
The EU digital strategy: The impact of data privacy on business

The data regulations in the European Union (EU) have recently received significant attention specifically due to the advent of the General Data Protection Regulation and the rulings around Schrems II—whereby the Court of Justice of the European Union found that the protection of personal data had limitations due to domestic law in the United States—as well as the access and use by US public authorities of personal data transferred from the EU, and recent developments such as e-privacy.

While these developments have led to major changes in data privacy, one of the other goals of the regulation—to establish a market for data and facilitate data exchange between companies—has not been reached to date.

This lack of action has led to the potential for further regulatory activity to define an agenda for how to uplift the data capabilities of European companies, create a market for data, and regulate activities around AI. These activities are typically summarized as the EU digital strategy. While regulation adds further requirements and obligations to any data-enabled business, it also creates an opportunity for competitive advantages for those that best derisk their data transformations.

The EU digital strategy offers organizations both challenges and opportunities, but these regulations will likely continue to evolve, so organizations should remain aligned with the regulatory process.

The EU digital strategy comprises several acts:

  • The Data Governance Act creates a new way of managing data to increase trust in and facilitate data sharing.

  • The Digital Markets Act creates fair and contestable markets for innovation, growth, and competitiveness in the digital sector.

  • The Digital Services Act creates a safer digital space where the rights of all users of digital services are protected.

  • The Data Act regulates access to data in B2B, B2C, and B2G (business-to-government) relationships and while switching between cloud providers.

  • The AI Act enacts stringent regulations of (high-risk) AI systems and prohibition of certain practices.

According to current plans, these acts will only become effective during or after Spring 2023, but an end to the alignment process is foreseeable. While the five acts are currently in draft status and further changes to the regulation can be expected, there is a clear trend toward stricter regulatory guardrails for data and AI.

Several benefits arise from the new regulatory regime, specifically for data sharing and portability and the possibility of reducing gatekeeper platforms. This applies particularly to social-media platforms, and also to insurance contracts and other services.

For example, for banking, there is a strong lock-in because customer information needs to be transferred manually or requires significant effort to be transferred, so transfers seldom happen.

This lock-in effect can now be weakened significantly due to the full requirement to easily transfer the required information and thereby reduce the burden for the customer. This should make it easier to set up new business propositions in this space and set up new digital attackers for existing businesses.

This is further reinforced by the reduction of the power of incumbents to increase competition in the digital platform space. Going forward, these platforms may be forced to allow competitors to exchange data with them to ensure that competitors will thrive. For example, with social-media platforms, search engines, or provision of cloud-based infrastructure, these decisions should lead to increased competition.

Three keys to navigating the EU digital strategy

First, companies may need to assess the impact of the EU digital strategy on their business and their business model, identifying where changes are required and where additional care needs to be taken with respect to current processes. This specifically applies to the four acts concerning data governance, digital services, AI, and data.

Second, companies may need to investigate the possibilities for the applicability of the acts within their organization. This includes possible access to markets that other competitors led in the past through their access to end-user data.

Finally, as the EU digital strategy continues to evolve, organizations may be able to further collaborate with governing bodies on the interpretation of the regulations. Specifically, in the case of AI, there are several companies that may find it very challenging to work with their current model in the new guidance.

Mitigating the impact of these regulations is therefore still possible, and the actions should be actively shaped by companies, including clarifying the consequences of certain actions and making sure that the decision process takes these into account.

Additionally, companies should revisit their current processes for data collection and AI. They should also identify where personal data is required, and where it isn’t, to identify the priority use cases where additional consent or safeguards would be required.

Following these three aspects as well as the mitigating actions should leave companies in a better state once the final rules and regulations around the EU digital agenda have been published.

