In response to my question about overviews of GDPR decisions across the EU, GDPR Hub was mentioned, a project by noyb. noyb is the initiave of Max Schrems, a leading voice in ensuring GDPR enforcement by bringing cases against e.g. BigTech. I decided to become a nyob supporting member, and applied to volunteer for processing Dutch DPA and court decisions to be added to the GDPR Hub. A business colleague does something similar for market related court cases across the EU, and I see what value such a pan-EU resource has. Having a good and thorough overview of GDPR related decisions helps citizens to better argue their own cases where companies breach the GDPR. This makes it a source of agency, enabled by working together to ensure we all have the same information.
Since the start of this year I am actively tracking the suite of new European laws being proposed on digitisation and data. Together they are the expression into law of the geopolitical position the EU is taking on everything digital and data, and all the proposed laws follow the same logic and reasoning. Taken together they shape how Europe wants to use the potential and benefits of digitisation and data use, including specifically for a range of societal challenges, while defending and strengthening citizen rights. Of course other EU legal initiatives in parallel sometimes point in different directions (e.g. EU copyright regulations leading to upload filters, and the attempts at backdooring end-to-end encryption in messaging apps for mass surveillance), but that is precisely why to me this suite of regulations stands out. Where other legal initiatives often seem to stand on their own, and bear the marks of lobbying and singular industry interests, this group of measures all build on the same logic and read internally consistent as well as an expression of an actual vision.
My work is to help translate the proposed legal framework to how it will impact and provide opportunity to large Dutch government data holders and policy departments, and to build connections and networks between all kinds of stakeholders around relevant societal issues and related use cases. This to shape the transition from the data provision oriented INSPIRE program (sharing and harmonising geo-data across the EU), to a use needs and benefits oriented approach (reasoning from a societal issue to solve towards with a network of relevant parties towards the data that can provide agency for reaching a solution). My work follows directly from the research I did last year to establish a list of EU wide high value data sets to be opened, where I dived deeply into all government data and its governance concerning earth observation, environment and meteorology, while other team members did the same for geo-data, statistics, company registers, and mobility.
All the elements in the proposed legal framework will be decided upon in the coming year or so, and enter into force probably after a 2 year grace period. So by 2025 this should be in place. In the meantime many organisations, as well as public funding, will focus on already implementing elements of it even while nothing is mandatory yet. As with the GDPR, the legal framework once in place will also be an export mechanism of the notions and values expressed in it to the rest of the world. This as compliance is tied to EU market access and having EU citizens as clients wherever they are.
One element of the framework is already in place, the GDPR. The newly proposed elements mimic the fine structures of the GDPR for non-compliance.
The new elements take the EU Digital Compass and EU Digital Rights and Principles for which a public consultation is now open until 2 September as a starting point.
The new proposed laws are:
Digital Markets Act (download), which applies to all dominant market parties, in terms of platform providers as well as physical network providers, that de facto are gatekeepers to access by both citizens and market entities. It aims for a digital unified market, and sets requirements for interoperability, ‘service neutrality’ of platforms, and to prevent lock-in. Proposed in November 2020.
Digital Services Act (download), applies to both gatekeepers (see previous point) and other digital service providers that act as intermediaries. Aims for a level playing field and diversity of service providers, protection of citizen rights, and requires transparency and accountability mechanisms. Proposed in November 2020.
AI Regulatory Proposal (download), does not regulate AI technology, but the EU market access of AI applications and usage. Market access is based on an assessment of risk to citizen rights and to safety (think of use in vehicles etc). It’s a CE mark for AI. It periodically updates a list of technologies considered within scope, and a list of areas that count as high risk. With increasing risk more stringent requirements on transparency, accountability and explainability are set. Creates GDPR style national and European authorities for complaints and enforcement. Responsibilities are given to the producer of an application, distributors as well as users of such an application. It’s the world’s first attempt of regulating AI and I think it is rather elegant in tying market access to citizen rights. Proposed in April 2021.
Data Governance Act (download), makes government held data that isn’t available under open data regulations available for use (but not for sharing), introduces the European dataspace (created from multiple sectoral data spaces), mandates EU wide interoperable infrastructure around which data governance and standardisation practices are positioned, and coins the concept of data altruism (meaning you can securely share your personal data or company confidential data for specific temporary use cases). This law aims at making more data available for usage, if not for (public) sharing. Proposed November 2020.
Data Act, currently open for public consultation until 2 September 2021. Will introduce rules around the possibilities the Data Governance Act creates, will set conditions and requirements for B2B cross-border and cross-sectoral data sharing, for B2G data sharing in the context of societal challenges, and will set transparency and accountability requirements for them. To be proposed towards the end of 2021.
Open Data Directive, which sets the conditions and requirements for open government data (which build on the national access to information regulations in the member states, hence the Data Governance Act as well which does not build on national access regimes). The Open Data Directive was proposed in 2018 and decided in 2019, as the new iteration of the preceding Public Sector Information directives. It should have been transposed into national law by 1 July 2021, but not all MS have done so (in fact the Netherlands has just recently started the work). An important element in this Directive is EU High Value Data list, which will make publication of open data through APIs and machine readable bulk download mandatory for all EU member states for the data listed. As mentioned above, last year I was part of the research team that did the impact assessments and proposed the policy options for that list (I led the research for earth observation, environment and meteorology). The implementation act for the EU High Value Data list will be published in September, and I expect it to e.g. add an open data requirement to most of the INSPIRE themes.
Most of the elements in this list are proposed as Acts, meaning they will have power of law across the EU as soon as they are agreed between the European Parliament, the EU council of heads of government and the European Commission and don’t require transposition into national law first. Also of note is that currently ongoing revisions and evaluations of connected EU directives (INSPIRE, ITS etc.) are being shaped along the lines of the Acts mentioned above. This means that more specific data oriented regulations closer to specific policy domains are already being changed in this direction. Similarly policy proposals such as the European Green Deal are very clearly building on the EU digital and data strategies to achieving and monitoring those policy ambitions. All in all it will be a very interesting few years in which this legal framework develops and gets applied, as it is a new fundamental wave of changes after the role the initial PSI Directive and INSPIRE directive had 15 to 20 years ago, with a much wider scope and much more at stake.
My first reading of the yet to be published EU Regulation on the European Approach for Artificial Intelligence, based on a leaked version, I find pretty good. A logical approach, laid out in the 92 recitals preceding the articles, based on risk assessment, where erosion of human and citizen rights or risk to key infrastructure and services and product safety is deemed high risk by definition. High risk means more strict conditions, following some of the building blocks of the GDPR, also when it comes to governance and penalties. Those conditions are tied to being allowed to put a product on the market, and are tied to how they perform in practice (not just how they’re intended). I find that an elegant combination, risk assessment based on citizen rights and critical systems, and connected to well-worn mechanisms of market access and market monitoring. It places those conditions on both producers and users, as well as other parties involved along the supply chain. The EU approach to data and AI align well this way it seems, and express the European geopolitical proposition concerning data and AI, centered on civic rights, into codified law. That codification, like the GDPR, is how the EU exports its norms to elsewhere.
The text should be published soon by the EC, and I’ll try a write-up in more detail then.
Facebook has warned that it may pull out of Europe if the Irish data protection commissioner enforces a ban on sharing data with the US, after a landmark ruling by the European court of justice found in July that there were insufficient safeguards against snooping by US intelligence agencies.
Never issue a threat you’re not really willing to follow up on… FB says it might stop servicing EU citizens because it isn’t allowed to transfer their data to US servers over data protection concerns. To me it would seem good news if the FB data-kraken would withdraw its tentacles. It is also an open admission that they can’t provide their service if it is not tied to adtech and the rage-fed algorithmic timeline built on detailed data collection. Call it, I’d say.
Welcome home, again, Alberto. What a nice write-up. When my (then Honduran) brother in law received his Dutch nationality, we as family attended a similar session with him in his hometown Utrecht. Although it was definitely more formal (with an oath and all that jazz), it was also very festive and relaxed and not just a routine.
Of course it does mean that as a Dutchman I now get to make Belgium jokes about you. But luckily that goes both ways, you get to tell Dutch jokes about me. Brussels is one of those places that prove every time I visit that Europe works.
Last weekend it was 30 years ago the Wall/iron curtain fell. I sat in front of the tv deep into the night watching German live tv. Having visited Eastern Germany just two years before it, I cried watching. I felt a strong urge to go there, but it wasn’t my place I also felt, not my personal history being made and I didn’t want to be a spectator in their midst. It was my neighbour’s, Rainer’s, history, who fled Eastern Germany with his parents as the iron curtain came up in ’61, while his sister stayed as she was freshly in love. Their lives separated for almost 3 decades, punctuated by his visits as often as he was allowed in. Their parents never being allowed back in. I remember in ’87 getting into an argument with an East-Berlin civil servant who told us the wall was there as a ‘Anti-Fascist Protection Rampart’ against the/us fascists in the West. It was so much cognitive dissonance for me that the Wall was supposedly there to keep me out, but yet here I was let in, just not them let out. A prison with the key on the inside. He couldn’t acknowledge my comment obviously, which I couldn’t in turn accept as a teenager. Now, as I’ve worked in various places and settings, where diplomacy is the only way forward, allowing others to save face, and room to manoeuvre to get somewhere, I know why there was no way at all I would have ‘won’ being right that day in East-Berlin city hall. Yet I was, empathy against bureaucracy is/should always be right.
Last weekend it was also 81 years ago that Nazis roamed the streets in Germany trashing Jewish owned businesses, homes and synagogues, and the murder of hundreds and internment in concentration camps of some thirty thousand German citizens of Jewish faith, Kristallnacht.
Oddly enough it is in the regions most affected by the separation of the Wall, Thuringia and Saxony, that the fascist echoes ring the loudest in Germany these days, where AfD. ‘alternative for Germany’ finds an electoral feeding ground. Or maybe it is not surprising, as societal complexity may make you yearn for the (imagined) simplicity of something that never was, exchange the simplicity of one authoritarian construct for another, or at least to blame someone, anyone, some mythical Other, for the baffling complexity around us.
All three of these things are important and current to my own life in different ways. As is the next.
Today I was in Brussels, a very complicated city in an equally complicated country in its own right. Whatever you can say about this place, and here too nationalist (or rather regionalist) sentiments boil, there is beauty in the elegance of dealing with otherness here. Where you are being spoken to in French or Dutch, and answer in a mixture of French, Dutch and English, or vice versa, and it’s all fine. Where the hotel barman tonight has a distinctive Flemish/Dutch name, Gert, yet is Walloon, and we both shrug and say, yeah Europe is complicated, and we appreciate each other’s efforts to be understood and embrace how our lands have been the crossroads of so many different things. It’s fitting that the EU has its institutions in both Brussels and Luxembourg, the two linguistically most confused/mixed cities in Europe.
E and I often remark to each other when we encounter situations like me and the barman above how ‘Europe works’. Last time I was here in Brussels, over dinner I sat next to a family of 4 who amongst themselves effortlessly conversed in Italian, Dutch and German, while fluently ordering in French. I texted to E that very phrase, “Europe works”, not for the first time. It’s our regular shorthand for what the EU has achieved, starting from co-governing the coal and steel works of 6 nations in 1951 so that none of us could build up a war machine without the others being able to stop it, to what the EU is now and how it plays out practically in the lives of us, our networks and the people we encounter across the continent. I intimately know the divisions national borders created within my own family, as well as the deep pain on all sides and resentment of World War II. Equally, I deeply know in my bones what we’ve all gained when freedom of movement kicked in 27 years ago (it’s a tangible sensation every time I personally or professionally do something where there before was a fence), as well as how it makes my professional life possible. Yet across the EU, which from my travels around the world I know to be a place of such enormous abundance (which is not a synonym for perfection nor utopia), resentment against those gains has built. While I recognise the things that feed into that resentment, all too often it smacks of Kristallnacht. It reeks. German rock-band BAP, singing in the Cologne dialect which in itself is a testament to the age-old connection between my own lands of origin and Germany (I can use may own Dutch dialect deep into Germany without issue of being understood, and Cologne’s dialect is akin to my own), sketches out the political pantomime of the copy-cat fascists perfectly. Their 1982 song is just as pertinent in 2019.