Smart fridges collect IP addresses, location data, personal descriptions and interests, and payment information. Health apps gather sensitive medical records. Personal assistants such as Amazon’s Alexa know what questions you are asking.
Under European Commission proposals designed to free up data sharing, outsiders may gain access to such sensitive information. Critics including the EU’s own Data Protection Board worry about the risk to privacy. Increased data sharing could conflict with sector-specific rules governing industries that range from finance to transport – and, perhaps most dangerous of all, present dangers to national security.
No one doubts the good intentions behind Europe’s proposals; data sharing is the digital equivalent of Schengen free travel. Just as the 1986 Schengen Agreement allows Europeans to cross borders without showing their passports, the European Commission aims to facilitate friction-free data sharing across borders and industries. In November 2020, it proposed a Data Governance Act to ease access to public data. In December 2021, it unveiled the Digital Markets Act, requiring Big Tech gatekeepers (tech companies with a market capitalization above EUR75 billion) to share much of their data with potential competitors. And in February 2022, it moved on to the Data Act, designed to secure access to private sector industrial data, extending the danger to smart fridges, health apps, and personal assistants.
But free data sharing is proving no easier to achieve than free personal travel.
Privacy concerns are paramount in the proposed Data Act. Although the proposal is designed to apply to nonpersonal, industrial data, the distinction between ‘nonpersonal’ and ‘personal’ data is porous. Data generated by a connected toaster can be used to determine when you are eating breakfast.
Or consider healthcare. Europe aims, particularly after COVID-19, to facilitate cross-border flows of medical data. Even with the data anonymized, hackers would have an easy time gaining “full access to patients’ email accounts, messages, and reports,” according to a 2020 analysis. Hospitals or doctors could request manufacturers to share data without the consent or even knowledge of the patient.
Or take household appliances. In 2019, recordings of Google Assistant users leaked to Belgian media; the data allowed some individuals to be identified. While Google suspended manual reviews of audio snippets after the attack, personal assistants continue to collect personal data. Under the Data Act, third-party sharing would be extended, potentially making it easy for malign actors to access a wealth of sensitive information.
In addition to threatening privacy, the Data Act could endanger national security. While the law supposedly wouldn’t apply when national security is at stake, it is difficult to say what this will mean in practice. Shared data could be reverse engineered to obtain trade secrets and valuable know-how, including the designs of weapon systems or cutting-edge semiconductors. Critical infrastructure, such as power plants or telecommunication networks, represents particular risks. Increasing access to sensitive data could multiply the number of potential weak links.
A specific danger centers on the auto industry. Cars, studded with sensors and cameras, amass impressive amounts of data, journalist Justin Ling notes. Mapping companies such as TomTom or Google routinely gather data and license it to public sector bodies to pursue road maintenance or other tasks. An invading army could potentially gain access to and leverage the data to speed its progress.
The Data Act authorizes public authorities to force organizations to hand over their data in case of ‘public emergencies,’ such as pandemics and natural disasters. The precise conditions under which this can happen have yet to be defined. Companies worry that their valuable data could be shared with their competitors. Business Europe urges lawmakers to “narrow down the ‘exceptional need’ situations.”
The new rules are complex – and possibly contradictory. Different departments of the European Commission are coming up with conflicting initiatives. While a directorate-general of the Commission has authored the Data Act, another has come up with specific legislation for automobile data sharing. It is unclear to what extent the two will differ; legal uncertainty may become an issue.
Enforcement represents another considerable challenge. Each EU member state is required to appoint a digital regulator, opening the door to different interpretations in each of the 27 member states. Unlike the GDPR, for which enforcement has been problematic, the Data Act does not envisage the creation of an authority to facilitate cooperation between these national regulators. This calls into question the effectiveness of monitoring and investigating cross-border data sharing.
These challenges will need to be worked out in the coming months. Both the European Parliament and the Council of the EU representing national governments need to agree on versions of the Data Act. The different versions then must be reconciled. It is essential to ease the flow of data. But this goal must be balanced against privacy and security concerns.
Grace Endrud and Charles Martinet are interns at CEPA’s Digital Innovation Initiative. Bill Echikson edits Bandwidth.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions are those of the author and do not necessarily represent the position or views of the institutions they represent or the Center for European Policy Analysis.