Posts

Gouvernance des données

Data governance: trust it (or not?)

The original version of this article (in French) was published in the quarterly newsletter no. 20 (March 2021) of the Values and Policies of Personal Information (VP-IP) Chair.

On 25 November 2020, the European Commission published its proposal for the European data governance regulation, the Data Governance Act (DGA) which aims to “unlock the economic and societal potential of data and technologies like artificial intelligence “. The proposed measures seek to facilitate access to and use of an ever-increasing volume of data. As such, the text seeks to contribute to the movement of data between member states of the European Union (as well as with States located outside the EU) by promoting the development of “trustworthy” systems for sharing data within and across sectors.

Part of a European strategy for data

This proposal is the first of a set of measures announced as part of the European strategy for data presented by the European Commission in February 2020. It is intended to dovetail with two other proposed regulations dated on 15 December 2020: the Digital Services Act (which aims to regulate the provision of online services, while maintaining the principle of the prohibition of a surveillance obligation) and the Digital Market Act (which organizes the fight against unfair practices by big platforms against companies who offer services through their platforms). A legislative proposal for the European Health Data Space is expected for the end of 2021 and possibly a “data law.”

The European Commission also plans to create nine shared European data spaces in strategic economic sectors and public interest areas, from the manufacturing industry to energy, or mobility, health, financial data and green deal data. The first challenge to overcome in this new data ecosystem will be to transcend national self-interests and those of the market.  

The Data Governance Act proposal does not therefore regulate online services, content or market access conditions: it organizes “data governance,” meaning the conditions for sharing data, with the market implicitly presumed to be the paradigm for sharing. This is shown in particular by an analysis carried out through the lens of trust (which could be confirmed in many other ways).

The central role of trust

Trust plays a central and strategic role in all of this legislation since the DGA “aims to foster the availability of data for use, by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU.” “Increasing trust”, “building trust”, ensuring a “higher level of trust”, “creating trust”, “taking advantage of a trustworthy environment”, “bringing trust” – these expressions appearing throughout the text point to its fundamental aim.

However, despite the fact that the proposal takes great care to define the essential terms on which it is based (“data“, “reuse”, “non-personal data”, “data holder”, “data user”, “data altruism” etc.), the term “trust,” along with the conditions for ensuring it, are exempt from such semantic clarification – even though “trust” is mentioned some fifteen times.

As in the past with the concept of dignity, which was part of the sweeping declarations of rights and freedoms in the aftermath of the Second World War but was nevertheless undefined –  despite the fact that it is the cornerstone of all bioethical texts, the concept of trust is never made explicit. Lawmakers, and those to whom the obligations established by the legal texts are addressed, are expected to know enough about what dignity and trust are to implicitly share the same understanding. As with the notion of time for Saint Augustine, everyone is supposed to understand what it is, even though they are unable to explain it to someone else.

While some see this as allowing for a certain degree of “flexibility” to adapt the concept of trust to a wide range of situations and a changing society, like the notion of privacy, others see this vagueness – whether intentional or not – at best, as a lack of necessary precision, and at worst, as an undeclared intention.

The implicit understanding of trust

In absolute terms, it is not very difficult to understand the concept of trust underlying the DGA (like in the Digital Services Act in which the European Commission proposes, among other things, a new mysterious category of “trusted flaggers“). To make it explicit, the main objectives of the text must simply be examined more closely.

The DGA represents an essential step for open data. The aim is clearly stated: to set out the conditions for the development of the digital economy by creating a single data market. The goal therefore focuses on introducing a fifth freedom: the free movement of data, after the free movement of goods, services, capital and people.  

While the GDPR created a framework for personal data protection, the DGA proposal intends to facilitate its exchange, in compliance with all the rules set out by the GDPR (in particular data subjects’ rights and consent when appropriate).

The scope of the proposal is broad.

The term data is used to refer to both personal data and non-personal data, whether generated by public bodies, companies or citizens. As a result, interaction with the personal data legislation is particularly significant. Moreover, the DGA proposal is guided by principles for data management and re-use that were developed for research data. The “FAIR” principles for data stipulate that this data must be easy to find, accessible, interoperable and re-usable, while providing for exceptions that are not listed and unspecified at this time.

To ensure trust in the sharing of this data, the category of “data intermediary” is created, which is the precise focus of all the political and legal discourse on trust. In the new “data spaces” which will be created (meaning beyond those designated by the European Commission), data sharing service providers will play a strategic role, since they are the ones who will ensure interconnections between data holders/producers and data users.

The “trust” which the text seeks to increase works on three levels:

  1. Trust among data producers (companies, public bodies data subjects) to share their data
  2.  Trust among data users regarding the quality of this data
  3. Trust among trustworthy intermediaries in the various data spaces

Data intermediaries

This latter group emerges as organizers for data exchange between companies (B2B) or between individuals and companies (C2B). They are the facilitators of the single data market. Without them, it is not possible to create it from a technical viewpoint or make it work. This intermediary position allows them to have access to the data they make available; it must be ensured that they are impartial.

The DGA proposal differentiates between two types of intermediaries: “data sharing service providers,” meaning those who work “against remuneration in any form”  with regard to both personal and non-personal data (Chapter III) and “data altruism organisations” who act “without seeking a reward…for purposes of general interest such as scientific research or improving public services” (Chapter VI).

For the first category, the traditional principle of neutrality is applied.

To ensure this neutrality, which “is a key element to bring trust, it is therefore necessary that data sharing service providers act only as intermediaries in the transactions, and do not use the data exchanged for any other purpose”. This is why data sharing services must be set up as legal entities that are separate from other activities carried out by the service provider in order to avoid conflicts of interest. In the division of digital labor, intermediation becomes a specialization in its own right. To create a single market, we fragment the technical bodies that make it possible, and establish a legal framework for their activities.

In this light, the real meaning of “trust” is “security” – security for data storage and transmission, nothing more, nothing less. Personal data security is ensured by the GDPR; the security of the market here relates to that of the intermediaries (meaning their trustworthiness, which must be legally guaranteed) and the transactions they oversee, which embody the effective functioning of the market.

From the perspective of a philosophical theory of trust, all of the provisions outlined in the DGA are therefore meant to act on the motivation of the various stakeholders, so that they feel a high enough level of trust to share data. The hope is that a secure legal and technical environment will allow them to transition from simply trusting in an abstract way to having trust in data sharing in a concrete, unequivocal way.

It should be noted, however, that when there is a conflict of values between economic or entrepreneurial freedom and the obligations intended to create conditions of trust, the market wins. 

In the impact assessment carried out for the DA proposal, the Commission declared that it would choose neither a high-intensity regulatory intervention option (compulsory certification for sharing services or compulsory authorization for altruism organizations), nor a low-intensity regulatory intervention option (optional labeling for sharing services or voluntary certification for altruism organizations). It opted instead for a solution it describes as “alternative” but which is in reality very low-intensity (lower even, for example, than optional labeling in terms of guarantees of trust). In the end, a notification obligation with ex post monitoring of compliance for sharing services was chosen, along with the simple possibility of registering as an “organisation engaging in data altruism.”

It is rather surprising that the strategic option selected includes so few safeguards to ensure the security and trust championed so frequently by the European Commission champion in its official communication.

An intention based on European “values”

Margrethe Vestager, Executive Vice President of the European Commission strongly affirmed this: “We want to give business and citizens the tools to stay in control of data. And to build trust that data is handled in line with European values and fundamental rights.”

But in reality, the text’s entire reasoning shows that the values underlying the DGA are ultimately those of the market – a market that admittedly respects fundamental European values, but that must entirely shape the European data governance model. This offers a position to take on the data processing business model used by the major tech platforms. These platforms, whether developed in the Silicon Valley ecosystem or another part of the world with a desire to dominate, have continued to gain disproportionate power in light of their business model. Their modus operandi is inherently based on the continuous extraction and complete control of staggering quantities of data.

The text is thus based on a set of implicit reductions that are presented as indisputable policy choices. The guiding principle, trust, is equated with security, meaning security of transactions. Likewise, the European values as upheld in Article 2 of the Treaty on European Union, which do not mention the market, are implicitly related to those that make the market work. Lastly, governance, a term that has a strong democratic basis in principle, which gives the DGA its title, is equated only with the principles of fair market-based sharing, with the purported aim, among other things, to feed the insatiable appetite of “artificial intelligence”.

As for “data altruism,” it is addressed in terms of savings in transaction costs (in this case, costs related to obtaining consent), and the fact that altruism can be carried out “without asking for remuneration” does not change the market paradigm: a market exchange is a market exchange, even when it’s free.

By choosing a particular model of governance implicitly presented as self-evident, the Commission  fails to recognize other possible models that could be adopted to oversee the movement of data.  Just a few examples that could be explored and which highlight the many overlooked aspects of the text, are:

  1.  The creation of a public European public data service
  2. Interconnecting the public services of each European state (based on the eIDAS or Schengen Information System (SIS) model; see also France’s public data service, which presently applies to data created as part of public services by public bodies)
  3. An alternative to a public service: public officials, like notaries or bailiffs, acting under powers delegated by a level of public authority
  4. A market-based alternative: pooling of private and/or public data, initiated and built by private companies.

What kind of data governance for what kind of society?

This text, however, highlights an interesting concept in the age of the “reign of data”: sharing. While data is trivially understood as being the black gold of the 21st century, the comparison overlooks an unprecedented and essential aspect: unlike water, oil or rare metals, which are finite resources, data is an infinite resource, constantly being created and ever-expanding.

How should data be pooled in order to be shared?

Should data from the public sector be made available in order to transfer its value creation to the private sector? Or should public and private data be pooled to move toward a new sharing equation? Will we see the emergence of hybrid systems of values that are evenly distributed or a pooling of values by individuals and companies? Will we see the appearance of a “private data commons”? And what control mechanisms will it include?

Will individuals or companies be motivated to share their data? This would call for quite a radical change in economic culture.

The stakes clearly transcend the simple technical and legal questions of data governance. Since the conditions are those of an infinite production of data, these questions make us rethink the traditional economic model.

It is truly a new model of society that must be discussed. Sharing and trust are good candidates for rethinking the society to come, as long as they are not reduced solely to a market rationale.

The text, in its current form, certainly offers points to consider, taking into account our changing societies and digital practices. The terms, however, while attesting to worthwhile efforts for categorization adapted to these practices, require further attention and conceptual and operational precision.   

While there is undoubtedly a risk of systematic commodification of data, including personal data, despite the manifest wish for sharing, it must also be recognized that the text includes possible advances.  The terms of this collaborative writing  are up to us – provided, of course, that all of the stakeholders are consulted, including citizens, subjects and producers of this data.


Claire Levallois-Barth, lecturer in Law at Télécom Paris, coordinator of the VP-IP chair, co-founder of the VP-IP chair.

Mark Hunyadi, professor of moral and political philosophy at the Catholic University of Louvain (Belgium), member of the VP-IP chair.

Ivan Meseguer, European Affairs, Institut Mines-Télécom, co-founder of the VP-IP chair.