A Novel, European Act of Data Governance

The European Commission is proposing the world’s most ambitious data governance architecture — but it still ignores familiar, fundamental problems.

December 15, 2020
Margarethe Vestager speaks during a press conference on the Data Governance Act on November 25, 2020. (Reuters/Martin Bertrand)

The European Commission’s recently proposed Data Governance Act is — as it urges in its own preamble — “a novel, ‘European’ approach.” The act is sophisticated and proposes a number of leading-edge, technocratic policy architectures for achieving its stated aim — which is restoring Europeans’ trust in data systems. And, at the same time, it focuses primarily on commercial rights, securing markets while leaving member states to manage the political and social fall-out. Counter-intuitively, the social impacts of large concentrations of commercial and political power, exerted through data and digital service markets, are often at the root of public mistrust. The market-first, figure out the social impacts later approach is, indeed, uniquely European — and is on full display in the Union’s political fragmentation, from the fallout surrounding Brexit, to the human rights tensions with Hungary and Poland, among others. The Data Governance Act is sophisticated, technocratically innovative, and very unlikely to resolve the foundational rights and infrastructure issues that build public trust and equity in digital systems.

The Data Governance Act offers a framework that leverages access to publicly held data, as an incentive to register local representatives, articulate ownership information down to the service level, and assume the types of liabilities that accompany fiduciary duties. The Data Governance Act creates explicit architecture for a range of absolutely critical digital rights infrastructure: purpose limitations in data licences (including for derivative metadata), the ability to assign consent for some digital rights (a critical element of building any kind of pluralistic system) and the introduction of “best interests of the rights holder” duties for organizations that broker public data. Importantly, the local registration requirements for service providers also find a way to interject a pathway to accountability without upending existing markets. The Data Governance Act lays bold foundations in a few critical areas and, importantly, is likely to positively influence a number of other jurisdictions.

Beyond European novelty, however, the Data Governance Act elides a lot of the harder challenges in data governance and recycles a lot of the thinking that created the distrust in the first place. The reasons that people don’t trust data systems are rarely because their commercial rights are imperfectly enforced, and registries for “altruists” wanting access to continental data, while important, are woefully insufficient to adjudicate the issues likely to arise. The underlying implication of the Data Governance Act is that maybe, if we make data exchanges bigger, we will finally realize the value (or is it altruism?) that digital capitalism has been hiding all along. As if to make the point, the Data Governance Act also reifies established, obviously problematic data policy models, such as “personal” and “non-personal” data categorizations, anonymization as a privacy protection, and consent. Each of these frameworks has contributed to the current state of public trust in data. It’s against that backdrop — one of waning trust and politicized enforcement — that the Data Governance Act suggests focusing investment on a continental data exchange. The approach is something like trying to extinguish a fire with gasoline and, ultimately, it ignores, nationalizes, and/or relies on the market to adjudicate the political consequences of the increased data sharing it aspires to achieve. This type of broad market integration, like financial globalization, places heavy and uneven strain on domestic institutions, which can become a source of significant instability and delegitimization. Indeed, this is a very “novel, ‘European’ approach” to policy, and that’s what it looks like, with a particular application to data and digital rights. 

That said, the Data Governance Act is something all too rare in the modern policy environment — a negotiated, multi-stakeholder act of binding data governance. That, alone, is quite a victory for the foundations of international data governance.

A Backdrop on Enforcement

First things first, it’s worth remembering Europe’s geopolitical context; it’s a large, primarily consumer, market for data and technology. While being closest to the capital has historically made it easier for governments to regulate market access, the European Union has led the world in new regulation (notably, Council of Europe’s Convention 108+ and the General Data Protection Regulation, or GDPR) and successfully levied record-setting fines, but it has failed to command much audience when it comes to trying to change foreign companies’ behaviour. While the European Union has been aggressive in creating rights for its residents, it hasn’t been as successful at enforcing judgments that go beyond assessing fines and compelling, elaborate workarounds.

While there are lots of theories about why European authorities don’t have the same sway as others, there’s a growing (and growingly rare) transatlantic consensus that one answer comes down to company size. In the United States — the country some of the more problematic tech giants call home — the government is focused on managing markets through antitrust regulation, which includes the possibility of breaking companies apart. This provides one explanation for the number of announcements of backend consolidation across major tech products: for example, last year’s announcement of Nest and Google Home’s merger into Google Nest, and this year’s more recent announcement about integrating WhatsApp’s and Facebook Messenger’s infrastructures. While European and American approaches may agree on the problem, there are major differences between their enforcement authorities — and there’s very little to suggest that American antitrust actions factor in international interests in any meaningful way.

The European Union’s approach, to date, has relied largely on the patchwork of national enforcement of the GDPR and the gradual adoption of data protection officers; these efforts are only the first baby steps toward the significant change management projects that are necessary to support meaningful digital rights. It is true that the European Union is leading the world in envisioning digital rights, and it is also true that the rights’ implementation work has barely begun. That is the backdrop against which the Data Governance Act arrives.

Caught in the Act

The European Commission’s proposed Data Governance Act is an impressive assertion of continental market power, carefully pre-empting both national and global mechanisms for similar market regulations. At its core, the Data Governance Act attaches contextual liability to data use by requiring local registration for data intermediaries and, interestingly, by imposing fiduciary duties. The fiduciary duties are themselves legally unique in a number of European legal contexts, and nascent — albeit growing — in the Union’s mainstay economies. While both of those measures are interesting and progressive data rights architecture, they are offset by the fundamental intent of the act, which is to amplify data exchange while nationalizing and commercializing fundamental human rights protections.

The Data Governance Act prioritizes data transfer over the effective administration of data subjects’ rights, meaning that the priority is to increase trust in the system by increasing practice and documenting association — not, necessarily, by increasing the protections required to run the system. While this opens the door to privatized markets around enforcement, these are only a subset of the rights necessary to protect people from the exchanges proposed. Perhaps more telling, the Data Governance Act defines the rights implicated in high-volume, continental data sharing through data protection and commercial interests, without meaningfully acknowledging or addressing the significant bases of more political and contested rights. The Data Governance Act gives more direct reference to “the underutilisation of such data” (preamble, para. 5) than to articulating conditions that realistically support public participation or accountability in data systems. The Data Governance Act makes the mistake of presuming that the harms of data exchange can be contained, resolved or remunerated through data management systems.

International law is often deferential to domestic legal approaches and, as a result, is silent or unspecific on critical areas — and the Data Governance Act is similarly quiet on what constitutes valid claims to data rights. The Data Governance Act is explicit about the primacy of commercial and data protection rights, listing them as the specific bases for this proposal, but without any facility for managing their conflict. This is especially acute, considering the number of headline-creating conflicts between data policies and political rights, among many others. When, for example, participation in data systems becomes a requirement for accessing other rights, like the ability to move or access public services, it creates two conflicting imperatives and introduces significant inequalities. If this conflict seems hypothetical, consider that at least one member of the European Union is experimenting with immunity passports, which will have to equate data across a range of immunity types and sources, vaccine type and administering health system — among many others. And, in the United States, the White House is already being accused of extortion by state officials, for making COVID-19 vaccine access contingent on participation in a national patient registry.

Even countries with aggressive regulators and clear leverage over technology companies have struggled with political influence, often with both sides of the ideological spectrum complaining of bias and mistreatment. Even more concerning than the performative approach to data governance is the stark reality that regulators ultimately address only a small percentage of the total number of claims made, and an even smaller percentage of claims that should be made. That is, of course, what the Data Governance Act is trying to fix, but it does so without the kinds of clarity or investment in public adjudication infrastructure that could credibly address the volume of issues created.

That is an all-too-predictable stance from a piece of EU data regulation, unfortunately, but it may be the only one available to data and technology importer markets. It does, however, fall prey to five of the classic data governance blunders. In no particular order:

Data “management” is not governance. The Data Governance Act is explicit about reliance on local institutions and rights to adjudicate the issues that arise out of, but are not covered by, the act. Approaches to data governance that focus on data management over participatory governance externalize the responsibility for peacefully resolving the political complexity they create, often in ways that overwhelm and delegitimize local institutions.

Data rights are based on categories. To put it bluntly, personal data is not a term that means anything. Almost all data can, in combination with other data, be used to re-identify an individual in a context. More concerning, it’s inherently flawed to base a person’s rights in a digital ecosystem on their data’s potential for use, not only because that potential is unknowable, but because it changes all the time. The Data Governance Act’s resurrection of data categorizations perpetuates the dangerous fiction of their adequacy and places it at the centre of commercial data rights enforcement.

It is risky to build on definitional quicksand. There are a lot of terms in the Data Governance Act, from what “data use” means, to how to adjudicate “altruism,” to what constitutes public data exchange that doesn’t infringe on commercial rights, that hide complexity and increase the likelihood of political conflict. On the latter, for example, there are a number of actors and industries focused explicitly on using intellectual property rights to enclose historically public spaces. While the Data Governance Act aims to harmonize practice through the constructive advocacy of the European Data Innovation Board, it does so seemingly without native authority. Without stronger conceptual foundations, or at least mechanisms to govern the inevitable political disputes over interpretation, the Data Governance Act risks significant unintended consequences.

Accountability is determined through registration. Clear, transparent supply chains around data use are critical, but do very little to meaningfully curb the international data sharing abuses executed through jurisdictional arbitrage. The Data Governance Act addresses this in two ways: first, it requires local registration for providers’ data services (although it’s not clear what assets or liabilities that registrant is required to hold, to be accountable to national law). And second, it creates a complaint-based challenge system as a component of each country’s national registry of altruistic data users. The approach is an elegant way to approach localization through intermediation, but, like most European data rights enforcement, it is also exceptionally limited compared to the potential for abuse.

It embeds norm-based fragility. The Data Governance Act relies on the multi-stakeholder, representative nature of the European Data Innovation Board to exert soft power as a way to encourage the evolution and adoption of best practices. Essentially, the Data Governance Act is relying on soft power and, perhaps, norms to ensure cohesive practice between actors’ interpretations of data rights. This has proven to be a risky approach in international institutional design.

The Data Governance Act is a proposal, not an act meant to absolve the entirety of European data legislation, and so it’s important to recognize the reasonable limitations of what it can accomplish. The European Union is, after all, a trade union. Within those limits, the Data Governance Act is impressively sophisticated and explicitly creates the foundations for a narrow and interesting set of legal and digital architectures. Riddling those foundations, however, is a significant dependence on domestic institutions and markets. And that dependence is the source of a lot of mistrust in governance, data or otherwise.

The Access-to-Justice Gap in Data Governance

The fundamental assertion, and flaw, at the centre of this approach is philosophical — that EU member states have institutions capable of adjudicating, or supporting markets designed to adjudicate, the issues that emerge from substantially increasing data exchange. As the Data Governance Act states: “Companies and data subjects should be able to trust that the re-use of certain categories of protected data, which are held by the public sector, will take place in a manner that respects their rights and interests” (preamble, para. 14).

The obvious problem is that those groups are large, and their interests often conflict or are competitive with each other. And that conflict gives rise to a huge diversity of disputes. For most people, court systems aren’t an accessible or practical way to solve problems. For a sense of scale, the World Justice Project estimates that 5.1 billion people have significant, unmet legal needs – which is roughly the same number of people with access to the Internet. The gap in service design between justice systems and the kind of disputes that populations face is the subject of significant scholarship and, more importantly, leads to further large gaps in the ways that people are able to peacefully resolve their disputes.

The Data Governance Act doesn’t explicitly mention the expected impact on member state courts or public institutions; instead, it focuses on supporting market infrastructure. The absence of access to justice or additional rights protections suggests that most European authorities still believe that the best way to realize digital rights is the market, not, ironically, governance. In paragraph 15, while describing the conditions for future adequacy for third-party countries, the European Commission authors tip their hand: “The existence of effective legal remedies for data holders, public sector bodies or data sharing providers in the third country concerned is of particular importance in the context of the transfer of non-personal data to that third country. Such safeguards should therefore include the availability of enforceable rights and of effective legal remedies.”

It’s not exactly clear how many members of the European Union could be said to meet this standard. The EU’s approach is world-leading and aspirational, but divorced from institutional reality to a degree that evokes willful negligence. The dirty “secret” of most modern public rights protection systems is that they fail to operationally reach or represent most people, and, more often than not, get instrumentalized in service of commercial interests and power consolidation. As the World Justice Project’s Rule of Law Index demonstrates, less and less of the world has meaningful access to justice, especially in the protection of their fundamental freedoms. Whether you’re looking at analogue or digital rights, the European Union’s justice systems are, at best, uneven. And, as the United Kingdom’s struggles with EU adequacy for data transfers suggest (post-Brexit), a lot of EU member states may not live up to the standard they’re trying to project when it comes to enforcing digital rights, either.

The Data Governance Act helpfully mandates that public bodies need the infrastructure to be able to ensure data rights holders’ interests, but at approximately that level of detail, which is challenging from a proposal so likely to create burdens for domestic policy and dispute resolution institutions. The Data Governance Act goes on to explicitly create a “right to judicial remedy,” but, as described above, saying it does not necessarily make it so. The proposal also gives data rights holders the ability to challenge an organization’s place in the nationally maintained registry of data altruism organizations, but this is unlikely to meaningfully protect a subject’s rights. The text, essentially, leaves standards of implementation open-ended, while focusing significant attention on the means by which more data should be exchanged.

The Data Governance Act takes this approach one step further, raising the prospect of “fiduciary duties” twice in the preamble, but ultimately offering fiduciary-ish abstractions, like duties for transparency and to the “best interest of rights holders” standard. As noted by scholar Julie Cohen, fiduciary duties, like any approach to building trust, often scale badly, especially when applied to subjective abstractions like “public” or “general” or “altruistic” interest. Similarly, the Data Governance Act’s focus on commercial rights suggests that data intermediaries should be using the commercial rights created by public data sets in the best interests of the public, which is at best convoluted and, more likely, self-defeating. Beyond raising concerns about creating an inherently uneven distribution of the value of public data, most European member states practise civil law and don’t have a tradition of fiduciary duties — let alone the norms or institutions to interpret their exercise in digital ecosystems. Said a slightly different way, while it inevitably sounds nitpicky, fiduciary relationships are like directions — they work narrowly, when well-articulated, with a specific destination in mind — and this approach to data fiduciaries has a lot of clarifying to get there.

Consultation as Conclusion

The European Commission is currently accepting comments on the Data Governance Act proposal, and you should contribute. This proposal is, at the very least, a clear signal that the European Commission is ready to build market infrastructure around meaningful data governance, and that devolved, localized accountability is, for the first time, practical and on the table. That accountability, here, is constructively tied to specificity, limitation and ongoing access to the proposed data ecosystem. The digital rights community should celebrate the language of proportionality, implementable assignment of commercial data rights, and fiduciary duties, however broadly stated, as they portend the potential for contextual, collective and relational approaches to data rights — which is extraordinarily exciting.

Ultimately, the Data Governance Act proposal is reminiscent of a passage by Evgeny Morozov in his review of Shoshana Zuboff’s Surveillance Capitalism, entitled “Capitalism’s New Clothes”: “This analytical error has also led many clever, well-intentioned people to insist that Silicon Valley should — and could — repent. To insist, as these critics do, that Google should start protecting our privacy is, for Zuboff, ‘like asking Henry Ford to make each Model T by hand or asking a giraffe to shorten its neck.’”

The problem, as Morozov goes on to say, is not that surveillance is changing capitalism, but that it is a manifestation and a requirement of it. The biggest challenge of data governance isn’t convincing the public to trust data systems but the difficult, structural work of designing systems that reliably and continuously earn trust as they undergo digital transformation. The Data Governance Act lays the foundation for a lot of promising architecture, but it does so rooted in commercial rights and dependent on member states’ already overwhelmed justice institutions. The Data Governance Act also creates a pathway for private markets to intervene, both in internationally commercializing publicly held data and in enforcing commercial data rights. The proposal’s deference to national practice on issues of political and social importance, however, overlooks the significant increase in need for governance, and does not seriously address ways to support the fundamental, non-commercial rights and adjudication requirements likely to arise. Said a different way, data governance proposals that rely on legal systems but don’t credibly address access to justice issues are just “governance’s new clothes.”

The Data Governance Act proposal is novel and uniquely European — it is prone to commercial exploitation, weaponized ambiguity and aspiration verging on willful negligence — and it is the most ambitious and realized act of its kind in the world.

About the Author

Sean Martin McDonald is a CIGI senior fellow and the co-founder of Digital Public, which builds legal trusts to protect and govern digital assets.