Europe's Data Strategy: Challenging Big Tech's Dominance

Google’s ambition is to organize the world’s information; however, European legislators are focused on structuring the regional digital landscape and establishing Europe as “the most data-empowered continent globally,” as stated today by Thierry Breton, internal market commissioner, during a livestreamed discussion hosted by the Brussels-based economic think tank, Bruegel, outlining the principles behind the bloc’s data strategy.

Another key objective is to rebalance the dynamics of big data, shifting the advantage away from major technology companies.

Breton compared the EU’s extensive effort to promote industrial data sharing and recalibrate platform influence to previous initiatives aimed at organizing the region’s airspace and other physical infrastructure—though acknowledging the considerably shorter timeframe due to the rapid evolution of digital technologies.

“This endeavor will naturally require both political foresight—which we possess—and a strong commitment, which I believe we also share, alongside intelligent regulation, hopefully deemed effective, to establish appropriate guidelines and invest in essential infrastructure,” Breton explained.

During the discussion, he provided a comprehensive overview of the legislative proposals currently being developed by EU lawmakers, which are intended to enable European businesses and governments to securely unlock the potential of industrial and public data, thereby fueling economic expansion in the coming decades.

“We have demonstrated the courage to establish our regulations in the realm of personal data, and we must now replicate this approach for government, public, and industrial data—by setting the rules, the European rules. All entities will be welcome in Europe, crucially, provided they adhere to our regulations,” Breton stated.

“We have no time to waste,” he emphasized. “The competition for industrial data is commencing now, and Europe may well be the primary arena, so we must prepare—and that is my priority.”

EU lawmakers are currently formulating regulations concerning the utilization and sharing of (non-personal) data, determining access rights, and ensuring safeguards within the established framework, as outlined by Breton. He further contended that the concerns stemming from European privacy challenges to international data transfers—as highlighted in the recent Schrems II ruling—extend beyond privacy and personal data.

“These concerns are, in fact, central to the Single Market for data that I am constructing,” he said. “These worries are evident in the evolving landscape where individuals and organizations seek to maintain control over their data. The fundamental question, therefore, is how to facilitate this control while simultaneously enabling data flow—which is vital in the data economy.”

To foster an open, unified European market for data, it is essential to recognize that not all data are equivalent—specifically “in terms of their sensitivity”—Breton stressed, referencing the EU’s General Data Protection Regulation (GDPR) data protection framework as “evidence of this”.

“Moving forward, there is also sensitive industrial data that should be subject to specific conditions when accessed, used, or shared,” he continued. “This applies, for example, to sensitive public data [such as] from public hospitals, as well as anonymized data that remains sensitive, and mixed data that presents handling complexities.”

He cited the example of European hospitals during the pandemic being unable to share data across borders to aid in combating the virus due to the absence of a dedicated framework for secure data exchange.

“I want our SMEs and startups, our public hospitals, our cities, and numerous other stakeholders to leverage more data—to make it accessible, to derive value from it, and to share it—but to achieve this, we must establish trust,” he added.

The initial legislative step towards transforming into a single European data economy is the Data Governance Act (DGA)—which Breton announced EU lawmakers will present tomorrow, following a vote on the proposal this afternoon.

“With this act, we are defining a European approach to data sharing,” he noted regarding the DGA. “This new regulation will facilitate data sharing across sectors and Member States. And it will empower those who generate the data—moving away from the current practices of large technology platforms.”

“Specifically, this legislation will create the conditions for accessing and reusing sensitive public data, establishing a set of harmonized rules for the single market.”

A crucial aspect of building the necessary trust for the data economy involves establishing rules that stipulate “European highly sensitive data should be stored and processed within the EU,” Breton also stated, indicating that data localization will be a central component of the strategy—consistent with a number of recent public statements in which he’s argued it’s not protectionist for European data to be stored in Europe.

“Without this possibility, Member States will never agree to open their data holdings,” Breton went on, clarifying that while Europe will be “open” with data, it will not offer a “naive” data free-for-all.

The Commission also intends for the data framework to support an ecosystem of data brokers, whose role Breton described as connecting data owners and data users “in a neutral manner”—suggesting this will empower organizations to exert greater control over the data they generate, (i.e the implication being rather than the current situation where data-mining platform giants can use their market power to asset-strip weaker third parties).

“We are redefining the product here,” he said. “And we also promote data altruism—the practice of sharing data, industrial or personal, for the common good.”

Breton also mentioned that the upcoming data governance proposal will include a shielding provision—meaning data actors will be required to take measures to avoid complying with what he termed “abusive and unlawful” data access requests for data held in Europe from third countries.

“This is a significant point. It is not about questioning our international judicial or policy cooperation. We cannot tolerate abuses,” he said, specifying three unacceptable examples (“unauthorized access; access that do not offer sufficient legal guarantees; or fishing expeditions), adding: “By doing so, we are ensuring that European law and the protections it provides are respected. This is about enforcing our own rules.”

Breton also discussed other interconnected elements of the policy strategy that regional lawmakers consider essential for delivering a functional data framework: Namely the Digital Services Act (DSA) and Digital Markets Act (DMA)—which are both scheduled to be detailed early next month.

The DSA will impose “a clear responsibility and obligation on platforms and the content they disseminate,” Breton said.

While the accompanying ex ante regulation, the DMA, will “define the behaviors of gatekeepers—of systemic actors in the Single Market—and target their actions against competitors or customers”; thereby further restricting the influence of large technology companies.

“With this set of regulations, I aim to establish clear rules—based on our values,” he added.

He also confirmed that interoperability and portability will be key features of the EU’s anticipated data transformation.

“We are working on this through several avenues,” he said. “The first is establishing standards for interoperability. This is absolutely crucial for the sectoral data spaces we will create and is very important for data flows. You will see that we will create a European innovation data board—established in the DGA today—which will assist the Commission in setting and developing the appropriate standards.”

While addressing “blocking efforts and abusive behaviors” by platform gatekeepers—which could otherwise limit the value of the data economy—will be “the responsibility of the DMA,” he noted.

A fourth pillar of the data strategy—which Breton referred to as a “data act”—will be introduced in 2021, with the goal of “increasing fairness in the data economy by clarifying data usage rights in business-to-business and business-to-government contexts”.

“We will also consider enhanced data portability rights to give individuals greater control—which is extremely important—over the data they produce,” he added. “And we will review the intellectual property rights framework.”

He also emphasized that key infrastructure investments will be vital—pointing to the Commission’s plan to build a European industrial cloud and related strategic tech investment priorities such as in compute power capacity, expanding next-generation connectivity, and supporting cutting-edge technologies like quantum encryption.

Privacy advocate Max Schrems, who was also invited as a guest speaker, raised the issue of enforceability—pointing out that Ireland’s data protection authority, responsible for overseeing numerous major tech companies in the region, has yet to issue any decisions on cross-border complaints filed under the 2.5-year-old GDPR framework.

Breton acknowledged that enforcement will be a critical component—asserting that EU lawmakers are aware of the enforcement “bottlenecks” in the GDPR.

“We need clear, predictable, implementable rules—and that is what drives me when I regulate the data market. But also what you will find behind the DSA and the DMA with an ex ante regulation to be able to apply it immediately and everywhere in Europe, not only in one country, everywhere at the same time,” he said. “Just to ensure that things happen quickly. In this digital space, we must be fast.”

“So we will again ensure in DSA that Member State authorities can request platforms to remove content cross-border immediately—like, for example, the European Arrest Warrant.”

The Commission will also have the authority to intervene through cooperation at the European level, Breton further noted.

“So you see we are putting in rules, we are not naive, we understand very well where we have the bottleneck—and again we try to regulate. And also, in parallel, that’s very important because like everywhere where you have regulation you need to have sanctions—you will have appropriate sanctions,” he said, adding: “We are learning the lessons from the GDPR.”