The fourth industrial revolution has been fueled by an explosion of information. From social media to home appliances - everything produces data. This includes details about our health, location, preferences, and behaviours. The amount of data we create is expected to grow exponentially, and around 150 years from now digital bits would exceed atoms on Earth¹. Only in 2020, 79 trillion gigabytes of data were generated². But where does all the data go, who owns it and has the right to use it, and what is the best way to share it? This article sets out to summarise the main data debates and the European Union’s (EU) regulations that arise from them. In particular, you will learn about:

• Advantages and disadvantages of big data
• Why it is hard to control your private and personal information
• The European data strategy
• The General Data Protection Regulation (GDPR)
• The Data Act
• Common data spaces:
• European Single Access Point (ESAP) for the financial sector
• European data spaces for manufacturing
• European Dataspace for Smart Circular Applications (EDSCA) for achieving the objectives of the Green Deal
• Benefits of creating common data spaces

‍

Advantages and disadvantages of big data

Consumer data can be used for various purposes. Some data applications are promising, while others are potentially harmful. Diverse aggregated data delivers richer insights and helps in meeting the needs of new products and services. For example, the use of data has the potential to allocate resources better to fight malaria, consequently saving up to 5 billion euros³. Furthermore, harmonised data collection can enable large-scale collaboration, hence accelerating innovations⁴ in such fields as AI⁵ and circular economy. Data pooling also creates an opportunity to increase transparency and data sovereignty by keeping companies and individuals who generated it in control and empowering those stakeholders affected by data processing to access it.

At the same time, risks to privacy and security arise when personal data is handled inappropriately⁶. Security breaches or loss of data are almost inevitable, while privacy protection is costly and time-consuming, unless effective legal and technological measures are put in place.

Sometimes, the benefits of data are not accessible to all, creating knowledge and power asymmetry between firms who own the data and individuals who do not⁷. Instagram and Facebook can see what people like and share, Google what we search for, Amazon what we buy. Big corporate players start accumulating capital by collecting and selling this behavioural and other data as a market commodity⁸. When Google began using personal data for advertisement, it managed to increase its revenues by a shocking 3590%⁷. Similarly, Facebook’s 2019 revenue accounted for 20% of the $333 billion worldwide digital advertising market. While businesses capture the growing potential of the data economy⁹, many data subjects pay little attention to what happens to their information.

‍

Why it is hard to control your private and personal information

There are two potential explanations as to why the majority of the users are careless with their data, even when such an attitude is unfavourable. First, it might lie in the fact that consumers are not yet accustomed to seeing data as a unit of exchange, thinking in conventional monetary terms. Unless it is money, it is not valuable, or not valuable enough. Another explanation might be that data subjects do not see data as something that can be owned.

Some people stress the need not only to start treating data as a tradable property that can be owned but also as a fundamental right to privacy⁴. However, by doing so, they forget that privacy and data protection is already a human right in many jurisdictions¹⁰. For example, Article 8 of the EU Charter of Fundamental Rights - which was created in 2000 - states¹¹:

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

In those regions where data regulations are already in place, then, the problem lies within the weak legal regimes that do not develop fast enough and cannot account for nascent threats. To utilise the benefits of data proliferation without suffering the risk associated with it, successful data management has to enhance the flow of information in the economy while simultaneously effectively protecting it. The issue calls for tighter and detailed technological regulations, and policymakers in the European Union (EU) are starting to respond to this.

‍

The European data strategy

At the centre stage of these efforts to ensure the effectiveness of regulation is the EU, with its dynamic and innovative data economy that is estimated to grow to 829 billion euros by 2025³. In February 2020, the European Commission published the European data strategy. The framework sets a general direction for data regulations. The strategy increases the availability of data for better EU-wide decision-making, while keeping those who generated it in control. ‍

The priorities are:

• To set up a single market for data, where
• data can flow within the EU
• European privacy, data protection, and competition rules are fully respected
• the rules for access and use of data are practical and clear
• To establish a secure and dynamic data economy by:
• pooling data in key sectors with data spaces
• setting clear and fair rules on access
• investing in tools to store and process data
• joining forces in cloud capacity
• giving users rights, tools, and skills to control their data

The strategy for data is not only limited to guaranteeing privacy but also focused on ensuring secure management of the data economy as public infrastructure, which includes handling (collection, storage, and distribution) of data. The key data management inititatives are the General Data Protection Regulation (GDPR), Data Act, and European data spaces (the European Single Access Point, data spaces for smart manufacturing, and the European Dataspace for Smart Circular Applications).

‍

The General Data Protection Regulation (GDPR)

In May 2018, the EU rolled out the General Data Protection Regulation (GDPR). The GDPR is believed to be one of the most rigid privacy and security regulations in the world⁹. It establishes a harmonised framework for the protection of personal data by setting requirements for collecting, storing, and managing it¹².

The regulation applies to¹³:

1. All EU-based firms handling users’ data
2. All non-EU firms targeting people living within the union and processing their data
   ‍

The GDPR describes 6 conditions under which firms have a right to collect personal data. For example, a presence of a formal opt-in of a data subject. In all of these cases, firms are required to be transparent about how the data is managed¹³. The minimum information to be included is:

• Who is processing data
• Why is it being processed
• On what legal basis
• Who will receive it
  ‍

Another focus area of the regulation is users’ empowerment. The increased transparency around what happens to the data gives the subjects the right - after the it has been collected - to access, rectify, erase, and transfer the data, as well as to lodge a complaint about data usage¹².

Within organisations that regularly process large scales of users’ data as a core business activity, compliance with these requirements has to be monitored by a data protection officer designated by the company. The officer serves as a contact point for data subjects and the Data Protection Authority. The officer is also responsible for keeping a record of company acts. Firms that violate the EU’s privacy rules risk fines up to either 4% of their annual turnover or 20 million euros. Furthermore, additional measures such as an order requesting to stop data handling might be considered.

The GDPR is a complex and elaborate law, so not all the requirements can be summarised in a single paragraph. If desired, find more details on the regulation here.

‍

The Data Act

The European Data Act is the first deliverable of the European data strategy¹⁴. The proposal was published on February 23rd 2022 and is to enter into force by mid-2024. The European Data Act aims to make valuable data more accessible between companies and consumers in all economic sectors¹⁵. It harmonises rules on fair access to and use of data, cloud switching, and transfers by setting relevant obligations for stakeholders.

Such obligations are of a contractual, commercial, and technical nature and specify who, other than manufacturers or other data holders, is entitled to access the data generated by products, under which conditions and on what basis. Examples of the requirements are designing products in a way that makes the data they collect easily accessible by default, ensuring a secure transfer of data to other providers, or pushing providers to prevent access to unlawful third-party access to non-personal data held in the EU. These stakeholders affected by the regulation are companies handling data, providers of Internet of things products, and cloud services providers. Fines will be imposed on those non-compliant with the requirements.

As regulations, the GDPR and the European Data Act set rules governing obligations for organisations handling data to protect consumer data and encourage information sharing. However, to fulfil some of its obligations, the policies need to be complemented by a relevant digital infrastructure. For example, to ensure a secure transfer of data to other providers, a system that can read data in a single format must be established to make a successful data transfer. In part, this is fulfilled by the introduction of industry-specific common European data spaces.

‍

Common European data spaces

The European strategy for data includes an objective to create common and interoperable data spaces³. Data spaces will connect governance frameworks (e.g. the GDPR and the European Data Act) and relevant digital infrastructure (tools and services) for secure and scalable data merging, processing, and sharing across the EU¹⁶. The data to be stored in the European data spaces is the information that must be made public in accordance with the EU legislation (e.g. CSRD, GDPR) or the voluntarily shared information.

The European data spaces are currently being created in 14 fields of economic and public interests, with an intention to gradually enlarge to other sectors:

1. Financial
2. Public administration
3. Health
4. Agriculture
5. Manufacturing
6. Energy
7. Mobility
8. Skills
9. The European Open Science Cloud
10. The Green Deal objectives
11. Tourism
12. Construction
13. Media
14. Cultural heritage
    ‍

European Single Access Point (ESAP) for the financial sector

One of the data spaces currently being developed for the financial sector is the European Single Access Point (ESAP)¹⁷. The European Single Access Point offers an ability to examine public financial and sustainability-related information that firms operating in the EU have to share in accordance with the standards for reporting, such as the Sustainable Finance Disclosure Regulation, the EU Taxonomy, and the Corporate Sustainability Reporting Directive (CSRD). The measure aims to ensure that key stakeholders such as investors, banks, customers, and consumers can easily access the required information about entities and products.

Read more about reporting requirements of the CSRD.

The proposal text describes a set of technical principles to be followed when collecting the information:

1. The accumulation of data will be monitored by designated collection bodies¹⁸.
2. Firms will have to submit their information to a collection body in a machine-readable format at the same time as they make the data public.
3. The platform is to build upon existing EU and national IT infrastructure in order to avoid adding to companies’ reporting burden¹⁹.
4. It will include a ‘file only once principle’, meaning that firms should only have to report once and to one authority, with as little additional formatting and reporting requirements as possible to avoid duplication.

The initiative is going to be gradually implemented from 2024 to 2026.

European data spaces for manufacturing

In the industrial sector, the data spaces for smart manufacturing aim to enable key actors in the supply chain (e.g. supplier, client, service provider), including those firms involved with the circular economy (e.g. remanufacturing and recycling companies), to access large amounts of manufacturing data²⁰. Thus, addressing the industrial data silos and high fragmentation of the supply chain digitalisation.

The dataspaces are now being created for specific value chains through several workshops with stakeholders. Some questions under discussion are:

1. What data (design/maintenance/product engineering/supply chain planning/etc.; historical/live) to share
2. Which subsector to focus on
3. Whether to implement the data space in a centralised or distributed way

In November 2021, the Commission published a call for proposals to establish two viable manufacturing data spaces. The work started around July-September 2022 and will last 1-2 years.

European Dataspace for Smart Circular Applications (EDSCA)

Similarly, there is a plan to create several data spaces for information necessary for reaching the objectives of the European Green Deal²⁰. One of these data spaces is the European Dataspace for Smart Circular Applications (EDSCA), which is going to be a registry that will make available the relevant data for enabling circular value creation along supply chains. This data will be related to such applications and services as:

• Digital Product Passports (DPPs)
• Resource mapping
• Consumer information
  ‍

The call for proposals for working on the data space was published in 2021 and the project started around July-September 2022 and will last for 2 years. The EDSCA is planned to first assist in the creation of DPPs for electronics and batteries and then to expand to textiles and building materials.

Read more about the DPPs and the requirements for the battery passports and/or contact us to discuss it.

Benefits of creating common data spaces

The European Commission sees several key advantages in setting up data spaces¹⁶.

1. First of all, the common and interoperable format can enable the pooling of a wide range of first-party data together. This data, in turn, has the potential to be used for the public good and the development of new data-driven innovative products.
2. Second, European data spaces can make the information organisations have to report accessible for the data subject and for the stakeholders affected by the data processing. Accessibility of data, in turn, enhances transparency.
3. Third, the data spaces have the potential to enhance data control, when data holders get the ability to use the tool to, for example, upload data in a single format, and make changes to access rights.
   ‍

Ultimately, the European Commission believes the standards will provide a coordinated technical infrastructure prioritising the findable, accessible, interoperable and reusable principles. It is essential to bear in mind, however, that whether all these aspirations become a reality depends greatly on the implementation of the strategy, as well as its effectiveness in addressing key challenges associated with data processing mentioned in the beginning of the blog post.

‍

Conclusion

Big data can be used for various reasons. Some data applications are promising, while others are potentially harmful. To help utilise the benefits of data proliferation without suffering the risk associated with it, a system governing the data economy that sets strict harmonised rules for data handling should be set up. The steps in this direction have been taken by the EU.

The European data strategy sets a general direction for data regulation, prioritising the single market for data and data economy. Following from the strategy, the General Data Protection Regulation sets out to protect users’ personal data. The European Data Act establishes the harmonised rules to encourage information sharing by service providers and firms handling data. The regulations require the establishment of industry-specific common European data spaces (e.g. the European Single Access Point (ESAP) for the financial sector, European Dataspace for Smart Circular Applications (EDSCA) for reaching the objectives of the Green Deal, and two other dataspaces for smart manufacturing that are yet to be defined). These spaces connect the aforementioned governance frameworks with relevant digital infrastructure for secure and scalable data merging, processing, and sharing.

Besides the GDPR that came into effect in 2018, other policy measures are still in development. The European Data Act will only be implemented by mid-2024. The least progress has been made with data spaces. Among them, most defined are the data spaces in the financial sector. The main challenge in policy formulation for other sectors seem to lie in defining what data to share and through which medium (e.g. centralised versus decentralised storage).

To be ready for the new requirements for data spaces, firms need to start preparing now. For example, the regulations around the ESAP and EDSCA require information - such as data to be included in DPPs or annual management reports - to be disclosed in a machine-readable format. Hence, already now, organisations can start thinking on how to implement a new secure and scalable enterprise system for storing and sharing data that is to be made public.

Stakeholders should closely monitor the policy progress because the European data strategy, being the first fully fledged data management framework, will define how the narrative around big data (should data owned, be seen as a unit of exchange or perceived as a fundamental right, and other) will evolve and, most importantly, will test how to implement it practice.

Want to know more about other regulations mentioned in this article? Read our blog post explaining the DPPs, Battery Passports, and CSRD.