Tag: da

Posted on
by

Over at Netzpolitik two leaked draft texts for new EC proposals w.r.t. data and digital legislation have been published. I’ve been reading them the past days, though not yet finished. In a week the final proposal should be announced by the EC. That they have been leaked beforehand tells you there’s some differences of opinion within the EC on this, giving the outside a way to read ahead and mount criticism in time.

The EC’s goals for digital regulation this period are simplification, consistency and clarity. In consultations for the upcoming European Data Union Strategy, I and others put forward to please not merely interpret ‘simplification’ as rule slashing. Simplification can also mean making it much easier to demonstrate compliance. And it would also help if the EC would come out and say the quiet part out loud: that a lot of wat is now presented by third parties as cumbersome regulation is in reality malicious compliance by those third parties. The annoying cookie walls of the past years e.g. are not in any way required by regulation, it’s just the single most annoying way for third parties to deal with it so you might think the EC is the problem. Tracking is the problem, that adtech is fundamentally in conflict with the rules is the problem. It’s not a ‘compliance burden’ if your actions bump into the law. That’s properly called ‘illegal actions’. Simplification in short could also mean a much clearer enforcing of existing rules, as most digital regulation now has very little in the way of actual consequences for third parties, and none that rise above the ‘cost of doing business’.

There are two ‘Omnibus’ proposals in the works, meaning a proposal that makes changes to a number of existing laws at the same time.

One deals with data regulations. It amends the Data Act in such a way that the Data Governance Act, the Open Data Directive and the Free Flow of Non-Personal Data Regulation all get repealed, and mostly incorporated into the Data Act. I’m working my way through the meaning of that still, at 90 pages of text it’s not a quick read. But one thing stands out immediately to me: the Open Data rules until now were a Directive, meaning every Member State would create a national law to implement it. The entirety now gets added to a Regulation (Act), meaning it has immediate working across the EU. This is something I and others have long (like since 2008 more or less) called for, because as a directive it means there’s differences between countries in how open data gets interpreted. What can be open data is currently based on the national information access regimes and not on a unified European notion. I still need to explore how that would play out in the new Omnibus. This first Omnibus also touches the GDPR, and that is something to be careful about too.

The other Omnibus is aimed at the AI Act and the GDPR. I haven’t looked at this one at all yet. But around the web I see fears and first takes that the GDPR will get weakened to feed AI model training, a.o. by stretching the notion of ‘legitimate interest’ in ways that make Facebook’s attempt at interpretation of the term in the past years seem conservative. It used to be that legitimate should be read as ‘lawful’ (e.g. I need your name if I’m to send you an invoice, because I’m legally obliged to put that on the invoice), but we seem to shift to where the interpretation of legitimate is as ‘justifiable’, and at that in the very generic meaning of ‘well, I have my reasons, ok?’. Another step, judging by what others have posted, seems to do away with the notion that inferred data can be collection of personal data (As in, I did not ask you about your religion and stored that, but I inferred it from tracking your visits to websites of houses of worship).

In a week we will know what the proposals of the EC really are. Until then I will be reading the leaked drafts, to see what mechanisms are being created, dumped and altered.

Posted on
by

Some good movement on EU data legislation this month! I’ve been keeping track of EU data and digital legislation in the past three years. In 2020 I helped determine the content of what has become the High Value Data implementing regulation (my focus was on earth observation, environmental and meteorological data), and since then for the Dutch government I’ve been involved in translating the incoming legislation to implementing steps and opportunities for Dutch government geo-data holders.

AI Act

The AI Act stipulates what types of algorithmic applications are allowed on the European market under which conditions. A few things are banned, the rest of the provisions are tied to a risk assessment. Higher risk applications carry heavier responsibilities and obligations for market entry. It’s a CE marking for these applications, with responsibilities for producers, distributors, users, and users of output of usage.
The Commission proposed the AI Act in april 2021, the Council responded with its version in December 2022.

Two weeks ago the European Parliament approved in plenary its version of the AI Act.
In my reading the EP both strengthens and weakens the original proposal. It strengthens it by restricting certain types of uses further than the original proposal, and adds foundational models to its scope.
It also adds a definition of what is considered AI in the context of this law. This in itself is logical as, originally the proposal did not try to define that other than listing technologies in an annex that were deemed in scope. However while adding that definition, they removed the annex. That, I think weakens the AI Act and will make future enforcement much slower and harder. Because now everything will depend on the interpretation of the definition, meaning it will be a key point of contention before the courts (‘my product is out of scope!’). Whereas by having both the definition and the annex, the legislative specifically states which things it considers in scope of the definition at the very least. As the Annex would be periodically updated, it would also remain future proof.

With the stated positions of the Council and Parliament the trilogue can now start to negotiate the final text which then needs to be approved by both Council and Parliament again.

All in all this looks like the AI Act will be finished and in force before the end of year, and will be applied by 2025.

Data Act

The Data Act is one of the building blocks of the EU Data Strategy (the others being the Data Governance Act, applied from September, the Open Data Directive, in force since mid 2021, and the implementing regulation High Value Data which the public sector must comply with by spring 2024). The Data Act contains several interesting proposals. One is requiring connected devices to not only allow users access to the (real time) data they create (think thermostats, solar panel transformers, sensors etc.), as well as allowing users to share that data with third parties. You can think of this as ‘PSD2-for-everything’. PSD2 says that banks must enable you to share your banking data with third parties (meaning you can manage your account at Bank A with the mobile app of Bank B, can connect your book keeping software etc.). The Data Act extends this to ‘everything’ that is connected. Another interesting component is that it allows public sector bodies in case of emergencies (floods e.g.) to require certain data from private sector parties, across borders. The Dutch government heavily opposed this so I am interested in seeing what the final formulation of this part is in the Act. Other provisions make it easier for people to switch platform services (e.g. cloud providers), and create space for the European Commission to set, let develop, adopt or mandate certain data standards across sectors. That last element is of relevance to the shaping of the single market for data, aka the European common data space(s), and here too I look forward to reading the final formulation.

With the Council of the European Union and the European Parliament having reached a common text, what rests is final approval by both bodies. This should be concluded under the Spanish presidency that starts this weekend, and the Data Act will then enter into force sometime this fall, with a grace period of some 18 months or so until sometime in 2025.

There’s more this month: ITS Directive

The Intelligent Transport Systems Directive (ITS Directive) was originally created in 2010, to ensure data availability about traffic conditions etc. for e.g. (multi-modal) planning purposes. In the Netherlands for instance real-time information about traffic intensity is available in this context. The Commmission proposed to revise the ITS Directive late 2021 to take into account technological developments and things like automated mobility and on-demand mobility systems. This month the Council and European Parliament agreed a common text on the new ITS Directive. I look forward to close reading the final text, also on its connections to the Data Act above, and its potential in the context of the European mobility data space. Between the Data Act and the ITS Directive I’m also interested in the position of in-car data. Our cars increasinly are mobile sensor platforms, to which the owner/driver has little to no access, which should change imo.