Bookmarked Data altruism: how the EU is screwing up a good idea (by Winfried Veil)

I find this an unconvincing critique of the data altruism concept in the new EU Data Governance Act (caveat: the final consolidated text of the new law has not been published yet).

“If the EU had truly wanted to facilitate processing of personal data for altruistic purposes, it could have lifted the requirements of the GDPR”
GDPR slackened for common good purposes? Let’s loosen citizen rights requirements? It assumes common good purposes can be well enough defined to not endanger citizen rights, turtles all the way down. The GDPR is a foundational block, one in which the author, some googling shows, is disappointed with having had some first hand experience in its writing process. The GDPR is a quality assurance instrument, meaning, like with ISO style QA systems, it doesn’t make anything impossible or unallowed per se but does require you organise it responsibly upfront. That most organisations have implemented it as a compliance checklist to be applied post hoc is the primary reason for it being perceived as “straitjacket” and for the occurring GDPR related breaches to me.
It is also worth noting that data altruism also covers data that is not covered by the GDPR. It’s not just about person identifiable data, but also about otherwise non-public or confidential organisational data.

The article suggests it makes it harder for data altruistic entities to do something that already now can be done under the GDPR by anyone, by adding even more rules.
The GDPR pertains to the grounds for data collection in the context of usage specified at the time of collection. Whereas data altruism is also aimed at non-specified and at not yet known future use of data collected here and now. As such it covers an unaddressed element in the GDPR and offers a path out of the purpose binding the GDPR stipulates. It’s not a surprise that a data altruism entity needs to comply with both the GDPR and a new set of rules, because those additional rules do not add to the GDPR responsibilities but cover other activities. The type of entities envisioned for it already exist in the Netherlands, common good oriented entities called public benefit organisations: ANBI’s. These too do not absolve you from other legal obligations, or loosen the rules for you. On the contrary these too have additional (public) accountability requirements, similar to those described in the DGA (centrally registered, must publish year reports). The DGA creates ANBI’s for data, Data-ANBI’s. I’ve been involved in data projects that could have benefited from that possibility but never happened in the end because it couldn’t be made to work without this legal instrument.

To me the biggest blind spot in the criticism is that each of the examples cited as probably more hindered than helped by the new rules are single projects that set up their own data collection processes. That’s what I think data altruism is least useful for. You won’t be setting up a data altruism entity for your project, because by then you already know what you want the data for and start collecting that data after designing the project. It’s useful as a general purpose data holding entity, without pre-existing project designs, where later, with the data already collected, such projects as cited as example will be applicants to use the data held. A data altruistic entity will not cater to or be created for a single project but will serve data as a utility service to many projects. I envision that universities, or better yet networks of universities, will set up their own data altruistic entities, to cater to e.g. medical or social research in general. This is useful because there currently are many examples where handling the data requirements being left to the research team is the source of not just GDPR breaches but also other ethical problems with data use. It will save individual projects such as the examples mentioned a lot of time and hassle if there’s one or more fitting data altruistic entities for them to go to as a data source. This as there will then be no need for data collection, no need to obtain your own consent or other grounds for data collection for each single respondent, or create enough trust in your project. All that will be reduced to guaranteeing your responsible data use and convincing an ethical board of having set up your project in a responsible way so that you get access to pre-existing data sources with pre-existing trust structures.

It seems to me sentences cited below require a lot more thorough argumentation than the article and accompanying PDF try to provide. Ever since I’ve been involved in open data I’ve seen plenty of data innovations, especially if you switch your ‘only unicorns count’ filter off. Barriers that unintentionally do exist typically stem more from a lack of a unified market for data in Europe, something the DGA (and the GDPR) is actually aimed at.

“So long as the anti-processing straitjacket of the GDPR is not loosened even a little for altruistic purposes, there will be little hope for data innovations from Europe.” “In any case, the EU’s bureaucratic ideas threaten to stifle any altruism.”

Winfried Veil

Wired talks about the potential consequences of the EU Digital Markets Act which will enter into force later this year. It requires amongst others interoperability between messenger services by so-called tech ‘gatekeepers’ (Google, Apple, Facebook/Meta etc). The stance taken is that such interoperability is bad for end-to-end encryption. Wired uncritically accepts the industry’s response to a law that is addressing Big Tech’s monopolistic and competitiveness problems by regulating lock-in. Wired even goes hyperbolic by using ‘Doomed To Fail’ in the title of the piece. What stands out to me is WhatsApp (Facebook/Meta) gaslighting with the following:

“Changes of this complexity risk turning a competitive and innovative industry into SMS or email, which is not secure and full of spam,”

Will Cathcart, Meta’s head of WhatsApp, gaslighting the public about the DMA.

A competitive and innovative industry you say? Incapable of dealing with a mere rule change that just happens to break your monopolistic chokehold on your customers, you say? Nice dig towards e-mail and SMS too.

Meanwhile the non-profit Matrix has scoped out ways forward. Not easy, but also not impossible for the innovation and competitiveness inclined, as per the previous boasts of the competitive and innovative.

It reminds me of a session I once had with colleagues years ago with most providers of route navigation services, where it was about opening up real time traffic and road information by the Dutch government, specifically changes to roads. The big navigation providers, both of the consumer products, as well as the in-car providers, generally struggled with anything that would lead to more frequent changes in the underlying maps (adding stuff to dynamic layers on top of a map is easier, changing the map layer is harder). It would mess up their update cycles because of months long lead times for updates, and the tendency of the general public to only sporadically update their maps. This is the reason you still come across traffic signs saying ‘situation changed, switch off navigation’, because of your navigation provider’s ‘competitive and innovative’ attitude towards change.

There was one party in the room who already was able to process such deeper changes at whatever frequency. It wasn’t a ‘gatekeeper’ in that context of course but a challenger. It was the non-profit in the room, Open Street Map. Where changes are immediately rolled out to all users and services. Where interoperability is built in since the start.


“Situation changed, navigation on”, the type of response you’d expect instead of the usual ‘situation changed, navigation off’. This photo taken in 2016 or 2017 in Leeuwarden, where I’ve been working on open data. Image Ton Zijlstra, license CC BY NC SA

(The EU DMA is part of a much wider package of regulation, including the GDPR, expressing a geopolitical position w.r.t. everything digital and data.)
(I’m looking forward to the fits thrown when they close read the Data Act, where any consumer has the right of access to all data created through their use of a product or service, and can assign third parties to share it with. PSD2-for-everything, in short)

Bookmarked Meta’s failed Giphy deal could end Big Tech’s spending spree (by Ars Technica)

This is indeed a very interesting decision by the UK competition and markets authority. I recognise what Ars Technica writes. It’s not just a relevant decision in its own right, it’s also part of an emergent pattern. A pattern various components of which are zeroing in on large silo’d market players. In the EU the Digital Markets Act was approved in recent weeks by both the council of member state ministers and the European Parliament, with the negotiation of a final shared text to be finished by next spring. The EU ministers also agreed the Digital Services Act between the member states (the EP still needs to vote on it in committee). The DMA and DSA make requirements w.r.t. interoperability, service neutrality and portability, democratic control and disinformation. On top of the ongoing competition complaints and data protection complaints this will lead to new investigations of FB et al, if not to immediate changes in functionality and accessibility of their platforms. And then there’s also the incoming AI Regulation which classifies manipulation of people’s opinion and sentiment as high risk and, to a certain extent, a prohibited application. This has meaning for algorithmic timelines and profile based sharing of material in those timelines. All of these, the competition issues, GDPR issues, DMA and DSA issues, and AI risk mitigation will hit FB and other big platforms simultaneously in the near future. They’re interconnected and reinforce each other. That awareness is already shining through in decisions made by competent authorities and judges here and now. Not just within the EU, but also outside it as the European GDPR, DMA, DSA and AI acts are also deliberate export vehicles for the norms written down within them.

….the strange position taken by Britain’s competition watchdog in choosing to block Meta’s takeover of GIF repository Giphy. Meta, the UK’s Competition and Markets Authority (CMA) ruled, must now sell all the GIFs—just 19 months after it reportedly paid $400 million for them. It’s a bold move—and a global first. ……regulators everywhere will now be on high alert for what the legal world calls “killer acquisitions”—where an established company buys an innovative startup in an attempt to squash the competition it could pose in the future.

Morgan Meaker, wired.com / Ars Technica

In reply to Collective Creativity by Wouter Groeneveld

Interestingly this came up yesterday at the FOSS4G-NL conference I visited, where Amélie A Gagnon talked about scenius as communal genius, a scene that jams together and creates results no single genius could. She also mentioned Austin Kleon’s quote ‘don’t be a genius, create a scenius’ (see his post on scenius, and about mapping a scenius, something I’ve elsewhere seen done based on LinkedIn profiles to see what is missing in terms of capabilities, roles and skills, to make a scene somewhere ‘explode’)

…and call it collective creativity: without a collective, the creativity of each genius partaking in the above meetings would never have reached that far.

Wouter Groeneveld

Since the start of this year I am actively tracking the suite of new European laws being proposed on digitisation and data. Together they are the expression into law of the geopolitical position the EU is taking on everything digital and data, and all the proposed laws follow the same logic and reasoning. Taken together they shape how Europe wants to use the potential and benefits of digitisation and data use, including specifically for a range of societal challenges, while defending and strengthening citizen rights. Of course other EU legal initiatives in parallel sometimes point in different directions (e.g. EU copyright regulations leading to upload filters, and the attempts at backdooring end-to-end encryption in messaging apps for mass surveillance), but that is precisely why to me this suite of regulations stands out. Where other legal initiatives often seem to stand on their own, and bear the marks of lobbying and singular industry interests, this group of measures all build on the same logic and read internally consistent as well as an expression of an actual vision.

My work is to help translate the proposed legal framework to how it will impact and provide opportunity to large Dutch government data holders and policy departments, and to build connections and networks between all kinds of stakeholders around relevant societal issues and related use cases. This to shape the transition from the data provision oriented INSPIRE program (sharing and harmonising geo-data across the EU), to a use needs and benefits oriented approach (reasoning from a societal issue to solve, with a network of relevant parties, towards the data that can provide agency for reaching a solution). My work follows directly from the research I did last year to establish a list of EU wide high value data sets to be opened, where I dived deeply into all government data and its governance concerning earth observation, environment and meteorology, while other team members did the same for geo-data, statistics, company registers, and mobility.

All the elements in the proposed legal framework will be decided upon in the coming year or so, and enter into force probably after a 2 year grace period. So by 2025 this should be in place. In the meantime many organisations, as well as public funding, will focus on already implementing elements of it even while nothing is mandatory yet. As with the GDPR, the legal framework once in place will also be an export mechanism of the notions and values expressed in it to the rest of the world. This as compliance is tied to EU market access and having EU citizens as clients wherever they are.

One element of the framework is already in place, the GDPR. The newly proposed elements mimic the fine structures of the GDPR for non-compliance.
The new elements take the EU Digital Compass and EU Digital Rights and Principles for which a public consultation is now open until 2 September as a starting point.

The new proposed laws are:

Digital Markets Act (download), which applies to all dominant market parties, in terms of platform providers as well as physical network providers, that de facto are gatekeepers to access by both citizens and market entities. It aims for a digital unified market, and sets requirements for interoperability, ‘service neutrality’ of platforms, and to prevent lock-in. Proposed in November 2020.

Digital Services Act (download), applies to both gatekeepers (see previous point) and other digital service providers that act as intermediaries. Aims for a level playing field and diversity of service providers, protection of citizen rights, and requires transparency and accountability mechanisms. Proposed in November 2020.

AI Regulatory Proposal (download), does not regulate AI technology, but the EU market access of AI applications and usage. Market access is based on an assessment of risk to citizen rights and to safety (think of use in vehicles etc). It’s a CE mark for AI. It periodically updates a list of technologies considered within scope, and a list of areas that count as high risk. With increasing risk more stringent requirements on transparency, accountability and explainability are set. Creates GDPR style national and European authorities for complaints and enforcement. Responsibilities are given to the producer of an application, distributors as well as users of such an application. It’s the world’s first attempt of regulating AI and I think it is rather elegant in tying market access to citizen rights. Proposed in April 2021.

Data Governance Act (download), makes government held data that isn’t available under open data regulations available for use (but not for sharing), introduces the European dataspace (created from multiple sectoral data spaces), mandates EU wide interoperable infrastructure around which data governance and standardisation practices are positioned, and coins the concept of data altruism (meaning you can securely share your personal data or company confidential data for specific temporary use cases). This law aims at making more data available for usage, if not for (public) sharing. Proposed November 2020.

Data Act, currently open for public consultation until 2 September 2021. Will introduce rules around the possibilities the Data Governance Act creates, will set conditions and requirements for B2B cross-border and cross-sectoral data sharing, for B2G data sharing in the context of societal challenges, and will set transparency and accountability requirements for them. To be proposed towards the end of 2021.

Open Data Directive, which sets the conditions and requirements for open government data (which build on the national access to information regulations in the member states, hence the Data Governance Act as well which does not build on national access regimes). The Open Data Directive was proposed in 2018 and decided in 2019, as the new iteration of the preceding Public Sector Information directives. It should have been transposed into national law by 1 July 2021, but not all MS have done so (in fact the Netherlands has just recently started the work). An important element in this Directive is the EU High Value Data list, which will make publication of open data through APIs and machine readable bulk download mandatory for all EU member states for the data listed. As mentioned above, last year I was part of the research team that did the impact assessments and proposed the policy options for that list (I led the research for earth observation, environment and meteorology). The implementation act for the EU High Value Data list will be published in September, and I expect it to e.g. add an open data requirement to most of the INSPIRE themes.

Most of the elements in this list are proposed as Acts, meaning they will have power of law across the EU as soon as they are agreed between the European Parliament, the EU council of heads of government and the European Commission and don’t require transposition into national law first. Also of note is that currently ongoing revisions and evaluations of connected EU directives (INSPIRE, ITS etc.) are being shaped along the lines of the Acts mentioned above. This means that more specific data oriented regulations closer to specific policy domains are already being changed in this direction. Similarly policy proposals such as the European Green Deal are very clearly building on the EU digital and data strategies to achieving and monitoring those policy ambitions. All in all it will be a very interesting few years in which this legal framework develops and gets applied, as it is a new fundamental wave of changes after the role the initial PSI Directive and INSPIRE directive had 15 to 20 years ago, with a much wider scope and much more at stake.


The geopolitics of digitisation and data. Image ‘Risk Board Game’ by Rob Bertholf, license CC BY

Could one redo any useful app, for that matter, that now fills the start-up cemetery?

I was reminded of this as Peter mentioned Dopplr, a useful and beautifully designed service in the years 2007-2010. The Dopplr service died because it was acquired by Nokia and left to rot. Its demise had nothing to do with the use value of the service, but everything with it being a VC funded start-up that exited to a big corporation in an identity crisis which proved unequipped to do something useful with it.

Some years ago I kept track of hundreds of examples of open data re-use in applications, websites and services. These included many that at some point ceased to exist. I had them categorised by the various phases of when they stalled. This because it was not just of interest which examples were brought to market, but also to keep track of the ideas that materialised in the many hackathons, yet never turned into an app or service. Things that stalled during any stage between idea and market. An idea that came up in France but found no traction, might however prove to be the right idea for someone in Lithuania a year later. An app that failed to get to market because it had a one-sided tech oriented team, might have succeeded with another team, meaning the original idea and application still had intrinsic use value.

Similarly Dopplr did not cease to exist because its intrinsic value as a service was lost, but because everything around it was hollowed out. Hollowed out on purpose, as a consequence of its funding model.

I bet many of such now-lost valuable services could lead a healthy life if not tied to the ‘exit-or-bust’ cycle. If they can be big enough in the words of Lee Lefever, if they can be a Zebra, not aiming to become a unicorn.

So, what are the actual impediments to bringing a service like Dopplr back? IP? If you would try to replicate it, perhaps yes, or if you use technology that was originally created for the service you’re emulating. But not the ideas, which aren’t protected. In the case of Dopplr it seems there may have been an attempt at resurrection in 2018 (but it looked like a copy, not a redo of the underlying idea).

Of course you would have to rethink such a service-redo for a changed world, with new realities concerning platforms and commonly used hardware. But are there actual barriers preventing you to repeat something or create variations?

Or is it that we silently assume that if a single thing has failed at some point, there’s no point in trying something similar in new circumstances? Or that there can ever only be one of something?



Repetitions and Variations, a beautiful Matisse exhibit we saw in 2012 in the Danish national art gallery in Copenhagen. Image by Ton Zijlstra, license CC BY-NC-SA


12 stages, 1 painting. I’m thinking the reverse, 1 sketch, 12 paintings. Image by Ton Zijlstra, license CC BY-NC-SA


Normandy Cliff with fish, times 3. Matisse ‘Repetitions and Variations’ exhibit. Image by Ton Zijlstra, license CC BY-NC-SA