On February 19, 2020, the Commission unveiled its strategy to “shape Europe’s digital future.” This strategy identifies three key objectives: invest in technology that works for people (which includes investment in connectivity, discussions over a framework for AI, cybersecurity, and data literacy), develop a fair and competitive economy (which focuses on the creation of a single market for data and the use of competition law policies to level the playing field), and create an open, democratic, and sustainable society.
The Commission sought to make the digital strategy roadmap more concrete through the publication of two, more detailed, documents: a communication on the Commission’s European data strategy (the “Communication”), and a White Paper on its proposed European approach to artificial intelligence (the “White Paper”). Both documents are currently open to public consultations until May 31, 2020 through an online questionnaire and an invitation to upload a position paper.
The Communication sets out the Commission’s concrete investment plans and legislative proposals along with suggested implementation timeframes. It aims to create and regulate a single market for data. The White Paper, on the other hand, seeks to open a policy discussion, rather than to announce a specific roadmap. It describes in broader terms the Commission’s proposals to both promote the development of, and create a legislative framework for, artificial intelligence.
The European data strategy communication
The Communication on data strategy is the more advanced of the two publications. It focuses on the second goal of the Commission’s digital strategy, namely to bring about a “fair and competitive economy.” The communication is organized in two parts. First, it sets out the problems identified by the Commission regarding data. It then sets out “key actions” for the Commission to take between now and 2027. It is rumored to have been shaped by Thierry Breton, the current Commissioner for Internal Market and Services.
The Communication starts off by identifying several issues “holding the EU back from realising its potential in the data economy.” Its focus is on perceived imbalances in data access for European small and medium enterprises. The Commission links this concern to a lack of interoperability and the need for clearer governance over the access and use of data. The Communication also deplores the EU’s limited cloud infrastructure and its ensuing dependence on non-EU cloud service providers. The Commission also reflects on both the perceived shortage of data and analytics skills in the EU workforce and the lack of technology to help individuals exercise their privacy rights.
The Communication then formulates proposals to respond to these concerns. The Commission has devised a strategy that combines funding, policy measures, and legislation to “realise the vision for a genuine single market for data.” This strategy, itself a sub-part of the Commission’s broader digital strategy, is articulated around four pillar proposals: a governance framework for data access and use, European investment in data infrastructures, the development of data literacy, and the creation of that which the Communication describes as “common European data spaces” in certain strategic economic sectors.
The Communication then translates these four pillars into a series of upcoming measures. In particular, the Communication highlights the following concrete proposals, for which it proposes clear implementation time frames:
- A Memoranda of Understanding between Member States on cloud federation and data- sharing initiatives (Q3 2020);
- A Commission proposal for a legislative framework on data access and data use, which may include standardization and interoperability requirements, specifications on what considerations are relevant when selecting datasets for scientific research, and tools for individuals to consent to the use of their data for the “public good” (Q 4 2020);
- An “Implementing Act,” to be adopted by the Commission, identifying high-quality public sector data and requiring that these be available in machine-readable format via APIs (Q1 2021);
- A “Data Act,” to be proposed by the Commission, to create incentives for data-sharing both within and between the private and public sector, strengthen portability rights, and request compulsory access to data in sectors where market failures are identified or foreseen (2021). The scope of this proposal remains On some interpretations, this proposal could lead to burdensome and invasive requirements on private companies. It is not clear how the requirement would interplay with the GDPR, or how it would balance out its possible negative effect on user privacy and on companies’ legitimate ability to use the data they collect from users without being compelled to share it with their rivals;
- The creation of “data pools” and a “data exchange infrastructure” for certain strategic sectors (industrial, Green Deal, mobility, health, finance, energy, agriculture, public administration, skills) (2021–2027);
- An EU regulatory cloud rulebook, to consolidate existing cloud codes of conduct and certifications and create common European standards and requirements (Q2 2022); and
- A cloud services marketplace, with requirements in data protection, security, data portability, energy efficiency, market practice, and transparent and fair contract conditions (Q 4 2022).
In addition to the specific proposals outlined in the Communication, the Commission is also expected to publish a Digital Services Act package later this year, following a commitment in Ursula von der Leyen’s political guidelines to upgrade the EU’s liability and safety rules for digital platforms, services, and products.
The White Paper
The White Paper focuses on the “technology that works for people” strand of the Commission’s Digital Strategy. Unlike the Communication, it does not set out a roadmap of key actions, nor does it list potential, upcoming legislation. Rather, it seeks to draw out the contour of the policy discussion around AI, and presents a potential framework for AI “based on excellence and trust.”
The White Paper nonetheless adopts the same format as the Communication in that it seeks to identify areas of concern, and proposes initial ideas as to possible solutions.
In the first part of the Paper, the Commission identifies two sets of risks associated with AI: First, the impact that AI could have on European consumers’ fundamental rights (most notably, personal data and privacy protection, and non- discrimination). Second, that certain new safety risks for users may not be captured by the existing EU and national liability regimes (on the basis that flaws in the design of AI technology, problems with the availability or quality of data, or other problems stemming from machine leaning, create or aggravate certain safety risks without legal certainty as to liability).
The White Paper then sets out an initial approach for dealing with these concerns. This approach, similar to that in the Communication, is articulated around four key pillars: the amendment of existing European legislation to account for new AI-based products and services (and most notably product safety regulation and the underlying concepts of risks and safety), the creation of a standards and labelling system in order to build trust, the establishment of a European governance structure, and the creation of a new European regulatory framework for AI.
In relation to this potential new regulatory framework, in particular, the White Paper advocates a risk assessment approach, in order to limit regulation to “high risk” AI applications. The Commission then suggests two cumulative criteria to identify such applications.
First, the AI application is employed in a sector where, “given the characteristics of the activities typically undertaken, significant risks can be expected to occur.” The at-risk sectors identified by way of example in the Paper are healthcare, transport, energy, and parts of the public sector (asylum, migration, border controls, judiciary, social security, and employment services).
Second, the AI application is used in a manner that means that “significant risks are likely to arise,” based on the impact on the affected parties. The White Paper provides examples suggestive of a relatively high threshold, namely AI applications with legal or similar effects on rights of an individual or company, risks of injury, death, or significant material or immaterial damage.
In addition, the Commission also suggests applying a stand-alone two-stage test to capture “exceptional instances where, due to the risks at stake, the use of AI applications for certain purposes is to be considered as a high risk as such.” The only examples the Paper includes under this per se category are recruitment processes and use cases impacting workers’ rights, and remote biometric identification and other intrusive surveillance technologies.
The Commission’s plans outlined in the White Paper envision this regulatory framework impacting both the design stage and the point of sale.
- At the design stage, the Commission suggests regulating training data (with requirements to use sufficiently broad, representative datasets and keep records of such datasets, their use to train AI systems, and how they were selected), while also requiring the use of operational constraints to guarantee human oversight (whether it be to validate a system, or to review or intervene in AI-generated decisions).
- The White Paper then suggests requirements to demonstrate a certain level of robustness and accuracy, as well as transparency measures to ensure that clear information on AI systems’ capabilities and limitations is provided at the point of sale, and that citizens are informed when interacting with an AI
The tech sector at the intersection of competition and regulation tools
These two announcements provide an initial insight into how the Commission proposes to develop the Digital Strategy into concrete initiatives. They showcase the Commission’s work in identifying problem statements with respect to both data and AI. The announcements also outline initial ideas to alleviate the perceived concerns. These suggestions nonetheless remain initial, particularly with respect to AI.
The Commission will likely need to engage in the difficult trade-offs inherent in forcing access to data and creating new oversight in a burgeoning fast-moving area such as AI. In a context where the Commission already deplores the lack of European players in these sectors, obtaining the correct balance will be critical in not fettering future growth. The Commission’s request for input is therefore a welcome opportunity for industry participants to help shape these initiatives.
 Communication, p.12.
 Ibid., p.15.
 Ibid., p.20.
 Ibid., p.21.
 As the Communication pre-dated the Covid-19 pandemic, it seems likely these timeframes will slip.
 Communication, p.18.
 Ibid., p.12.
 Ibid., p.13.
 Ibid., p.13.
 Ibid., p.26.
 Ibid., p.18.
 Ibid., p.19.