Digitalization has been a top priority for the European Commission combined with the epochal ‘green’ transition to bring the EU to the forefront of the macrotrends that are reshaping the world economy.
As part of that priority, the EU executive put forth an extensive legislative package, which ranges from platform regulation to artificial intelligence, from data sharing to cybersecurity.
With its mandate set to expire in Spring 2024, the European Commission has only two years to push its digital policy through the legislative process, trying to close as many files as possible. At the same time, this year is the last one the EU executive has to present proposals that could complete the legislative process within this mandate.
The following is what the new year has in store on digital matters for the EU.
European data strategy
The EU recently adopted the Data Governance Act, a legislation with the ambition to establish a ‘Schengen of industrial data’ by introducing clear and fair conditions for data marketplaces. The hope is to accelerate the digitalization of Europe’s industrial basis and make smaller businesses reap the benefits of the data economy.
Public institutions are also expected to start sharing their data whilst also granting privacy and intellectual property rights. As the data law enters into force at the beginning of 2022, the industry’s uptake will determine the initiative’s success.
The regulation on data governance was only the first legislative milestone of the European Data Strategy. The next and more delicate step is the Data Act, legislation the European Commission is now expected to present 23 Feb., following delays due to the proposal failing an internal review.
According to a leaked impact assessment, the new data law will define data-sharing obligations between platforms and consumers as well as business users, the economic value attributed to data, and rules for public bodies to access privately-held data for reasons of public interest.
In other words, the European Commission has first put in place a data governance architecture, and it is now working on binding data-sharing rules. While the legislative process for the DGA was relatively smooth, policymakers in Brussels consider the Data Act a much thornier endeavor.
Regarding personal data, the calls for reviewing the EU General Data Protection Regulation and its enforcement architecture might further intensify in the coming months. The European Data Protection Supervisor is organizing a conference in June to re-assess the data protection regulation and how regulators could improve their collaboration.
The review might not only regard the current enforcement mechanism, based on the one-stop-shop, but also on creating bridges between data protection authorities and competition regulators, something for which there is growing consensus on both sides of the Atlantic.
Finally, the EU and United States are still engaged in negotiations to solve the issue of international data transfers following the "Schrems II" decision. For Brussels, the priority is to avoid a third debacle, whereas Washington is working on a legal expedient that could survive judicial review in Europe without changing its intelligence laws.
Platform regulation
In December 2020, the Commission presented the Digital Markets Act and Digital Services Act, two proposals that are part of a regulatory package for the online environment. Somewhat unexpectedly, EU institutions managed to develop a position on such complex legislation in less than one year, with the final part of the legislative process due to start in January.
The DMA aims to impose ex-ante obligations on the largest technology corporations, which play a gatekeeper role in the internet economy. The DSA is horizontal legislation for the entire digital ecosystem, introducing rules in terms of transparency and responsibility proportionally to the size and impact of the company.
In December, EU lawmakers finalized their position on the DMA, and the DSA is expected to follow in January. In the EU Council, the European governments adopted both files in November. The French government will negotiate the files on behalf of the other member states, as France is taking over the rotating presidency of the EU Council for the first half of 2022.
Paris has made no secret they want to reach an agreement before the presidential elections in April. Brokering these EU laws would be a strong campaigning point for the incumbent president, Emmanuel Macron, as curbing the power of Big Tech is a topic that finds unanimous consensus in the French political culture.
However, that leaves the French only two months to reach an agreement. As things currently stand, a deal on the DMA seems much more likely in this timeframe for the simple fact that it is sectorial legislation and that most of the companies in its scope will not be European. Conversely, the horizontal nature of the DSA might mean it will take more time to compromise.
Artificial Intelligence
In April 2021, the European Commission presented a grand proposal to regulate artificial intelligence based on a risk-based approach that introduces liability obligations based on the potential impact of the AI application.
However, the file is so technical, and AI is at such an early stage, that the progress has been slow as policymakers are still struggling to understand the impact of the new rules. To add further complexity, the AI Act interacts with some key EU legislation, including the GDPR, the product safety regulation and the law enforcement directive.
European countries made some progress on key aspects of the proposal, but the legislative process is still at a very early stage as France is taking over the file. As mentioned, Paris’ priorities correspond to possible quick wins it can sell to its electorate ahead of the upcoming elections. While AI is potentially an appealing topic, the proposal is not mature enough.
In the European Parliament, the slow progress was also due to a conflict over the leadership of the file. The solution found is a co-lead between the committees on consumer protection and civil liberties, the latter being the home of the GDPR. This dual structure means double of the amount of people involved; hence slower progress is expected.
The agreement sidelined the conservative European People’s Party, isolated in resisting a ban on biometric recognition technologies in publicly accessible spaces. Both MEPs in charge of the AI regulation recently voted in favor of a resolution calling for a total ban.
Rules for the gig economy
In December, the European Commission presented a draft directive to regulate the conditions of platform workers. The proposal’s core is a provision that would make platform workers that meet specific criteria qualify as employees. The legislation is expected to requalify as many as 4.1 million people.
The directive aims to put harmonized rules on the gig economy, filling in a legislative void and avoiding conflicting judicial decisions and national legislation across the European bloc. In September, EU lawmakers adopted a resolution calling for similar measures, with support from both sides of the political spectrum. Several EU countries have also expressed support for the Commission’s initiative.
While there seems to be broad consensus in Europe for these measures, the type of legislation proposed will set some minimum standards the EU countries will have to incorporate into their national framework. Therefore, even swift adoption at the EU level would lead to the legislation entering into force any time soon.
Cybersecurity
The EU executive is also due to present a new cybersecurity law in the second half of 2022, the Cyber Resilience Act. The aim is to set minimum cybersecurity standards for connected devices, as the market for the Internet of Things is expected to grow exponentially in the coming years.
The final stage of the negotiations on the revised version of the Network and Information Security Directive, better known as NIS2, starts in January. The directive introduces minimum cybersecurity requirements for businesses and organizations with a critical role in economic activities or society’s functioning.
Thus, the scope of what organizations should be deemed essential for society is a crucial contention point, with the European Parliament pushing for a broad definition. However, recent cyberattacks on vital infrastructure and the tension at the Eastern border have put cybersecurity at the top of the security agenda for European countries.
Although there is an emerging consensus among national authorities to consider cybersecurity a priority, as is often the case when touching upon national security, political considerations are also at play. For instance, the Commission recently launched the idea of a Joint Cyber Unit that was coldly received by the member states, as there are already several structures at the European level.
Photo by Amy-Leigh Barnard on Unsplash