EU’s Data and AI Regulations – How to Prepare for the Coming Changes

Overview

A use of data, its significance for both the corporations and the consumers, has been increasingly important topic since its value has been recognized. Among other uses, with enough relevant data, the type of advertisement shown to the consumer can be tailored very precisely to meet individual needs. As a practical example of this, the users of Facebook or Instagram may have found that the advertisements tend to showcase products meeting their exact criteria, while their friends never encounter those same advertisements. This is because the corporations are either buying or gathering multiple kinds of data that enable them to produce well-targeted ads based on the individual’s behavior and preferences. This has a direct monetary upside, as when the advertisements find the correct customer segment, they are more likely to be bought. This way, it could be argued, both the consumers – that find the products they need – and the corporations – which make more money by having their products bought – win.

However, there are related concerns as well. The predatory practices, such as gathering personal data without acquiring consent from the consumers, have demonstrated that there is a need for regulative action. This was one of the reasons for introducing the General Data Protection Regulation (GDPR). At the same time, the data held by companies holds a great potential which could be harnessed for greater innovation and benefit by having a more flexible legal framework. For example, during Covid-pandemic, the authorities were in a desperate need of various kinds of data from both public and private entities which could not share them due to the legal challenges. It has been estimated that with more flexible data sharing it would be possible to save approximately €120 billion a year in the EU health sector.[1] The more effective data sharing could also help the companies to optimize their supply chain management by providing real-time data on inventory levels, production schedules, and delivery times. This could help to reduce waste, improve efficiency, and lower manufacturing costs. With these benefits and concerns in mind, the EU has launched multiple proposals, the most important of which are the focus of this article.

First of these is the Data Act (DA), which focuses on improving access to and reuse of both private and public sector data across the EU by regulating who can access data. At the same time, the Data Governance Act (DGA) establishes a common framework for the cross-border exchange and sharing of data, particularly non-personal data, in the European Union by setting out rules and procedures for the creation of data-sharing mechanisms, data intermediaries, and data spaces. It intends to establish mechanisms to facilitate the reuse of the public sector data that cannot be made available as open data[2] and setting up rules for data sharing services (data intermediaries) which are going to play an important role in the data economy. To summarise, while the DGA creates the processes and structures to facilitate data, the DA clarifies who can create value from data and under which conditions.[3] For example, the manufacturer has to design the product in a manner enabling an easy data access, and the data holder is obligated to make the data available for third party if requested by the user[4]. With these in place, the users can authorise the data holder to provide access to the data to third party service providers, such as providers of aftermarket services. The DA and DGA are supplemented with the Digital Markets Act (DMA) and the Digital Services Act (DSA) which place the large online platforms, such as Amazon, Google, Apple and Facebook, under tighter regulation. Notably, the DMA requires them to provide access to certain types of data – such as data generated by the users – to the businesses using their platforms and prohibiting self-preferential practices. Finally, the Artificial Intelligence Act (AIA) establishes a common standard for the algorithms and places them under different risk categories, notably relevant with the recent surgency of the AI technology. Together these new data and AI regulations are meant to fulfil the EU’s digital strategy aims, leveling the playing field and creating an internal market based on the European values where the data can move freely, fostering growth and innovation.

Thus, unlike it is commonly feared by the small and mid-sized companies (SMEs) struggling with the existing regulations, these new data and AI regulations do not merely establish additional compliance requirements: on the contrary, they will be the primarily beneficiaries as the regulation aims to make the data equally available for all the market participants and ensure that the dominant entities do not abuse their market position. The goal, among others, is to enable SMEs to compete on the even ground with these large platform service providers and other big players on the market. This article will next showcase these benefits and other major takeaways which could prove to be especially helpful for the SMEs, but also touches on the various obligations that these give raise to.

The main benefits and issues

The starting point should be understanding what is actually meant by data. Its definition may differ depending on the regulation in question, but generally it refers to any information that can be processed by electronic means, including personal data and non-personal data. Personal data refers to any information that can be used to identify a living individual, such as a name, address, email address, or IP address. Non-personal data refers to any data that is not related to an identified or identifiable natural person, such as data on business operations or machine-generated data. Machine-generated data, in turn, refers to data that is generated automatically by devices, sensors, or software systems (such as data from social media platforms or web analytics tools). The new AI and data regulations are mainly concerned with the non-personal industrial data and try to protect the personal data. For example, the DGA and the DA elaborate on the concept of data portability first established by the GDPR, which refers to an ability to transfer these various types of data between different services, applications, environments or cloud services, but rule that in the event of overlap, the GDPR will prevail[5].

Then, what practical benefit could the companies extract from the available data? Under the DA, the data holder shall make available to the user the data generated by the use of a product or related service. As stipulated by Article 4(1) of the DA, this shall be done on the basis of a simple request through electronic means where technically feasible.[6] No longer manufacturers may design machines while keeping an exclusive access to the data generated by those machines. The mechanism introduced by the DA enables an equal access for other companies which, in turn, can create more innovative products and services by combining of different sets of data in addition of enhancing existing ones. For example, this could enable the user to share the data generated by the use of the car’s engine and system to the parties other than the original manufacturer, valuable information for the car maintenance service providers. Furthermore, a machinery owner could choose to share data generated by the machine’s use with the insurance company and such data from numerous users could be used to identify the products entailing high risk of accidents[7]. At the same time, under Article 6(1) of the DMA, the companies would be entitled to request a broad range of potentially valuable information from the large platform service providers: this includes data related to the business users’ products or services offered on the platform. In practical terms, this could also include data such as pricing information, performance and ranking, as well as data related to transactions taking place on the platform. With this data, the businesses could adjust the prices of their own products accordingly and maximize the profits. The overall argument is that with this access to the data, the innovation and competition is strengthened with the companies gaining deeper insights into their operations. As demonstrated, this enables more effective decisions about resource allocation, pricing, product development, and strategic planning, among other uses.

The stakeholders have raised multiple issues with the proposals. The general criticism is that the EU is trying to do contradictory tasks by trying to enhance protection of the data while at the same time forcing the business and authorities to share it, all while claiming this would enhance the free flow of data. As stated previously, to counter this, it has been ensured that in the event of overlap, the GDPR would prevail. Additional issue is that the new AI and data regulations establish multiple technical requirements for the companies, such as the format and transmission mechanisms. The worry is that the smaller businesses may lack the resources to invest in the necessary infrastructure. The counterargument is that the compliance could actually turn out to be both stronger and cheaper as the DA and the DGA establish a common technical standard for data sharing and interoperability, ensuring high quality and absolving the companies from the need of having a varied infrastructure. This is further accounted for by DA, which establishes conditions under of which the companies may apply for the compensation for making data available. The stakeholders further claim that the definitions on type of the data covered by new AI and data regulations need to be more formulated more precisely. The worry is that the scope of data covered by proposals in their current form would be too broad and force the companies to give up valuable information related to the trade secrets and intellectual property rights. The authorities have addressed this in the DGA, under of which the companies can withhold data if its disclosure would harm their legitimate interests, though the companies would have to be able to prove that such harm would occur. It should also be noted that both the DGA and the DA in their current form recognize that not all data can or should be shared, and the companies must assess the risks associated with sharing particular data sets and put appropriate measures in place to mitigate those risks.

Overall, the new AI and data regulations would reduce barriers of entry for companies of all sizes by providing an equal access to data, in contrast to the current state of things where only a handful of big players are able to use it for their advance.

Other benefits and obligations

While the data can be used to enhance the business operations of the companies, there are also other benefits stemming from these new proposals. For example, the DSA aims to harmonize rules for digital services across the EU, which could reduce the complexity and costs of complying with multiple sets of rules in different member states, benefiting the companies that operate across borders. Under the DMA, the large platform service providers are prohibited from engaging self-preferential treatments of their products by recommending them over the competitor’s products, placing the products of SMEs and other business users on a level playing field within the platforms. Meanwhile under the DA, the SMEs will be protected against unfair contractual terms imposed by a party with stronger market position and with the Commission providing model contract clauses.[8] Also, under the DA, the customers have a right to switch between different providers of data-processing services: in practical terms, as stipulated in Preamble (72) of the DA, the customer could port all its digital assets, including meta data, to the concerned other provider and to continue the data in the new environment while benefitting from functional equivalence (meaning a minimum level of functionality after switching).[9]

There could also be possible benefit for the companies struggling with meeting various compliance requirements, such as those related to ESG. The new AI and data regulations could help and boost the green transition by providing legal structure and framework for collecting, analyzing and transferring of data. By setting common rules, roles, rights and responsibilities the regulation might be an enabler for a whole new field of industry. For example, the de-carbonization and ESG Scope 3 reporting (indirect emissions that occur in a company’s value chain) is seen to be a challenging task as the data attributes demonstrating the start and the end of point of the emission needs to be generated, which is something that the companies may avoid sharing with each other since they worry it could reveal their trade secrets. Due to DA, in the future the users of product or service could require the manufacturers or service providers to share the industrial data to third parties operating in a data ecosystem (ESG data service providers) which would then collect, analyze and calculate the information in a more accurate and standardized way. Additionally, to alleviate the stakeholders´ worries regarding the trade secrets, in the DA proposal there is a provision which prevents developing a product or related service that would compete with the original data-generating product.[10]

There are also compliance obligations that may touch a larger number of companies stemming from these proposals. While this article does not concentrate on their implications, it is useful to briefly touch on them. First, the DSA requires that the companies that provide online services need to comply with obligations related to new, stricter content moderation, transparency, and user safety. They are now responsible for the content on their platforms. For example, these companies may need to implement mechanisms to quickly detect and remove illegal content, provide more information to users about how their data is used, and take measures to prevent abuse and harassment on their platforms. However, it is important to note that this obligation is subject to the size of the company in question – as a thumb rule, larger the platform, stricter the applicable restrictions. Secondly, under the DA and the DGA, as previously elaborated, the companies have obligations such as need to provide data upon a request from other company or public authority while simultaneously strengthening their cyber security capacities. Most importantly within the context of the recent AI boom, the companies need to comply with new requirements related to transparency, fairness, and safety, such as ensuring that AI system do not discriminate, a factor which could prove to be a challenge with any kind of scoring system.

Key takeaways – how to prepare?

The new AI and data regulations are currently being discussed and are either approved or in a process of being approved, but the companies would benefit from starting the necessary preparations in order to be ready when they officially come into force. The DGA entered into force on 23 June 2022 and, following a 15-month grace period, will be applicable from 27 September 2023 while the DA was approved by the European Parliament 14 March 2023. DMA and DSA have likewise already entered into force with their respective benefits and obligations at time of writing this article while AIA was approved by the European Parliament on June 14, 2023.  Our recommendation is to start following procedures to be adequately prepared for the coming changes:

1. The companies should complete an internal review whether they are in the scope of these proposals;
2. If they are, start to implement necessary changes related to infrastructure and the operations;
3. Whether they are or not, they should assess whether they could benefit from these proposals in their operations, such as by combining different data sets to create an innovate products or services;
4. Finally, they should ensure that they are in compliance with the new obligations stemming from the proposals.

The changes are numerous, and this article has only lightly touched on some of them. It may mean that the companies need to secure additional resources to ensure that their infrastructure, operations, services and products are in compliance with the new regulations. Ultimately, the reformations that need to be implemented could turn out to be only a few, depending on the size and the type of the company: however, all businesses should examine how they could benefit from the broader data access. It is the companies that first utilize these new resources which will also reap the largest profits.

For more information, please contact:

Riikka Vaajamo

Director

Send email

Markus Porkka

Associate

Send email

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R0868

[2] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R0868

[3] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN

[4] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN

[5] The Data Governance Act and Data Act both stipulate that they shall be without prejudice to the GDPR, and that they shall be interpreted and applied in accordance with the GDPR. Therefore, in case of any conflict or overlap with the GDPR, the GDPR shall prevail.

[6] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN

[7] https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_1114

[8] https://digital-strategy.ec.europa.eu/en/policies/data-act

[9] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN

[10] https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_1114