By Kristof Van Quathem

Yesterday, the European Commission launched its “Digitising European Industry” package, a series of industry related initiatives aimed at “updating Europe’s digital infrastructure”, see press release here, Q&A here and homepage here.  The package includes reports and proposals addressing cloud computing, ICT standardization, eGovernment, Internet of Things (“IoT”), quantum technologies and high performance computing / big data.

Below we summarize the data protection aspects of the key communications published yesterday.

Cloud computing — launch of the European Science Cloud

Building on the European Cloud Strategy, the Commission announces a European Cloud Initiative.  The initiatives focuses on the creation of a European Open Science Cloud and a European Data Infrastructure.  It will be complemented by actions under the Digital Single Market strategy, including in relation to cloud contracts, switching cloud services and the proposed Free Flow of Data initiative.

The Commission points out that there are five reasons why the EU fails to reap the full potential of data: (i) lack of openness in public funded research; (ii) lack of interoperability; (iii) fragmentation of data infrastructures; (iv) lack of high performance computing infrastructure; and (v) an ill-adapted regulatory framework for the re-use of data.

The European Open Science Cloud is intended to “offer 1.7 million European researchers and 70 million professionals in science and technology a virtual environment, free at the point of use, open and seamless services for storage, management, analysis and re-use of research data, across borders and scientific disciplines.”  While this Cloud will start by bringing together existing scientific data infrastructures, several additional steps need to be taken to make the Science Cloud truly European and open.  Among other things, more data must be open by default, there should be incentive structures to share data, and interoperability must be improved.  According to the Commission, the initiative may help address issues such as data clearance and data protection through the development of anonymization services, “personal data spaces”, and other privacy by design and default tools and processes.  In this context, the Commission intends to adopt an Action Plan by the end of 2017 on scientific data interoperability, including ‘meta-data’, specifications and certification.

In addition to the European Open Science Cloud and appropriate infrastructure, the Commission also wants to widen access to the data and build the required trust.  The intention is to incorporate much of the public data and to gradually open this up to users from industry.  The Commission realizes that this will only work if the cloud infrastructure meets high standards of quality, reliability and confidentiality.  In this respect, it intends to start working as of 2016 on certifications and standards, in particular on security, data portability and interoperability, including a certification approved pursuant to the mechanism in the new General Data Protection Regulation.

According to the Q&A, access to the Science Cloud would be limited to universities and research institutes at the outset, but it would be widened to private and public bodies as more resources become available.  As of 2016, as part of the Horizon 2020 program, the Commission will explore the governance and financing mechanisms of the Science Cloud in cooperation with stakeholders and the Member States.

ICT standardization

In its Communication on ICT standardisation, the Commission has identified five priority areas for standardization: 5G, the IoT, cloud computing, cybersecurity and data technologies.  Standard setting bodies in these areas will draft reports outlining best practices and gaps to be addressed by the end of 2016.  This is likely to lead to prioritized standardization in eHealth, smart energy, smart cities and connected cars.  In addition, the Commission has proposed a high-level political process to validate, monitor, and – where necessary – adapt the list of priorities.  The standardization efforts are focused on interoperability, safety, security and privacy as well as increased collaboration between standard setting bodies at a European and global level.

Based on the degree of uptake and progress by the end of 2017, the Commission will consider adopting a recommendation regarding the integration of cyber security and application of privacy and personal data protection requirements including data protection-by-design and data protection-by-default.  The Commission will also encourage the development of cybersecurity risk management guidelines for organizations and audit guidelines for authorities or regulators with oversight responsibilities.

eGovernment

The Communication on the EU eGovernment Action Plan 2016-2020 sets out a number of principles that forthcoming initiatives in the area of eGovernment should observe and aims to join up efforts in removing existing digital barriers and to prevent further fragmentation in the context of the modernization of public administrations.  The Action Plan is guided by an ambitious vision of public administrations and EU institutions providing open, efficient, borderless, personalized, user-friendly, end-to-end digital public services to all citizens and businesses in the EU by 2020.

The Action Plan sets out a number of underlying principles that initiatives under the Action Plan should observe, including Digital by Default, the Once only principle (so that the same information only needs to be supplied once and can be re-used), Openness & Transparency, Interoperability, Trustworthiness & Security.

In terms of Policy Priorities, the Action Plan sets out twenty concrete actions in the following three areas:

  • Modernising public administration with ICT, using key enablers — actions include supporting the transition towards full e-procurement, acceleration of the take-up of eIDAS services and developing a prototype for a European Catalogue of ICT standards for public procurement. Additional actions could include the re-use of data and services between public administrations and encouraging the use and sharing of cloud, data and computing infrastructures as well as the promotion of the usage of big data or the IoT.
  • Enabling cross-border mobility with interoperable digital public services — actions include the proposal for a Single Digital Gateway, developing the European e-Justice Portal and European Case Law Identifier search engine, mandatory interconnection of all Member States’ business and insolvency registers, facilitating the use of digital solutions in particular in relation to online registration procedures and electronic filing of company document, as well as information and support of Member States in the development of cross-border eHealth services.
  • Facilitating digital interaction between administrations and citizens/businesses for high-quality public services — actions include assessing the application of the once-only principle for citizens in a cross-border context, creating a platform for public authorities to open their data and services, a “government as a Service” base for the EU, and accelerating the deployment of spatial data.

The actions are to be launched in 2016 and 2017 and further actions may be developed in addition.

Digitizing Industry and the free flow of data initiative

The Commission plans measures to encourage investment (along with industry and EU partners) in “digital hubs”, preparing the European job market for the digital transformation and a framework for coordination of national and regional initiatives.

The Commission will also propose measures to create the right regulatory conditions to encourage digitization in industry.  With the support of industry and Member States, the Commission will:

  • Propose an initiative on free flow of data in 2016 within the EU in order to remove or prevent “unjustified” data localization requirements.  This will involve examining data ownership, access, interoperability and re-use rules, including as regards data in an industrial context and especially data generated by sensors and other collecting devices.  While personal data is covered and protected by EU rules, there are no clear guidelines for other types of data such as sensors gathering climate information, satellite imagery, digital pictures and videos, purchase transaction records, or GPS signals;
  • Explore the legal frameworks for autonomous systems (such as drones and self-driving cars) and IoT applications, in particular safety and liability rules and the legal conditions to allow large-scale testing in real-life environments; and
  • Examine whether there is a need for further legislation needed in relation to the safety of applications and other non-embedded software.

Internet of Things

Internet of Things (“IoT”) gives people the opportunity to always be connected to all their personal devices, which has the potential to lead to more surveillance or more profiling by public authorities and private entities.  In its staff working document on the Internet of Things, the Commission acknowledges that some data processed by IoT is personal data, within the meaning of data protection law.

Under the new General Data Protection Regulation (“GDPR”) the Commission expects that ‘data protection by design and by default’ principles, using anonymized or pseudonymized data together with data protection impact assessments, data protection certifications, seals and marks, will  ensure consumer trust in the IoT.

In addition to the GDPR provisions applicable to the IoT, the Commission is considering:

  • The adoption by the IoT industry of specific data protection codes of conducts and certification schemes;
  • The further development and elaboration of new Data Protection Impact Assessment frameworks and guidance;
  • Research and development activities for privacy by design and by default technologies and solutions, and the creation of a viable European market for these technologies; and
  • Specific IoT related provisions in the ePrivacy Directive, which is in the process of being reviewed.

The Commission is also exploring ways to ensure “context based security and privacy” for IoT (e.g., emergency crisis, home automation), trustworthy identification of users and devices and security protection solutions like Trusted Computing or Cryptography in Cyber-Physical systems and IoT hardware.

Trusted IoT Label

The Commission has created a “trusted label” for the IoT to promote security, liability, privacy and data protection in the IoT.  The Network Information Security (“NIS”) Directive will require operators in critical sectors to take proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems they use in their operations.  In this staff working document, the Commission suggests that operators using the IoT should adopt the Trusted IoT label as a demonstration of compliance with the NIS Directive’s requirements.

The Commission is also launching initiatives to support the quantum technology industry.