On Feb. 19, the European Commission presented its much-awaited proposals on artificial intelligence, a data strategy and Europe’s digital future.

Despite huge media speculation in recent weeks on what it would say about facial recognition, the "White Paper on Artificial Intelligence" stopped well short of recommending a two- to three-year ban that had appeared in earlier leaked drafts. Instead, from a data protection point of view, it proposed “requirements aimed at ensuring that privacy and personal data are adequately protected during the use of AI-enabled products” and “(ensured) that AI systems are trained on data sets that are sufficiently broad and cover all relevant scenarios.”

Specifically, on facial recognition, the paper continues, “The gathering and use of biometric data for remote identification purposes, for instance through deployment of facial recognition in public places, carries specific risks for fundamental rights,” though it also states that existing regulations apply.

“In accordance with the current EU data protection rules and the Charter of Fundamental Rights, AI can only be used for remote biometric identification purposes where such use is duly justified, proportionate and subject to adequate safeguards.”

In its Q&A on the topic, the commission added that facial recognition is normally prohibited “in principle” unless certain specific conditions are met, a point that Europe’s digital chief, Margrethe Vestager, has made repeatedly. But “the commission wants to launch a broad debate on which circumstances might justify exceptions in the future, if any.”

Presenting the package, Vestager — full title, “Executive Vice President for A Europe Fit for the Digital Age” — explained that AI can range from “nice to have to life or death,” adding that “with new technology should not come new values.”

The commission wants to take a risk-based approach to AI. One option is a mandatory testing of so-called “high risk” AI applications before they can be introduced in the EU.

EuroCommerce Director-General Christian Verschueren welcomed this. “It is beneficial that the white paper looks to a differentiated approach to rules on the application of AI depending on the degree of risk involved. It is clear that an AI system predicting what goods to order according to the weather, holds fewer risks for citizens than an application process for personal medical data,” he said.

The commission also published "Communication: A European strategy for data," which focuses on ways to encourage data sharing across the bloc, including public funding and a so-called “European cloud.”  The data strategy sets out a range of policy options to make data available in Europe, including suggestions to provide public subsidies and consolidate EU cloud offering and new rules and guidelines to encourage data sharing across Europe.

Gabriela Zanfir-Fortuna, senior counsel at Future of Privacy Forum, said this was the most interesting of the three documents. “It proposes new legislation with clear objectives, and it’s the first time I’ve seen a call to amend (an EU General Data Protection Regulation) article,” she said. The new proposals want to give individuals “more control over who can access and use machine-generated data” — an improvement on Article 20 of the GDPR on data portability. “Article 20 is notoriously limited in scope,” Zanfir-Fortuna said.

It is evident from the nearly 100 pages of strategy that the commission is worried about lagging behind the U.S. and being at the mercy of big tech. “Many decisions that strongly affect the lives of citizens and businesses are taken by private gatekeepers, based on their exclusive access to all data generated within their ecosystems,” the document states. “That is not what we want for our internal market,” European Commissioner for Internal Market and Services Thierry Breton explained.

This has led to a lot of reporting and speculation about so-called “data sovereignty” and what is meant by that.

“Digital sovereignty can be misunderstood as something that is turned towards other people, but it is really about ourselves,” Breton said. “My pledge is not to make Europe more like China or more like the U.S. but to make it more like itself and work with the rest of the world on that basis.”

In terms of extracting economic value from data, Breton wants the EU to pivot from business-to-consumer services to business-to-business. He admitted that although these B2C platforms “were not rocket science in terms of technology,” the EU had missed the boat in the area of exploitation of personal data.

“Our society is generating a huge wave of industrial and public data, which will transform the way we produce, consume and live. I want European businesses and our many (small- and medium-sized enterprises) to access this data and create value for Europeans — including by developing (AI) applications. Europe has everything it takes to lead the ‘big data’ race, and preserve its technological sovereignty, industrial leadership and economic competitiveness to the benefit of European consumers,” Breton said.

According to Digital Europe, AI could add 3.6 trillion euros to Europe’s economic growth by 2030, but right now, the U.S. is investing four times more than the EU, and China is investing twice as much.

The European strategy for data proposes the creation of nine European “common spaces,” including for health data, for mobility data and financial information, saying it wants to lead and support “international cooperation with regard to data, shaping global standards.”

Despite media hyperbole about a so-called “European cloud,” the document says, “Companies from around the world will be welcome to avail of the European data space, subject to compliance with applicable standards, including those developed relative to data sharing.”

However, Center for Data Innovation Policy Analyst Eline Chivot is unconvinced: “Unfortunately, the EU has chosen the right goal, but the wrong tactics. Key pillars of the commission’s new plan suffer from fundamental flaws. Its strategy to establish 'European data spaces' — a common digital environment with a shared set of technical and legal rules to facilitate data sharing within Europe — doubles down on policies like data localization, which would force companies to store and process data domestically, and other protectionist measures that would cut off foreign cloud providers out of fear they might encroach on Europe’s technological sovereignty.”

But Chair of the European Parliament’s Industry, Research and Energy Committee Cristian-Silviu Buşoi said, “We need to create a stable and clear environment in order to encourage the use, development and innovation of AI. The European added value of AI should be trust: Algorithms should be transparent, and their process should be made comprehensible, in order to allow traceability of their decision making. We Europeans should also keep control over the huge wave of data we generate, as a matter of sovereignty, so this data works for the benefits of European citizens.”

Kim Van Sparrentak, member of the Parliament Committee on the Internal Market and Consumer Protection, went further: “As Europe, we need to stop turbo-charged tech capitalism, this digital strategy is a step in the right direction. By making a distinction between low- and high-risk applications of AI, we can drive innovation in the EU. The digital strategy means that AI that poses limited risks to security and discrimination can be used for purposes that can benefit the public good, such as climate protection, sustainability, medicine or the green industrial transition.”

Consumer rights organization BEUC said EU-rules on accessing and sharing data must “require companies to provide access to data only if necessary to correct market failures, for instance if companies refuse to grant competitors access to data in order to prevent them offering innovative products or services.”

The commission statement on "Shaping Europe’s digital future" gives an overall view of all the commission’s tech plans for the coming years — including a pledge to promote the climate neutrality of data centers by 2030.

None of this is even in the form of draft law yet and is simply the commission setting out its thinking about what might be possible or desirable. There will be a public consultation and discussion with the European Parliament in the coming months.

Photo by Franck V. on Unsplash