The data regulations in the European Union (EU) have recently received significant attention specifically due to the advent of the General Data Protection Regulation and the rulings around Schrems II—whereby the Court of Justice of the European Union found that the protection of personal data had limitations due to domestic law in the United States—as well as the access and use by US public authorities of personal data transferred from the EU, and recent developments such as e-privacy.
While these developments have led to major changes in data privacy, one of the other goals of the regulation—to establish a market for data and facilitate data exchange between companies—has not been reached to date.
This lack of action has led to the potential for further regulatory activity to define an agenda for how to uplift the data capabilities of European companies, create a market for data, and regulate activities around AI. These activities are typically summarized as the EU digital strategy. While regulation adds further requirements and obligations to any data-enabled business, it also creates an opportunity for competitive advantages for those that best derisk their data transformations.
The EU digital strategy offers organizations both challenges and opportunities, but these regulations will likely continue to evolve, so organizations should remain aligned with the regulatory process.
The EU digital strategy
The EU digital strategy comprises several acts:
- The Data Governance Act creates a new way of managing data to increase trust in and facilitate data sharing.
- The Digital Markets Act creates fair and contestable markets for innovation, growth, and competitiveness in the digital sector.
- The Digital Services Act creates a safer digital space where the rights of all users of digital services are protected.
- The Data Act regulates access to data in B2B, B2C, and B2G (business-to-government) relationships and while switching between cloud providers.
- The AI Act enacts stringent regulations of (high-risk) AI systems and prohibition of certain practices.
According to current plans, these acts will only become effective during or after Spring 2023, but an end to the alignment process is foreseeable. While the five acts are currently in draft status and further changes to the regulation can be expected, there is a clear trend toward stricter regulatory guardrails for data and AI.
New possibilities from the digital strategy
While the new EU data strategy states a number of requirements with potential administrative and compliance burdens, there are also possibilities from the new digital strategy that should not be underestimated:
- The possibility of data sharing and portability opens new ways to attract customers on a new platform and ensure that the services they have been expecting in the past can easily be provided and no natural advantage is created through the impossibility of transferring end-user data. In many cases, users are hesitant to change platforms because of the inability to access previous order history, photos, and other personal data.
- The possibility to reduce the market power of gatekeeper platforms reduces the risk associated with moving big parts of the existing infrastructure to one of the large cloud providers without easily being able to change to another provider or being faced with the challenge that the services provided can be canceled at any point in time.
- The protection of end-user rights associated with AI creates a new market where identifying possible algorithms that are not forbidden or high risk becomes a paramount goal and, therefore, creates new market possibilities, even in areas where traditionally the companies had already created the relevant legacy algorithms.
The combination of these three possible avenues to generate additional business out of the new regulatory guidance in the EU digital strategy could allow many companies to benefit from the change that is going to come.
The benefits from the new regulatory regime
Several benefits arise from the new regulatory regime, specifically for data sharing and portability and the possibility of reducing gatekeeper platforms. This is specifically so with social-media platforms and also when it comes to insurance contracts and other services.
For example, for banking, there is a strong lock-in because customer information needs to be transferred manually or requires significant effort to be transferred, so transfers seldom happen.
This lock-in effect can now be weakened significantly due to the full requirement to easily transfer the required information and thereby reduce the burden for the customer. This should make it easier to set up new business propositions in this space and set up new digital attackers for existing businesses.
This is even further enforced by the reduction of the power of incumbents to increase competition in the digital platform space. Going forward, these platforms may be forced to allow competitors to exchange data with them to ensure that competitors will strive. For example, with social-media platforms, search engines, or provision of cloud-based infrastructure, these decisions should lead to increased competition.
The challenges from the new regulatory landscape
Companies will also experience increased user rights when it comes to AI. This could affect businesses such as credit bureaus, insurers, or banks that are using AI to assist with decision making or customer rating. Traditionally, organizations and their digital platforms have seen little concern in using AI on customer data when it comes to their core business processes as with target marketing, for example. This perception is significantly questioned in the new guidance, and organizations should consider new methods to inform customers and to ensure a sustainable operating model.
Three keys to navigating the EU digital strategy
First, companies may need to assess the impact of the EU digital strategy on their business and their business model and need to identify where changes are required and where additional care needs to be taken with respect to current processes. This specifically applies to the four acts concerning data governance, digital services, AI, and data.
Second, companies may need to investigate the possibilities for the applicability of the acts within their organization. This includes possible access to markets that other competitors led in the past through their access to end-user data.
Finally, as the EU digital strategy continues to evolve, organizations may be able to further collaborate with governing bodies on the interpretation of the regulations. Specifically, in the case of AI, there are several companies that may find it very challenging to work with their current model in the new guidance.
Mitigating the impact of these regulations is therefore still possible, and the actions should be actively shaped by companies, including clarifying the consequences of certain actions and making sure that the decision process takes these into account.
Additionally, companies should revisit their current processes for data collection and AI. They should also identify where personal data is required, and where it isn’t, to identify the priority use cases where additional consent or safeguards would be required.
Following these three aspects as well as the mitigating actions should leave companies in a better state once the final rules and regulations around the EU digital agenda have been published.