Europe’s competition commissioner Margaret Vestager is in a hurry. At a Brussels event focused on AI and data regulations in mid-April, she responded crisply to comments on the speed of changes the EU is looking to implement. While GDPR took many years to negotiate, today the EU is motoring ahead on four new tech laws, which are expected to start coming into force over the next 18 months. Why so fast? “Our legislators, the parliament and council share the sense of urgency that this cannot wait,” Vestager said.
This four-course legal buffet consists of the Digital Markets Act, which regulates very large platforms, the Digital Services Act, which tackles illegal content and the rights of users, the Data Governance Act which promotes trust and portability of data via regulated spaces and intermediaries, and finally the Data Act which controls the data produced by connected IoT devices.
The fuel behind this frenetic activity is the sheer force of political will in Europe right now to upend the status quo, not simply to introduce more refined management to a digital space currently dominated by libertarian principles and ‘postal’ regulations.
As was made clear at this event, it’s nothing less than a bid for the EU to stay relevant and build an open, thriving economy which opens up the potential of data for new uses, stakeholders and business models. As Marco-Alexander Breit from the German Federal Ministry for Economic Affairs put it: “The silver bullet here is creating a vibrant data economy”.
This is long overdue: while platforms have moved some way from denial and seen their lobbying efforts to water down key elements of these regulations backfire, there remains a huge imbalance in power between these operators and the individuals who have rights under GDPR to own and benefit from their data.
Currently it’s the Digital Markets Act (DMA) which now dominates the order of business in Brussels. It will be presented to the Council’s working party on 28th April and approved by EU ambassadors at the Committee of Permanent Representatives on the 4th May. Between now and then, according to Vestager, “we’re ordering in snacks and preparing for some long nights”.
So what is the detail of the DMA, and why is it such a “Big F***ing Deal” according to Protocol journo Ben Brody? Part of its importance is the size of the target, which is Big Tech itself - represented by what the EU calls digital “gatekeeper” platforms worth over 80 Billion euros and covering messaging, social networking, browsers and mobile operating systems.
Many of these are US companies such as Amazon, Google and Meta which will now be subject to fines up to 20% of global turnover for repeat offences unless they fundamentally re-address how they operate in Europe. For example:
- Apple will have to let iMessage text interoperate with smaller messenger players like Signal and Telegram (as will WhatsApp). It will also have to allow third-party app stores and payment systems into apps.
- Google won’t be able to combine users’ personal data for targeted advertising without explicit consent, and Android will have to make sure there is a genuine choice for people to include Google competitors like DuckDuckGo, Firefox and Siri.
- Amazon will have to deal with an apparent ban on self-preferencing which seems likely to force the company to pull back from its competition against third-party business sellers on its sites, particularly its use of their data.
We can see how this accelerates the move away from market forces being left to play out in an arena where certain players enjoy unprecedented dominance, and why the platforms lobbied so hard to stop this happening.
But it’s a less publicised aspect of the DMA which may have the broadest implications. Come early 2024, business and individual users of gatekeepers i.e. Google, Meta, Amazon & Apple will be able to port their data in real-time from those platforms via API’s, as has become the norm in open banking.
Having spent decades creating and defending data silos in order to maintain their pre-eminence these castles built by the ‘Big 4’ and others might now be brought down by a few clicks from the user. Quite an evolution from the current regime of cookie banners and dubious privacy notices…
If that wasn’t troublesome enough for Big Tech, the Data Act contains similar requirements for manufacturers of IoT devices. Customers must be given easy electronic access to all the data these products generate, with the aim that third party businesses can plug it into their services. As pointed out by Breit and others on the day, currently 80% of data from connected devices in an industrial context lies un-used in silos.
The Data Governance Act (DGA) opens the door for legitimate data intermediaries, which we and others are calling data unions to make sense of all this newly-liberated data. They can build the necessary structure, standards and kickstart the new data economy which the EU wants to create
The basic concept of a data union is that people download an app or click on some controls allowing them to share their data with an organisation that offers to represent them and fellow members, rather like a co-operative.
The more people join the union, the more rich (and valuable) that data set becomes to buyers and researchers. Because the information has been structured by the data unions it’s usable at scale by third parties like an online insurer, airline or ad server. When that data sells, the proceeds are redistributed among the members, with the organisers (such as Pool) also getting their cut.
Given all the late night negotiations, Vestager and her colleagues may not be able to enjoy their snacks, but what does now seem certain is that conditions are set for previously disconnected elements of personal data protection and ownership to come together in the form of a new data economy. This will be regulated by the suite of interlocking laws, orchestrated by data unions and supported by €2billion of funding for the new ecosystem.
The world outside Europe was also in attendance in Brussels; US representative Keith Sonderling declared that “all of us in the US are studying the EU very closely”, while the UK government has its own mission to make data a key part of growth post Brexit. “We need to build confidence in data - creating standards with industry, and data trusts are a way to do this” said Sam Cannicott, Deputy Director at the UK government's Centre for Data Ethics and Innovation.
All of this activity is resulting in unprecedented interest around data unions, which are attracting investment and members in the order of millions across the world.
If you’d like to know more about the upcoming regulations and how data unions fit in, we have a guide to them published soon - sign up to our email newsletter list at the bottom of the Resources page and you’ll be the first to know!