The fourth industrial revolution has been fueled by an explosion of information. From social media to home appliances - everything produces data. This includes details about our health, location, preferences, and behaviours. The amount of data we create is expected to grow exponentially, and around 150 years from now digital bits would exceed atoms on Earth[1]. In 2020 alone, 79 trillion gigabytes of data were generated[2]. But where does all the data go, who owns it and has the right to use it, and what is the best way to share it? This article sets out to summarise the main data debates and the European Union’s (EU) regulations that arise from them. In particular, you will learn about:
Consumer data can be used for various purposes. Some data applications are promising, while others are potentially harmful. Diverse aggregated data delivers richer insights and helps in meeting the needs of new products and services. For example, the use of data has the potential to allocate resources better to fight malaria, consequently saving up to 5 billion euros[3]. Furthermore, harmonised data collection can enable large-scale collaboration, hence accelerating innovations[4] in such fields as AI[5] and circular economy. Data pooling also creates an opportunity to increase transparency and data sovereignty by keeping companies and individuals who generated it in control and empowering those stakeholders affected by data processing to access it.
At the same time, risks to privacy and security arise when personal data is handled inappropriately[6]. Security breaches or loss of data are almost inevitable, while privacy protection is costly and time-consuming, unless effective legal and technological measures are put in place.
Sometimes, the benefits of data are not accessible to all, creating knowledge and power asymmetry between firms who own the data and individuals who do not[7]. Instagram and Facebook can see what people like and share, Google what we search for, Amazon what we buy. Big corporate players start accumulating capital by collecting and selling this behavioural and other data as a market commodity[8]. When Google began using personal data for advertisement, it managed to increase its revenues by a shocking 3590%[7]. Similarly, Facebook’s 2019 revenue accounted for 20% of the $333 billion worldwide digital advertising market. While businesses capture the growing potential of the data economy[9], many data subjects pay little attention to what happens to their information.
There are two potential explanations as to why the majority of the users are careless with their data, even when such an attitude is unfavourable. First, it might lie in the fact that consumers are not yet accustomed to seeing data as a unit of exchange, thinking in conventional monetary terms. Unless it is money, it is not valuable, or not valuable enough. Another explanation might be that data subjects do not see data as something that can be owned.
Some people stress the need not only to start treating data as a tradable property that can be owned but also as a fundamental right to privacy[4]. However, by doing so, they forget that privacy and data protection is already a human right in many jurisdictions[10]. For example, Article 8 of the EU Charter of Fundamental Rights - which was created in 2000 - states[11]:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
In those regions where data regulations are already in place, then, the problem lies in weak legal regimes that do not develop fast enough and cannot account for nascent threats. To utilise the benefits of data proliferation without suffering the risk associated with it, successful data management has to enhance the flow of information in the economy while simultaneously protecting it effectively. The issue calls for tighter and more detailed technological regulations, and policymakers in the European Union (EU) are starting to respond to this.
At the centre stage of these efforts to ensure the effectiveness of regulation is the EU, with its dynamic and innovative data economy that is estimated to grow to 829 billion euros by 2025[3]. In February 2020, the European Commission published the European data strategy. The framework sets a general direction for data regulations. The strategy increases the availability of data for better EU-wide decision-making, while keeping those who generated it in control.
The priorities are:
To set up a single market for data, where
To establish a secure and dynamic data economy by:
The strategy for data is not limited to guaranteeing privacy; it is also focused on ensuring secure management of the data economy as public infrastructure, which includes handling (collection, storage, and distribution) of data. The key data management initiatives are the General Data Protection Regulation (GDPR), Data Act, and European data spaces (the European Single Access Point, data spaces for smart manufacturing, and the European Dataspace for Smart Circular Applications).
In May 2018, the EU rolled out the General Data Protection Regulation (GDPR). The GDPR is believed to be one of the most rigid privacy and security regulations in the world[9]. It establishes a harmonised framework for the protection of personal data by setting requirements for collecting, storing, and managing it[12].
The regulation applies to[13]:
The GDPR describes 6 conditions under which firms have a right to collect personal data. One example is a formal opt-in by the data subject. In all of these cases, firms are required to be transparent about how the data is managed[13]. The minimum information to be included is:
Another focus area of the regulation is users’ empowerment. The increased transparency around what happens to the data gives the subjects the right - after it has been collected - to access, rectify, erase, and transfer the data, as well as to lodge a complaint about data usage[12].
Within organisations that regularly process users’ data on a large scale as a core business activity, compliance with these requirements has to be monitored by a data protection officer designated by the company. The officer serves as a contact point for data subjects and the Data Protection Authority. The officer is also responsible for keeping a record of company acts. Firms that violate the EU’s privacy rules risk fines up to either 4% of their annual turnover or 20 million euros. Furthermore, additional measures such as an order requesting to stop data handling might be considered.
The GDPR is a complex and elaborate law, so not all the requirements can be summarised in a single paragraph. If desired, find more details on the regulation here.
The European Data Act is the first deliverable of the European data strategy[14]. The proposal was published on February 23rd 2022 and is to enter into force by mid-2024. The European Data Act aims to make valuable data more accessible between companies and consumers in all economic sectors[15]. It harmonises rules on fair access to and use of data, cloud switching, and transfers by setting relevant obligations for stakeholders.
Such obligations are of a contractual, commercial, and technical nature and specify who, other than manufacturers or other data holders, is entitled to access the data generated by products, under which conditions and on what basis. Examples of the requirements are designing products in a way that makes the data they collect easily accessible by default, ensuring a secure transfer of data to other providers, or pushing providers to prevent unlawful third-party access to non-personal data held in the EU. The stakeholders affected by the regulation are companies handling data, providers of Internet of things products, and cloud services providers. Fines will be imposed on those non-compliant with the requirements.
As regulations, the GDPR and the European Data Act set rules governing obligations for organisations handling data to protect consumer data and encourage information sharing. However, to fulfil some of their obligations, the policies need to be complemented by a relevant digital infrastructure. For example, to ensure a secure transfer of data to other providers, a system that can read data in a single format must be established to make a successful data transfer. In part, this is fulfilled by the introduction of industry-specific common European data spaces.
The European strategy for data includes an objective to create common and interoperable data spaces[3]. Data spaces will connect governance frameworks (e.g. the GDPR and the European Data Act) and relevant digital infrastructure (tools and services) for secure and scalable data merging, processing, and sharing across the EU[16]. The data to be stored in the European data spaces is the information that must be made public in accordance with the EU legislation (e.g. CSRD, GDPR) or the voluntarily shared information.
The European data spaces are currently being created in 14 fields of economic and public interests, with an intention to gradually enlarge to other sectors:
One of the data spaces currently being developed for the financial sector is the European Single Access Point (ESAP)[17]. The European Single Access Point offers the ability to examine public financial and sustainability-related information that firms operating in the EU have to share in accordance with the standards for reporting, such as the Sustainable Finance Disclosure Regulation, the EU Taxonomy, and the Corporate Sustainability Reporting Directive (CSRD). The measure aims to ensure that key stakeholders such as investors, banks, customers, and consumers can easily access the required information about entities and products.
Read more about reporting requirements of the CSRD.
The proposal text describes a set of technical principles to be followed when collecting the information:
The initiative is going to be gradually implemented from 2024 to 2026.
In the industrial sector, the data spaces for smart manufacturing aim to enable key actors in the supply chain (e.g. supplier, client, service provider), including those firms involved with the circular economy (e.g. remanufacturing and recycling companies), to access large amounts of manufacturing data[20], thus addressing the industrial data silos and high fragmentation of the supply chain digitalisation.
The dataspaces are now being created for specific value chains through several workshops with stakeholders. Some questions under discussion are:
In November 2021, the Commission published a call for proposals to establish two viable manufacturing data spaces. The work started around July-September 2022 and will last 1-2 years.
Similarly, there is a plan to create several data spaces for information necessary for reaching the objectives of the European Green Deal[20]. One of these data spaces is the European Dataspace for Smart Circular Applications (EDSCA), which is going to be a registry that will make available the relevant data for enabling circular value creation along supply chains. This data will be related to such applications and services as:
The call for proposals for working on the data space was published in 2021 and the project started around July-September 2022 and will last for 2 years. The EDSCA is planned to first assist in the creation of DPPs for electronics and batteries and then to expand to textiles and building materials.
The European Commission sees several key advantages in setting up data spaces[16].
Ultimately, the European Commission believes the standards will provide a coordinated technical infrastructure prioritising the findable, accessible, interoperable and reusable principles. It is essential to bear in mind, however, that whether all these aspirations become a reality depends greatly on the implementation of the strategy, as well as its effectiveness in addressing key challenges associated with data processing mentioned at the beginning of the blog post.
Big data can be used for various reasons. Some data applications are promising, while others are potentially harmful. To help utilise the benefits of data proliferation without suffering the risk associated with it, a system governing the data economy that sets strict harmonised rules for data handling should be set up. The steps in this direction have been taken by the EU.
The European data strategy sets a general direction for data regulation, prioritising the single market for data and data economy. Following from the strategy, the General Data Protection Regulation sets out to protect users’ personal data. The European Data Act establishes the harmonised rules to encourage information sharing by service providers and firms handling data. The regulations require the establishment of industry-specific common European data spaces (e.g. the European Single Access Point (ESAP) for the financial sector, European Dataspace for Smart Circular Applications (EDSCA) for reaching the objectives of the Green Deal, and two other dataspaces for smart manufacturing that are yet to be defined). These spaces connect the aforementioned governance frameworks with relevant digital infrastructure for secure and scalable data merging, processing, and sharing.
Besides the GDPR that came into effect in 2018, other policy measures are still in development. The European Data Act will only be implemented by mid-2024. The least progress has been made with data spaces. Among them, the most defined are the data spaces in the financial sector. The main challenge in policy formulation for other sectors seems to lie in defining what data to share and through which medium (e.g. centralised versus decentralised storage).
To be ready for the new requirements for data spaces, firms need to start preparing now. For example, the regulations around the ESAP and EDSCA require information - such as data to be included in DPPs or annual management reports - to be disclosed in a machine-readable format. Hence, organisations can already start thinking about how to implement a new secure and scalable enterprise system for storing and sharing data that is to be made public.
Stakeholders should closely monitor the policy progress because the European data strategy, being the first fully fledged data management framework, will define how the narrative around big data (should data be owned, seen as a unit of exchange, or perceived as a fundamental right, and so on) will evolve and, most importantly, will test how to implement it in practice.