Per deze maand moet het in alle EU landen mogelijk zijn om digitaal een onderneming op te richten. Nederland is nog lang niet zover, zelfs amper begonnen met de benodigde wetswijzigingen, lees ik bij jurist Ellen Timmer in een blogpost. Daarin wordt ook verwezen naar de Nederlandse notarissen die zeggen per 1 augustus wél klaar te zijn voor wat ze ‘digitaal passeren’ noemen, en een video hebben gemaakt waarin ze denken dat te laten zien.

(link naar de video van de Nederlandse Notarissen op YouTube)

Als ik die video bekijk zie ik niet het digitaal oprichten van een onderneming. Ik zie daarin dat de notaris bereid is om een afspraak met je te maken om een videoconference met je te houden. Het gesprek ten kantore van de notaris is vervangen door een Zoom call en de documenten zijn vervangen door een PDF. Dat is geen digitale transformatie, waarin de mogelijkheden van digitalisering worden gebruikt om de wijze waarop iets tot stand komt vele malen effectiever, sneller en wrijvingslozer te maken, meestal door het proces geheel om te gooien.
De notarissen staat kennelijk alleen voor ogen het digitaal maken van wat papieren artefacten, en een beeldscherm te gebruiken voor het gebruikelijke gesprek, en de rest geheel bij het oude(*) te laten. ‘Passeren’ wordt niet digitaal door er ‘digitaal passeren’ van te maken. Dat is zoals de KvK die je nog altijd formulieren op hun site laat invullen, die je vervolgens moet printen om ze te ondertekenen en per post in te sturen, en dat dan het digitaal doorgeven van wijzigingen noemen. Met digitalisering heeft dat allemaal nauwelijks iets te maken.

Ter vergelijking kun je als niet-ingezetene in Estland, met behulp van je e-residency kaart (de mijne is verlopen) die je identiteit cryptografisch borgt, al sinds 6 jaar in een uurtje of twee (al is de recordtijd 18 minuten) geheel zelfstandig vanuit elke locatie ter wereld en op elk tijdstip een onderneming registreren. De Nederlandse variant kan dat niet, want het moet wel onder kantoortijd van de notaris, en die moet bovendien tijd voor je hebben. Wat er digitaal kan bij de Nederlandse notaris, kan pas nadat ik heb gebeld voor een afspraak zodat ik er over 3 weken terecht kan. (En als de notaris er nog niet is voor je afspraak, word je in een ‘digitale wachtkamer’ geplaatst!) In de tijd die het kost om een notaris te kiezen en daarmee die afspraak te maken ben je in Estland al klaar met het hele proces. Want daar hebben ze het registratieproces wél herontworpen vanuit wat er digitaal mogelijk is.

De uitleg van hoe je in Estland digitaal een bedrijf start wordt dan ook gegeven door de mensen die de overheidswebsite hebben gemaakt, niet door een notaris. En beperkt zich tot het uitleggen welke velden je moet invullen en welke vinkjes je moet zetten.

(link naar een webinar over het digitaal registreren van een bedrijf in Estland

* ‘het oude’ als in de papieren processen gebaseerd op de wet op het Notarisambt van 1842 en de wijzigingen uit 1999.

Open Street Map has the option to add the location, type and viewing angle of surveillance cameras.
Peter wrote about adding the cameras in his neighbourhood to the map, and says ‘we didn’t have to walk far‘ to add 47 cameras, including his own door bell. Cameras are added to Open Street Map but not shown in the usual map interfaces. The Open Street Map wiki does list a number of projects that render this information. These projects have different areas of focus and different selection criteria for information included it seems. One of them that seems most comprehensive is Surveillance Under Surveillance.

It shows about 3500 cameras listed in the Netherlands, surely a tiny fraction of the total.

And only a handful in my city, none in my neighbourhood. Again, a low number far from reality.

This reminds of a game that, I think Kars Alfrink and/or Alper Çuğun conceptualised, where you had to reach a destination in Amsterdam avoiding the views of the cameras along the way. It also reminds me how a former colleague had some basic camera detection device in his car years ago that became useless as surveillance cameras at private homes increased in numbers. It detected not just speeding camera signals, but also all those other cameras. At some point driving down a residential street, especially in more affluent neighbourhoods, the warning noises the device made were constant.

I’ll be on the lookout for cams in our area. There are I know two in our court yard (one on our frontdoor, not connected though, and one on a neighbour’s frontdoor).

I’ve been using the Post Kinds plugin for a few years on this WordPress site. It allows you to easily style a specific type of posting (a like, bookmark, reply, rsvp, read, check-in etc), it automatically pulls in the relevant information form the posting you’re reacting to, and adds the right machine readable micro-formats so that if you ping the source website that site can see if it is a direct reply, a like, a regular mention etc.

David Shanske deserves a lot of credit for creating and maintaining this valuable WP plugin, and for his contributions to the IndieWeb community over the years. Yet I always kept some reservations even while I’ve been depending on the Post Kinds plugin. One thing was the ability to shape how these post kinds look, meanwhile addressed. One is it prevents me from adopting Gutenberg in WordPress, even while others (of the few) plugins I use are moving to a Gutenberg only stance, meaning conflict and/or hard choices lie in the near future of this blog.

Most of all however I balk at how information around a post kind gets stored. To me the thing I am reacting to is an inherent and equal part of my posting. Because pointing to the thing I’m reacting to is nothing other than a hyperlink, the core feature of the web itself. That in the case of a post kind such a hyperlink is more fancily handled and presented does not change that. However the thing I am reacting to gets lifted outside the posting and is stored differently in the WordPress database by Post Kinds. This has as a consequence that should I switch off Post Kinds the connection between my postings and what it is reacting to is severed, even if it is still in the database. It changes “Reply to hyperlink.tld: That’s a great idea” to “That’s a great idea”, which is a serious loss of meaning. In that way Post Kinds becomes a lock-in and a potential single point of failure that breaks the web, at least my part of the web that this blog forms. The two images below demonstrate the effect:

A ‘like’ posting with Post Kinds enabled

The same posting without Post Kinds, which means a serious loss of information because the actual hyperlink to the thing discussed disappears

So I want to break out of that lock-in, and find a work around. This means all relevant info about the thing I am reacting to should be in the actual posting. My current idea is that I will create simple templates for the post kinds I actually have used until now, and put them behind a keyboard shortcut. That way I can ensure the right micro-formats are used for others to interpret. Over time I can replace the existing Post Kinds dependent postings (about 900 in this blog) in the same way, clearing the way for switching it off entirely. This should increase the autonomy of keeping this blog, and decrease dependencies.

Amazon has been fined 746 million Euro by the Luxembourg DPA (where Amazon’s EU activities reside). In its response Amazon shows it isn’t willing to publicly acknowledge to even understand the EU data protection rules.

There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed., said an Amazon spokesperson according to Techcrunch.

Those facts are of course undisputed because a data breach or exposure of data to third parties is not a prerequisite for being in breach of GDPR rules. Using the data yourself in ways that aren’t allowed is plenty reason in itself for fines the size of a few percentage points of your global yearly turnover. In Amazon’s case the fine isn’t even a third of a percentage point of their turnover, so about a day’s worth of turnover for them: they’re being let-off pretty lightly actually compared to what is possible under the GDPR.

How Amazon uses the data it collects, not any breach or somesuch, is the actual reason for the complaint by La Quadrature du Net (PDF) filed with the Luxembourg DPA: the complaint “alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.” (emphasis mine)

The complaint and the ruling are laying bare the key fact Amazon and other tech companies aren’t willing to publicly comment upon: adtech in general is in breach of the GDPR.

There are a range of other complaints along these lines being processed by various DPA’s in the EU, though for some of those it will be a long wait as e.g. the Irish DPA is working at a snail’s pace w.r.t. complaints against Apple and Facebook. (The slow speed of the Irish DPA is itself now the subject of a complaint.)

Meanwhile two new European laws have been proposed that don’t chime with the current modus operandi of Amazon et al, the Digital Markets Act and the Digital Services Act, which both contain still bigger potential fines than the GDPR for non-compliance w.r.t. e.g. interoperability, service-neutrality, and transparency and accountability measures. And of course there are the European anti-trust charges against Amazon as well.

Amazon will of course appeal, but it can only ever be an attempt to gaslight and gloss over the fundamental conflict between adtech and GDPR. Let’s hope the Luxembourg DPA continues to see through that.

Since the start of this year I am actively tracking the suite of new European laws being proposed on digitisation and data. Together they are the expression into law of the geopolitical position the EU is taking on everything digital and data, and all the proposed laws follow the same logic and reasoning. Taken together they shape how Europe wants to use the potential and benefits of digitisation and data use, including specifically for a range of societal challenges, while defending and strengthening citizen rights. Of course other EU legal initiatives in parallel sometimes point in different directions (e.g. EU copyright regulations leading to upload filters, and the attempts at backdooring end-to-end encryption in messaging apps for mass surveillance), but that is precisely why to me this suite of regulations stands out. Where other legal initiatives often seem to stand on their own, and bear the marks of lobbying and singular industry interests, this group of measures all build on the same logic and read internally consistent as well as an expression of an actual vision.

My work is to help translate the proposed legal framework to how it will impact and provide opportunity to large Dutch government data holders and policy departments, and to build connections and networks between all kinds of stakeholders around relevant societal issues and related use cases. This to shape the transition from the data provision oriented INSPIRE program (sharing and harmonising geo-data across the EU), to a use needs and benefits oriented approach (reasoning from a societal issue to solve towards with a network of relevant parties towards the data that can provide agency for reaching a solution). My work follows directly from the research I did last year to establish a list of EU wide high value data sets to be opened, where I dived deeply into all government data and its governance concerning earth observation, environment and meteorology, while other team members did the same for geo-data, statistics, company registers, and mobility.

All the elements in the proposed legal framework will be decided upon in the coming year or so, and enter into force probably after a 2 year grace period. So by 2025 this should be in place. In the meantime many organisations, as well as public funding, will focus on already implementing elements of it even while nothing is mandatory yet. As with the GDPR, the legal framework once in place will also be an export mechanism of the notions and values expressed in it to the rest of the world. This as compliance is tied to EU market access and having EU citizens as clients wherever they are.

One element of the framework is already in place, the GDPR. The newly proposed elements mimic the fine structures of the GDPR for non-compliance.
The new elements take the EU Digital Compass and EU Digital Rights and Principles for which a public consultation is now open until 2 September as a starting point.

The new proposed laws are:

Digital Markets Act (download), which applies to all dominant market parties, in terms of platform providers as well as physical network providers, that de facto are gatekeepers to access by both citizens and market entities. It aims for a digital unified market, and sets requirements for interoperability, ‘service neutrality’ of platforms, and to prevent lock-in. Proposed in November 2020.

Digital Services Act (download), applies to both gatekeepers (see previous point) and other digital service providers that act as intermediaries. Aims for a level playing field and diversity of service providers, protection of citizen rights, and requires transparency and accountability mechanisms. Proposed in November 2020.

AI Regulatory Proposal (download), does not regulate AI technology, but the EU market access of AI applications and usage. Market access is based on an assessment of risk to citizen rights and to safety (think of use in vehicles etc). It’s a CE mark for AI. It periodically updates a list of technologies considered within scope, and a list of areas that count as high risk. With increasing risk more stringent requirements on transparency, accountability and explainability are set. Creates GDPR style national and European authorities for complaints and enforcement. Responsibilities are given to the producer of an application, distributors as well as users of such an application. It’s the world’s first attempt of regulating AI and I think it is rather elegant in tying market access to citizen rights. Proposed in April 2021.

Data Governance Act (download), makes government held data that isn’t available under open data regulations available for use (but not for sharing), introduces the European dataspace (created from multiple sectoral data spaces), mandates EU wide interoperable infrastructure around which data governance and standardisation practices are positioned, and coins the concept of data altruism (meaning you can securely share your personal data or company confidential data for specific temporary use cases). This law aims at making more data available for usage, if not for (public) sharing. Proposed November 2020.

Data Act, currently open for public consultation until 2 September 2021. Will introduce rules around the possibilities the Data Governance Act creates, will set conditions and requirements for B2B cross-border and cross-sectoral data sharing, for B2G data sharing in the context of societal challenges, and will set transparency and accountability requirements for them. To be proposed towards the end of 2021.

Open Data Directive, which sets the conditions and requirements for open government data (which build on the national access to information regulations in the member states, hence the Data Governance Act as well which does not build on national access regimes). The Open Data Directive was proposed in 2018 and decided in 2019, as the new iteration of the preceding Public Sector Information directives. It should have been transposed into national law by 1 July 2021, but not all MS have done so (in fact the Netherlands has just recently started the work). An important element in this Directive is EU High Value Data list, which will make publication of open data through APIs and machine readable bulk download mandatory for all EU member states for the data listed. As mentioned above, last year I was part of the research team that did the impact assessments and proposed the policy options for that list (I led the research for earth observation, environment and meteorology). The implementation act for the EU High Value Data list will be published in September, and I expect it to e.g. add an open data requirement to most of the INSPIRE themes.

Most of the elements in this list are proposed as Acts, meaning they will have power of law across the EU as soon as they are agreed between the European Parliament, the EU council of heads of government and the European Commission and don’t require transposition into national law first. Also of note is that currently ongoing revisions and evaluations of connected EU directives (INSPIRE, ITS etc.) are being shaped along the lines of the Acts mentioned above. This means that more specific data oriented regulations closer to specific policy domains are already being changed in this direction. Similarly policy proposals such as the European Green Deal are very clearly building on the EU digital and data strategies to achieving and monitoring those policy ambitions. All in all it will be a very interesting few years in which this legal framework develops and gets applied, as it is a new fundamental wave of changes after the role the initial PSI Directive and INSPIRE directive had 15 to 20 years ago, with a much wider scope and much more at stake.

The geopolitics of digitisation and data. Image ‘Risk Board Game’ by Rob Bertholf, license CC BY