A brief history of European data regulation

Introduction

The word “data” refers to facts likely to be recorded, and which have an implicit meaning (Elmasri et Navathe, 2016). “Data” can be personal (date of birth, phone numbers), non-personal (anonymized, weather data), industrial (customer list, schedule of a transport service) etc. Data can be therefore thought as a medium from which it is possible to extract information. This information can then be processed in an automated or non-automated way to generate economic value i.e., training algorithms, better control of a supply chain, medical innovation etc.

The information and the data that underlies it has a characteristic of being non-rival. Indeed, taken isolated, the use of data by one party does not alter the ability to use the same data by another agent, given the seemingly zero marginal cost of reproducibility (Jones & Tonetti (2020)). This paradigm argues for the broadest possible data access regime; however, this does not extend to explain all types of data, nor does it capture the competitive issues associated with data sharing. The use of data may be contrary to the interests of some parties – for instance because of sensitive data, privacy concerns, etc. – which imply a lot of costs of conforming to standards (Campbell et al. (2015)). Moreover, the complementarity of the data along with the need to carry out certain ex-ante processing (organizing, aggregating) can be obstacles to data collection and sharing. In this way, the collection and processing of data by third parties can generate transaction costs that are greater than the marginal value of each dataset, but less than the value that an agent could derive from combining them (Buchanan & Yoon (2000)).

In summary, the asset represented by data constitutes an increasingly important opportunity to create value, but by its nature, and its economic characteristics, the data economy suffers from market failures. These two arguments make explicit the need for regulation of the data industry. It is the European Union, and more precisely the European Commission, that has imposed itself as the regulator of data. Although the very idea of regulating "data markets" appeared after the first directive on the subject. Indeed, it is not the economic reasoning that is at the origin of the first directive of the European Commission. The European Union initially saw regulation as a means of operationalizing pre-existing human rights and protecting citizens against potential abuses. It was only later that the EU adopted regulation as a means of stimulating and protecting European economic interests in the data-intensive digital sector.

1. The right to privacy, the first pillar of European data regulation:

**Data Protection Directive (DPD) **

The first European Union directive on data is the Data Protection Directive, adopted in October 1995. Its purpose is to operationalize the right to privacy guaranteed by Article 8 of the European Convention on Human Rights. This text provides the first typology of data by creating two distinct categories, personal data and non-personal data. With a definition of personal data “personal data shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

Moreover, it defines the different actors of the data, data controllers, the data subject, and the processor of the data.

• Controller shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law
• Processor shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. -The person to whom the personal data refers. This directive establishes 7 principles that dictate how personal data should be established. It applies to data processed within the Union and relating to individuals located in one of the Member States. Responsibility for compliance with these requirements rests with the data controllers. • Notice – individuals should be notified when their personal data is collected. • Purpose – use of personal data should be limited to the express purpose for which it was collected. • Consent – individual consent should be required before personal data is shared with other parties. • Security – collected data should be secured against abuse or compromise. • Disclosure – data collectors should inform individuals when their personal data is being collected. • Access – individuals should have the ability to access their personal data and correct any inaccuracies. • Accountability – individuals should have a means to hold data collectors accountable to the previous six principles.

This directive was repealed in 2018 by the entry into force of the General Data Protection Regulation.

**General Data Protection Regulation (GDPR) **

On April 27, 2016, the European Union adopts one of the most famous regulations at the international level regarding personal data protection. This text is an extension of the 1995 DPD, it extends the field of application of this directive, by including in the definition of personal data the characteristics relating to the digital personality of persons (pseudo, IP address, location data). The other channel of extension of the 1995 directive is geographical, this text will apply as soon as the subject of the data is resident of the EU, no matter his nationality or the location of the data controller, or data processor. Moreover, the latter also becomes responsible for its compliance with the text. In terms of priority GPDR applies to a whole dataset if there is even a minority of personal data.

The text becomes more protective in a direct way by advocating privacy by default, but also an expression of necessary consent (no more default permissions) as soon as an actor wants to collect personal data. It is also one of the first texts to address the protection of minors online by setting a maximum age for consent to the collection of personal data, which is 16 years. In addition to strengthened obligations for firms, the GDPR creates new rights for European residents.
• Right to notification in case of hacking of one's personal data: the data subject must be promptly notified by the data controller, except in certain situations (e.g. data already encrypted). • Group action: any person can mandate an association or an organization active in the field of data protection to file a complaint or an appeal and obtain compensation in case of a data breach. • Right to compensation for material or non-material damage: any person who has suffered such damage because of the breach of the GDPR may obtain compensation from the data controller or processor. • Right to data portability: any person must be able to retrieve the data he or she has provided to one platform and transfer it free of charge to another (social network, etc.). The right of portability opens the door for the second key principle of European regulation of data: free flow of data.

2. Unlocking business opportunities, second pillar of European data regulation:

**1st and revision of public services information directive **

The first EU project to maximize the economic potential of data was that of public data. This directive of November 17, 2003, aims to encourage and regulate the re-use of public sector data. These data are defined by this directive as "any content whatever its medium" emanating from the public sector body i.e. "means the State, regional or local authorities, bodies governed by public law and associations formed by one or several such authorities or one or several such bodies governed by public law".

This text establishes a body of principles inherent to this reuse. It must be thought from the production of the data and must be encouraged without distinction of the final potential beneficiary. Moreover, this text puts a point of honor to the unification of the license system in order to accentuate the standardization as well as the accessibility to the data. Finally, the text also defines data sets with a high potential of valorization and recommends the implementation of programming interfaces (API) to make these data as accessible as possible and in real time.

In June 2013 the directive is updated by the commission, remaining in the logic of the first directive it intends to increase the scope and strengthen the principles set. We note for example: • The extension of the data concerned to the data held by private companies in charge of public services (related to the public service)
• The principle of free provision is the one, the potential costs are restricted to the marginal cost of provision.
• Strengthen the obligation of publication for high value data set
• Fight against exclusive agreement between public and private sector
• Involve state member to improve availability of data (through data portal for instance)

**Open data directive **

On July 16, 2019, the EU completes the 3rd step of opening and re-using public data via the open data directive. This directive strengthens the PSI directive by extending its scope to research data, transport, and energy sectors. Moreover, it sets more requirements on the availability of high value datasets and provides a list of datasets falling into this category. Finally, it further restricts the possibility of imposing fees on the provision of data, and clearly frames exclusive data agreements between a public entity and another actor.

**Non-personal data regulation **

On November 9, 2018, the European Commission enacts the Non-Personal Data Directive. This directive is the counterpart to GDPR for, the latter promulgated the principle of free movement of personal data upon request of the data subject. The directive of 2018 prohibits all legal requirements set by a member state when it comes to the location of non-personal data. In addition, this text reinforces the right to portability, especially between cloud service providers. We also note the strengthening of regulatory authorities in fact another provision guarantees the availability of data for regulatory control: public authorities will be able to access data for examination and control purposes wherever they are stored or processed in the EU.

**European data strategy **

In February 2021 the European Commission publishes a communication entitled "A European Data Strategy". This communication is intended to be the first step towards a harmonization of existing regulation, in addition to the desire to have a pro-active regulation to stimulate the data economy as well as to protect European interests against foreign actors, especially American. This strategy is materialized, at the data level, by the Data Act and the Data Governance Act.

Data Act

On February 23, 2022 the Commission publish the first draft of the Data Act. This text is intended as the first stone of a regulation in favor of data sharing. It is also the first text that focuses on a regulation for commercial purposes for industrial data including personal data (still under the authority of the RGPD).

An important area of the Data Act is the sharing of data from the Internet of Things (IoT), it establishes the principle of sharing free data between the user of the connected object and the data holder (the one who collects the data from the object). Moreover, it protects the user by specifying that the use of data from the object must be subject to contractual clauses and prohibits anti-competitive behavior. In other words, the data holder cannot use the user's data to compete with him.

This text also focuses on the usual provisions of the commission by facilitating data portability and lowering the costs of changing operators for cloud and edge services. We also note in the same logic the strengthening of interoperability standards for data to facilitate its reuse. Finally, the Data Act opens the possibility for public authorities under certain conditions to request private data (for example for crisis management).

**Data Governance Act **

On June 23, 2022 the Commission adopted the main text of its new data strategy, the Data Governance Act. This text is global, it intends to cover non-personal and personal, industrial, and public data. The text revolves around the mechanism of data sharing.

For public data, we note among other things, the prohibition of exclusive agreements on data. Moreover, a change of tone when it comes to public personal data or data with high strategic stakes, it is no longer a question of exempting them from the Open Data Directive, but of recommending to public authorities to anonymize them before publishing them.

Regarding the sharing of industrial data, the DGA intends to set up data intermediation services. These neutral actors must facilitate on all levels the sharing of bilateral data. They must be economically and legally separate from any other data sharing stakeholder and base their business model on data sharing. They will be able to report to the competent national authorities to be labeled "data intermediation service".

Another major contribution of the DGA is "Data Altruism" i.e., the voluntary sharing by individuals and companies of the data they have generated - without receiving a reward - so that it can be used for general public interest purposes. To achieve this goal, the DGA introduces a common European data altruism consent form that will facilitate the collection of data in all member states in a uniform format, while ensuring that consent can be given and withdrawn easily. This should provide legal certainty for researchers and companies wishing to use such data and create a framework of trust that will encourage data altruism and facilitate data sharing for societal purposes.

In the end, the DGA is the last legal text of the EU when it comes to regulation of data, and it truly symbolizes the legislative path of the commission. It started by operationalizing pre-existing rights, to protect consumers and to create a public data service. Then, in view of the technological progress, the commission brings a global regulation that aims at reinforcing the creation of value behind data sharing. The objectives behind the European regulation are not only commercial, but also aim at creating the trust necessary to establish viable ecosystems, as well as reinforcing the role of data to fulfill social and economic objectives.