The New Law of the European Data Markets: Demystifying the European Data Strategy
-
Teodora Groza
and
Beatriz Botero Arcila
Abstract
The European Data Strategy, published in 2020, aims to turn the EU into a society empowered by data which captures its benefits to generate improvements in health, well-being, the environment, transparent governance, and convenient public services. This article examines the European Data Strategy, focusing on the Data Act and Data Governance Act, and situates them within broader data governance discussions. It argues that the Strategy has at its centre a tension between fostering a robust, fair data market versus scepticism towards market-based data governance mechansims, and analyses to what extent the regulatory techniques the Data Strategy proposes can address this tension.
1 Introduction
In 2020, the European Union set the goal to ‘become a leading role model for a society empowered by data to make better decisions – in business and the public sector (…) [and] to capture the benefits of better use of data, including greater productivity and competitive markets, but also improvements in health and well-being, environment, transparent governance and convenient public services.’[1] To do so, the European Strategy for Data (‘Data Strategy’ or simply ‘the Strategy’) seeks to create a single market for data by 2030 where personal as well as non-personal data is secure yet accessible, ‘boosting growth and creating value’ while being mindful of European values and fundamental rights.[2]
In a nutshell, the Data Strategy creates different rules and institutions that seek to improve and facilitate data access and enhance data utilisation. Its ultimate goal is to give rise to a data market that achieves two objectives which are difficult to reconcile: maximising the gains from data to enhance welfare on the one hand, and protecting the European values of equality and fundamental rights on the other.
This Article analyses the EU Data Strategy through its two main regulatory elements, the Data Governance Act (‘DGA’) and the Data Act (‘DA’). It intervenes in the academic and policy conversation about the governance of the data economy in the European Union and contributes to this literature in three main ways:
First, the Article is one of the first to present a comprehensive overview of the European Data Strategy and its main regulatory components to date – the DGA and the DA – and to situate it within the broader data governance literature.[3] It conceptualises the European Data Strategy as emerging from the EU’s historical inclination toward market-based approaches to achieve various objectives,[4] while also acknowledging concerns within the data governance literature about potential overreliance on market mechanisms for data regulation.[5]
Indeed, much of the contemporary academic discussion on the governance of data seems to take one of three rough perspectives. A first and baseline perspective aims for economic efficiency as a proxy for welfare. This strand of literature proposes that data markets’ operations should be improved ‘by transforming data into merchandisable private goods’ and offering legal certainty to parties providing and producing data.[6] A second perspective criticises this baseline approach on the ground that data market structures sustain the inequalities of the digital economy, participate in the erosion of corporate accountability and give rise to new forms of social control.[7] Legal scholars in this camp emphasise the role of law (private law, regulation, and the lack thereof) in enabling the accumulation of outsized power, resources and data in the hands of a few actors in the data economy.[8] A third approach focuses on imagining and developing institutional alternatives to de-concentrate data markets and democratise access. Scholars and organisations adopting this view often start from the nature of data as a non-rival economic good. They note that exclusive private data use – and relying on commodification and property law – may contribute to data being underutilised and argue, for example, that sharing data or making more data available can improve (public) services.[9] Thus, they propose institutions that are alternatives or complements to the market logic of current data exchanges, such as semi-commons arrangements.[10] In this piece, we leverage all these strands of scholarship to show how the Data Strategy learns from contemporary data governance scholarship to propose a new form of data markets.
Second, we show how the DA and the DGA seek to operationalize these modes of data governance through specific legal interventions aimed at streamlining data access and exchanges. We take seriously the legal-institutionalist insight that markets arise and operate through law – both public regulation and private law regimes – and are the result of complex and vast webs of legal and political choices and the path dependencies they give rise to.[11] Here, we show that these two regulations create specific entitlements, rights, and obligations over and about data, de facto creating a private law of non-personal data. The Article exposes how the Data Strategy constitutes a novel regulatory approach that interweaves conservative regulatory techniques of fixing market failures with an unorthodox vision of regulation as market structuring. From punctual interventions that seek to create incentives for data holders to share or trade their data, to bolder measures that aim to level the playing field by enhancing the bargaining power of small players, the acts display a wide spectrum of regulatory techniques.
Third and last, the Article analyses the opportunities and challenges of (re)shaping the structure of the European data market in a way that is both welfare-enhancing and respectful of European values. To do so, we draw both on cost-benefit analysis and distributive analysis to assess the different mechanisms adopted by the Strategy. We question, for example, whether enough incentives are indeed in place to share data, what the scope of application of data protection law should be in this context, and whether the Strategy, inadvertently, may not be hindering the opportunity to compete by newcomers. The final part suggests some avenues for future regulatory work and research.
The Article is divided into four sections. The first part presents the Article’s theoretical framework and methodology. The second part presents the legal and economic background on the economics of data, data markets, and data law in the EU. The third part presents the Data Strategy and analyses it, focusing both on what it aims to do and what it may end up doing in practice. The fourth part discusses the challenges the Strategy needs to address and how it fits within the broader European regulatory landscape.
2 Background: Data and Data Markets, Law and Economics, and Methodology
The Data Act and the Data Governance Act are part of the EU’s manifold regulations aiming to align the digital economy with EU values while at the same time enhancing innovation.[12] As its name implies, it is mostly concerned with the governance of data, notably access to data. In this section, we introduce the key conceptual tools for analysing the Strategy – data and data markets – and explain our theoretical framework and our methodology.
2.1 Key Definitions
2.1.1 Data
The DA and the DGA define data as ‘any digital representation of acts, facts or information and any compilation of such acts, facts, or information, including in the form of sound, visual or audio-visual recording.’[13] This definition, like most modern understandings of data, situates the digital context as the default setting for data governance. Similarly, the data governance and data economics literature typically understand and define data as a digital representation of information.[14]
It is generally accepted that data is a valuable resource. The Economist popularised the idea that ‘data is the new oil’ in 2017, a phrase first formulated in 2006 by mathematician Clive Humby.[15] In Humby’s original formulation the metaphor was meant to signify that data, like oil, is not useful in its raw state but needs to be refined and turned into something useful.[16] Relatedly, critically oriented scholars emphasise that metaphors that analogize data to natural resources seem to convey that data is a finished good that exists naturally in the world.[17] This is not the case. Data is a representation of information. Hence, both data generated intentionally – either by digitising some already available information or by immediately collecting digital data, as well as data collected by sensors – needs not only to be refined and turned into something useful but is also the result of human-created infrastructures and institutions.[18] Policy-makers and scholars highlight that these infrastructures and institutions (e.g. the technical capabilities required for data production and storage, data governance laws) give rise to the inequalities and challenges endemic to the digital economy: data produced is often not representative enough along gender, race or class dimensions;[19] some countries produce most of the data in the world, and, particularly, most data is produced and controlled by few technology companies.[20] The literature highlights that these inequalities also influence who benefits from the data economy.[21]
As an economic good, data is non-rivalrous, which means that its use by one individual does not prevent others from using it at the same or at any other time.[22] Despite the possibility of non-rival consumption, data is also generally an excludable good.[23] This is in no small part a function of technical and legal aspects and interventions – hence, of concrete choices. Data, when produced and collected, is automatically stored in devices or servers which usually belong to a legal person and are rarely publicly accessible. These parties collecting and storing data then rely on technical and legal interventions to cabin the universe of parties able to access data, such as blocking access technically via encryption, and / or legally via relying on trade secrecy laws.[24]
Legally, there is no concerted approach to data ownership, access, and control in Europe. Data is not physical (though it is stored in physical devices)[25] and therefore it is not clear whether it can be covered by rights in rem designed for corporeal entities, even if some argue that it would be possible.[26] It is also typically not covered by intellectual property laws because it fails to satisfy the criterion of originality.[27] We discuss at some length the different approaches proposed by the literature to govern data in Part 2. Here, however, it suffices to say that there is a patchwork of laws and rules creating entitlements over data that shape how data can be accessed, shared, and used. These include data protection laws, trade secret protections, sector-specific regulations covering issues like the disclosure of government-held data, and, importantly, private ordering via contract law.[28]
2.1.2 Data Markets
As an excludable good, data can be traded. The 2021–2023 European Data Market study published by the EU Commission defines data markets as ‘marketplaces where digital data and insights from data are exchanged as products or services that result from the elaboration of raw data.’[29] On the supply side of these markets, there are data-related digital products, services, and technologies such as credit scores, client profiles or insights on the traffic in a particular city. On the demand side, companies and governments acquire data or data insights to use in their decision-making processes and ultimately make their operations more efficient.[30]
It is worth highlighting that data markets are not that new: Data trading on a large scale was made possible at the latest in the 1990s by a confluence of widely available public records coupled with growing public and private interests in operationalizing and monetizing this information.[31] Choicepoint, a data broker, was already in 2001 selling ‘information in markets–insurance, business and government, and marketing’ which included ‘(…) history data, motor vehicle records, police records, credit information and modelling services, employment background screenings and drug testing administration services, public record searches.[32]
Despite their considerable history, data markets have been in the spotlight only over the last few years. After the Cambridge Analytica scandal and its possible role in the Trump election, as well as the Brexit vote in 2016, concerns that unrestrained data markets could represent a risk for democracy and political stability became prominent.[33] These have sparked a broader conversation on the risks that unrestrained data flows pose to fundamental rights such as privacy and data protection, and of the dominant role that the main technology companies play in dictating access to data and how it is used.[34]
It is worth noting that not all data markets are the same. Notably, in the EU, data markets look different from their American counterparts. The General Data Protection Regulation (GDPR) forbids the selling and sharing of personal data without a legal basis, thereby reducing the privacy risks associated with unregulated data markets.[35] The European Data Market Study reports that in the European data market, data related to individuals is anonymized, pseudo-anonymized or aggregated.[36] Nonetheless, despite being more privacy-friendly, this market remains highly concentrated. The prominent role a few non-European technology companies play in the European data landscape through unilaterally determining who has access to data has led both policy-makers and scholars to stress the importance of facilitating and encouraging data access to boost innovation and competition.[37] This dynamic shows that addressing privacy concerns is not a panacea. Furthermore, it raises questions as to potential trade-offs between enhancing privacy protection and deconcentrating markets, as well as how these should be resolved.
2.2 Law and Markets and the Economic Analysis of Law
In this Article, we use a mix of orthodox and heterodox law and economics tools to analyse the DGA and the DA, namely cost benefit analysis and distributional analysis. We rely on these methodological instruments to evaluate whether the proposed interventions of the acts achieve their goals in creating a different kind of data market. Given that our analysis is centred on the impact of legal rules on market dynamics, we begin by clarifying our position as to the role of the law in shaping markets.
2.2.1 Law and Markets
The departing point of our intervention is that markets are a legal construct, i.e. their functioning is heavily reliant on a combination of contract laws, property rights, and regulation.[38] This does not mean, however, that regulatory action or formal law is required for trading. As Richard Brooks describes, ‘people have been buying, selling, swapping and trading goods and services from time immemorial.’[39] There is a difference, however, between trade as an activity and markets as institutionalised arenas for trade. The emergence of markets requires the establishment of ‘rules of the game’ which provide market players with clarity as to who owns what, and under what conditions assets and services can be traded. Nonetheless, since trading customs evolve, and new assets – such as data – become tradeable, it is often the case that laws designed for pre-existing markets are stretched to regulate new assets or new trading arenas. Furthermore, regulatory tools which are not meant explicitly to influence trading can impact trading conditions. Think, for example, of the GDPR, which was meant as a data protection regulation, but has drastically changed the conditions under which data can be collected and shared.
The current data market is thus shaped by an amalgam of laws that condition who can access data. At the same time, the market practices of certain dominant market actors have had a deep influence on data trading. Due to their bargaining and market power, the big tech players managed to secure quasi-property entitlements over data by private ordering and reliance on technical capabilities.[40] For example, Amy Kapczynski documents how companies possessing technical control of large amounts of data have managed to exclude third parties from accessing and reaping the benefits of the data they hold, creating property-like regimes through ‘contracts with their vendors, customers, and collaborators that require data and algorithms to be kept secret or not shared.’[41]
Law and economics scholars point out that when the law does come forth to shape markets, it usually translates existing realities into what law and economic scholars have labelled as ‘entitlements.’[42] To give a simple example, property entitlements were initially granted to those who managed to secure physical control over assets.[43] Although there is no clear definition of what entitlements are, they can be understood as legal interests which prevail in the case of conflict. As Calabresi and Melamed put it, when allocating entitlements, the state ‘decide[s] which of the conflicting parties will be entitled to prevail.’[44]
Law, however, does not need to limit itself to translating existing realities into rules – it can also shape and steer markets towards certain outcomes. In this sense, we distance ourselves from monolithic understandings which portray markets as institutions that are necessarily destined to produce unjust distributional outcomes, exacerbate existing inequalities, and, when the traded asset is data, undermine human autonomy and agency.[45] The law can shape markets by authorising certain transactions and prohibiting others, making some transactions easier than others, and granting certain entitlements to certain parties and refusing them to others. In doing so, the law can alter market dynamics and direct them towards more fair distributional outcomes.[46] Briefly, different kinds of laws give rise to different kinds of markets. This is what we understand that the Data Strategy is ultimately trying to do.
As it will become obvious in the analysis of the next section, the Data Strategy tries to give rise to a different kind of data market by creating entitlements meant to facilitate data-sharing, trading and access. For example, while avoiding the vocabulary of property and ownership, the Data Act grants users of IoT devices the right to ask that the data their use generates be shared with third parties under certain conditions. Before the Data Act’s intervention, this data was held exclusively by manufacturers of IoT devices, preventing any other market players from using it to provide aftermarket services. This example shows that the Data Strategy is an effort to deconcentrate data markets and enable a fairer allocation of the value derived from data. As the analysis below shows, the pursuit of these comes at a cost, as they can diminish incentives to collect data and ultimately innovate. The Strategy navigates several such delicate trade-offs.
2.2.2 Methodology: Cost Benefit Analysis and Distributional Analysis
This Article analyses the DGA and the DA through the lenses of both orthodox and heterodox law and economics, namely through the tools of cost benefit analysis and distributional analysis.[47] By orthodox law and economics, we refer to the Chicago School and its aftermath. This line of scholarship is based on a commitment to markets as the best institutions for allocating resources, a narrow vision of regulation as limited to fixing market failures, and the belief that the goal of the entire legal system is to maximise social welfare. Under this view, legal rules are perceived as artificial interventions in ‘the market’ whose costs and benefits can be calculated.
While orthodox law and economics is easy to define as a movement, heterodox law and economics refers to a much looser aggregation of ideas. Since it never crystallised as a movement, it is much more difficult to identify any core tenets or shared assumptions. However, what we take out of it is an understanding of markets as being heavily influenced by laws, and a commitment to relying on laws as structural levers which can lead to markets that are more fair, less concentrated, and more egalitarian. Rather than theorising an idealised vision of ‘the market’, this scholarship views markets as institutions that arise through laws and can take a multitude of forms. Much of the literature adopting this approach is labelled as ‘private law theory’ rather than heterodox law and economics. Nonetheless, this literature takes a law and economics perspective in the sense that it views the law as an essential vector in dictating the shape of markets and assesses the desirability of legal rules in terms of the economic outcomes they give rise to.
The choice for combining two perspectives matches the ambition of the acts: aligned with the law and economics orthodoxy, the acts seek to provide efficient solutions for fostering data exchanges and data use and reuse, yet they are also committed to ensuring fairness in the allocation of resources and economic opportunities.
Cost benefit analysis requires assessing the costs and benefits of the rules at stake without factoring in any distributional impacts.[48] We use this tool to evaluate the relative efficiency merits of the new rules created by the acts. It is important to clarify that a frequent mistaken assumption regarding cost benefit analysis is that it is tied to the adoption of efficiency as the overarching goal of the legal system. Under this view, cost benefit analysis can only be used to assess whether a proposed intervention maximises social wealth, in the sense that resources are allocated to those who value them most.[49] We are aware that the pursuit of efficiency has undergone criticism, and that its use as a normative standard has become controversial.[50] Nonetheless, in this article, we follow the approach of heterodox law and economics scholars and dissociate cost benefit analysis from the pursuit of wealth maximisation.[51] As Eric Posner underscores, cost benefit analysis ‘helps analysts identify superior means for achieving a given goal in settings that are abstracted from moral and political questions that will nonetheless have to be answered before a policy is implemented.’[52] In simple words, cost benefit analysis allows us to identify the best tool to carry out a pre-established goal, but not to identify the relative worthiness of different goals, as the latter process would require the adoption of wealth maximisation as the benchmark of the assessment.[53] In this vein, this article relies on cost benefit analysis to assess whether the DGA and the DA are cost-effective tools for reaching their stated goals, and not whether they maximise societal wealth.
However, even decoupled from wealth maximisation, cost benefit analysis is blind to how the costs and benefits factored in the assessment are distributed between different stakeholders. Since one of the overarching objectives of the Strategy is to achieve a fairer distribution of the value derived from data, cost benefit analysis takes us only halfway through the assessment. To evaluate the acts’ distributional impact, we rely on the heterodox method of distributional analysis. Distributional analysis takes cost benefit analysis one step forward by identifying how the costs and benefits at stake are allocated between different stakeholders.[54] Since the acts target constituencies with very different entitlement and resource endowments – natural persons, SMEs, and big tech platforms – distributional analysis is particularly well suited for assessing their impact. Furthermore, distributional analysis reveals that there are tradeoffs involved in any legal move.[55] Enhancing data-sharing leads to a diminution in privacy and data protection. Companies that will be subject to mandatory data-sharing obligations will lose their exclusive control, whereas third parties that will benefit from this obligation will win access to a key competitive resource. Relying on distributional analysis highlights that there are ‘winners and losers’ of every proposed intervention. Here, we underscore that these actions involve a delicate balance of navigating crucial trade-offs.
3 Data Governance and the EU Data Market
This section situates the European Data Strategy within the literature on data governance and shows how the Data Strategy draws from it, and also calls for the strengthening of the data market.[56] The literature that seems to inspire the strategy focuses on alternatives to property rights, such as commons arrangements. To explain and conceptualise why reliance on property rights was not the alternative chosen in the Data Strategy we present in what follows the law that governs data markets today, and then the literature on data governance and data markets.
3.1 The Existing Law of Data Markets
Data markets are institutional arrangements where digital data and insights from data are exchanged as products or services.[57] Data markets assume, like all markets, the possibility to clearly define those products, goods and services. In the case of data, this is enabled by the fact that data is an excludable good.[58]
Standard economic and regulatory theory holds that property rights be established over goods to strengthen markets.[59] Property rights are legally enforceable rights to exclude others from using an owned thing, the privilege to reap the fruits of it, and the power to transfer it.[60] Economic analysis observes that property rights allow individuals in a given community to not have to negotiate over entitlements, reducing transaction costs and uncertainty, and therefore increasing the efficiency of markets.[61] Furthermore, traditional economic thinking proposes creating property rights over resources to generate investment incentives.[62] In the absence of property rights, too many individuals may use a resource without taking into account the costs of doing so, therefore depleting it and not investing in its maintenance or renewal, which leads to its exhaustion.[63]
Along this line of thought, some policy-makers and scholars in the EU and around the world have proposed that clear entitlements be created over data via property or intellectual property rights.[64] Preparatory documents for the EU Data Strategy the Commission considered, for example, the creation of ‘a new data producer right with the objective of enhancing the tradability of non-personal or anonymised machine-generated data as an economic good’ which ‘could be envisaged as a right in rem.’[65] Similarly, earlier policy discussions over the protection of data and how to create incentives for its productions led to the approval of the 1996 EU Database Directive. The Database Directive created full copyright protection for ‘databases which (…) constitute the author’s own intellectual creation shall be protected’ and a 15 years ‘sui generis right’ for ‘the maker of a database which shows that there has been qualitatively and/or quantitatively a substantial investment in (…) the obtaining, (…) of the contents (…) of that database.’[66] In practice, after some ECJ rulings, databases are only subject to IP protection in the very narrow circumstances where they constitute products of human creativity, but not, as in most circumstances, when data is created by digital appliances.[67]
The fact that data is not (yet) covered by property or IP law does not mean, however, that there are no rights or legal entitlements over it. Data protection law, for example, limits the grounds under which personal data can be processed and shared.[68] Relatedly, data holders have been known to try to argue that certain data is a trade secret to oppose data-sharing mandates.[69] A significant amount of scholarship studying the digital economy, especially in the US, has focused on the role of private ordering – e.g., contract law – in establishing entitlements to access and use data. Julie Cohen and Amy Kapczynsky have shown that the private ordering of the data market has an important role in giving rise to a very unequal marketplace, where users and other stakeholders are disempowered and subjected to the, often objectionable, data-processing practices of companies with outsize market power.[70] This occurs because the companies that control important amounts of data leverage ‘access-for-data’ contracts and non-disclosure agreements that create a network that simulates exclusivity over data, consolidating control over its use in their hands.[71]
These legal webs that simulate exclusion-like entitlements have led scholars like Cohen and Kapczynski to the conclusion that, if we accept that the key function of property rights is to set entitlements that govern people’s access to and control over resources, de facto property-like entitlements already exist over data.[72] Additionally, because large tech firms hold most data and they get to decide who can access it, markets are strongly biassed in favour of the main data holders.
3.2 The Proposals to Enhance Access to Data
Despite the existence of de facto property-like rights over data, and the policy proposals to create actual ownership rights over data, there is increasing consensus that data is an awkward fit for property and property-like rights. There are certain important differences in the objectives underlying property rights and the way data seems to be produced. First, it is unclear whether data ownership rights are required for the production of data, because data is often a by-product of already profitable economic activities, and thus its generation does not require additional incentives.[73] Second, as discussed above, data is made excludable through technical protection – unlike copyrighted material, which is meant to be distributed widely. Third, the value of data often resides in their immediacy and what is most valuable is not the data per se but the information and insights that can be drawn via data analytics and in relating different data with each other.[74] We elaborate on these strands below.
Several scholars thus criticise approaches that propose an ownership-based approach to data governance, primarily because given its non-rivalrous nature, many actors could benefit from processing data. Thus, using private data exclusively might result in the underutilisation of data. Néstor Duch-Brown et al. argue that the property law assumption that information production requires a financial incentive doesn’t hold in regard to data and, therefore, the claim that certain exclusive rights over data should be put over data to maximise welfare may not hold.[75] Thus they suggest that regulation should not be targeted at incentivizing data production or reasonable use but, rather, data-sharing and availability.[76] Betin et al. and other law and economics oriented scholars note that fully shared common data pools may face overutilization and the motivation to invest in data diminishes, but agree that intermediate semi-commons data governance solutions should be favoured.[77]
Commons arrangements are an alternative to private property arrangements when considering how to manage the risk of depletion of resources.[78] Elinor Ostrom famously showed that communities can manage shared resources successfully when group boundaries are clear, and when these groups have mechanisms to set up rules and change them to govern common goods in ways that adapt to local needs and conditions.[79] A second main school, focused on ‘open access commons’ showed that some commons could be open access, and that these were pervasive and successful in the digital networked environment.[80] Unlicensed spectrum, free and open source software, Wikipedia, open access publications and creative commons are all examples of open access commons that have yielded high degrees of value.[81] A characteristic of the resources that can be managed as open access commons is that they tend to be intangible, and thus non-depletable.[82] Commons scholars, such as Brett Frischman, have also shown that both open access and closed commons are pervasive in modern economies in the forms of ‘infrastructures’ and that they generate significant value when openly accessible – such as highways.[83] In conversation with this literature, data governance scholars and policymakers have developed frameworks to enhance and facilitate data access and sharing, while guaranteeing the protection of other interests such as data protection.
The debate on how to govern data came a few years after the literature on commons governance was developed, and adopted its arguments to suggest that data should be governed more as commons or infrastructure than as a private good. In Data-Driven Innovation: Big Data for Growth and Well-Being, an influential report published in 2015 by the OECD, data was described as a general-purpose good that should be regulated like an open commons.[84] The report advocated for open data access because, like with other infrastructures, individual willingness to pay reflects the value that individuals expect to realise themselves, but that value is difficult to estimate a priori and would not account for positive social externalities.[85] Later work, however, recognized that open access to data conflicts with other protected interests in data such as privacy rights.[86] In 2022, for example, the OECD seemed to tame its optimism for open access in another report, where it stated that ‘[d]ata access, sharing and reuse (‘data openness’) can generate significant social and economic benefits. (…) However, data openness also comes with risks to individuals and organisations. These include risks to privacy and data protection, intellectual property rights, and digital and national security.’[87] The report thus proposes technical, organisational, and legal approaches to effectively balance these interests, and to create incentives and possibilities for different parties to share data and ‘unlock’ its value, but to do so safely.[88]
Scholars and civil society have been proposing new technical, organisational and legal approaches to balance interests in data since at least the 2010s, though the earliest skirmishes go back as far as 2004.[89] These arrangements often look like intermediary bodies where participants exchange data to create public value, or where the intermediary body manages data rights on behalf of beneficiaries within a ‘consent based structure and towards a defined goal.’[90] Data trusts, for example, are bodies where an intermediary, the data trustee, has a fiduciary relationship towards the data subject to act and administer their data, in their best interest. They remain mostly a theoretical proposal as there is no legal framework enabling such fiduciary relationships. Other examples are pools of genomic data, where the intermediate body hosts the data and ensures that only authorised researchers can access it.[91] In this type of example, the intermediary is often a non-profit organisation that facilitates data collection and analysis while guaranteeing the protection of privacy or trade-secret rights, or simply provides the infrastructure for pooling together and analysing data coming from different sources.[92]
There are, however, relatively few data intermediaries in comparison to the size of the data economy.[93] Civil society and research organisations explain this as the result of not having the right institutional frameworks and coordination mechanisms.[94] This translates into difficulties amongst parties seeking to share and access data, in particular in negotiating how data should be handled. Contributing factors are also the lack of internal capacity and resources about how to share data, as well as an absence of common data standards and data interoperability.[95] The EU seems to be trying to address this with the Data Strategy, as we explain in the next section.
4 Enter the European Data Strategy
The European Data Strategy was published by the European Commission in February 2020. The Communication situates the Strategy in the wider context of the digital transformation of the economy and society and highlights the importance of placing the interests of individuals first in a society where they generate ever-increasing amounts of data. This should be done ‘in accordance with European values, fundamental rights and rules (…) At the same time, the increasing volume of non-personal industrial data and public data in Europe, combined with technological change in how the data is stored and processed, will constitute a potential source of growth and innovation that should be tapped into.’[96]
The two main implementing regulations of the Strategy are to date the Data Governance Act (DGA) and the Data Act (DA). The DGA, in force since May 2022, provides a regulatory framework for data intermediaries which enables the exchange of data between interested parties, including in the form of data markets, as well as rules for making data available for the public interest (‘data altruism’), and rules that ‘aim to increase trust’ and lower cost when sharing data in B2B and C2B transactions. The DA, adopted in January 2024, and which will enter into force in 2025, seeks to create incentives for data-sharing with the ultimate goal of ‘ensuring fairness in the allocation of value from data.’[97]
This section presents and analyses the main elements of the Strategy: the Communication, the DGA and the DA. These are all sufficiently complex documents to prevent us from summarising them exhaustively. We instead present their main elements and situate them in the broader context presented in the former section, and preliminarily examine the challenges and potential of the Strategy to meet its goals. As we present each of these elements, we also assess how they generate costs and benefits to data-sharing and exchanges, and analyse how these costs and benefits are distributed across different types of players in the data ecosystem.
4.1 The Communication for a European Strategy for Data
The Communication starts by explaining that the European Strategy for data is based on Art. 114 of the Treaty on the Functioning of the European Union (TFEU) on the harmonisation of laws to improve the functioning and integration of the internal market. It is a regulatory and policy package that seeks to harmonise the legal regime of data governance in the internal market. There is a sense of urgency in the acknowledgement of the EU’s potential to become a leader in the data economy of the future and vis-à-vis the notion of a need to catch up with competitors, such as China and the US, who have already made headways in innovating quickly when it comes to all things digital and data-related.[98] The EU’s solution is to address the underlying differences and fragmentation between Member States as it concerns data governance, which they see as currently inhibiting market players from leveraging the EU’s data potential.
The Strategy identifies eight important issues keeping Europe from realising the full potential of its data economy.[99] For this piece we only discuss the main non-technical ones:[100] (i) not enough data is available for innovative reuse; (ii) imbalances in market power, (iii) data interoperability and quality and (iv) data governance;[101] all within a wider landscape of regulatory fragmentation between Member States, where different States have started adapting their legal frameworks to allow the use of privately-held data by government or for scientific research.[102]
To address this, the Commission proposed four pillars of action, which include investing in infrastructure and skill building. Most importantly for our purposes, a key pillar is creating an overarching framework of horizontal measures for data access and use to avoid market fragmentation, as well as creating ‘common European data spaces in strategic sectors and domains of public interest.’[103] These data spaces are conceived in the strategy as infrastructures and platforms through which different actors can exchange and access data without undermining legitimate interests in that data and European values (such as privacy).[104] They strongly resemble alternative data governance bodies, such as data collaboratives, though the Communication leaves this for further exploration in ensuing legislation.[105] The main strategic line of work in this pillar is creating an enabling framework for those data spaces and engaging in legislative action to provide incentives for horizontal data-sharing.[106]
The DGA and the DA are to date the two key regulations enacted within the Strategy which develop the overarching mandate of establishing rules of access and incentivizing the creation of data-sharing spaces. The next sections present them and show how they draw from the data governance literature referenced above.
4.2 The Data Governance Act: Creating Legal Infrastructure for Data-Sharing
The Data Governance Act is a regulation that entered into force in June 2022 and started to apply in September 2023.[107] Its main objectives are (1) to improve the conditions for data-sharing in the internal market, notably through increasing trust[108] and (2) to create a competitive environment for data-sharing.[109] To do so, the Act creates a harmonised framework for a new category of players in the data economy labelled as ‘data intermediaries:’ market actors whose role is to facilitate data-sharing. These can take forms ranging from commercial data marketplaces to data altruism organisations.[110] In terms of scope, the Act applies to both personal and non-personal data, across all sectors.[111]
The Act is structured in 9 chapters. The first chapter, on general provisions, lays out the subject matter, scope and definitions, as described above. The second chapter discusses the reuse of certain categories of data held by public sector bodies. The third chapter discusses the requirements for data intermediation services, including data marketplaces. The fourth Chapter introduces data altruism organisations.[112] Chapters V, VII, VIII, and IX cover procedural, organisational and international access and transfer issues. Chapter VIII also creates a framework for the formation of a European Data Innovation Board.[113] We focus on Chapters III and IV, dedicated to the creation of new data intermediaries to enhance data-sharing.
4.2.1 Data Intermediation Services
The third chapter of the DGA lays down rules for the establishment of data intermediation services. This is a novel concept which refers to ‘services which aim to establish commercial relationships for the purposes of data-sharing between an undetermined number of data subjects and data holders on the one hand, and data users on the other.’[114] By data-sharing, the DGA refers to ‘the provision of data by a data subject or a data holder to a data user for the purpose of […] the use of such data, based on voluntary agreements […] or law, directly or through an intermediary, for example under open commercial licences subject to a fee or free of charge.’[115]
The preamble to the DGA clarifies that data intermediaries refer to ‘services which aim to establish commercial relationships for the purposes of data-sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other’ and gives as examples of data markets, ‘data-sharing ecosystems,’ and data pools licensed ‘in a manner that all participants receive a reward for their contribution.’[116] The Act envisages three possible designs for data intermediation services: (1) between data holders and potential data users, (2) between data subjects themselves and potential data users, and (3) data cooperatives which seek to strengthen the position of individuals in ‘making informed choices before consenting to data use and influence the terms and conditions of data user organisations attached to data use.’[117]
Despite the commitment to fostering the emergence of new businesses in the data economy, the requirements and obligations imposed on data intermediation service providers go well beyond what is expected of business players active in other sectors. First, to enter the market, service providers need to submit a notification to the competent national authority, which needs to include extensive information including legal status, ownership structure, and relevant subsidiaries.[118] Second, alongside this procedural requirement, data intermediation service providers need to satisfy several substantive conditions enshrined in Article 12. To begin with, the data intermediation services need to be completely separated from any other line of business in which the service provider may be active. This is reflected in several requirements: (1) the data intermediation services need to be provided through a separate legal entity; (2) the data that is being traded cannot be used for any other purposes by the service provider; (3) the meta-data collected through providing the data intermediation service can only be used for improving the intermediation service; and (4) the commercial terms offered to the service recipients shall not be dependent upon whether the service recipients use other services offered by the data intermediation service provider or by any other related entity.[119] All these requirements impose important costs on market players interested in providing data intermediation services, raising questions as to the efficiency of creating a legal framework which might discourage market entry.
Nonetheless, the DGA can not be confined to an efficiency discourse. It aims to facilitate the emergence of data intermediaries that operate differently from contemporary big tech platforms and is much in line with the data governance literature. There is a strong distributional orientation which seeks to empower small market players and tame the market power of the firms dominating the markets for digital services. Think, for instance, of the requirement that actors providing data intermediation services are obliged to separate these services from their other lines of business and are prohibited from deriving private benefits from the data traded.[120] The vision of data intermediaries put forward by the Act is one of channels that allow the interconnection of buyers and sellers, without being allowed to extract any value from the intermediation services apart from financial compensation for the provision of the intermediation services. This is reminiscent of the image of platforms that predominated up until the early 2010s: traditional marketplaces, warehouses, trading boards, etc. which were responsible for connecting buyers and sellers but derived no additional benefit than the fee charged for providing this infrastructural service.[121]
Additionally, strengthening its distributional ambition, the DGA demands more from data intermediaries than pure commercial neutrality. Article 12(m) requires that they should act ‘in the data subjects’ best interests […] in particular by informing, and where appropriate, advising data subjects […] about intended data uses by data users and standard terms and conditions attached to such uses before data subjects give consent.’[122] This requirement demands service providers to act like quasi-trustees vis-a-vis data subjects, going well beyond what is normally expected from commercial actors. In doing so, the DGA is opening pockets of non-market relationships in the data economy and strengthening the position of data subjects, who are, on average, much less knowledgeable than data collectors and traders about how their data is used. What is surprising about this design is that data intermediaries remain commercial actors, yet they are required to protect the interests of weaker parties and not just maximise their profits. This approach projects a very different kind of data market than the ones we are used to today.
4.2.2 Data Altruism
Further strengthening the view that the DGA opens up pockets for non-market relationships, chapter four of the Act provides rules for data altruism organisations. According to Article 2(16), data altruism means ‘the voluntary sharing of data on the basis of the consent of data subjects to process personal data about them, or permissions of data holders to allow the use of their non-personal data without seeking or receiving a reward that goes beyond compensation related to the costs they incur where they make their data available for objectives of general interest.’[123] Data altruism is, thus, characterised by (1) the lack of commercial incentives and (2) the pursuit of objectives of general interest such as healthcare, combating climate change, improving mobility, improving public services, etc.[124]
In contrast with providers of data intermediation services, data altruism organisations can choose to apply to be registered in a public national register.[125] To do so, they need to be established in the form of a legal person tailored to meet public interest objectives, must operate on a not-for-profit basis and be legally independent of any entity that operates on a for-profit basis, and they need to carry out data altruism activities through a structure that is functionally separate from any other activities.[126] In addition to registration requirements, providers of data altruism services need to abide by transparency requirements during their activities. In particular, they need to keep granular records concerning the identity of the parties allowed to process the data, the duration of data processing, the purpose of data processing, as well as any fees paid by the data receiver, and submit these records to the designated national competent authority.[127]
These procedural requirements are coupled with substantive requirements ‘to safeguard the rights and interests of data subjects and data holders about their data.’[128] Providers of data altruism services need to ‘inform data subjects or data holders before any processing of their data, of the objectives of general interest for which the data is being processed, and if personal data is at stake, the explicit and legitimate purpose for which personal data is to be processed.’[129] Crucially, they are ‘not allowed to use the data for any other purpose than the general interest objectives for which the data subject or data holder allows the processing’ and cannot ‘use misleading marketing practices to solicit the provision of data.’[130] In addition to this negative obligation, service providers need to actively empower data subjects and data holders concerning their data through ‘providing tools for obtaining consent from data subjects or permissions to process data made available by data holders’ and ‘tools for easy withdrawal of consent or permission.’[131]
4.3 The Data Act: Fair Access to and Use of Data
The Data Act is a regulation that entered into force on 11 January 2024 and will start to apply from 11 September 2025. It seeks to enhance access to data and achieve a fairer distribution of the benefits derived from data use and reuse. The chosen mechanism is creating certain mandatory, even if limited, obligations of data-sharing. The Act aims to maximise the value of data in the economy by ensuring that a wider range of stakeholders gain control over their data and that more data is available for innovative use while preserving incentives to invest in data generation.
The Act builds on the acknowledgement that increasing amounts of data are being produced daily and ‘a small number of very large companies have emerged with considerable economic power […] through the aggregation of vast volumes of data and the technological infrastructure for monetising them.’[132] Consequently, ‘start-ups and SMEs from traditional sectors with less-developed digital capabilities struggle to obtain access to relevant data.’[133] The Act sets out to change this by stimulating, and sometimes mandating, data-sharing, responding directly to the Data Strategy’s diagnosis that not enough data is available for innovative reuse. To do this, it lays down rules for business-to-customers, business-to-business and business-to-government data-sharing.
The specific objectives of the Act are (1) to facilitate access to and use of data by consumers and businesses, while preserving incentives to invest in generating data; (2) to give public sector bodies access to business data in exceptional circumstances; and (3) to create interoperability standards for data to be reused between sectors.[134] The text of the Act is structured in eleven chapters, providing rules on, amongst others, business-to-customers (B2C) and business-to-business (B2B) data-sharing, obligations for data holders, unfair contractual terms, business-to-government (B2G) data-sharing, and interoperability. The Act also contains chapters dedicated to switching between data processing services and international data transfers, which are not covered in this article.
The ambitious goals of the Act are balanced by its limited scope. When it comes to B2B data-sharing, the Act applies only to data generated by the use of Internet of Things (IoT) devices. Examples of such data are the number of times a smart fridge is opened, the size of a room vacuumed by a Roomba, or the errors of a smart speaker.[135] Importantly, the Act does not cover data generated by the use of devices which record, transmit, display or play textual, audio or audiovisual content.[136] Even though no longer specified in the Act, such devices include personal computers, tablets, and smart televisions.[137] The B2G data-sharing provisions of the DA are similarly narrow: businesses are obliged to share data with public authorities only where the data is necessary to respond to a public emergency, or where the lack of data prevents the public authority from fulfilling its tasks.
This Section dives deeper into (1) the B2C and B2B data-sharing, and (2) B2G data-sharing. In doing so, it follows the structure of the Act: Chapters I to IV deal with B2C and B2B data-sharing, whereas Chapter V lays down rules for B2G data-sharing.
4.4 B2C and B2B Data-Sharing
4.4.1 Creating Rights and Obligations over Non-personal Data
The preamble of the Act begins by identifying barriers to data-sharing which ‘prevent an optimal allocation of data to the benefit of society,’ mentioning, amongst others, the lack of incentives for data holders to enter voluntarily into data-sharing agreements, uncertainty about rights and obligations about data, transaction costs, and abuse of contractual imbalances concerning data access and use.[138] The Act aims to remove these barriers by laying down a framework specifying who, other than the manufacturer, is entitled to access the data generated by products or related services.[139] Note that data generated by IoT devices is overwhelmingly non-personal data, meaning that data protection law does not regulate how it can be collected, accessed, and used. One of the key interventions of the Act is, thus, the creation of legal entitlements over non-personal data.
First, Article 3 lays down an obligation for data holders – generally, the manufacturers – to make data generated by the use of products or related services accessible ‘by default, easily, securely, free of charge, in a comprehensive, structured, commonly used and machine-readable format, and, where relevant and technically feasible, directly accessible to the user.’[140] Users are defined as natural or legal persons, including data subjects, that own, rent, or lease a product or receive a related service.[141] In addition to the obligation to make data accessible to users, manufacturers are also required to provide them with comprehensive information on, amongst other things, how much data is collected and the purposes for which it is used.[142] This obligation is complemented by a right granted to users to access and use the data generated by their use of IoT devices, enshrined in Article 4. The underlying principle of this provision is that ‘data generation is the result of the actions of at least two actors, the designer or the manufacturer of a product and the user of that product:’[143] Since users are crucial to the data generation process, they should have the right to access that data, too. This obligation shows that the DA, too, has a redistributive ambition: it seeks to ensure that the benefits of data generation do not accrue solely to data producers.
This data is of little relevance to the users themselves, though: few, if any, natural or legal persons are interested in accessing the data collected by the smart fridges or tractors they own, lease, or use. However, the right of users to access the data brings us only halfway through the regime of rights created by the Act. The DA complements it with the right to share that data with third parties, enshrined in Article 5. According to the Article, ‘upon request by a user, or by a party acting on behalf of a user, the data holder shall make available the data generated by the use of a product or related service to a third party, without undue delay, free of charge to the user, of the same quality as is available to the data holder […].’[144] It is this provision that gives teeth to the right of users to access their data: whereas the data is quasi-worthless to the users themselves, it represents a vital resource for micro, small, and medium enterprises (‘MSMEs’) which seek to offer aftermarket services for IoT devices, such as repair and maintenance services.[145] In the absence of this data, any undertaking seeking to compete with the manufacturers themselves for aftermarket services would be placed at a competitive disadvantage: access to performance data enables manufacturers to offer services superior to those of any competitor.
4.4.2 Zooming in on the Qualified B2B Data-Sharing Regime
The crucial change of entitlements enacted by the Act is to allow third parties access to the non-personal data produced by manufacturers upon the request of the users. Interestingly, the Data Act does not frame the new data access regime as the right of third parties to access data, but as the right of users to share the data their use of the products generates. The Act does not establish a genuine B2B data-sharing mechanism, but rather a business-to-customer-to-business ‘B2C2B’ hybrid design which is intermediated by customers: even if the data flows directly from one business to another, it is the user who has to initiate the transfer.
We have expressed elsewhere our worries that this mechanism overly estimates the ability of users to manage their data and might consequently fail to achieve the goal of enhancing data-sharing.[146] A quick look suffices to show that this regime is costly for users and that the benefits might be too remote to be worth the costs. Even though critiques of data self-management are already mainstream in the data governance literature,[147] the DA builds on this model, relying on the establishment of a system of incentives to stimulate users to initiate data transfers. First, the Act puts forward an economic dependence argument: requesting the data to be shared leads to ‘a wider choice in aftermarket services,’[148] which ultimately means that consumers are no longer locked in the manufacturer’s ecosystem for obtaining aftermarket services. Second, there is an innovation incentive: enhancing data access for competitors leads to broader data-based innovation and the development of products or services unrelated to those initially purchased or subscribed to by the user. Both incentives build on a progressive vision of the economy in which customers and manufacturers are on a level playing field and in which customers are entitled to innovative products and services as a reward for their participation in data-generating activities. However, both of these rewards are long-term and structural, meaning that customers derive no immediate, personal, concrete benefits in exchange for incurring the costs of issuing data-sharing requests. Consequently, this design choice might prove to be a serious limitation to the effectiveness – and efficiency – of B2B data-sharing. A potential workaround might be for the interested undertakings themselves to find ways to incentivize users to prompt data-sharing requests.[149]
In addition to reliance on users as intermediaries, the B2B data-sharing regime comes with several other limitations. The most important ones are as follows. First, under Article 5(2), undertakings designated as gatekeepers in the meaning of the DMA cannot benefit from the right of users to request their data to be shared. This limitation is intuitive, given that these market players already have access to vast troves of data, and that two of the market failures that the Data Act and the Data Strategy more broadly seek to address is the existence of ‘bottlenecks impeding data access.’[150] It is also reflective of the broader redistributional orientation in that it strengthens the market position of small(er) players at the expense of the biggest ones.
Second, Article 6(2)(e) prevents recipients from using the data they receive ‘to develop a product that competes with the product from which the accessed data originates or share that data with another third party for that purpose.’[151] This limitation enshrines the objective of the Data Act to facilitate access to and use of data by consumers and businesses while preserving incentives to invest in ways of generating value through data. It also shows that, despite its redistributional orientation, the DA remains rooted in an efficient discourse. Nonetheless, the cost-benefit analysis underlying this rule is not bulletproof. Whereas the trade-off between facilitating data-sharing and preserving investment incentives is real, it may be overly expansive.[152] Prohibiting businesses who benefited from user data from developing competing products may have the undesired side-effect of entrenching the market power of the manufacturers Indeed, companies which are active in the aftermarket of repair and maintenance services are distinctly well positioned to enter the primary market for the products at stake given their knowledge of the industry and their commercial relationships with customers – preventing them for an indefinite time from entering the primary market might incidentally cushion the market position of manufacturers.
Third, under Article 5(9), trade secrets shall only be disclosed if it is strictly necessary to do so, and the third parties receiving such information are obliged to preserve confidentiality. Furthermore, the final version of the Act grants data holders the right to withhold or suspend the sharing of data qualified as trade secrets in other circumstances.[153] This reflects again the Data Act’s attempt at balancing data-sharing and access with other private interests in data. Fourth, according to Article 7, micro, small and certain medium-sized enterprises, as long as they are not linked to enterprises which do not enjoy the same qualification, are exempted from the obligation of sharing their users’ data with third parties.[154] This exemption resurfaces the DA’s redistributive aims: given that such enterprises are less likely to possess the technical means which would enable frictionless data-sharing with third parties, imposing data-sharing obligations on them is considered overly burdensome. The decision to insulate these players from data-sharing obligations reflects the Act’s commitment to improving the competitiveness of small market players, which demands not only positive action in the sense of imposing duties on data-rich companies but also negative action in the sense of refraining from burdening small players.
4.4.3 Making Data Available: A Complex Regime of Obligations
Chapter III of the Act lays down the regime of obligations imposed on data holders when carrying out their obligation to make data available. These obligations are very detailed and some of them are technical, thus we discuss only the most important ones for our purposes. First, under Article 8(1), data needs to be made available ‘under fair, reasonable and non-discriminatory terms and in a transparent manner.’[155] Second, data holders are not allowed to give more favourable treatment to any data recipients, in particular when these are enterprises with whom they have commercial links, and when there is any suspicion of positive discrimination, the burden of proof is on the data holder to demonstrate the lack thereof.[156] Third, under Article 9(1), data recipients can only receive ‘reasonable’ compensation for making the data available, and in case the recipient is an MSME, the compensation shall not exceed ‘the costs incurred in making the data available.’[157] Fourth, according to Article 10, any disputes between the data holder and the data recipient shall be settled by bodies certified by the Member States to meet the criteria of, amongst others, impartiality, independence, and expertise.
Chapter III is complemented by Chapter IV, which prohibits unfair contractual terms unilaterally imposed. Article 13(1) in conjunction with Article 13(3) specifies that contractual terms which have been unilaterally imposed on MSMEs are not binding if they are unfair in the sense that they ‘grossly deviate from good commercial practice in data access and use, contrary to good faith and fair dealing.’[158] According to Article 13(4), contractual terms are unfair if they either limit the liability of data holders, limit the remedies available to data recipients, or give data holders exclusive rights to assess whether the data provided is in conformity with the contractual terms.[159] Additionally, Article 13(5) contains a laundry list of contractual terms which are presumed unfair.
4.4.4 Semi-final Observations
The enactment of this web of entitlements displays an unorthodox regulatory technique, fitting with what Dagan and Kreitner call ‘the neglected half of regulatory theory.’[160] In enacting rights and obligations covering non-personal data,[161] the DA is de facto creating a novel regime of private law applicable to this data.[162] This regulatory choice is fit for the purpose of addressing the issues identified by the Act: instead of punctual market failures, the market in non-personal data is plagued by suboptimal trading and missed innovation opportunities due to uncertain allocations of rights. These are issues specific to novel industries and unregulated emerging markets, where it is unclear who holds entitlement to what resources and under what conditions trade is possible.[163] As Zingales and Rolnik put it, the preferred regulatory choice for intervening in emerging markets is to ‘reallocate rights to provide more incentives to trade.’[164] This is what the Data Act does. Recall that today, and before the intervention of the Act, the exchange structure of non-personal data works on the basis of a ‘rule of capture:’ whoever records the data gets to keep it and reap all the benefits from its use and reuse.[165] According to this rule, most data was de facto owned by big market players who have the customer bases and technical means required to capture, store, and process vast amounts of data.
Additionally, note how the Act adopts semi-commons arrangements and argues that ‘rights regarding access to and the use of data are preferable to awarding exclusive rights of access and use.’[166] Whether this reallocation of rights will allow the EU to realise the important economic benefits of data as a non-rival good is an empirical question which will be answered by the future evolution of the data economy.
5 Final Analysis: Considerations for the Future of the European Data Strategy
The Data Strategy lays down the vision of a European single data market that aims to be in sync with EU fundamental rights and values. The DA and the DGA intend to turn this into reality through concrete legal interventions designed to facilitate data access and exchanges and thereby enable businesses and the public sector alike to better capture the benefits of data. In doing so, the Strategy as a whole creates and alters certain data-entitlements and has the ambition of reshaping the European data market.
The in-depth analysis carried out in the previous section presented the Acts, assessed how they generate costs and benefits to data-sharing and exchanges, and how these costs and benefits are distributed across different types of players in the data ecosystem. For example, whereas the inability of gatekeepers to make use of the DA’s regime of accessing user data represents a cost to them, it represents a benefit to the market actors who can tap into this data. The preference for small(er) players at the expense of the gatekeepers displays a redistribution ambition aimed at strengthening the bargaining power of weaker parties.
Building on the granular analysis of the previous section, this section finishes by reflecting on the nature and challenges of these interventions by focusing on three main elements: (1) whether the friction created by personal data protection and information asymmetries has been eased by the proposed regulatory framework for data intermediaries; (2) what kind of regulatory techniques the DA and the DGA display, and to what extent they venture in promoting alternative, non-market based data governance mechanisms, and lastly (3) what are the limits and potential of the EU Data Strategy and how it aligns with other pillars of EU regulation of the digital economy.
5.1 Challenges Ahead: Legal Uncertainties and Information Asymmetries Unsolved
The main motivation of the European Data Strategy is that ‘the potential of data-sharing is not realised, [and] data-sharing remains limited in Europe.’[167] Despite the fact that they are not singled out in the Acts, two of the fundamental frictions to data-sharing seem to be the pre-existing European personal data protection rules and the lack of available information as to what data can be shared or traded, how, and by whom. In this section, we examine to what extent these issues are actually addressed by the Strategy.
5.1.1 Can Personal Data Now Be Exchanged?
The first challenge at issue is that the proposed new institutional frameworks for ‘data-sharing’ and ‘data intermediation’ established by the Acts may be at odds with data protection law. Recall that the DGA operates with the new notion of the ‘data holder,’ which means ‘a legal person, including public sector bodies and international organisations, or a natural person who is not a data subject with respect to the specific data in question [and] which […] has the right to grant access to or to share certain personal or non-personal data.’[168] The notion of the data holder introduced by the DGA creates a new regime under which the data holder has the right to grant access to or share data concerning the data subject with an unlimited number of third parties, for purposes which cannot be (exhaustively) specified in advance.
In contrast, the GDPR only recognizes the notions of ‘data controller’ and ‘data processor:’ ‘data controller’ refers to a ‘natural or legal person […] which [… [ determines the purposes and means of the processing of personal data,’ whereas a ‘processor’ means ‘a natural or legal person […] which processes personal data on behalf of the controller.’[169] Under the GDPR, data controllers/processors can only process personal data if they comply with at least one of the legal bases enshrined in Article 6. It is unclear, thus, to what extent the notion of the data holder overlaps or conflicts with those of data controller or processor.
In their joint opinion issued on the basis of the draft version of the DGA, the European Data Protection Body (‘EDPB’) and the European Data Protection Supervisor (‘EDPS’) took the view that such processing would be incompatible with the framework of the GDPR. The two bodies argue that the DGA builds on a right of the data holder to grant access to data or to share it with third parties which implies, first, the existence of a right of the data subject to share their data with a third party, and second, a transfer of this right from the data subject to the data holder.[170] None of these rights are as of now articulated neither in the GDPR nor in the DGA.
We believe there are potentially two main ways to think about this potential conflict: Under the GDPR, data controllers/processors can only process personal data if they comply with at least one of the legal bases enshrined in Article 6. The GDPR narrowly defines the reasons for which personal data can be processed: to fulfil a contract with an individual, to comply with a legal obligation, to protect vital interests, to perform a task in the public interest, to pursue a legitimate interest that is not overridden by an individual’s rights and freedoms, or with the explicit consent from the individual.[171] In practice, a very frequent mechanism for satisfying this requirement is asking for the consent of the data subject or claiming that it is in the legitimate interest of the processor. One way to think about this, thus, is that the data subject grants consent only to the data controller at hand, and for specific purposes. Bringing the DGA and the GDPR together, thus, it is unclear whether individuals will or should be able to delegate their right to grant consent about the treatment of the personal data.[172] A second and alternative legal basis would be to argue that it pursues the legitimate interests of the (third-party) data processors. The challenge going forward would be how to construe this legal basis for it not to be overused.
The legal uncertainty about how the GDPR and the DGA work together may hinder certain players from engaging in the data transactions the DGA seeks to facilitate.[173] Gabriele Caravano and Michèle Finck have argued that digital intermediaries may face considerable tensions and legal uncertainty regarding data protection law that may hinder the achievement of the Data Strategy’s goals.[174] Caravano and Flinck similarly argue that data intermediaries that classify as providers of data processing services will bear significant obligations costly to comply with that may weaken their competitiveness.[175] But it is worth considering the effects of assuming that the Act created an implied entitlement of data holders to share personal data widely. One could think that the impacts of this intervention are limited: personal data already flows widely in the EU economy, not in an ‘open’ market, but in the hidden architecture of the digital services economy.[176] Ditfurth and Lienemann argue that the overall regulatory approach, while aiming to prevent competition risks, may be however adding compliance costs and preventing the full realisation of the benefits of data intermediation services in facilitating data-sharing markets. This may, in the end, reduce the value and incentives to provide data intermediation services.[177]
5.1.2 The Problem of Information Asymmetries
A second challenge is the problem of information asymmetries: ensuring the transferability of personal data does not suffice to achieve functional data intermediation and trading. Recall that economists have shown that though digital technology lowers information costs, it does not solve the problem of information asymmetries.[178] The Data Strategy addresses these challenges in several ways – from requiring or enabling the registration of data intermediaries to granting data subjects the right to be informed by data intermediaries about the uses of their data. Nonetheless, these steps might not be sufficient.
When it comes to the position of new market entrants interested in buying or accessing data, even after data intermediaries will be registered, the information costs of navigating the landscape of data holders are likely to remain significant. This will be a bigger problem in the DGA than in the DA, since the data-sharing schemes of the DA are rather specific and respond to end-user needs: if I want my IoT devices repaired by company X, I can ask Y, the manufacturer, to give X the needed information. The DGA’s mechanism for making information about data intermediaries available is the requirement that providers of data intermediation and data altruism services need to be registered in a public national register, which could be made open access. Nonetheless, the obligation to register is framed as a duty towards competent national authorities, and not as an effort at maximising transparency and ensuring that adequate information is available to potential data providers and receivers.
On the other hand, the Data Strategy seeks to significantly strengthen the information endowments of data subjects. A couple examples suffice to prove this point. Under the Data Act, all users of IoT devices – including natural persons – are granted the right to access all the data their usage generates. Under the Data Governance Act, data subjects have the right to be informed by data intermediaries as to the intended uses of their data. What remains unclear, though, is to what extent data subjects will be able and willing to exercise these rights.
5.2 Regulatory Technique: From Fixing Market Failures to Structuring Markets
The previous section has shown that the context in which the acts intervene is one in which there are plenty of frictions preventing data exchanges from reaching the welfare-maximising level. Alongside the issues of personal data protection and information asymmetries, the acts mention a series of obstacles which impede data-sharing: lack of incentives for data holders to enter voluntarily into data-sharing agreements, unclear rights and obligations over data, transaction costs, high level of fragmentation in data silos, and bottlenecks impeding data access. Whereas some of these barriers to data-sharing fall into the category of textbook market failures (e.g. lack of incentives, transaction costs), others are endemic to the data economy (e.g. unclear rights and obligations over data, data bottlenecks) and warrant legal interventions that go beyond traditional regulatory techniques that merely remedy market failures. The Acts do not shy away from using unorthodox regulatory instruments to tackle these issues. For example, the DA prohibits unfair terms in data-sharing contracts, thereby actively shaping the bargaining power of the transacting parties. In doing so, the Act moves from redressing market failures to structuring the data market by equalising the level playing field between large and MSMEs.[179] A further case in point is the DGA’s prohibition of operators of data marketplaces from using the data they trade in their other lines of business, presumably in ways which increase profitability.[180] The ambition here is to ensure that providing data intermediation services cannot be leveraged as a competitive advantage in adjacent markets, seeking to break the vicious cycle of digital platforms expanding their market power across related markets.[181]
As this Article has shown, the EU Data Strategy pursues a more radical goal than merely fixing punctual market failures: it aims to redress the inability of existing data markets to promote the best interests of society while protecting fundamental rights.[182] To do so, the Acts rely on two innovative regulatory techniques: (1) creating new entitlements and rearranging existing ones and (2) opening up pockets of non-market relationships. First, the acts create new rights and obligations over data which change the status quo in which big businesses have de facto exclusive access to the data they capture. From granting users the right to request that the data they generate is shared with competitors, to creating trusted intermediaries for data exchanges, the acts are about democratising access to data through stimulating data-sharing. The intent is to go from a deeply unequal data economy in which data is captured and locked in the ecosystems of dominant players to a more democratic data market where data is treated as a societal good that should deliver welfare for all actors in the economy, from citizens to MSMEs. It is interesting to note, however, that the path taken is outright pro-market: the mechanisms chosen are underlined by an implied idea that sometimes repairing the imbalances of markets requires relying on even more market mechanisms, not less. This approach – of proposing more market-based mechanisms to fix faulty markets – aligns with the views of scholars such as Posner and Weyl, who note that ‘our supposedly competitive market economy is actually plagued by monopolised and missing markets’ and seek to expand markets to achieve a fairer distribution of resources.[183] This is what the EU seems to be doing with the Data Strategy: injecting vitality in data markets to give everyone a stake in the data economy.
However, the Data Strategy is not all about market-based mechanisms. In a very European fashion, the Strategy seeks to avoid a sum-zero game in data governance where the outcome would be either ensuring data protection through preventing data-sharing or an unregulated data economy. The EU is decidedly a pro-market entity, yet European markets are more protective of consumers and individuals, more regulated, and more fair than their American counterparts, where much of the literature on data governance comes from. Thus, alongside the commitment to structuring markets through rearranging entitlements, it opens up pockets for non-market relationships through proposing alternative data governance mechanisms. The DA’s section requiring businesses to share data with governmental authorities in cases of public emergencies, and the DGA’s legal framework for data altruism reflects Dagan and Markovits’ vision of markets with incomplete commodification: despite the fact that the data economy is primarily markets-based, it retains the space for interactions which maintain a non-commercial and public-interested aspect.[184]
5.3 From Data Law to Market Law: The European Data Strategy in Its Broader Context
Lastly, it is worth noting that despite its ambitious goal of revamping the European data economy, the Data Strategy does not intervene on a blank slate. As the previous section has shown, the extent of data-sharing is already pre-configured by the GDPR. Nonetheless, data protection regulation is not the only legal regime influencing data-sharing: Competition law, IP law, the novel DMA and DSA, and internal market law impact what kind of data can be shared and how. In the parlance of legal institutionalists, these legal instruments form the ‘background rules’ or the exchange structure which configure data-sharing, even if they are not directly targeted at regulating it.[185] Analyses of new regulations often take these background rules for granted and fail to address how pre-existing legal rules impact novel regulatory instruments.[186] However, to properly assess the role of the Data Strategy in shaping the European data economy, it is necessary to briefly put it in dialogue with the background regime in which it intervenes.
Looking at the EU’s broader new regulatory toolkit dedicated to digital markets, it appears that whereas the dominant narrative is that the DMA seeks to fix market failures that could not be addressed by existing legal instruments,[187] the DGA and the DA reflect a forward-looking ambition to structure an emerging data market differently. The preamble of the DMA is rooted in acknowledging two layers of institutional failure. On the one hand, the Act mentions that in the digital economy ‘market processes are often incapable of ensuring fair economic outcomes.’[188] On the other hand, it acknowledges that existing legal instruments have failed to ‘ensure the contestability and fairness for the markets in the digital sector in general,’ and hence a regulatory instrument dedicated to achieving this aim was necessary.[189] Consequently, the DMA proposes rules that seek to remedy harms already observed in digital markets. To home in on this, take the example of Article 5(2)(b), which prohibits gatekeepers from combining personal data they gather through providing intermediation services with personal data gathered from any other services.
The ambitions of the DGA and DA are different. This is made clear by the preamble of one of the acts: the aim is to foster ‘the emergence of new data-driven ecosystems independent of any player with a significant degree of market power, while allowing non-discriminatory access to the data economy.’[190] Recall the DGA’s requirement imposed on providers of data intermediation services to separate data intermediation services from any other lines of business. This obligation reflects the wisdom gathered through observing how businesses active in the platform economy have evolved,[191] achieving dominance through combining several lines of business and leveraging the power secured in one market to monopolise adjacent markets.[192] The DGA and DA intervene at a moment in which the data intermediation economy is still in its infancy and aim to ensure ex ante that this novel economic sector will not replicate the structural imbalances we have witnessed in the other digital markets. In this sense, the Acts are akin to an infrastructural project that seeks to facilitate the emergence of a data market that looks different from contemporary digital markets.
This approach – of using regulation as infrastructure – is distinctly European: The single market was also facilitated by piecemeal regulatory efforts, from the Single European Act to the liberalisation directives and the introduction of the Euro.[193] Whether the same approach will be successful in the data economy is an open question, though. Time will tell if we are witnessing the emergence of a fifth freedom of movement, alongside goods, services, capital and people, or if this is the failed constitutional moment of the data economy.
6 Conclusions
This Article has analysed the European Data Strategy and its main implementing acts – the Data Governance Act and the Data Act – by relying on a mix of orthodox and heterodox law and economics tools and leveraging the literature on data governance and data markets. In sum, the Data Strategy displays a European approach to data markets – committed to respecting the privacy of data subjects and to achieving public interest objectives – but is still a pro market Strategy.
The analysis revealed that the Data Strategy puts forward a novel approach to data governance, for several reasons. First, it constitutes a break from the EU’s previous exclusive emphasis on the protection of the fundamental rights of data subjects. Whereas the GDPR has placed the interests of data subjects at the heart of data governance, the Data Strategy introduces the imperative of tapping into the societal potential of data, seeking to strike a balance between fundamental rights and values, and unlocking the potential value of data-sharing and trading. Second, the Strategy deploys a unique mix of regulatory techniques that seek to create the requisite legal infrastructure for the emergence of a data economy that looks different from existing digital markets. From provisions seeking to prevent the emergence of outsize market power, to efforts at equalising the bargaining power of small and big players, and the injection of non-market, altruism-based institutional frameworks for data-sharing, the Strategy puts forward an unorthodox legal toolkit for facilitating the emergence of a different kind of data economy. Third, in leveraging the power of regulation to inject vitality into data trading and sharing, the Strategy revitalises the European approach of using regulation as a market-building mechanism, which was deployed for the erection of the internal market in goods, services, workers, and capital.
Whether the Data Strategy will achieve its ambitious goals remains an open question. Important questions on legal certainty, information asymmetries and how efficient the emerging markets will be are yet unanswered. However, regardless of the factual outcomes, we highlight that the Strategy represents an impressive project of legal infrastructure which has the potential to reshape the global academic discussion on data governance. It symbolises a step ahead from the polarised literature on data governance which tends to be silo-ed in two camps: one focusing on the many privacy and democratic risks of data-sharing and the digital economy, and the other emphasising the many potential benefits of unrestrained data-sharing, trading, and markets. Through proposing a vision of thoroughly regulated data markets, it suggests that there is potential for law and regulation to shape markets that are not plagued by the ills of excessive concentration and unchecked power accumulation at the top.
Acknowledgments
The authors would like to thank Giovanna Hajdu Hungria Da Custódia for her helpful research assistance, and two anonymous reviewers and the participants at the ‘Commodification and the Law’ conference organized at EUI in December 2022 for their helpful comments and feedback.
© 2024 the author(s), published by De Gruyter, Berlin/Boston
This work is licensed under the Creative Commons Attribution 4.0 International License.
Articles in the same Issue
- Frontmatter
- Research Articles
- Law, Commodification, and the Distribution of Resources
- Patriarcapitalism? Towards an Intertwined History of Inheritance law and Capitalism from the Middle Ages to the Industrial Revolution (c. 1350–1850)
- Capitalising on Uncertainty: Exploring the Failure of International Law to Address the Risk Generated by the Proliferation of Space Debris
- Data as a Contested Commodity
- The New Law of the European Data Markets: Demystifying the European Data Strategy
Articles in the same Issue
- Frontmatter
- Research Articles
- Law, Commodification, and the Distribution of Resources
- Patriarcapitalism? Towards an Intertwined History of Inheritance law and Capitalism from the Middle Ages to the Industrial Revolution (c. 1350–1850)
- Capitalising on Uncertainty: Exploring the Failure of International Law to Address the Risk Generated by the Proliferation of Space Debris
- Data as a Contested Commodity
- The New Law of the European Data Markets: Demystifying the European Data Strategy
