To succeed, data commons advocates must address privacy concerns head-on

March 2, 2023

This week, the European Parliament’s Industry, Research, and Energy (ITRE) Committee, which has been leading the EP’s work on the Data Act, published its report on the proposal for the Data Act. The report will be voted on in the next plenary session of the European Parliament and will then become the basis for the European Parliament’s negotiations with the co-legislators.

We have been following the Data Act with a particular focus on the proposed measures to enable business-to-government (B2G) data sharing.  The initial European Commission’s proposal for the Act had introduced a narrow B2G data-sharing mandate, limited only to situations of public emergency and exceptional need.

In our reaction to the proposal, we emphasized that, despite being a positive step, the proposed measures fell short of creating a framework for “data sharing for the public good.” In Public Data Commons. A public-interest framework for B2G data sharing in the Data Act, we described a complementary mechanism to the Data Act proposal that would ensure a broader B2G data sharing mandate in the public interest. Our proposal extended the scope of B2G data-sharing provisions and included the creation of the European Public Data Commons. This body would serve as a recipient and clearinghouse for data made available to third parties working to achieve societal goals.

The Pushback Against More Robust B2G Data Sharing

The report adopted by the ITRE committee contains several amendments to Chapter V on B2G. Most of the amendments go in the opposite direction to what we were advocating for, limiting the B2G framework rather than strengthening it, for example, by setting further conditions for requests for data.

The amendments proposed in the report  are indicative of the pushback that the idea of B2G data sharing has faced. The reasons for this pushback reflect two major types of arguments against a more robust B2G framework.

The first category of objections includes privacy and personal data protection concerns. The opponents of more substantial B2G data sharing are concerned that giving public sector bodies access to data held by private entities will jeopardize users’ rights. Privacy considerations have been reflected, for example, in the amendments specifying that Chapter V only applies to non-personal data and the explicit clarification that the chapter shall not apply in the context of law enforcement.

Concerns about B2G harming business, competition, and private innovation fall under the second category of objections. These concerns have materialized in the form of a prohibition for public sector bodies to use the data to develop a product or a service that competes with the product or service from which the accessed data originates and the strengthening of the protection for trade secrets that the shared data might reveal.

Further restrictions on the use of shared data have been imposed by drastically reducing its potential use in scientific research. Initially, a public sector body that requested the data would be allowed to share it with individuals or organizations conducting scientific research or analytics compatible with the purpose for which the data was requested. In the revised version, such sharing will be permitted only when the research is necessary to achieve the goal.

The concept of a public data commons was caught between two of the EU’s policy objectives – the protection of fundamental rights and the strengthening of the internal market. This tension is, of course, not new to digital policymaking. Policy interventions in this area have tended to be well aligned with one of these concerns and at odds with the other. But not in this case. Our proposal for a more robust framework for B2G data sharing and a public data commons has generated opposition from both proponents of strong data protection and privacy safeguards (on the progressive side of the political spectrum) and opponents of restrictions on private market actors (on the conservative side of the political spectrum). This has resulted in opposition to these proposals across broad swaths of the political spectrum, leaving no room for the idea of a B2G data-sharing framework in support of a public data commons.

Finding Common Ground for Data Commons and Digital Rights Advocates

How, then, should advocates of more meaningful B2G rules and, more generally, data commons proceed in light of such strong opposition from different sides of the political spectrum?

The first step is acknowledging the different objections that strengthening B2G data sharing evokes. Finding common ground on shared objectives with digital rights activists who advocate for privacy and data protection rights should be the next step. The failure to convince more civil society actors that a more robust B2G framework would benefit society as a whole demonstrated that implementing the idea of data commons will be difficult unless the issue of personal data protection is addressed more directly.  Data commons proponents will be unable to shift the narrative on data sharing away from market-oriented solutions and toward mechanisms in the public interest if the ideas keep being perceived as clashing with the need to protect fundamental rights.

What can finding common ground with digital rights advocates look like in practice?

The goal of this effort must be to show that establishing data commons and protecting privacy are not mutually exclusive or antagonistic. On the contrary, the idea of data commons provides privacy advocates with a positive vision of the future where data processing is carried out outside the control of commercial entities that extract value and exploit users, which is often the root cause of fundamental rights violations. Instead of treating data as property, data commons treats it as a shared resource that can be stewarded to benefit society.

One practical suggestion for showing that data commons and the protection of personal data are not antagonistic is to clarify that when talking about data commons, we are referring to anonymized data unless the data subject explicitly consents it not to be. When data anonymization is not feasible, establishing data commons must entail implementing all available technical and organizational measures to protect the rights of data subjects.

In addition, it is essential to show that establishing data commons might alleviate some of the current concerns arising from the lack of transparency on how data is governed and processed. For example, we know that using biased, non-representative data for AI training leads to harmful impacts. Still, there are few concrete policy proposals for dealing with the problem. Empowering society to participate in data governance by establishing data commons might be a way to change the current situation, where much of generated data resides in the private sector and is controlled and monetized by private entities, which benefits no one but the companies themselves. Changing the status quo is a shared desire of digital rights advocates and proponents of data commons. We simply need to make this clear.

Zuzanna Warso