Faculty of law blogs / UNIVERSITY OF OXFORD

The EU’s Data Strategy: Can Regulation Create Different Kinds of (Data) Markets?

Author(s)

Teodora Groza
PhD student, Sciences Po Law School
Beatriz Botero Arcila
Assistant Professor, Sciences Po Law School


The European Union’s Data Strategy, published in 2020, aspires to turn Europe into ‘a leading role model for a society empowered by data to make better decisions—in business and the public sector.’ The two main regulatory elements of the strategy are the Data Governance Act (‘DGA’), proposed in 2020, and the Data Act (‘DA’), proposed in 2022. Both acts share the ambition of creating a single market of data by making more data available and fostering data exchanges. 

This signals a turn in the EU’s data governance approach. Up until the publication of the Data Strategy in 2020, the emphasis of EU institutions was almost exclusively on the protection of data subjects’ privacy rights. But the EU’s new strategy of bolstering data exchanges and data markets may be driven by a heavy dose of competitive pragmatism at a difficult time: Digital markets are dominated by mostly foreign companies with market shares up to 90%, records of antitrust infringements, and data collection practices which erode privacy and are contrary to data protection law. The Data Strategy thus seeks to reconcile the economic goal of strengthening European firms’ participation in the digital economy with European fundamental rights and values. How does the Strategy attempt to do that?

The Strategy is underpinned by the belief that a European data market does not have to share the ills—facilitating surveillance, for example—of the well documented but not regulated US data market. The DGA and the DA share a regulatory philosophy according to which adequate legal interventions can give rise to different kinds of markets, in which data can be made available for a broader range of stakeholders while still being respectful of fundamental rights. To illustrate in broad strokes the mechanics of the acts, let’s take them one by one.

The DGA, which entered into force in June 2022 and will be applicable from September 2023, aims to ‘increase trust in data sharing’ and ‘increase data availability.’ To do so, the Act creates a legal framework for ‘data intermediaries,’ third parties that will be tasked with making data accessible while ensuring it is used in ethical ways. The term encompasses all ‘services which aim to establish commercial relationships for the purposes of data sharing between [...] data subjects and data holders and data users.’ Similar services already exist in the European Union: An example is Dawex, which runs a data exchange platform. But it is unclear what legal regime they operate in. The added value of the Act is not only to create legal certainty for these services and to increase trust in using them, but also to (heavily) regulate their functioning.

Data intermediaries under the DGA will have several obligations to guarantee their trustworthiness. These go well beyond what is expected of commercial players active in other sectors: first, to enter the market, service providers have to submit a notification to the competent national authority, which includes extensive information on their legal status, ownership structure, and relevant subsidiaries. Second, they need to satisfy a number of substantive requirements. Fundamentally, data intermediation services need to be completely separated from any other line of business in which the service provider may be active. This is reflected in several requirements: 1) the data intermediation services need to be provided through a separate legal entity; 2) the data traded cannot be used for any other purposes by the service provider; 3) the meta-data collected through providing the data intermediation service can only be used for improving the intermediation service; and 4) the commercial terms offered to service recipients cannot depend on whether they use other services offered by the data intermediation service provider or by any related entity. 

Through these requirements, the DGA seeks to facilitate the emergence of data intermediaries that operate differently from contemporary big tech platforms. The vision of data intermediaries put forward by the Act is one of channels allowing the interconnection of buyers and sellers but not being allowed to extract any value from the intermediation services apart from financial compensation for providing them. This brings us back to the image of platforms that predominated until the emergence of big tech: Traditional marketplaces or trading boards which were responsible for connecting buyers and sellers but derived no additional benefit than the fee charged for providing the intermediation service. 

The DGA goes even further than demanding commercial neutrality: One of its provisions requires data intermediaries to act in the data subjects’ best interests ‘by informing, and where appropriate, advising data subjects [...] about intended data uses by data users before data subjects give consent.’ This requirement obliges service providers to act like trustees vis-a-vis data subjects, surpassing what is expected from regular commercial actors.

The DA, still a proposal at the time of writing, seeks to enhance access to data and to achieve a fairer distribution of the benefits derived from data. To do so, the Act creates mandatory obligations of data sharing, albeit limited to data generated by the use of IoT devices. The cornerstone of the DA is an obligation for producers of IoT devices to make data generated by the use of their products accessible to users easily and in real time. But this data is of little relevance to the users themselves. What gives teeth to this provision is the users’ right to request this data to be shared with interested third parties: use data represents a vital resource for SMEs seeking to offer aftermarket services for IoT devices, such as repair and maintenance. In the absence of this data, undertakings trying to compete with manufacturers for aftermarket services are placed at a competitive disadvantage.

The DA has a unique approach to data governance. First, it puts forward a vision of data as co-created by the interaction between the user and the device, as opposed to belonging exclusively to device manufacturers. Second, it seeks to transform this data into a resource for all market players, except for the very large ones: The Act prohibits undertakings providing core platform services in the meaning of the DMA from benefiting from the right of users to request their data to be shared. This limitation is unsurprising, given that these market players already have access to vast troves of data, and that one of the market failures that the DA and the Data Strategy more broadly seek to address is the existence of ‘imbalances in market power.’ Third, there is an idea that the data can only be used fairly: It cannot be leveraged for developing a product that competes with the product from which it originates.

Only time will tell whether the Data Strategy will succeed in changing the power dynamics of data-based ecosystems. However, European lawmakers should pay attention to at least two issues that remain unresolved: The relationship of the Acts with pre-existing European personal data protection rules and the high information costs of navigating the landscape of data intermediaries, especially for newcomers.

First, the DGA assumes that data subjects can give data intermediaries the right to share their data with unlimited third parties for unspecified purposes. This contrasts with the GDPR, which relies on individual consent granted to data controllers for specific purposes only. Given this tension between the two frameworks, harmonization or further clarification is required to strike a balance between data privacy and facilitating data sharing.

Then comes the question of the strategies to facilitate access to information about which data is available. Economists have shown that though digital technologies lower information costs, they do not solve the problem of information asymmetries: these may be exacerbated when the volume of data and data holders grows exponentially. The DGA requires data intermediaries to register, but this requirement prioritizes compliance rather than promoting transparency and providing adequate information to potential data providers and receivers. When it comes to the DA, as we discuss elsewhere, it’s even less clear how interested third parties can get information about which users are willing to have their data shared. Strategies must be devised to facilitate access to data about the data being made available.

Teodora Groza is a PhD student in competition law at Sciences Po Law School and Editor-in-Chief of the Stanford Computational Antitrust Journal.

Beatriz Botero Arcila is an Assistant Professor of Law at Sciences Po and an Affiliate at the Berkman Klein Center at Harvard University.
