bodies is needed, to allow for seamless data usage across Europe and at scale. This within the rules for data protection and information security that equally apply. The directorate within the Commission that is responsible for data, DG Connect, sees their task for the coming years a mainly being ensuring the consistent implementation of the new laws from the last few years. The implementation of the GDPR until 2018 is seen as an example where such consistency was lacking.

European Data Union
The political guidelines announce a strategy for a European Data Union. Aimed at better and more detailed explanations of the existing regulations, and above all the actual availability and usage of data, it reinforces the measure of success the data strategy already used: the socio-economic impact of data usage. This means involving SME’s at a much larger volume, and in this context also the difference between such SME’s and large data users outside of the EU is specifically mentioned. This Data Union is a new label and a new emphasis on what the European Data Strategy already seeks to do, the creation of a single market for data, meaning a freedom of movement for people, goods, capital and data. That Data Strategy forms a consistent whole with the digital strategy of which the Digital Markets Act, Digital Services Act and AI Act are part. That coherence will be maintained.

My work: ensuring that implementation and normalisation is informed by good practice
In 2020 I helped write what is now the High Value Data implementing regulation, and in the past years my role has been tracking and explaining the many EU digital and data regulations initiatives on behalf of the main Dutch government holders of geo-data. Not just in terms of new requirements, but with an accent on the new instruments and affordances those rules create. The new instruments allow new agency of different stakeholder groups, and new opportunities for societal impact come from them.
The phase shift from regulation to implementation provides an opportunity to influence how the new rules get applied in practice, for instance in the common European data spaces. Which compelling cases of data use can have an impact on implementation process, can help set the tone or even have a normalisation effect? I’m certain practice can play a role like this, but it takes bringing those practical experiences to a wider European network. Good examples help keep the actual goal of socio-economic impact in sight, and means you can argue from tangible experience in your interactions.

My work for Geonovum the coming time is aimed at this phase shift. I already helped them take on a role in the coming implementation of the Green Deal Data Space, and I’m now exploring other related efforts. I’m also assisting the Ministry for the Interior in formulating guidance for public sector bodies and data users on how to deal with the chapter of the Data Governance Act that allows for the use (but not the sharing) of protected data held by the public sector. Personally I’m also seeking ways to increase the involvement of civil society organisations in this area.

Favorited EDPB Urgent Binding Decision on processing of personal data for behavioural advertising by Meta by EDPB

This is very good news. The European Data Protection Board, at the request of the Norwegian DPA, has issued a binding decision instructing the Irish DPA and banning the processing of personal data for behavioural targeting by Meta. Meta must cease processing data within two weeks. Norway already concluded a few years ago that adtech is mostly illegal, but European cases based on the 2018 GDPR moved through the system at a glacial pace, in part because of a co-opted and dysfunctional Irish Data Protection Board. Meta’s ‘pay for privacy‘ ploy is also torpedoed with this decision. This is grounds for celebration, even if this will likely lead to legal challenges first. And it is grounds for congratulations to NOYB and Max Schrems whose complaints filed the first minute the GDPR enforcement started in 2018 kicked of the process of which this is a result.

…take, within two weeks, final measures regarding Meta Ireland Limited (Meta IE) and to impose a ban on the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire European Economic Area (EEA).

European Data Protection Board

Een paar weken geleden had ik een gesprek van een uur met Bart Ensink van Little Rocket over mijn werk en mijn bedrijf The Green Land. Dat gesprek is als zesde aflevering van de Datadriftig podcast nu te beluisteren. We ‘kwamen elkaar tegen’ in de interactie op een draadje op Mastodon in december. Little Rocket is een ebusiness bedrijf en maakt voor hun zakelijke klanten data bruikbaarder. Het is gevestigd in Enschede, dus bracht ik een bezoek aan de stad waar ik tot 6 jaar geleden woonde, en dook Enschede en de Universiteit Twente vaker op in het gesprek.

De Rechtbank Midden-Nederland heeft op 22 december een belangrijke uitspraak gedaan. De Kamer van Koophandel (KvK) kan zich niet beroepen op het databankenrecht in het stellen van eisen aan gebruikers van de data uit het Handelsregister.

De KvK had per 1 januari 2021 haar voorwaarden aangepast en daarbij het databankenrecht voor zichzelf geclaimd. Dit was een redelijk verbijsterende stap, die ik zelf interpreteerde als bewust obstructieve handeling vooruitlopend op een mogelijke verplichting tot open data binnen de nieuwe Hergebruiksrichtlijn / Open Data Richtlijn. Die nieuwe Hergebruiksrichtlijn verbiedt namelijk in Artikel 1.6 het gebruik van het databankenrecht door publieke instellingen (zoals ZBO’s als KvK ook) om extra toegangsrestricties te kunnen opleggen behoudens wat is toegestaan in de Hergebruiksrichtlijn zelf. Dat wist de KvK uiteraard ook sinds 2019, en dus was het tevoren een nieuwe status quo proberen te creëren (zodat je die kunt verdedigen tegen de ‘overmatige’ eisen van nieuwe regels) een daad van obstructie in mijn ogen.

Die in 2021 verwachte verplichting is er overigens nog niet. Enerzijds omdat Nederland in gebreke is gebleven bij het aanpassen van de Wet Hergebruik Overheidsinformatie dat afgelopen juli rond had moeten zijn (en daarvoor in het strafbankje is gezet door de EU). Anderzijds omdat de implementatiewet t.a.v. verplichte open data die een jaar geleden al bekend had zullen zijn nog altijd niet gepubliceerd is (waarschijnlijk door politieke onenigheid tussen lidstaten over precies diezelfde handelsregisters.).

Terecht is over de nieuwe gebruiksvoorwaarden een zaak begonnen door een aantal commerciële hergebruikers van informatie uit het Handelsregister. In deze zaak is nu uitspraak gedaan.

Die uitspraak zaagt de stoelpoten onder KvK weg. Waar de Hergebruiksrichtlijn stelt dat het hebben van databankenrecht de werking van de Hergebruiksrichtlijn kan beperken, maar dat overheden zich daar niet op mogen beroepen, stelt de rechter dat de KvK helemaal geen databankenrecht heeft.

In 2009 hadden we al de Landmark zaak tegen de Gemeente Amsterdam waar de rechter uitsprak dat de Gemeente geen producent in de zin van het databankenrecht is omdat de Gemeente niet aan de investeringsvoorwaarde voor toekenning daarvan voldeed.

In de nu gedane uitspraak wordt door de rechter erkend dat de KvK weliswaar flinke inspanningen investeert in het opbouwen van het Handelsregister. Maar omdat er geen enkel financieel risico is voor die investering (wettelijk gedekt door de overheid), en omdat het de uitvoering van een wettelijke taak betreft die de investering noodzakelijk maakt, is er geen economische rechtvaardigingsgrond voor databankenrechten. De KvK is, aldus de uitspraak, geen producent in de zin van de Databankenwet. Daarmee is er een streep getrokken door de obstructieve elementen in de gebruiksvoorwaarden van de KvK die begin dit jaar zijn ingevoerd.

In deze context is ook de recente (10-12) brief aan de Tweede Kamer van de Minister van EZK over de datavisie van het Handelsregister interessant. Daarin wordt ondermeer ingegaan op problemen die ervaren worden met het Handelsregister. Het gaat dan tegelijkertijd om teveel toegang en hergebruik, als om te weinig toegang en hergebruik. De brief positioneert dat als een tegenstelling tussen privacy en transparantie, maar dat is een vals dilemma. Je kunt gerust beiden maximaliseren.
EZK stelt, terecht, dat het hebben van een betaalmuur geen privacybescherming kan zijn (het betekent hooguit dat alleen mensen met iets meer te besteden je privacy schenden), en stelt ook terecht het maatschappelijk belang van openbare informatie over rechtspersonen centraal (ik schreef er al eerder over, in ruil voor het zichtbaar maken van wie ik ben als ondernemer, zodat anderen kunnen nagaan met wie ze te maken hebben, krijg ik als ondernemer ook bepaalde voordelen en rechtsbescherming die me in mijn ondernemendheid kunnen stimuleren).
Wat niet klopt in de brief van EZK is dat de voorstanders van open data alleen naar de socio-economische opbrengsten zouden kijken, en EZK probeert ook nog eens aan te voeren dat de socio-economische voordelen die met die data elders zijn bereikt misschien door andere oorzaken zijn ontstaan. Hier wordt kennelijk ook verwezen naar het nog niet openbaar gemaakte maar wel gepubliceerde advies over de verplichte open data. Daarin wordt inderdaad bijna niets gezegd over bescherming van persoonsgegevens, omdat dat door de Europese Commissie nadrukkelijk buiten scope van het onderzoek en advies was geplaatst. De AVG is gewoon een gegeven.

Er is volgens mij niemand die de privacy problemen rond het Handelsregister miskent. Zoals bijvoorbeeld dat tweederde van alle rechtspersonen op een woonadres van iemand (zoals ik) staan.

De volgorde van redenering t.a.v. open data begint namelijk met de bescherming van persoonsgegevens:

De AVG beschermt persoonsgegevens en werkt beperkend op de WOB (WOO).
Wat openbaar is wordt geregeld in de WOB (WOO), met persoonsgegevens als uitzonderingsgrond, en een aantal specifieke wetten (bijv Handelsregisterwet, Kadasterwet). Die laatsten, de Handelsregisterwet en Kadasterwet maken een gerichte afweging t.a.v. het maatschappelijk belang van openbaarheid in het economisch verkeer van bepaalde persoonsgegevens versus de bescherming van persoonsgegevens.
De Hergebruiksrichtlijn stelt dat wat openbaar is, herbruikbaar moet kunnen zijn.
De Implementatiewet m.b.t. High Value Data in de Hergebruiksrichtlijn maakt het pro-actief voor hergebruik publiceren van sommige data die herbruikbaar moet kunnen zijn verplicht (waaronder waarschijnlijk het Handelsregister).

De AVG en de Hergebruiksrichtlijn met de Implementatiewet EU High Value Data zijn gelijktijdig van groot maatschappelijk belang voor iedereen, en dat is niet strijdig met elkaar. Ook niet bij het Handelsregister. De bewegende delen zitten in de Handelsregisterwet en de praktische informatiehuishouding van de KvK. Daar moeten de problemen worden opgelost. Niet met pogingen het zo in te richten dat je als KvK vooral zelf niets hoeft te doen door je voorwaarden aan te passen. Het is een herkenbaar patroon dat we ook bij de WOO al zagen. De VNG/Gemeenten vonden voldoen aan de WOO eerst te duur, en kregen toen extra de tijd van Tweede Kamer om e.e.a. te regelen, om vervolgens bij voorbaat al te zeggen dat het nooit gaat lukken. De EU open data verplichting voor het Handelsregister is net zomin als de invoering van de WOO voor gemeenten het probleem. De nieuwe wetten maken alleen heel nadrukkelijk zichtbaar dat de KvK, en m.b.t. de WOO de Gemeenten, hun informatiehuishouding niet op orde hebben. De inspanningen die nodig zijn om te kunnen gaan voldoen zijn namelijk niet de invoeringskosten van die wetten, maar zijn de optelsom van achterstallig onderhoud aan je informatiehuishouding, legacy systemen en als organisatie nalaten vooruit te kijken in je eigen informatievak startend vanuit de positieve impact die je op de omgeving nastreeft. Die optelsom van organisatiegebreken wordt nu slechts voor iedereen, inclusief de KvK zelf, zichtbaar door die nieuwe wetten, omdat je er nu eindelijk iets aan moet gaan doen.

De obstructiepoging van de KvK is met de rechterlijke uitspraak niet alleen terzijde geschoven door bijvoorbeeld te zeggen dat databankenrecht niet mag worden gebruikt om hergebruik te beperken. Sterker, de argumentatie van KvK is geheel ondergraven: de KvK heeft helemaal geen databankenrecht.

Dat is een mooi kerstcadeau voor iedereen.

I notice a strong and persistent reluctance with Dutch civil servants to use the word citizen. Apparantly because the Dutch word ‘burger’ carries overtones of ‘kleinburgerlijk’, petty bourgeois, of bourgeoisie, and of the general disdain university students voice for ‘burgers’ (with ‘burger’ being bandied about as an insult amongst them, which gained national usage through the 1990’s Jiskefet satirical tv program). Many civil servants said to me they think the word citizen is ‘old fashioned’.

I find this not only an oddity, but also detrimental to public governance and potentially dangerous.
Not using the word citizen obscures how in the relationship to government citizens have basic human rights, specific constitutional rights, and some duties. A citizen has autonomy and a certain power vis-a-vis the government.
Not using the word citizen, easily obscures that power and those rights to civil servants.

I hear civil servants talk about

  • ‘customers’, usually in the context of providing public service
  • ‘clients’, often in the context of the social domain, reminiscent of how therapists talk
  • ‘inhabitants’, usually a hand-wavy acknowledgement that other people are involved, but in an abstracted, passive or even statistical way,
  • ‘users’, usually carried over from an IT related context
  • or worst case ‘residents’ as if you’re institutionalised.

In all these cases it creates either a distance to people or implies power assymmetries. It makes it easier to dehumanise people. The consequence is the creation of policies about people, but not with those people, because people are never perceived to be on equal footing. Policy gets done over people’s heads, done to them. Participatory processes are then easily reduced to a ritual, a checkbox to mark, something that is a pain and a drag without which your policy process would be so much more efficient. Clients, users and inhabitants are never equal to those who determine policies, whereas citizens would have to be met eye to eye. Acknowledging people as citizens would require curiosity about their needs, motives and actual experiences when developing policy.

Every civil servant I’ve worked with cares about good governance and public service, and individually they wouldn’t treat people as passive objects on which their policies operate, but collectively in their work context they do abstract people out of the equation. And their own choice of words contributes to that, makes it more likely to happen, I think.

In conversations with our public sector clients I always talk about citizens with emphasis. I often also introduce myself as citizen (not as consultant e.g.).

In our projects we always emphasize the need for civil servants to go outside, to check their data and documents against the reality outside, and as often as possible create conversations with real people, with citizens.

With the drive towards ‘data driven’ work, this is ever more essential. Data must be presumed to always describe only a sliver of reality, and to always do so badly on top of that. There is always a check against reality necessary when you want to start relying on data in policy decisions. Visit the places and the people represented in the data, do you recognise them? Do you have a sufficiently nuanced, detailed and rich view on an issue before making a decision? Do people’s stories validate the data, is their meaning incorporated?
Acknowledging people as citizens is also essential to being able to see and use government data publication as a policy instrument, meant to provide agency to people in the context of societal issues and as equal partners in addressing these issues.

Hight time for the public sector to use the word citizen routinely and meaningfully again.

Since the start of this year I am actively tracking the suite of new European laws being proposed on digitisation and data. Together they are the expression into law of the geopolitical position the EU is taking on everything digital and data, and all the proposed laws follow the same logic and reasoning. Taken together they shape how Europe wants to use the potential and benefits of digitisation and data use, including specifically for a range of societal challenges, while defending and strengthening citizen rights. Of course other EU legal initiatives in parallel sometimes point in different directions (e.g. EU copyright regulations leading to upload filters, and the attempts at backdooring end-to-end encryption in messaging apps for mass surveillance), but that is precisely why to me this suite of regulations stands out. Where other legal initiatives often seem to stand on their own, and bear the marks of lobbying and singular industry interests, this group of measures all build on the same logic and read internally consistent as well as an expression of an actual vision.

My work is to help translate the proposed legal framework to how it will impact and provide opportunity to large Dutch government data holders and policy departments, and to build connections and networks between all kinds of stakeholders around relevant societal issues and related use cases. This to shape the transition from the data provision oriented INSPIRE program (sharing and harmonising geo-data across the EU), to a use needs and benefits oriented approach (reasoning from a societal issue to solve towards with a network of relevant parties towards the data that can provide agency for reaching a solution). My work follows directly from the research I did last year to establish a list of EU wide high value data sets to be opened, where I dived deeply into all government data and its governance concerning earth observation, environment and meteorology, while other team members did the same for geo-data, statistics, company registers, and mobility.

All the elements in the proposed legal framework will be decided upon in the coming year or so, and enter into force probably after a 2 year grace period. So by 2025 this should be in place. In the meantime many organisations, as well as public funding, will focus on already implementing elements of it even while nothing is mandatory yet. As with the GDPR, the legal framework once in place will also be an export mechanism of the notions and values expressed in it to the rest of the world. This as compliance is tied to EU market access and having EU citizens as clients wherever they are.

One element of the framework is already in place, the GDPR. The newly proposed elements mimic the fine structures of the GDPR for non-compliance.
The new elements take the EU Digital Compass and EU Digital Rights and Principles for which a public consultation is now open until 2 September as a starting point.

The new proposed laws are:

Digital Markets Act (download), which applies to all dominant market parties, in terms of platform providers as well as physical network providers, that de facto are gatekeepers to access by both citizens and market entities. It aims for a digital unified market, and sets requirements for interoperability, ‘service neutrality’ of platforms, and to prevent lock-in. Proposed in November 2020.

Digital Services Act (download), applies to both gatekeepers (see previous point) and other digital service providers that act as intermediaries. Aims for a level playing field and diversity of service providers, protection of citizen rights, and requires transparency and accountability mechanisms. Proposed in November 2020.

AI Regulatory Proposal (download), does not regulate AI technology, but the EU market access of AI applications and usage. Market access is based on an assessment of risk to citizen rights and to safety (think of use in vehicles etc). It’s a CE mark for AI. It periodically updates a list of technologies considered within scope, and a list of areas that count as high risk. With increasing risk more stringent requirements on transparency, accountability and explainability are set. Creates GDPR style national and European authorities for complaints and enforcement. Responsibilities are given to the producer of an application, distributors as well as users of such an application. It’s the world’s first attempt of regulating AI and I think it is rather elegant in tying market access to citizen rights. Proposed in April 2021.

Data Governance Act (download), makes government held data that isn’t available under open data regulations available for use (but not for sharing), introduces the European dataspace (created from multiple sectoral data spaces), mandates EU wide interoperable infrastructure around which data governance and standardisation practices are positioned, and coins the concept of data altruism (meaning you can securely share your personal data or company confidential data for specific temporary use cases). This law aims at making more data available for usage, if not for (public) sharing. Proposed November 2020.

Data Act, currently open for public consultation until 2 September 2021. Will introduce rules around the possibilities the Data Governance Act creates, will set conditions and requirements for B2B cross-border and cross-sectoral data sharing, for B2G data sharing in the context of societal challenges, and will set transparency and accountability requirements for them. To be proposed towards the end of 2021.

Open Data Directive, which sets the conditions and requirements for open government data (which build on the national access to information regulations in the member states, hence the Data Governance Act as well which does not build on national access regimes). The Open Data Directive was proposed in 2018 and decided in 2019, as the new iteration of the preceding Public Sector Information directives. It should have been transposed into national law by 1 July 2021, but not all MS have done so (in fact the Netherlands has just recently started the work). An important element in this Directive is EU High Value Data list, which will make publication of open data through APIs and machine readable bulk download mandatory for all EU member states for the data listed. As mentioned above, last year I was part of the research team that did the impact assessments and proposed the policy options for that list (I led the research for earth observation, environment and meteorology). The implementation act for the EU High Value Data list will be published in September, and I expect it to e.g. add an open data requirement to most of the INSPIRE themes.

Most of the elements in this list are proposed as Acts, meaning they will have power of law across the EU as soon as they are agreed between the European Parliament, the EU council of heads of government and the European Commission and don’t require transposition into national law first. Also of note is that currently ongoing revisions and evaluations of connected EU directives (INSPIRE, ITS etc.) are being shaped along the lines of the Acts mentioned above. This means that more specific data oriented regulations closer to specific policy domains are already being changed in this direction. Similarly policy proposals such as the European Green Deal are very clearly building on the EU digital and data strategies to achieving and monitoring those policy ambitions. All in all it will be a very interesting few years in which this legal framework develops and gets applied, as it is a new fundamental wave of changes after the role the initial PSI Directive and INSPIRE directive had 15 to 20 years ago, with a much wider scope and much more at stake.


The geopolitics of digitisation and data. Image ‘Risk Board Game’ by Rob Bertholf, license CC BY