Op-Ed: “Business-to-government data sharing on the Data Act: between a rock and a hard place” by Barbara Lazarotto

This Op-Ed was originally published on the EU Law Live Blog and can be accessed here

 

The Data Act proposal is the latest Regulation of the European Data Strategy to have been proposed in February 2022, with the main objective of removing the obstacles to the circulation of data and creating value from it through business-to-consumers, business-to-business and business-to-government data sharing. The Proposal has gained attention due to its innovative proposition, which aims to address complex and different concerns related to the data economy depending on the area of regulation. The Act addresses the market dominance within the field of IoT products, cloud and edge computing and aims to advance the European data economy through data reuse, including the public sector. Yet, the trajectory of the Data Act proposal has been a bumpy ride with a lot of back and forth between pushing for more sharing of data and furthering restrictions on data access, mostly influenced by stakeholder positions when it comes to business-to-government data sharing. In this Op-ed, I will further explore the road of the Proposal so far and how the modifications throughout the legislative process still support the industry position, and what this means for the future of business-to-government data sharing in Europe.

A wrestle between public sector access and industry interests

Before reaching the Council, the Data Act Proposal was mostly focused on data access by consumers and further sharing of data for the purposes of enhancing market competition. Chapter V, fully dedicated to business-to-government data sharing, was heavily influenced by public health management during the COVID-19 pandemic, in which access to privately held data by the public sector was considered essential. However, the use of private data is not only advantageous in exceptional circumstances but can also be essential to support the public sector in policymaking, a hypothesis which was not fully addressed by the Data Act proposal.

Yet, when the Czech Presidency took over the rotating presidency of the EU Council from 1 July to the end of 2022, it took a pro-public sector approach by broadening the scope of the business-to-government data sharing beyond the original proposal, pushing it forward the circumstances of data access for the purposes of enacting public tasks. Prague pushed for stronger enactment of mandatory data-sharing regulation, although the text significantly reduced the scope of business-to-government data sharing to only the European Commission and the EU Agencies whereas before it applied to all EU institutions. Empowering clauses were enhanced, which allowed the public sector to challenge requests for compensation by organisations holding data. One of the main additions was the further specification of tasks in the public interest provided by law that might justify the request for privately held data, such as local transport, city planning and infrastructural services. This opened an avenue of possibilities for the use of private data for public purposes such as the development of smart cities.

 

Following the end of the Czech rotating presidency, Sweden took over in January 2023, and contrary to the previous Presidency, it turned to the industry segment by proposing the reduction of the scope of the act to all data processed via systems subjected to Intellectual Property rights or specific know-how of the data holder. Additionally, the possibility for data holders to deny the sharing of data based on any trade secret was introduced, strengthening the business position considerably. When it comes to business-to-government data sharing, the scope of data was restricted only to non-personal data, a request that was present in the EDPB-EDPS Join Opinion 02/2022 on the Data Act.

Once the Proposal reached the Parliament for the trilogues, business-to-government data-sharing regulation took a considerable step back again, following the industry organisations’ joint statement expressing the sector’s concern with the protection of trade secrets. Some hypotheses on the use of private data by governments for the fulfilment of tasks in the public interest were removed from Recital 57, although in my opinion the removal does not impact the interpretation of article 15(b) of the proposal. Most recently, a common position was reached by Coreper which has highlighted again the necessity to ‘fine-tune’ the terms of business-to-government data sharing regulation. (for more information, see the Council press release here)

Between a rock and a hard place

Following this retrospective analysis, it is possible to observe that the main objective of the Data Act is to empower consumers by giving them access to data generated by ‘smart devices’ and that the business-to-government data-sharing provisions are not the focus of the Regulation, in spite of the pro-public sector approach by the Czech Presidency. The European Parliament strengthened the industry pleas, by enhancing trade secrets protection and restricting the possibilities of data access by governments.

Therefore, one question remains. Given the abovementioned trajectory, what is the future of business-to-government data sharing in the EU?

The Data Act is a horizontal proposal which aims to propose basic data-sharing rules for all sectors, leaving room for a specific regulatory framework for specific sectors. A specific regulatory framework would need to fully address the challenges faced by the public sector when accessing privately held data due to its peculiarities and its public interest purpose. A specific regulation would be essential to coordinate how already existing regulations (e.g., General Data Protection Regulation 2016/679, Data Governance Act Regulation 2022/868, Data Base Directive 96/9/EC), Member States’ legislation (such as the French loi n° 2016-1321 du 7 octobre 2016) and future proposed regulations such as the Data Act will co-exist. Additionally, a specific regulatory framework would have to face challenges, such as how to involve the private sector in public matters without causing a ‘corporatisation’ of the public sphere while protecting public values such as transparency of administration and the interest accessing certain types of data for public purposes.

So far, I still cannot see the end of the tunnel. Due to the backseat position of business-to-government data sharing in the proposal, it is safe to affirm that the future of B2G does not depend greatly on the Data Act. At the same time, the regulatory measures brought by the proposal are too restricted to alter the status quo of business-to-government data-sharing agreements that are already taking place, and they definitely do not address the issues faced by the public sector when settling agreements, such as power imbalances, unfair contractual clauses, and restrictions on the use of data. Thus, there is only hope that a Regulation that addresses these points is in the Commission’s pipeline.

Barbara Lazarotto is a PhD researcher at the Vrije Universiteit Brussel, a member of the Law, Science, Technology and Society Research Group (LSTS) and a Marie Curie Action Fellow at the LeADS Project.

ESRs Fatma Doğan at seminar for young researchers and PhD students

 

ESRs Fatma Doğan participated in the seminar for young researchers and PhD students titled: “Current Challenges in Medical Law”. The seminar took place in Göttingen, between 3-4 May 2023. Fatma presented her study named “Re-use, Secondary use or further use of health Data: A dilemma placed in between legislations” on ‘Current Challenges related to Data & Research’ panel.

Fatma started her presentation with a quote from EU Commission Communication on data re-use from 2020. The commission states that: “The value of data lies in its use and re-use. Currently, there is not enough data available for innovative re-use, including for the development of artificial intelligence.” Her main research question was, how can we interpret the re-use of health d ata under current EU legislation. While seeking the answer to this question her research is divided into three parts. In the first part, she examined GDPR and it’s provisions about ‘further use’ as it is the main legal instrument. Secondly, Data Governance Act(DGA) and its provisions about ‘re-use’ and thirdly, the Proposal of European Health Data Space(EHDS) and its ‘secondary use’ provisions were examined. Her findings point out that both DGA and EHDS don’t offer a detailed explanation of what terms could entail. Moreover, all three of the legislations will be regulating an intersecting ground, thus, their differences have a possibility to create discrepancies. Her study sought to discuss the similarities and differences between the referred legislation in terms of the mentioned concepts and make sense of their interplay.

The seminar was full of enlightening presentations and interesting keynote speeches. Fatma also received valuable feedback and thought provoking questions after her presentation.

ESRs present their research at Institut cybersécurité de l’Occitanie workshop

 

On the 19th of April 2023, the workshop Journée scientifique du Défi Clef at the Institut cybersécurité de l’Occitanie at The Laboratory for Analysis and Architecture of Systems (LAAS-CNRS) took place in Toulouse, France.

The workshop was divided into three sessions the first Session focused on thesis presentations, Session 2 focused on presentations on the topic of cybersecurity and Session 3 was entered on material, logical and systemic security. Prof. Jessica Eynard, one of the supervisors of the LeADS Project, and Giorgia Macilotti one of LeADS collaborators presented their research in Session 2 the topic Sécurité(s) et identité(s) numérique(s).

Early Stage Researchers Cristian Lepore, Barbara Lazarotto and Louis Sahi also participated in the workshop on a poster session, where they presented the development of their research.

 

ESRs Fatma Dogan and Soumia El Mestari at Privacy Symposium 2023

ESRs Fatma Dogan and Soumia El Mestari attended the annual Privacy Symposium took place in Venice between 17-21 April. ESRs presented their paper which they have witten with Dr. Maria Botes from Centre for Medical Ethics and Law of Stellenbosch University.

Their paper titled “Technical and Legal Aspects Relating to the (Re-Use of Health Data when Repurposing Machine Learning Models in the EU” will be published in the conference book. In the study, they discussed technologies such as re-purposing machine learning models under EU data protection laws. The original point was that technologies like Al and loT are data greedy by their nature hence they need more datasets constanty. Machine learning technologies can reuse the existing machine learning models, also known as “knowledge transfer for other tasks”. However, this solution when examined under a legal lens becomes ambiguous because there is no exact equivalent of this term in current EU data protection laws. Even so, when this technology is used in health data tasks, the practice becomes even more complex. because health data qualifies as sensitive data which attracts stricter rules regarding its processing.

In the paper, they examined this topic from both a legal and a technical point of view. Their research considers the use of repurposing machine learning models and their application within the legal context of the secondary use and re-use of personal data. Their legal analysis includes the General Data Protection Regulation, Data Governance Act, and European Health Data Space proposal. The ESRs received questions and supportive feedback from the participants and also attended the
other enriching panels of the conference.

ESRs Fatma Dogan and Barbara Lazarotto at BILETA 2023

 

On April 13th 2023, ESRs Fatma Dogan and Barbara Lazarotto participated in the 38th Annual BILETA – British and Irish Law Education and Technology Association Conference. The Conference came back to The Netherlands after 22 years and had as a topic Cyberlaw: Finally getting its Act(s) together? held in Amsterdam Law and Technology Institute and online. (for more information consult the program of the conference). Fatma and Bárbara both presented their research at the Data Governance Panel, exploring the interaction between different EU Regulations.

Barbara presented her research titled The Right to Data Portability: An Holistic Analysis of GDPR, DMA and the Data Actin which she explored the interactions and overlaps when it comes to the right to data portability in the three Regulations and possible implications to data subjects’ rights. Barbara won the European Journal of Law and Technology best paper award with her paper.

  

Fatma presented her research titled Re-Use or Secondary Use: A Comparison between Data Governance Act and European Health Data Space, where she explored the re-use or secondary use of health data, making an analysis of the Data Governance Act and the European Health Data Space.

 

Both researchers received great questions and feedback from the participants which will enrich their research for future purposes.

Participation of ESR Aizhan Abdrassulova in two conferences in April 2023

Early Stage Researcher Aizhan Abdrassulova presented her research at III International Forum on Medical Law, which was held on April 6-7, 2023 in Ekaterinburg.  Her article’s title is «Some Aspects of medical ethics and Confidentiality in European Law». Aizhan outlined the basic principles of European medical ethics and its main directions of development. Participation in the conference was remote, materials will be published on the website and in print in June 2023.

Also on April 11-13, Aizhan was present offline at the 33rd Madrid International Conference on “Law, Education, Marketing and Management” (LEMM-23).

Aizhan’s topic “Data ownership: civil law aspect” is closely related to the topic of her dissertation. All papers of LEMM-23 will be published in the printed conference proceedings with a valid International ISBN number.

Each Paper will be assigned a unique Digital Object Identifier(DOI) from CROSSREF and the Proceedings of the Conference will be archived in DiRPUB’s Digital Library. Aizhan won the nomination for “Oral Best Paper Certificate”.

Clustering Workshop on Ethical and Legal Issues in Technology

The VALKYRIES project funded from the European Union´s Horizon 2020 research and innovation programme, conducted its third ethical and legal workshop titled “Dealing With Ethical Legal Issues Technology Development: The Current Approaches Adopted In Ongoing Projects” on March 3, 2023.

The workshop consisted of presentations by various EU projects such as VALKYRIES, 5GSOSIA, RESCUER, LeADS and FACILITATE, these presentations focused on the ethical and legal issues encountered and combatted during the course of their respective projects.

On behalf of the LeADS project, Prof. G. Comandé introduced the legality attentive data scientists project and discussed how the LeADS Project is aimed at bridging the gap between data science and law by training early-stage researchers who are involved in the project with technical prowess as well as legal expertise. Further, he mentioned that this has been made possible by the various partnerships with companies and government agencies that the LeADS Project has carved out for its early-stage researchers to create a balance between theoretical studies and practical implementations across sectors.

Prof. Paul De Hert and ESR Barbara Lazarotto at the Norface Governance Online Lecture Series

On 01 March 2023, Prof. Paul de Hert and ESR Barbara Lazarotto participated in the third NORFACE GOVERNANCE Online Lecture Series at the University of Luxembourg. They were joined by Prof. Jean-Bernard Auby, Emeritus Professor of Public Law, Sciences Po Paris – Former Director of “Mutations de l’Action Publique et du Droit Public” («Changes in Governance and Public Law»), Former Deputy Director of the Oxford Institute of European and Comparative Law. The online lecture series was a part of the dissemination practices for the governance program.

The lecture was titled Should the state be smart?“, and approached the concept of “smartness” as a buzzword that is sold by private companies to governments, which often adopt technology to micromanage individuals’ lives, confusing it with administrative effectiveness. The lecture explored possible alternative paradigms for governments for the future and their relationship with technology.

 

 

Going Beyond the Law or Back Again?

This blogpost was originally published on the Robotics & AI Law Society’s Blog at https://blog.ai-laws.org/going-beyond-the-law-or-back-again/

Abstract:

The relationship between law and ethics in the European Union’s regulatory policy of artificial intelligence remains unclear. Ambiguity persists specifically in whether ethics will be employed in a hard or soft fashion. Such an ambiguity creates fundamental problems in determining whether a given AI system is compliant with the proposed Artificial Intelligence Act (AIA), which is contrary to the objective of legal certainty cited by the AIA. This blog post is an attempt to uncover that problem which academic literature has not yet addressed.

The AIA is a product of the European strategy towards regulating AI which has developed over the past four years and has always embodied a peculiar relationship between law and ethics. In 2018, the European Commission released their Communication  outlining the beginnings of a European strategy for AI. Around that time, the High-Level Experts Group on AI (HLEG) was established with the goal of advising the Commission, and their 2019 Ethics Guidelines for Trustworthy AI , which took the fundamentals rights of the Charter to be the subject matter of both their ethical and legal approach, became central to the EU strategy. Then in 2020, the official White Paper on Artificial Intelligence was released, stating that the European approach “aims to promote Europe’s innovation capacity in the area of AI while supporting the development and uptake of ethical and trustworthy AI across the EU economy.” Later in 2020, the European Parliament formally requested the Commission to submit a proposal for a regulation specifically addressing ethical principles for the development, deployment, and use of artificial intelligence. And finally, in 2021, the Artificial Intelligence Act was proposed, and the Commission asserted that the Regulation ensures the protection of ethical principles.

The Distinction Between Hard and Soft Ethics

During those years, many AI ethics researchers had been concerned with the development of principles and struggled with their practical application to the problems of AI, while some others had taken the problem of application to be an irredeemable flaw with the principle-based approach and so called for a virtue ethics or question-based approach to be developed instead. That debate will continue to evolve and is not the direct subject matter of this post, nor are the ongoing debates about how best to operationalize ethics in SMEs or larger corporations. Instead, this blog is an effort to uncover the ambiguous relationship between law and ethics in the European Union’s regulatory policy of AI. That ambiguity can be traced back to a misapplication of Luciano Floridi’s “soft ethics” presented here, which asserted that governance should be composed of institutional governance, regulation, and ethics. He and others argued that ethics should play a role in governance because legal requirements are often necessary but not always sufficient to guide society toward a beneficial outcome, and that ethics can act as an anticipatory mechanism to identify and respond to the impacts of emerging technologies. According to his theory, digital ethics is constituted by hard ethics, which changes or creates law through the implementation of ethical values in legislation or judicial opinions; and soft ethics which considers what should be done “over and above the existing regulation, not against it, or despite its scope, or to change it, or to by-pass it.” In other words, while soft and hard ethics cover the same normative ground, the distinction between the two rests on their relationship to law.

Following that distinction between hard and soft ethics, compliance with a given law is equivalent to the compliance with the hard ethic that gave it shape, and thus the analysis used to determine whether some behavior is compliant is the legal method an attorney would use in a given jurisdiction. But, because ethics that are soft go “over and above” the law, a different methodology would presumably be required to determine whether some behavior is in alignment with a given set of values. When reading the forthcoming paragraphs keep this in mind: the relationship between hard ethics and law is characteristic of how scholars typically understand the cyclical nature of ethical norms being translated into regulation, similar to how the EU data protection acquis developed from shifts in the perceptions about and values of privacy in the public or how medical professional ethics developed in response to bioethics. The reader’s reaction then may be to assume that the exact same is happening in the EU regulatory approach to AI, that ethics is simply influencing regulators to act, and that they are embedding the values into the regulation (hard ethics). However, the policy outlined below suggests that compliance with the AIA may require a separate ethical analysis that takes the law as the starting point and goes beyond. It’s important to note that Floridi’s soft ethics approach was originally conceived as a “post compliance” tool (not a legal requirement), yet through the adoption of soft ethics in the regulatory policy, this blog will suggest that it may have (intentionally or unintentionally) taken on a new and confused life as a compliance mechanism.

The Cause of the Ambiguity: A Sketch of the EU Regulatory Development on AI

The consensus in the European Union has largely been that AI should meet both a legal and ethical requirement. In the HLEG’s Ethics Guidelines for Trustworthy AI, they state that AI should be legal, ethical, and technically and socially robust. The HLEG derived their ethical principles from the EU Charter of Fundamental Rights. Distinguishing between the legal and ethical requirements, the HLEG explained that after legal compliance is achieved, “ethical reflection can help us understand how the development, deployment and use of AI systems may implicate fundamental rights and their underlying values and can help provide more fine-grained guidance when seeking to identify what we should do rather than what we (currently) can do with technology.” The HLEG cited Floridi’s soft ethics approach, asserting that there “adherence to ethical principles goes beyond [emphasis added] legal compliance.” Yet, the question of which direction one should go beyond fundamental rights jurisprudence remains and is striking.

The demarcation between legal and ethical requirements carried on into the European Parliament’s Resolution C 404 , which distinguished between “legal obligations” and “ethical principles,” advising that high-risk AI systems be subject to the mandatory compliance of both. Yet, they also observed that “ethical principles are only efficient where they are also enshrined in law. . .” Note that if ethics is only efficient where it is enshrined in the law and compliance is mandatory with ethical principles by law, then the distinction between “legal obligations” and “ethical principles” collapses (hard ethics). However, the Parliament went on to call for common criteria to be developed for the granting of European certificates of ethical compliance, which suggests, again, that an ethical analysis (as opposed to a legal one) may need to be developed to satisfy ethical principles. Finally, the Parliament formally requested the Commission to submit a proposal for a regulation specifically addressing ethical principles for the development, deployment, and use of artificial intelligence.

The proposed AIA responded to that request and the Commission asserted that the Regulation ensures the protection of ethical principles. The general objective of the legislation was to “ensure the proper functioning of the single market by creating the conditions for the development and use of trustworthy artificial intelligence [emphasis added] in the Union.” The proposed minimum requirements for high-risk AI systems set out in Chapter II are based on HLEG’s work on Trustworthy AI. In the heart of the AIA, references to ethical principles are non-existent but references to fundamental rights abound. Remember that the ethical principles of Trustworthy AI are derived from fundamental rights.

Questions Going Forward

Thus, the question remains: does compliance of high-risk AI systems with Chapter II of the AIA require a separate ethical analysis, based on fundamental rights, that goes beyond legal compliance with fundamental rights law? Does the mandatory compliance mean that this creates a new philosophy for the interpretation of fundamental rights? And as inquired upon earlier, which direction does one go beyond to achieve compliance? Fundamental rights law must often strike a balance between rights, and the calculations in those decisions create the most controversial of legal judgements. Going beyond, especially obligatorily, has wide reaching consequences, and would likely be highly politically charged. Clarification and information for whether and how to go beyond must be given by policymakers.

What such an analysis might look like remains unclear. As mentioned at the top, AI ethics researchers are still debating how to best develop and apply principles or whether to even do so at all. The field is far from establishing consensus. Yet, underpinning AI ethics is the idea that law can benefit from ethics for various reasons. Yet, the opposite might also be true: that an ethical analysis or method could be modeled off the legal structure that allows for the application of normative propositions to specific sets of facts (perhaps something akin to Hart’s rule of recognition, change, and adjudication as a starting point).

LeADS Liaisons with the OpenMuse Consortium

The LIDER Lab at Sant’Anna School of Advanced Studies recently joined a consortium of music industry stakeholders and researchers from 12 European countries. The OpenMuse Consortium’s goal is to fill harmful data gaps in the European music ecosystem and provide artists with much needed data-driven tools to increase their success in the streaming environment.

ESR Robert Poe and post-doctoral researcher Pelin Turan recently represented Sant’Anna at the Kick-off meeting for this exciting new European project in Bratislava, Slovakia. Robert’s background in EU artificial intelligence law and AI ethics and Pelin’s background in cultural diversity and EU copyright law proved invaluable during the many coordination meetings that took place there. Sant’Anna will head up three deliverables for the Consortium including the development of a data management plan and policy recommendations involving fair machine learning techniques and topics in cultural diversity; research areas which present opportunities for the Legality Attentive Data Scientists to offer insightful contributions in the future. Sant’Anna is looking forward to a bright and productive collaboration between the two projects where there is sufficient overlap!