Opinion of the European Economic and Social Committee on ‘Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions – A European strategy for data’

(COM(2020) 66 final)

(2020/C 429/38)

Rapporteur:

Antonio GARCÍA DEL RIEGO

Referral	European Commission, 22.4.2020
Legal basis	Article 304 of the Treaty on the Functioning of the European Union
Committee Bureau decision	18.2.2020
Section responsible	Transport, Energy, Infrastructure and the Information Society
Adopted in section	23.7.2020
Adopted at plenary	18.9.2020
Plenary session No	554
Outcome of vote (for/against/abstentions)	216/0/2

1.   Conclusions and recommendations

1.1.

The EESC welcomes the Commission's proposal for a Data Strategy that sets cross-sectoral data sharing as a priority and to improve the use, sharing, access and governance of data with legislative, sector-specific action. An ambitious Data Strategy can address the critical need to enhance EU data capabilities.

1.2.

The EESC endorses the Commission's proposal for the overall design of EU data architecture to further enforce individuals' rights regarding the use of their data, the protection of and their control over their data, as well as their awareness, and to empower them through ‘personal data spaces’, with clearer safeguards and the enhancement of the portability right for individuals under Article 20 of the GDPR (1).

1.3.

The EESC calls on the Commission to deploy a clearer strategy to advance its data framework. It should be built to combine high standards of data protection, cross-sectoral and responsible data sharing, clear criteria for sector-specific governance and data quality, and greater control of data by individuals. The EESC also proposes further clarification of the Strategy's funding approach and recommends ways to close the skills gap.

1.4.

The EESC is of the view that the development of data-driven platforms in Europe should reflect European values, including by focusing on individuals. The EESC believes that the current consumer-centric approach should extend to a ‘human-in-command’ approach that integrates an ethical dimension with respect to the use of data.

1.5.

The EESC regrets that two years after it came into force, the GDPR is not properly enforced and discrepancies remain. The Commission should solve these issues, including by incentivising Member States, to ensure all individuals across the EU can fully benefit from their rights.

1.6.

The EESC is of the view that the completion of the single market is an essential priority for common data spaces to work.

1.7.

Given the sensitivity of the data shared, the EESC insists on the need to guarantee safeguards to individuals' data privacy through consent, control, sanction and oversight mechanisms, and to ensure that data will be anonymised (and cannot be de-anonymised).

1.8.

The EESC recommends that the Commission define in the Strategy the option it recommends for the concept of data ownership. The ongoing legal debates currently create uncertainty for individuals to identify which demands they can raise.

1.9.

The EESC advocates for stronger dialogue with civil society and recalls the need to provide SMEs with clearer guidance on data sharing mechanisms, as both aspects will be key to broad participation in data spaces.

1.10.

The EESC reiterates that a single market for data should ensure personal data is not subject to the same rules governing goods and services, i.e. does not gradually come to be seen as non-personal data (2).

1.11.

The Commission should ensure that the legal framework enables equal access to data among all companies, large and small, and addresses the market power of dominant platforms. Overall, the Commission should come up with a much clearer and concrete proposal regarding the controls and governance of data spaces, including how stakeholders will share data.

1.12.

The EESC underlines that it is essential to address the impact of personalised products on individuals (such as discrimination) and of data sharing on companies. The framework should uphold high security standards and intellectual property rights. Inferred data should be protected and not subject to mandatory access and transfer.

1.13.

The EESC insists on the urgent need to improve digital skills and literacy through education and training, including by building on the Digital Competence Framework and encouraging Member States to improve lifelong education for the skills that will be most in demand, at all levels of education (3). This is what will ensure that individuals become data-savvy actors, with greater awareness of and control over their data, big data applications and data governance, and understand their digital environment and its risks (e.g. personalisation) (4).

1.14.

The EESC invites the Commission to clarify and strengthen the role of competent authorities, consumer organisations and independent bodies, which is relevant in the governance of sectoral initiatives and to ensure business compliance and user guidance, advice and training.

2.   General comments: The right strategy for data

2.1.

The EESC concurs with the Commission's emphasis on data, key to individuals' lives and business activity. Digitalisation and technological improvements have increased the scope and frequency of data generated, and facilitated data storing, processing, analysis and transfer. Data-driven services enhance customer convenience and address their expectations, and improve existing industrial processes.

2.2.

The EESC agrees that data-driven innovation is a critical driver of European economic growth and competitiveness, and that its role is constrained by the lack of availability of industrial and user-level data for the EU. The EESC agrees with the Commission's proposal to address this and improve cross-sectoral data use, sharing and access through common data spaces in strict compliance with GDPR standards, with a shared set of technical and legal rules and standards and through complementary measures.

2.3.

The EESC believes that the Data Strategy will be key to supporting the EU's technological sovereignty to guarantee safe and secure data sharing and access, to strengthen Europeans' control over their data, and unlock benefits for individuals and firms.

2.4.

The EESC agrees that a sector-specific approach to data access is the most appropriate to target specific solutions that can tackle each sector's specificities and market failures while ensuring the strongest safeguards for consumer protection (5).

2.5.

The EESC shares the Commission's concerns that the EU's ability to leverage and share data is constrained by information systems' significant interoperability issues. The COVID-19 crisis demonstrated the need for and usefulness of a complete data ecosystem, as data is not limited to the boundaries of specific sectors, including to develop solutions for individuals’ safety (e.g. geolocalisation and health data) and to avoid silos. In healthcare, researchers could use data of public health importance collected by various sectors to accelerate drug development and better understand diseases.

2.6.

The EESC agrees that data-driven innovation is constrained by a skills gap, a lack of data-literate workers in the EU and low digital literacy. The EESC welcomes the Strategy's aim to create ‘a common European skills data space’ and the forthcoming update of the Commission's Digital Education Action Plan.

3.   Advancing the EU data framework: General comments

Regarding the further development of the EU data framework, the EESC points out the essential issue of ethics. The study Ethics of Big Data (6), commissioned by the EESC in 2016, addresses this issue, taking into account an individual's need for privacy and self-determination, from several angles: awareness, control, trust, ownership, surveillance and security, digital identity, tailored reality, de-anonymisation, digital divide and privacy. The EESC recommends considering these as guiding principles for any policies.

3.1.   Data protection standards

3.1.1.

The EESC calls on the Commission to stress that data should remain under individuals' control, as data collection and sharing have implications for their privacy and equality. Cross-sectoral data use allows firms to feed and improve their existing processes, deliver insights more effectively, and provide consumers with new, personalised products and experiences. In particular, user-level data provides insights into intrinsic traits, needs and behaviours not captured by anonymised data and with positive spillover effects well beyond the sector in which the data was originally generated. In the financial sector for instance, cross-sector data sharing could improve risk analysis and cash flow prediction, address fraud detection, and enhance the ability of individuals to manage over-indebtedness, foster financial inclusion and financial education. However, personalisation can lead to risks for vulnerable consumers, such as discrimination, abuse and manipulation.

3.1.2.

The Commission should address the insufficient and fragmented implementation of GDPR, diverging legal interpretation, and lack of resources of DPAs. The GDPR, drafted in 2012, voted on in 2016 and enacted in 2018, is not fit to address the proposed framework. The EESC recommends that the Commission update the GDPR appropriately and carry out impact assessments, as it needs to work hand in hand with the new approach of common data spaces. The EESC also calls on the Commission to tackle the limitations of data portability rights in the GDPR. These were developed when switching services would only happen once, while today data is being reused multiple times and is useful in real time.

3.1.3.

Even though the EESC believes the tools proposed could help individuals decide ‘what is done with their data’ (7), in order to decrease legal uncertainty, the Commission should define in the Strategy the option it recommends for the concept of data ownership, to clarify in general who owns the data and, for example, what it is and what happens to this data in cases when it is generated by IoT home appliances.

3.1.3.1.

There is a difference, and it should be made clear, between data rights for individuals and data ownership.

3.1.4.

Given that providing data to receive free services amounts to a form of payment, the EESC calls on the Commission to state which text or criteria it is referring to when it invokes ‘public interest’, and to say what its purpose is in this area. The Committee also recommends that the Commission provide a definition of data donation without direct reward (or ‘data altruism’) and that it ensure appropriate measures to prevent data collectors from failing to uphold their obligations.

3.2.   Responsible framework of data sharing

3.2.1.

The Commission should clarify how it intends to provide guidance to individuals, so they understand how ‘personal data spaces’ work. Without this awareness, the right of individuals to have access to these spaces will be meaningless, and enforcement of the proposal will lack efficiency and undermine the goals the Strategy means to further.

3.2.2.

The EU recognised the need for a sharing right and established practical mechanisms in particular sectoral initiatives, such as for data processing service providers (FFDR (8)) and data held in payment accounts (PSD2 (9)). But, except for a few particular cases, individuals (data users, consumers, citizens) lack the skills, literacy and the tools to claim access to, or to easily and effectively share their personal and non-personal data.

3.2.3.

To enhance portability with ‘stricter requirements on interfaces for real-time data access,’ guarantee personal data spaces, and ensure providers act as ‘neutral brokers’ (10) the EESC refers the Commission to the use of cases for secure sharing mechanisms such as personal digital identification schemes which could be adopted by private and public organisations and expanded for accelerated cross-sectoral data sharing. e-ID applications in the financial sector such as Itsme (a mobile identity for digital transactions) provide cases of successful, mutually beneficial use, including between banks and mobile operators. They create significant value for firms (cost savings, increased sales, reduced fraud and identity theft), offer more choice, preserve user privacy, improve consumer trust, provide individuals with strong authentication measures and tools to manage their rights and exert control, and enable secure, convenient, time-efficient digital processes like onboarding.

3.2.4.

The EESC refers the Commission to the experience of PSD2 (enabling third party providers to use banks' consumer data, with their consumers' consent, to innovate) and other use cases (such as using geolocalisation data and transaction data) which can serve as an inspiration for the broader data sharing framework. Those principles should be applied equally across sectors and in a similar timeframe to guarantee a level playing field among different market participants.

3.2.5.

The EU should build on GDPR to enable cross-sector user data sharing, and replicate such existing initiatives in different sectors to facilitate secure data sharing, provide benefits to individuals and value to businesses. This should guarantee end-users the right to request that their provided (inputted, e.g. name, address) and observed personal data (e.g. geolocation) be transferred directly from one data holder to another, in a standardised way using real-time APIs (11). For example, a person could ask Spotify to provide Deezer with access to the playlists they have listened to. This would provide security to ensure GDPR privacy principles, allow users to maintain full control over the process and to leverage their data's value, and make the right to portability of personal data truly effective, dynamic, timely and transparent, while extending the same principles to certain non-personal data.

3.2.6.

Both companies and users should be able to securely share their own data independently of who has collected it, to choose and to manage who they share the data with and how the shared data is used.

3.2.7.

The system and functioning of common data spaces should have the quality level of a public register; data providers should ensure the seamless quality of the data themselves and the continuity of this infrastructure. These ‘data stewards’ should not create bottleneck effects to data sharing, but enhance it. This is key to robust, seamless data management and the availability of high quality data. The EESC finds that in the Strategy, data quality lacks emphasis and merits clarification. In addition, the EESC recommends setting up a minimum threshold of obligations to ensure quality of data and individuals' rights for all firms, regardless of their size. As data quality can be expensive and not all stakeholders can access the technologies required, these threshold criteria should be realistic for all enterprises, particularly SMEs: they may face difficulties in complying with these criteria due to limited resources and should be supported, so that no excessive costs are imposed on them (12).

3.2.8.

Data-driven platforms are the most highly valued firms because of their strategic importance within digital markets and their oligopolistic control of specific datasets. But the limited availability of data to EU firms limits the extent to which they can leverage data to power innovation. The winner-takes-all focus which characterises digital markets means that a few large firms sit at the crossroads of online data flows which provide them with information unavailable to other providers. Even where data assets are more widely distributed, they are rarely available across industry boundaries, reducing innovation opportunities for cross-sectoral innovation by industry and other entities. As no platform is obliged to build a data pool, end-users are unable to combine and aggregate the data they generate across industries. The EESC urges the Commission to look at how to improve their control of data by business users and individuals tackling systemic platforms (Big Tech) as a priority. The EESC also suggests the creation of an EU-backed platform that centralises and aggregates all of EU public data available on the market of companies that request the service.

3.3.   Governance of Data Spaces

3.3.1.

The EESC proposes the following criteria to govern sectoral data spaces. First, intervention in the form of data access should aim to tackle market failures leading to higher consumer prices, less consumer choice and less innovation. Second, data access must foster the development of consumer-centric innovation. Third, operators handling personal data should be held to high data safety and security standards. Fourth, individuals should be offered technical solutions for control and management of personal information flows. Fifth, individuals should be allowed to object to the sharing of their personal data and have access to redress when principles are not respected (the EESC supports the principle of ‘human in command’).

3.3.2.

Not all data should be open or made public. Different rules should apply to B2B, B2C, B2G or Me2B data. Inferred data should be protected and its access and transfer should not be mandated.

3.3.3.

Data sharing across data spaces will involve mixed datasets (personal and non-personal data) e.g. in the healthcare and financial spaces. The collection and use of sensitive and personal data for surveillance or localisation purposes should require individual consent. Safeguards should ensure the combination of personal data points (e.g. financial and health information) does not lead to lock-in, abuse or discriminatory effects, for instance on individuals' access to employment.

3.3.4.

Stakeholders (companies and individuals) lack access to and knowledge of the identification, authentication and authorisation mechanisms that enable privacy-protective transfers of data, particularly in healthcare, which hinders data sharing. The EESC recommends the use and implementation of a common healthcare dataset similar to the European Single Electronic Format (ESEF).

3.3.5.

There should be conditions for access to data for R&D by third parties. For instance, if healthcare researchers and municipality departments use free data, this should be governed by the GDPR.

3.3.6.

The EESC underlines that as not all companies are digitalised (i.e., in traditional industries, and many of Europe's SMEs), and not all companies get to reap the value of data, which means the level playing field is affected in the single market. Voluntary data sharing is a good, but insufficient tool to ensure equal access to data. The Commission should address this lack of balance between digitalised and non-digitalised companies, and between large and small companies. The EU's SME Strategy and the Industrial Strategy are a good place to start.

3.3.7.

The EESC underlines that despite the EU's progress towards convergence, its single digital market is still far from homogeneous: its rules remain fragmented. This makes it difficult and ineffective for companies to scale and compete against their US and Chinese counterparts, who are governed by a truly single regulatory framework and buy out their EU rivals, as seen with Skype and Booking.com. EU startups' founders eventually relocate to the US or more business-friendly markets to benefit from larger single markets and superior venture capital. To be efficient, a common infrastructure supporting data spaces should also reflect the multilingual characteristic of the single market (13).

3.4.   Funding

3.4.1.

The Strategy tables EUR 4-6 billion of funding, in which both EU Member States and industry are expected to co-invest. The Commission should clarify how it aims to mobilise funding, establish clear criteria to ensure and evaluate its fair allocation.

3.4.2.

To secure sufficient private investment and the continuity of existing services provided to many EU businesses, the EESC considers it essential to preserve foreign providers' participation in the project (in compliance with EU rules). Public funding such as through Horizon Europe and Digital Europe is also key. But the EU budget will be subject to budgetary priority in light of the recovery, and has been reduced compared to the Commission’s first proposal put forward in May. Notably, while the overall funding allocation to Europe's key strategic digital capacities has increased compared to the previous multi-annual financial framework, the Digital Europe programme's budget was reduced from EUR 8,2 billion to EUR 6,76 billion.

3.5.   Closing the skills gap

3.5.1.

The economic crisis may lead to modifications in the hierarchy of jobs deemed useful for the community, but will likely not reduce the need for technical skills. Automation can lead to job and task redefinitions (requiring more soft skills) and rather than mass unemployment, to mass redeployment of occupations (14).

3.5.2.

For big data jobs, the following skills seem to be the most in demand (15): analytical skills, data visualisation, familiarity with business domain and big data tools, programming, problem-solving, Structured Query Language (SQL), data mining, familiarity with technologies, public cloud and hybrid clouds, and hands-on experience. Some of these can be taught in schools, some need to be acquired and developed throughout life, in a ‘life-long and life-wide’ approach, via continuous, non-formal and informal learning (16).

3.5.3.

To seize this opportunity, as education remains a national competence, the EESC invites the Commission to encourage Member States to enact stronger policies enhancing digital literacy, addressing the data skills gap and its concentration to tackle inequalities across the EU, and reducing loss of knowhow.

3.5.4.

The EU should rewire training and education programmes in depth. All too often, STEM (17) subjects are not sufficiently integrated in curriculums across education levels. This particularly impacts women, which the Commission fails to emphasise despite its President's recommendations on gender equality (18). In this area, the EESC considers the Digital Competence Framework for citizens (19) a useful tool which should be more widely promoted and implemented. We invite the Commission to encourage Member States to proactively launch and accelerate initiatives within this framework.

3.5.5.

The EESC suggests the Commission strengthen the role of consumer organisations, relevant for the provision of user training, education, and independent advice regarding the tools individuals can use (e.g. to get information about the use and sharing of data, who has their data, how to appeal and put forward a complaint). To enhance digital literacy, initiatives like Finland's online course ‘Elements of AI’ (now accessible for all, for free, in every EU language) could be expanded to diverse educational modules.

---

(1)  https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf, p. 20.

(2)  OJ C 14, 15.1.2020, p. 122

(3)  See footnote 2.

(4)  Although they are increasingly aware of their rights, it remains difficult for them to find out how their data is used and shared across organisations: 81 % of Europeans feel they have no or partial control over it. See Eurobarometer (June 2019), https://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/survey/getsurveydetail/instruments/special/surveyky/2222

(5)  See https://ec.europa.eu/info/sites/info/files/communication-europe-moment-repair-prepare-next-generation.pdf (pages 9 and 10).

(6)  See EESC Study The ethics of Big Data: Balancing economic benefits and ethical questions of Big Data in the EU policy context (2017).

(7)  Tools such as ‘consent management tools, personal information management apps, including fully decentralised solutions’ are the right instruments. https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf, p. 10.

(8)  Free Flow of Data Regulation: https://ec.europa.eu/knowledge4policy/publication/regulation-free-flow-non-personal-data_en

(9)  The Second Payment Services Directive: https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en

(10)  https://ec.europa.eu/info/sites/info/files/communication-european-strategy-data-19feb2020_en.pdf, p. 20

(11)  OJ C 62, 15.2.2019, p. 238.

(12)  See footnote 11.

(13)  OJ C 75, 10.3.2017, p. 119.

(14)  For every job lost in the future as a result of digitisation, 3,7 new jobs could be created. See https://www.agoria.be/en/Agoria-Without-a-suitable-policy-there-will-be-584-000-unfilled-vacancies-in-2030. https://newsroom.ibm.com/2019-10-30-MIT-IBM-Watson-AI-Lab-Releases-Groundbreaking-Research-on-AI-and-the-Future-of-Work; See EESC opinions TEN/705 (see page 77 of this Official Journal), OJ C 13, 15.1.2016, p. 161.

(15)  Utkarsh Singh, Top 10 In-Demand Big Data Skills To Land ‘Big’ Data Jobs in 2020 (upGrad blog, December 24, 2019), https://www.upgrad.com/blog/big-data-skills/

(16)  See footnote 2.

(17)  Science, technology, engineering, and mathematics.

(18)  EESC Opinion TEN/705 (see page 77 of this Official Journal).

(19)  EU Science Hub, DigComp: Digital Competence Framework for Citizens (European Commission), https://ec.europa.eu/jrc/en/digcomp