Papers
Comprehensive Review of Data Regulation: The Past and the Future of European Union Data Sharing Legislation
1. Introduction
Within a seminar-based overview on data regulation and policies, this paper represents the choral work of six LLM candidates in European Business and Social Law at Bocconi University.[1] Given the recent innovations on the technological side, data-driven activities play a pivotal role in the development of efficient business strategies. The implementation of regulations and policies in this field has progressively become an arduous challenge to be accomplished by business actors. For these reasons, this paper aims to provide a clear, organic and consistent review of what is the current legislation available in this sense, what are its advantages and disadvantages, as well as how to apply that legal framework. Collecting and analysing the academic contributions of many prestigious scholars, this work is meant to represent an overview of the implementation of the pre-existing legislation. Nonetheless, the ultimate goal of this paper is to provide an innovative approach in order to inspire future modifications and improvements in the European Union (EU) system. In order to do so, three main pillars of data regulation and policies will be taken into account: business-to-government (B2G) data sharing, business-to-business (B2B) data sharing and data portability.
2. Business-to-Government (B2G)
B2G data sharing is defined as the process in which a company or other private organisation transfers its data to the public sector for a public interest purpose.[2] B2G data sharing and its public benefits progressively became more and more relevant, as the modern world challenges seem to be only solvable by using real-time big data. Since a government cannot produce this kind of information and it is institutionally obliged to solve large problems, it is only reasonable that it aims to increase B2G data sharing. Among the many benefits for the government is the ability to make data-informed decisions and predictions that affect the citizens. It helps increase efficiency not only in response to drivers such as financial crises, pandemics, ecological disasters but also in planning urban development or fighting crime. Furthermore, the harmonisation of this sector constitutes the biggest step to be taken towards a single digital market which, in turn, represents one of the most arduous challenges for the European Commission but a crucial aim, nonetheless. From the private sector side, there is a benefit to businesses in improving Corporate Social Responsibility (CSR) index and employer branding. As will be discussed later, businesses might also benefit financially from such exchange.
Despite these clear benefits, current obstacles exist – such as lack of structural support and oversight of B2G data sharing, lack of willingness of companies to share data due to cultural and organisational reasons, lack of clearly defined incentives, large legal and compliance costs, and dissimilar conditions prevalent in each Member State.
The paper gives an outline of the major issues that businesses point out in the Data Act consultation when explaining why they do not currently share data.[3] The goal of the future Data Act proposal is to provide a harmonised framework for data sharing, conditions for access by public bodies, international data transfers, cloud switching, and interoperability.
3. EU Data Strategy
The European Union intends to acquire a leading role in the data economy, an achievement that could benefit both businesses and the public sector. Data protection, fundamental rights, and cybersecurity will be the pillars of a strong legal framework.[4] The European Commission’s communication on the data strategy outlines policy measures and investments which, coupled with a better use of data, could lead to greater productivity, improvements in well-being, environment, transparent governance, and convenient public services.[5] Data usage can benefit several aspects of daily life, ranging from more conscious energy consumption and product, material and food traceability, to healthier lives and better healthcare. The Data Governance Act proposal (2020)[6] seeks to strengthen various data-sharing mechanisms. The goal is to promote the availability of data in order to power applications in artificial intelligence, personalised medicine, green mobility, smart manufacturing, and numerous other areas. Moreover, every public body allowing this kind of reuse would be technically equipped to ensure privacy and confidentiality. The proposal would also bolster data altruism, making voluntary data sharing easier for companies and individuals. Ad hoc entities, such as data altruism organisations, could be established in order to collect data for common interest purposes. A thriving data economy will indeed boost European competitiveness on the world stage. As of now, few Big Tech companies hold a large part of the world’s data, possibly reducing incentives for data-driven businesses to emerge. The EU lags behind big players like the US and China. The Commission’s data strategy aims at finding the right balance in order to preserve safety, privacy and ethical standards. Since 2014, many steps have been taken in this direction: the Regulation on the free flow of non-personal data (FFD)[7], the Cybersecurity Act (CSA)[8], the Open Data Directive[9], and, most notably, the General Data Protection Regulation[10] (GDPR).
4. Shortcomings of the Current Framework
Within the scope of B2G data sharing, there is a lack of public trust for several reasons. For the purpose of this paper, the lack of technical resources and human capital will be analysed. Furthermore, the incentives to fix the aforementioned shortcomings will be discussed in order to reach a conclusion.
4.1 Lack of Technical Resources
Firstly, the absence of technical resources to ensure a safe space gives rise to many different issues. Currently, B2G data sharing is done through contractual agreements. However, these are somehow restrictive and limit the way data can be used, as well as complicate the process of tracking down and monitoring the usage of businesses’ data. Also, other actions may be prohibited such as merging, structuring, cleansing, and decompiling.[11] These agreements often miss fair compensation on investments, which can be due to the operational barriers.[12] Given that it is very complex to set up these contractual agreements,[13] the costs end up being very high; moreover, as there are not specialised governmental units to cover these costs, businesses are not willing to take part in these contracts.
Furthermore, B2G data-sharing agreements are not sustainable initiatives but rather standalone pilot projects given that there is no institution to tackle them. This means that the experience is not shared, thus entailing that new entrants into these partnerships will have to invest time and money in restructuring and addressing operational and legal issues that may have already been addressed by others. The absence of a comprehensive and integrated framework leads to a lack of European culture of data sharing that promotes experts and role models. Currently, some Member States are beginning to put in place structures and procedures that provide guidance for both businesses and governments of how this data can be shared in a way that is beneficial to both parties involved.[14] However, this is not a consistent approach, leading to the issue of lack of harmonisation, as previously discussed.[15]
Looking at more than just the agreement, sharing data entails many risks to businesses, such as the possible leakage of the data provider’s trade secret, which can potentially open a window to cyberattacks. Moreover, companies may be violating the customer's privacy rights if there is no system to ensure a safe transfer of data. This implies that the existence of trust between the private company and the public sector when transferring the data is necessary and thus a reliable system for exchange of information is needed in the Member States.
The magnitude of this issue has led to many discussions on how to solve it. The obvious choice is for Member States to create specialised bodies in charge of supporting both public organisations and private companies when entering into data sharing partnerships and facilitating the sharing of good practises. The idea is that these bodies potentially become third parties in the agreements. This also means that the costs are covered to an extent by the institution, which incentivises businesses to enter into these agreements, as they will not have to cover such high costs. These bodies will also be responsible to ensure that the collection of data is done legally, without damaging either the company or the public interest. Lastly, these structures are important in the case that a dispute arises with each party. Through the use of this specialised body to deal with such disputes, businesses will feel more safeguarded to enter into agreements and will avoid costs. Furthermore, in order for B2G collaborations to work, governments should be clear about their existence and purpose. In particular, data sharing agreements, as well as B2G algorithms and results, should be easily accessible. To this end, the European Commission has already created the Support Centre for Data Sharing (SDCS). The SCDS is a new initiative funded by the European Commission to further support the development of the Digital Single Market. Its goal is to allow data sharing, either as a free or paid service, among different public and private organisations which will increase trust between the parties.
4.2 Human Capital
The lack of digital skills necessary to carry B2G data sharing transactions in both the public and private sectors is a big concern and creates a lack of public trust for many different reasons.
The International Data Corporation (IDC) reported that there were 7.2 million data professionals in 2018, representing 4.3% of the EU workforce.[16] It has been predicted that there will be over 1.5 million unfilled positions in the 27 Member States by 2025.[17] These figures show the lack of preparation and personnel available to deal with B2G data sharing issues. The absence of an authoritative figure and public and private sector professionals with the relevant skills to work towards the achievement of a safe environment for B2G data sharing transactions makes it not appealing for companies to take part in it. Research carried out by CapGemini Consulting showed that 76% of companies have not fully integrated their data sources in their organisation and of those only 35% have solid processes for data curation, validation, retention and capture. Moreover, 54% of companies do not have joined teams where business and IT executives collaborate on the establishment of data initiatives. Lastly, 46% followed a decentralised model for analytics or have dispersed resources.[18] Looking at this data, the lack of care and attention to data sharing initiatives in companies can be seen. This leads to inefficient data sharing from businesses to governments due to the absence of experience and centralised systems. In order to properly engage in B2G data sharing collaboration, professionals from both ends need to be skilled.
Technical tools and methodologies are paramount in implementing B2G data sharing. In this regard, the need for the players involved in B2G data sharing to acquire digital skills in order to make use of these tools and methodologies is critical. A solid starting point would be to create teams of data stewards with experts in order to facilitate and coordinate B2G data sharing. Member States should recognize the function of data stewards, which would be in charge of systematising the process of partnering and helping scale efforts when there are fledgling signs of success. Even though some of these tasks may already be carried out by employers internally, it is important that Member States provide such data stewards to further guide them and ensure a fully qualified team. They should work within companies and in the private sector to maximise transparency and efficiency of B2G data sharing. Through this, businesses will feel like their data is protected and be able to share it freely without concerns of breaching privacy rules or putting themselves in a risky position against competitors.
Finally, unless there are professionals with the appropriate digital skills, public-sector bodies will not be able to reap the benefits from the use of private-sector data and develop a safer and more trusted system for businesses.
4.3 Public Trust
B2G data sharing entails cooperation between public and private sectors, which heavily relies on goodwill and transparency. Rules about transparency shall be set out in terms of how governments decide to engage with private entities or choose a specific data provider. At the same time, private companies and civil society need to be open and straightforward about the kind of data available for B2G data sharing. This mainly focuses on observed data (data that has been obtained by the controller while the data subject uses the service or the device) and inferred data (data that is generated by the data controller as part of processing). In the current situation, transparency cannot be achieved because of both lack of trust and the absence of widespread information on the matter. Society is generally unaware of B2G data sharing potential. As a result, businesses are reluctant to take part in such a collaboration. Lack of transparency can also lead to misinformation, which could further damage the reputation of all public parties involved. It is worth noting that people are not fully aware of how much data they produce and their rights over personal data (i.e., art. 20 GDPR).
It is evident that mutual trust is an essential component of a functioning public - private partnership. Success of data sharing depends on good practices, technology, and legal frameworks. The European Commission should therefore settle on common good ethical standards for the collection and handling of data. In doing so, the Commission can draw inspiration from the UN development group[19] or the FATEN (fairness, accountability and autonomy, trust and transparency, equality and beneficence, non-maleficence) principles. Digital ethics is a relatively new field and, as of now, ethical use of data can only lean on uneven national initiatives. So far, these actions have not been replicated at EU level. On one hand, common guidelines on ethical data sharing could help governments pursue public interest; on the other, there is a risk of data bias. If no ethical framework on B2G exists, the collection and transfer of data could be used to benefit groups or individuals. In conclusion, B2G guidelines should focus on ensuring the security and privacy of all shared data.
5. Incentives for the Private Sector
In light of economic barriers, it is no surprise that business-to-government data sharing is staggering; coupled with the issues covered above, businesses simply do not see clear motivations and purposes in sharing data. Adding to the mix the liability in case of sharing erroneous or private data, the risk-to-benefit ratio is skewed towards risk.[20] Notwithstanding the goodwill of companies, without a precise incentive scheme in place, one can expect no significant progress in B2G sharing in the years to come. However, as Klein and Verhulst point out, there are at least 5 tangible benefits for companies originating from B2G sharing, such as generating additional revenue, learning new statistical skills, meeting regulatory compliance, improving reputation, and proving corporate social responsibility.[21]
5.1 Monetary Incentives
Monetary incentives are the most apparent and foolproof method of encouragement used for balancing any risk-to-benefit ratio. It shall come as no surprise, therefore, that a straightforward payment to businesses is an often-cited approach concerning B2G data sharing. Data is an asset and as such, it has a transactional value; companies incur costs to make data available to governments and should be compensated for its generation. There is little that hinders governments from viewing data as an object of government procurement. Indeed, some governments are already acquiring data from private businesses.
For instance, Telefonica, a Spanish multinational telecommunications company, implemented a licence-based Smart Steps’ sharing program that delivers – for an appropriate fee – anonymous aggregated mobile data from its network of operators. Even though Smart Steps is aimed at sharing data with other businesses, according to Klein and Verhulst public infrastructure agents “use Telefonica’s data analysis to improve policy”[22] in demographic segmentations or commute patterns.
Likewise, according to the Department of Treasury of the United States of America, the Internal Revenue Service (IRS) Criminal Investigation’s unit has been purchasing GPS location data from Venntel, a computer service company based in Virginia. Similarly, as the Wall Street Journal reports, the Trump administration bought access to commercial databases mapping the movements of millions of mobile phones in America to enforce US law at the border and monitor immigration.[23] Surprisingly, the firms entering B2G transactions are not necessarily large entities. In 2020, a Muslim prayer and Quran app with more than 98 million downloads worldwide sold their data to the counterterrorism and overseas special forces US military divisions.[24]
The legal difficulties stemming from the above-specified cases arise from the violation of the Fourth Amendment and the Patriot Act which require the police to obtain a warrant to collect historical mobile site location information. Notwithstanding the legal particularity of the data purchased, however, it is clear that B2G money-incentivized transactions already take place, albeit at a low scale. The Venntel case mentioned above consisted of a one-year subscription for $19,872; compared to the estimated economic value of data, this is just the tip of the iceberg. Yet the European Union can learn from these cases – if there is money to be made, it will be made. If the EU is seeking to correct a market failure, one way is to pay. Despite the clear benefits to enterprises, government procurement for data implies some obstacles; potential issues currently stem from the limited number of suppliers.
Firstly, because data is an intangible asset, its price can be derived in numerous ways. In a business transaction, the value of a dataset is the market price which takes into consideration the ultimate use of the data; if the buyer’s use is essential to its service, the bargaining power lies with the supplier and the price is inflated accordingly.
Accordingly, the final report prepared by the High-Level Expert Group on Business-to-Government Data Sharing admits that in instances of highly specialised datasets, only one supplier might be in the possession of such data and as such can impose monopoly prices.[25] This may be more accurate for data than any other kind of product or service which begs the question of whether the government should pay the market price, the marginal cost, or should get a preferential rate below the market price. Any solution should keep in mind that businesses incur a cost to generate data and make it available; as such data production is no different than that of a pen or paper, and it is not market practice to offer products at discount to the government.
Yet, the preceding discussion relies on a limited supplier pool in the market. Whereas it may be reasonable for highly specialised datasets to be generatable by one and only one company, data overall is considered a replicable asset. Perhaps just as in cases of electric cars, once the demand and clear incentive schemes are in place, the supply will follow.
5.2 Tax Incentives
Bearing in mind the previous discussion, one may additionally look towards non-monetary benefits the government might use to boost B2G data sharing. Among the many proposals put forward by the High-Level Expert Group on Business-to-Government Data Sharing, tax incentives and “public-recognition programs enhanc[ing] a company’s reputation” are relevant.[26] They are, at least in theory, able to achieve the same level of encouragement of monetary benefits without creating an undue expenditure for the government. However, that is not to say that monetary and non-monetary incentives cannot go hand in hand.
Indeed, utilisation of tax incentives to promote new areas of economic activity is not new. In 2006, the Commission released a communication intended to support R&D investment and innovation. The Commission recognised that “well-designed tax incentives are [...] simpler and more predictable than grants”[27] and asserted that “«tax incentives have grown to become one of the major instruments used by many Member States to increase business”.[28] Despite tax incentives being an important policy tool, tax regimes cannot be harmonised at the EU level. The Commission may identify and promulgate best practises, but it is upon each Member State to internalise such guidelines and put forward satisfactory tax incentives in national law. As the European Law Institute concludes, currently existing R&D incentives are not always adequate, and different national definitions lead to an uncertain legal environment.[29]Considering that the first Commission’s communication on R&D tax incentives was over 15 years ago, it is understood that an adequate tax framework for B2G data sharing is lightyears away from us.
5.3 Corporate Social Responsibility
Even though CSR started as a “voluntary form of private regulation, governments [have] gradually become more involved”.[30] Because of its soft-law capabilities, the government can encourage companies to meet higher than minimum standards. One of the incentives may be CSR awards constituting incentives for the private sector, insofar as they elevate the corporate image and reputation of the winner.
Despite the link between CSR and a firm's value being unclear, many large companies follow CSR guidelines to shape a positive image of their brand that creates a “reservoir of public goodwill, [...] that is particularly valuable in times of corporate crises”[31].
Admittedly, according to Directive 2014/95/EU[32],since 2014 all large public-interest companies with more than 500 employees – that is, about 12,000 companies in the EU – have to produce annual CSR reports. Bearing in mind that in April 2021 the Commission has adopted a Proposal[33] to amend the previous Directive, which – if adopted – would effectively extend the obligation to all large entities, CSR incentives could prove to be beneficial to increasing the amount of B2G data sharing. Indeed, there have already been successful government-induced CSR initiatives, for instance in preventing discrimination and promoting equal pay.
Additionally, public-recognition programs could work in conjunction with the CSR reporting to provide an elevated corporate image. Similarly to the European Capital of Innovation Awards, which aims at rewarding the most innovative city practises, or the European Public Sector Award, rewarding public sector entities, one can imagine an award for companies meeting the highest standard of B2G data sharing.[34] Indeed, there are already public-recognition programs aimed at private rather than public entities such as the European Business Awards for the Environment or the general European Business Award about which the former EU Trade Commissioner said: “it is important that we showcase our most exceptional businesses, share knowledge and generate debate around the creation of a stronger European community”.[35] Following this stream of thought, it seems more than conceivable to develop an award specific to B2G data sharing.
6. Interim Conclusion
6.1 Lack of Knowledge of Businesses
Even if one can assume all incentives for the private sector are in place and businesses are prepared to share data with the government, it is reasonable to imagine they are unaware of the possibility to do so. Mass media informational campaigns are usually considered to be powerless in achieving substantive outcomes; however, there is little debate that public information campaigns might be, in the present case, a valid policy tool. With this in mind, government-sponsored communication campaigns could be executed to make businesses aware of the opportunity to share data. Such campaigns should clearly describe benefits for the private sector and consultations with members of the target population should precede any operations. Despite the shortage of data, it is reasonable to expect that a joint effort with professional associations aimed at small and medium-sized enterprises focused on partnerships with strictly business-oriented media channels could be a reliable approach to raise awareness of B2G data sharing among private sector players.
To conclude, B2G data sharing is currently plagued by the general lack of data-sharing culture and the absence of a uniform EU framework harmonising the fragmented legislations applicable in each Member State. Despite these obstacles, adequate incentives schemes coupled with efforts to increase visibility and transparency of B2G data sharing can overcome these challenges.
7. Business-to-Business (B2B)
Another powerful tool to increase overall digitalisation of the EU is represented by B2B data sharing. B2B has strong similarities to B2G data sharing, such as the great potential to impact the digital economy and rather complicated and fragmented legislation and the even more obscure implementation of these legislations.
B2B data sharing is defined as the process in which a company shares data with another company for its own business purposes.[36] As mentioned in the general introduction, data has lately become the lifeblood of economic development. However, a study for the European Commission by a consultancy agent, Everis Benelux, found that European businesses were not taking into account the full value of data.[37] Only thirty nine percent of European Businesses were realising the potential of sharing data for economic growth and to address specific market failures. To address the major obstacles of B2B data sharing, such as cultural concerns regarding sharing data of (perceived) rivalrous nature and the associated absence of certainty of undistorted competition, the Union has set up a strong legal framework for this essential area of business development. The following section will explore this framework and the potential for improvements by comparison with developments in other jurisdictions.
7.1 B2B Data Sharing in the Data Governance Act
The European Commission has sought input on the Data Governance Act,[38] a proposal that, among other things, aims to increase data sharing, potentially including sectoral data sharing between companies. This proposal for regulation stems from the experiences lived during the Covid-19 pandemic in terms of the essential role of data use for crisis management. The Commission wishes to encourage more data sharing in order to ensure that both public and private actors benefit from techniques such as Big Data and machine learning. In this regard, the Commission has conducted studies on how to accelerate the growth of the data economy and support the development of business-to-business platforms in Europe, mainly focusing on two sectors: automotive and healthcare. Small and medium-sized enterprises could take full advantage of the so-called fourth industrial revolution to maximise innovation and ultimately foster growth and employment.
7.2 B2B Data Sharing in the Context of Consultations of the Data Act
European lawmakers are also examining ways to unlock the latent value of shared data. The EU's data strategy aims to establish practical, fair and clear rules on data access and use. B2B data sharing is growing in Europe, several challenges still need to be overcome to fulfil the Union’s potential and to become a global leader. In December 2019, the European Round Table for Industry launched the B2B Data Sharing Taskforce in order to deepen its cross-industry understanding of data sharing and the use and reuse of that data in a B2B context. The Task Force's mission is to explore the business potential and business model of industrial data sharing, identify bottlenecks to its development in Europe and provide recommendations to overcome them. The Commission has also proposed the creation of data spaces, arguably the most interesting B2B data sharing mechanism in development, for crucial sectors like health, energy, and agriculture. To this end, two policy measures that seek to encourage B2B data sharing are working their way through the European legislative process: the aforementioned Data Governance Act and the Data Act. In particular, the consultation on the Data Act proposal’s content seeks to address specific issues concerning new prospects in B2B data sharing:
a) specific transparency obligations for manufacturers of connected objects on the rights to access and use non-personal data of users;
b) B2B fairness rules for access and use of data, possibly complemented by model contract terms recommended by the Commission;
c) data access permitted on the basis of fair, reasonable, proportionate, transparent and non-discriminatory terms for non-personal data;
d) harmonisation of general principles for data access, while potential sector-specific data access would be established by sector-specific rules;
e) adaptations of the Database Directive (Directive 96/9/EC) to facilitate data access and use, in particular clarification of the relationship between the sui generis rights and machine-generated data;
f) technical specifications for portability rights under the GDPR (e.g., makers of home appliances, wearables and home assistants could be obliged to provide technical interfaces that allow real-time portability of data collected by their devices);
g) introduction of safeguards for easy cloud service portability by prescribing Standard Contractual Clauses or providing legal requirements;
h) definition of essential requirements for smart contracts;
i) protection of data in cloud computing against access from non-EU governments by introducing an obligation to: notify users of a request for access to data by foreign authorities; inform the Commission of different laws of non-EU jurisdictions with extraterritorial effect; take appropriate measures to prevent access to non-personal data of EU companies from third countries’ governmental authorities.
In conclusion, the Data Act’s main objectives are the promotion of fairness, legal certainty, and data portability. The Commission is carrying consultations in order to get responses from the full spectrum of stakeholders concerning the issues identified by the Inception Impact Assessment[39]. The results will help the Commission strike the balance between rights and interests of data users and data holders on the one hand and competitiveness in the EU single market on the other hand. The consultation includes:
a) questions about the factors relevant when determining fair, reasonable, proportionate, transparent and non-discriminatory conditions to increase data sharing;
b) questions exploring the contractual ability of the owners/users of connected objects and manufacturers to use data generated by connected objects;
c) questions which explore the relevance of laws of trade secrets and rights under the Database Directive to access and use third-party data or protect own data;
d) questions on whether and how portability between cloud service providers should be facilitated.
8. B2B Data Sharing Mechanisms
8.1 The Need for Intermediaries
With a growing availability worldwide, data has a key position in B2B interactions and more generally in every industry sector. The COSIP framework provides a good example of the wide range of data transactions that take place in the specific case of B2B trade processes: contract (C), order (O), shipment (S), invoice (I) and payment (P). In this context, data-sharing mechanisms facilitate data flow between companies while ensuring the reuse and efficient process of the generated and accumulated data.
B2B data-sharing is a much-needed interaction between businesses that has several assets. Among those assets lies an important competitive aspect. In fact, by sharing their data, businesses will be able to create new business models, reduce costs as well as improve their services. To that end, the Commission has recognised that “Given the specificities of online platforms, it is necessary to both continue enforcing competition rules and to complement and complete the toolbox to make the most out of online platforms and the data economy”.[40]
But by nature, competition “encourages companies to offer consumers goods and services on the most favourable terms. It encourages efficiency and innovation and reduces prices. To be effective, competition requires companies to act independently of each other, and subject to the pressure exerted by their competitors”.[41] As a consequence, competition brings along a fair share of distrust from businesses regarding B2B data sharing.
In order to address the issue, better information about businesses is certainly necessary. Mostly, however, the EU has brought into relief the place of intermediaries in its Digital Governance Act of 2020. Data intermediaries can be defined as third parties that offer B2B data-sharing services or personal data spaces through platforms. As third-party enablers they can play an important role in B2B transactions by ensuring safe and secure collection, storage and sharing of data. If well-framed, these platforms can be a functional solution to the lack of trust. However, framing such intermediaries is not free of challenges.
In fact, B2B data-sharing intermediaries are an abstract concept that is not yet precisely defined. It appears that platforms aimed to B2B data-sharing do not correspond to platforms as they are intended for platform-to-business relations by the Regulation (EU) 2019/1150. As such, what are the elements that distinguish B2B data-sharing platforms and thus which regulations come into effect? B2B data-sharing platforms can take a wide variety of forms and can have different roles with regard to B2B data-sharing. Technically, they can be private or governmental. In the same way, the business models followed by these platforms can be different. In fact, some platforms could make revenue from data exchanges, from fees or from the technical assistance they provide to companies that wish to share data, while others may contribute to B2B data sharing for free. Given the extent of this notion, the lack of definition of B2B data-sharing platforms can be seen as a legal obstacle that provides uncertainty.
Additionally, to enable efficient B2B data sharing, those platforms need to go through standardisation, which refers to the process of converting data to a common format to allow users to process and analyse it. Building standards is, along with the lack of trust and the definitional shortcomings, one of the main challenges in B2B data-sharing. In fact, it has been pointed out that standardisation can be too general or that the standards’ development is a too long process when compared to the rapid evolution of technologies. In the final report of the study on data sharing between companies in Europe prepared for the European Commission DG Communications Networks, Content & Technology by Everis, several companies such as HERE, Enedis or Airbus affirmed that the lack of data standardisation and interoperability was a blocking factor to B2B data-sharing since it made difficult and costly for them to combine the available datasets and be able to extract their value efficiently.
So, intermediaries will be a good solution for B2B data-sharing at the EU scale but only if the EU successfully manages to frame those intermediaries, considering that new approaches to B2B data sharing may still emerge. The EU has put forward the idea of intermediaries in the form of certified data spaces. Even though in its Data Strategy the Commission has limited data spaces to 9 key domains (including Mobility, Health, Finance and Energy), it will be interesting to see how those spaces will be framed to (i) respect the fundamental European values; (ii) create transparent and efficient data-sharing mechanisms and (iii) address the above-mentioned technical and legal challenges. The limitation to 9 sensitive sectors is an interesting first step that, if successful, will be helpful to implement these mechanisms in other sectors.
A legislative framework for the governance of common European data spaces will allow the creation of transparent and efficient data-sharing mechanisms in order to benefit from the data economy.
8.2 The European Data Spaces
Data spaces are defined as “a type of data relationship between trusted partners, each of whom apply the same high standards and rules to the storage and sharing of their data. However, of key importance to the concept of a data space is that data are not stored centrally but at source and are therefore only shared (via semantic interoperability) when necessary”.[42]
In order to develop such data spaces, the European Commission has provided fundings to various projects through Horizon 2020, the EU’s financial instrument oriented at sustaining innovation. These innovative propositions tackle the challenges expressed earlier while taking into consideration the various regulations and recommendations that transversally apply to data spaces.
One of the European projects is Trusted Secure Data Sharing Space (TRUSTS). This intermediary can be defined as a marketplace for data exchange that aims at allowing personal and non-personal data to be “traded and exchanged in a trustworthy and secure way providing clear legal and ethical frameworks.[43]
Another project that can be mentioned is KRAKEN (BroKeRage and MArKet platform for pErsoNal data) which focuses on personal data by creating a user-centric platform. However, a data marketplace implies data monetisation and, in this case, personal-data monetisation. This can look like property rights over personal data, which is not allowed under the GDPR. This raises the question of how the EU would implement such a platform in its forthcoming regulations. Each of the propositions offers a different structural model of data space but they all respond to the EU data strategy which aims at increasing trust in data sharing. With that in mind it is important to stress that these platforms need to be (i) neutral and (ii) compliant with EU regulations.
Even though there is still no data space regulatory framework, there are some transversal measures that have been adopted in the EU. One of them is the General Data Protection Regulation. But it is also interesting to mention the eIDAS Regulation (Electronic IDentification, Authentication and Trust Services), the PSD2 (Payment Services Directive), the European Blockchain Service Infrastructure and Context Broker.
Nonetheless, the legal compliance requested from European data spaces could be challenging as it implies that the platform can be subject to EU regulations. For example, the GDPR applies to (i) companies or entities which process personal data as part of the activities of one of their branches established in the EU, regardless of where the data is processed and (ii) companies established outside the EU that offer goods or services or that are monitoring the behavior of individuals in the EU. But a potential regulation on common European data spaces would also include non-personal data. So, would companies established outside the EU that process non-personal data of individuals in the EU be subject to EU regulations? This level of protection is understandable in the context of personal data, but non-personal data cannot necessarily justify the extraterritorial application of EU law. So, the idea of at least having a representative of the data space in the European Union if the platform is not physically installed in the Union could be a good compromise and a guarantee of legal certainty.
9. Comparative Analysis with Other Legal Systems
Although the causes for Europe losing its competitive advantage in the digital sector and Artificial Intelligence and Machine Learning space is beyond the scope of the paper, one of such reasons can be identified as lack of culture of B2B data sharing. Even though no country is an expert in incentivizing B2B data sharing,[44] we may look at other economies in digital markets and examine what could be replicated in Europe.
9.1 India - An Example of Data Nationalisation
In 2020, the Ministry of Electronics and Information Technology of India issued a report by the Committee of Experts on Non-Personal Data Governance Framework.[45] The resulting recommendation calls for “enabl[ing] members of the public, start-ups, researchers, the government and other entities to request companies’ data for national security, economic, and public interest purposes”.[46] The underlying idea of data nationalisation is that near-monopolies in the digital sphere currently deny access to their databases to competitors due to fears of losing their competitive advantage and in hopes of securing their dominant position in the market. By using highly data-driven technologies and establishing strong network effects, they can ensure that no new entrant meets the industry’s high barriers to enter. As was previously established, however, data has the particular characteristic of having the ability to be reused for completely different purposes by various market players. Therefore, such fears are largely unfounded; B2B business sharing can be most beneficial when non-competitors share data. With the introduction of mandatory B2B data sharing in India, smaller businesses could benefit from having access to larger businesses’ databases, and large companies would gain access to government data. The idea of mandatory data sharing is not new: it has been empirically proven that mandatory open data policies can increase both the frequency and quality of data sharing; yet, borrowing this idea from the realm of scientific research to check replicability of results and extending it to B2B data sharing is new.[47] Mandatory data sharing, according to the report, will spur innovation in the market, promote the growth of smaller enterprises, and maximise overall welfare.
Even so, it is currently understood that the European Commission does not want to regulate the B2B data sharing market directly and has a strong preference for non-binding guidelines and incentives programs. This can be inferred from the lack of an enforceable regulatory framework, be it in progress or already established.[48] It seems, however, that the approach of India may prove to be beneficial for understanding different concepts of B2B regulation. It is indeed theorised that data is a public good and as such should not have legal restrictions on access. India’s approach might be one way to make theory practice. Despite this, the data nationalisation program has been met with criticism – data spaces are largely considered to be optimal when voluntary and it is hypothesised that indeed mandatory distribution of data to competitors may destroy value for businesses and ultimately make some countries less appealing to foreign investors.[49]
9.2 Possible Developments in the United States
With the growth of the sharing economy, numerous traditional smaller firms are either struggling or, in part due to the pandemic, declaring bankruptcy. The concern is that companies operating in the sharing economy tend to be large and, due to their market size and exploitation of consumer data, the concentration trend is progressing. An adequate example might be UberEats: restaurants that traditionally knew their clients and were able to predict and adjust to consumer preferences are being replaced by the algorithms of UberEats and other food-delivery services that collect and monetize data about their customers.
To oppose this trend, some jurisdictions in the United States, including California and New York City, suggested forcing the tech food delivery platforms to share some of the data they collect. This would mean that, for example, UberEats would have to share data with participatory restaurants.
Accordingly, the NYC bill was enacted in August 2021 and states that: “This bill would require third-party food delivery services, entities that provide food service establishments with online order and delivery services, to share monthly information on customers who have placed a food or beverage order with an establishment, if that establishment requests the information”.[50]
Similarly, the California bill, when introduced in February 2020, had a provision on mandatory data sharing if requested by a participating food facility.[51]Both of these bills were introduced with the hope of limiting the concentration trends in the tech industry and letting smaller businesses breathe. However, as Eff points out, “these policies would make it so that sharing data with one company means that data will automatically end up in the hands of several downstream parties» which may be a concern from a personal data point of use”.[52]
Nonetheless, such proposals are currently directed at specific market segments. There have been no data nationalisation programs like in India. On the contrary, it seems that the purpose of such B2B mandatory sharing requirements in the US is to stop tech giants from unduly exploiting smaller restaurants rather than to spark innovation as is the case in the EU. Despite this, it is clear that some forms of mandatory data sharing are already on legislators’ minds.
However, this is not to say that concentration trends are not worrisome for European regulators. For example, the German Federal Ministry of Finance asked researchers from the University of Tilburg and CenterData to “develop a suitable approach to data governance” and “develop a methodology for measuring the data-driven nature of a market”.[53] In data-driven markets, the researchers suggest, an introduction of mandatory data sharing of raw user-generated data for all providers with a market share of at least 30% would result in a maximum of three providers per market that have to share data. This shows that, despite the general goal of innovation, competition concerns in tech / data-driven markets are important to European regulators.
9.3 Health Data for Research Purposes in the EU
Despite the general lack of regulatory pressure in the EU for B2B data sharing, a harmonised approach towards mandatory health data sharing might be on the cards. As was evident during the Coronavirus-19 (Covid-19) pandemic, health data-sharing can significantly contribute to research and drug development, introduce new services, and speed-up high-level decision-making. The Commission recognised the need for a harmonised approach and, indeed, the creation of a European Health Data Space is one of its priorities for 2019-2025.
Artificial intelligence and machine learning models are only possible with a vast amount of data. A testing set and a training set are required to perform any kind of analysis and such testing of the algorithm can only be achieved by continuously feeding it new kinds of data. Despite great algorithms that can detect dermatological issues or predict schizophrenia, data sharing in the health sector is limited. Jeremy Rollison (senior director of EU affairs at Microsoft) stated “It’s very unlikely that any one entity on their own has enough data to be successful at artificial intelligence development”.[54]
Unlike the eHealth Digital Service Infrastructure (eHDSI), which aims at G2G data sharing for ePrescription, for instance, the kind of algorithms described previously are often developed by innovative and fast-growing private businesses (start-ups). Therefore, as it stands, the health data used by the artificial intelligence is subject to a secondary use for the scientific and historical research; secondary since the personal health data was data initially collected for another purpose. This kind of data sharing between researchers based in not-for-profit organisations and researchers based in industry or commercial research organisations can be classified as B2B data sharing. Surprisingly, GDPR may not be a strong limitation if Article 6(4), setting out the purpose limitation principle, is read in conjunction with Article 5(1)(b), which establishes a privileged position for research. Nonetheless, a major source of uncertainty for the industry is the appropriate legal basis for processing data in the absence of explicit consent.[55] Generally, due to the Covid-19 pandemic, it can be expected that a European Health Data Space will be developed as one of the first data spaces.
9.4 Interim Conclusion
In light of Covid-19, the need for data-sharing has become more evident than ever. The European Union has used the opportunity to accelerate the data economy and explore the potential business models that can be taken through the Data Governance Act and the Data Act.
The range of data sharing mechanisms and modern business needs through the COSIP framework has highlighted the necessity for intermediaries to reduce costs and increase efficiency. Despite the benefits of intermediaries, they can also bring legal challenges due to the lack of definition of B2B data sharing platforms and standardisation. This being said, the creation of the data spaces and KRAKEN and TRUSTS projects mitigates some of the aforementioned problems. The level of protection required is significant and potentially unrealistic. Therefore, it is necessary to look to other jurisdictions for comparative points. India’s Data Nationalisation projects and the US’s markets show the difficulties and potential benefits that different strategies can bring, depending on the business structures and economic makeup of a nation.
10. Data Portability
The right to data portability is one of the most important rights under the EU General Data Protection Regulation (GDPR).[56][57] Under this right, individuals are able to obtain and reuse their personal data for their own purposes across different services.[58] This means that individuals are allowed to move, copy, or transfer personal data easily from one place to another in a safe and secure way. This translates into individuals having greater control over their data and greater competition between companies and, therefore, into promoting innovation and the development of new Services.[59]
The right to data portability is relatively new within the EU data protection framework, given that there are no references to it in the Data Protection Directive[60] or in any other areas of law.[61]
11. Relevance of the Right to Data Portability
In the recent guidelines on the right to data portability of Article 29 Working Party (WP29), the potential benefits to individuals between these types of portability and the new personal data portability are highlighted.[62] Within the field of personal data protection, portability has been encouraged previously to the approval of the GDPR. The WP29 believes that data portability has the potential to enable businesses and data-subjects to maximise the benefits of big data in a more balanced and transparent way. Furthermore, it will also minimize unfair and discriminatory practices while reducing the risks of the use of inaccurate data for decision-making purposes. Data portability can be used as an additional safeguard applied by data controllers with the purpose of empowering data subjects, allowing for a successful balancing test between data controller’s legitimate interests and data protection rights of subjects. The WP29 emphasised the importance of data portability by stating that it should be part of the general availability of workable mechanisms for the data subjects to access, modify, delete, transfer or otherwise further process their own data.[63]
The WP29 further highlighted that data portability should not only be a data protection right but also an economic right. Other benefits of a full portability of personal data includes the empowerment of data subjects, the increase of a more competitive market environment, and, lastly, the development of additional value-added services by third parties who may be able to access the customers’ data at the request and with the consent of the consumers. Thus, it can be seen that data portability is not only important in the area of data protection but also for competition and consumer protection[64]. With this in mind, the European Data Protection Supervisor also saw this right as a strategic element, as it is the gateway in the digital environment to the user control which individuals are now realising they lack.[65]
12. What is the Current Regulation: Article 20 GDPR
Article 20 of the General Data Protection Regulation lays out the definition of the right to data portability. This states that “[T]he data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”.[66]
This article reflects that within the right to data portability there are three rights: the right to receive data concerning data subjects which they have provided,[67] the right to transmit those data to another controller[68] and the right to have the personal data transmitted directly from one controller to another.[69] The three requirements under Article 20(1), are used to facilitate the interoperability of the data provided by the data controller. The use of the words machine-readable can be inferred from the field of public sector information, and has brought many issues, which will be later discussed. Furthermore, the European Commission defined interoperability of systems as the ability of disparate and diverse organisations to interact towards mutually beneficial and agreed common goals, involving the sharing of information.[70] This definition and the problems that arise from it will be further discussed in the paper. It is also important to understand that under this article, unless there is consent from third parties, the scope of data portability is limited only to the data concerning exclusively the data subject. Article 20(3) states a prevalence of the right to erasure on the right to data portability. It clarifies that data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The root of this is the necessity to empower control rights of individuals in the private sector, where competition among private data controllers is present. Lastly, paragraph 4 states that the rights in paragraph 1 shall not affect the rights and freedoms of others. However, it does not grant full prevalence of other rights on data portability, rather only a non-prevalence rule between conflicting rights.
13. Definitional Concerns
As briefly mentioned above, the definition provided by Article 20 of the General Data Protection Regulation for data portability is highly controversial and rather unclear. This definition appears to be of general scope and leaves many questions unanswered, including which data must be shared with the provider in case of request and what is the actual meaning of the machine-readable formula. Given the lack of definitions of GDPR in this sense, WP29 attempted to answer these (and more) questions by sharing guidelines to help the comprehension of the regulation. EU-wide Article 29 Data Protection Working Party has now been replaced by the new European Data Protection Board (EDPB) and, in the case of the UK, by the UK’s Information Commissioner’s Office (ICO). However, the lecture of the GDPR cannot prescind from the WP29’s guidelines.
13.1 The Structured, Commonly Used and Machine-Readable Format
One of the first points touched by Article 20 of the GDPR and, consequently, by the WP29’s guidelines, is the “structured, commonly used and machine readable” requirement for data portability.[71]Beside this wording, the GDPR does not provide any explanation of what criteria should data satisfy in order to be machine-readable and, thus, be valid under the provision of the GDPR. In this circumstance, the WP29’s guidelines come to our rescue specifying that this requirement, together with the terms structured and commonly used, consists in a “set of minimal requirements that should facilitate the interoperability of the data format provided by the data controller”.[72] However, this specification is still very broad, so it is necessary to resort to Recital 21 of the Directive 2013/37/EU which defines machine-readable as: “[A] file format structured so that software applications can easily identify, recognize and extract specific data, including individual statements of fact, and their internal structure. [...] Machine-readable formats can be open or proprietary; they can be formal standards or not. Documents encoded in a file format that limits automatic processing, because the data cannot, or cannot easily, be extracted from them, should not be considered to be in a machine-readable format”.[73]
In order to complete this eclectic framework, it is essential to mention Regulation 1025/2012 Annex II which provides, for the EU system, a standard setting based on a few principles including “openness”, “consensus”, and “transparency”.[74] Additionally, a further (and maybe better) overview on what is considered a machine-readableformat comes from the UK. Specifically, the Open Data Handbook states that machine-readable data is “[d]ata in a data format that can be automatically read and processed by a computer”.[75]
Furthermore, Regulation 2 of the Re-use of Public Sector Information Regulations 2015 provides ulterior details, stating: “A file format structured so that software applications can easily identify, recognise and extract specific data, including individual statements of fact, and their internal structure”.[76] Moreover, the UK’s independent authority ICO opens the machine-readable data to the possibility of being directly available to applications that request that data over the web. This is undertaken by means of an application programming interface (API).[77]
However, this combination of different sources only gives partial foundation to the enforcement of data portability, given that the machine-readable requirement must be read in combination with the two other requirements mentioned by Article 20 of the GDPR: structured and commonly used. For both these terms, the GDPR does not provide any clear explanation but, once again, the WP29 intervenes to clarify the extent of those requirements. By requiring data, the GDPR means that “data controllers should provide as many metadata with the data as possible at the best possible level of granularity, which preserves the precise meaning of exchanged information”.[78] Furthermore, the WP29 indicates, as an example, how a .pdf is considered not sufficient because it does not guarantee the effective re-use of data. Moving on our second requirement, it is possible to extract a definition of what it is considered “commonly used” by interpreting the words of Article 20 of the GDPR, in the sense that as long as the format makes the transmission of data from one controller to another “technically feasible”,[79] it must be considered commonly used. However, practically speaking there are no concrete examples in the EU system to show data controllers what data should look like when subject to portability. Once again, it is the ICO that suggests three data formats: Comma Separated Values (CSV), JavaScript Object Notation (JSON), Extensible Markup Language (XML), thus specifying that this is not an exhaustive list.
It goes without saying that, on one hand, the same typology of examples we find in the English system is desirable on a EU level, in order to give data controllers a useful guideline to base their actions on. However, on the other hand, such specification could potentially constitute an infringement of the rule of technological neutrality. In essence, should laws be technology specific or technology neutral?[80]Acknowledging the impossibility of providing an univocal answer to this question, it must be recognized that, beside the disadvantages that a technology neutral rule brings, in the EU system it was specifically designed to cover new technologies as they develop.[81] To sum up, data portability requires specific technologies for its implementation but so far only little guidance has been provided to data controllers with regards to compliance. Even regarding interoperability, Article 20 is lacking a mandatory provision although WP29 states that “interoperability and the production of interoperable systems are only desired outcomes”.[82]
As a matter of fact, making data interoperable across different platforms is a key step to reach the actual implementation of data portability. At the moment, the only foundation to interoperability is constituted by the framework directive 2002/21 EC rec. 31[83] which, dealing with interoperability of digital interactive television services and digital television equipment, was rather outdated and therefore, abrogated by the Directive (EU) 2018/1972. Following the EU Decision 2015/2240, interoperability is defined as: “[T]he ability of disparate and diverse organisations to interact towards mutually beneficial and agreed common goals, involving the sharing of information and knowledge between the organisations, through the business processes they support, by means of the exchange of data between their respective ICT systems”.[84]
Although the structure of interoperability in the EU is quite embryonic, an actual development in this sense is pivotal in order to promote competition by allowing various systems to communicate with one another. This could be potentially done through real-time data sharing across services (e.g., having a single account log-in across multiple different online services).[85]Advancing the awareness of businesses and consumers on interoperability and portability is expected to greatly benefit both the market and the consumer protection and it is, therefore, more than desirable.
13.2 What Data Fall within the Scope of Application of the GDPR?
Briefly recalling the guidelines provided by EU-wide Article 29 Data Protection Working Party (WP29), it must be observed how they provide a broad range of data that are supposed to be included in a potential response to the request of a data provider. Pursuant to Article 20, three conditions must be satisfied to see those principles of interoperability and portability - we have largely discussed - applied:
a) personal data concerning the data subject;
b) data provided by the data subject;
c) shall not adversely affect the rights and freedoms of others.
Specifically, the first condition implies that only personal data are subject to data portability.[86] The term personal data and its definition are key issues to the application of the General Data Protection Regulation. The term is defined in Article 4 (1) as “any information which are related to an identified or identifiable natural person”.
The second condition narrows the application of Article 20 to those data “actively and knowingly provided by the data subject as well as data gathered by virtue of the use of the data controller’s service or servicing device”.[87] Traditionally, we identify those data as account data (e.g., mailing address, user name, age). However, those personal data that are generated by and collected from the activities of users must be included.[88]
What is clearly missing in this description is the category of inferred data. Inferred data (or derived data) are typically not considered as “provided by the data subject” and include personal data that are generated by a service provider (e.g., algorithmic results).[89] Certainly, the lack of this kind of data reduces the scope of the GDPR but, nonetheless, its inclusion would constitute an infringement of companies’ right to property.
Moving to the third condition, it is stated in order to avoid the transmission of data belonging to non-consenting data subjects. Even whenever personal data of third parties are included in the data set with consent, transmitted from a data subject to a data controller, another legal process must be identified.[90]
All the conditions mentioned above are expressly meant to protect both the actors of data portability; however, in order to complete the framework of consumers’ rights, it is worth mentioning the right to transparency. As a matter of fact, consumers should have knowledge of how the data is processed. Companies that are transparent about the information they gather and how they process them give customers control and awareness of their personal data. Making the exchange transparent will be increasingly important in building trust between consumers and company, paying off – on the long term – with a greater loyalty to the company and the service offered.[91]
14. Efficacy of Data Portability
14.1 Data Subjects’ Awareness
As it was already mentioned in the introduction to this chapter, Article 20 of the GDPR states that the right to data portability allows individuals to “receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”. [92]As a consequence, the awareness of the individual subject to this right is the key to an efficient portability. In fact, data subjects can greatly be empowered by data liquidity. Not only will they be able to strengthen their control over the data they share with companies, but they will also, by exercising this right, promote competitiveness, innovation, and security.
By definition, data portability is tightly linked to the users’ ability to obtain and transfer their personal data in an organised and machine-readable format to another data controller. So, contrary to interoperability that refers to the ability of software and computer systems to exchange information, portability has a strong human dimension and must be user-proof (Users being generally understood as humans that don’t have a legal and technological background).
In a study in 2019, scholars from the University College London reviewed 160 privacy policies across the world from Internet of Things vendors to “est the availability of information provided to users on the RtDP”.[93] Such policies should specify which data are being collected, on what basis (justification), how they are processed and how long they will be held. Additionally, and always on the basis of the GDPR, vendors should inform the users of their right to have the data removed or provided to them and consequently they should tell the users who can be contacted. Finally, the information provided to users on the RtDP needs to be understandable. The study shows that only 63% of the 160 privacy policies referenced to data portability explicitly and among those, 56 stated that the users had a RtDP without further development. And if 23 of those 63 privacy policies mentioned the right to transmit data to another data controller under Article 20 of the GDPR, none of them gave further information about how to request this transmission. The analysis concluded that data subjects’ awareness was limited by the lack of clear information and the use of complex legal language directly copied from the GDPR most of the time.
Given the fact that a lot of users don’t read privacy policies, it would be interesting to make a first step toward not only making the privacy policies GDPR-compliant but also toward building interest and trust by, for example, publishing portability impact assessments. In fact, a lack of interest and trust from users could damage companies in the long run since “preserving [this] right (…) requires providers to keep switching costs for consumers low, while data portability implementation and maintenance costs for online services rise”.[94] To conclude, enforcing data portability implies taking user-centric legal and technical measures but also addressing the challenges encountered by companies.
14.2 Enforcement: How to Strengthen It
With 331 breach notifications per day and a total of 158.5 million euros between January 2020 and January 2021,[95] DLA found that the compliance culture to GDPR is positively evolving. In fact, the efficiency of portability is first and foremost linked to culture and so, more generally, to awareness and information. The first step to increase efficiency and make progress is thus to educate companies (codes of conduct and impact assessments) and mostly small and medium enterprises and start-ups, as they have less revenue and may not see the benefits of implementing portability. Information campaigns should also aim at educating data subjects as they are the centre of portability.
Other soft measures include preparing GDPR-compliant templates that ensure a clear and transparent information of users and the development of new portability-related human figures. With the birth of GDPR new roles have been created and should be implemented in relation to portability. The Data Protection Officer mentioned in the GDPR is a good example of the new figures that are needed to advise companies and supervise the application of the GDPR. A growing number of training courses are preparing individuals to be certified data protection officers. Certification of these new actors could be an added value in the portability process as it can increase the trust of data subjects as well as warrant a human interaction in this process.
In order to strengthen data portability and attract users, legal measures should also be taken to clarify the definitional limits mentioned earlier. However, regulations and legislative measures also need to develop how data portability interacts with other fields of law such as property law, which varies greatly between the Member States of the EU.
However, to enhance data portability and truly benefit from data liquidity, technical enforcement measures also need to be taken. The Data Transfer Project (DTP) is a good example of technologies developed to increase secure and direct transfer of data between two service providers. This project uses open-source code to transfer the data from one platform to another, thus enabling a RtDP at the click of a button. This idea of a simpler user-experience in terms of portability has been pushed further with the proposition of a “continuous data portability”.[96]
Such mechanisms would ensure real time data transfer and attract consumers but on the condition that proper standards are developed. Furthermore, portability compliance and particularly the technologies mentioned above require considerable expenses due to staffing and technology costs. As a consequence, economic incentives to companies in the form of aids or a reduction in taxes would be a considerable additional measure.
14.3 Interim Conclusion
As it was detailed above, the EU General Data Protection Regulation grants the right to data portability. The ability to move, copy and transfer personal data represents a revolutionary step towards data interoperability since it creates a society where individuals have greater control and innovation is propelled by companies competing. Article 20 GDPR and WP29 show the right to data portability is not only concerned with data protection, but also economic rights. Therefore, it is a powerful tool for European citizens which is, however, not yet properly developed. To enforce data portability, technical measures must be taken - for example, the Data Transfer Project, which increases the security and efficiency of data transactions through an open source which features data portability between online platforms, but it is currently partnered by a limited number of companies.
In conclusion, it is certainly easy to agree that a similar system would create a simpler user experience. However, the current portability rules are insufficient and must be further clarified on their application before actually providing benefits through their enforcement.
15. Conclusion
The aim of this paper was to consistently argue on three of the main issues in the regulation of data driven activities: B2G and B2B data sharing, as well as data portability. The analysis of the current regulatory framework led the authors of this paper to acknowledge and, in turn, highlight the main lacks and uncertainties in such regulations, which still hold a notable margin of improvement before being effective in their enforcement. On a general point of view, what is common to these three fields is certainly the lack of data culture. Most of the actors of the data scene are still not perfectly aware of their rights and duties as well as the potential of data transactions. In particular, in relation to data sharing, the European Union is attempting to ensure that European businesses are up to date with the economic opportunities available with data sharing. The Data Act and the Data Governance Act are meant to ensure fairness, legal certainty and data portability in relation to all stakeholders. However, the need for standardisation and lack of a legal definition for data-sharing platforms and intermediaries has caused shortcomings. Data space projects such as KRAKEN and TRUSTS have offered an interesting structural model for increasing trust in response to the EU data strategy and regulations, but they are still not properly regulated. Looking at other jurisdictions mentioned in the paper, India’s unique Data Nationalisation and, on the other side, the US’s push to control large companies show the international need for legally semi-mandatory data sharing systems which could inspire (given the fact that they cannot be fully adopted in our continent) a proper European system. As a matter of fact, by comparing these systems, the Union can come to a conclusion about the direction of its own data sharing approach. In conclusion, business to government data sharing and business to business data sharing can bring a large array of potential public benefits which has been shown to aid governments in response to ecological and metrological crises, as well as national health crises like Covid-19. However, not only do nations and their citizens benefit from data sharing, but so do businesses, both in the B2B and B2G formula. The private sector can benefit both financially and from an innovation point of view, as a result of the data shared.
At the present moment, businesses point towards issues (that are evident from the Data Act consultation) in relation to why they do not share data. The fear of a distorted competition resulting from this practice and a consequent loss for the business itself still hold companies from committing to data sharing. However, despite media information campaigns, it is questionable as to whether businesses are correctly informed on why and how to share data. The lack of knowledge on the best practises to safely and profitably exchange data, prevent many companies from engaging in data exchanges, or at least limits this exchange to those companies which have the financial and legal means to actually implement this practice. A similar lack of knowledge is also acknowledged in the data portability field, where most of the data subjects are not aware of this right granted to them by the GDPR, as well as companies are not aware or do not know how to implement their duty towards data subjects on data portability. Certainly, it would be useful to educate companies and mostly small and medium enterprises and start-ups (through codes of conduct and impact assessments) to the implementation of data portability, but this issue, in addition to the definitional concerns largely discussed in the paper, makes data portability hardly applicable at the moment.
In conclusion, many steps must still be taken towards the concrete application of all the various possibilities that data driven activities offer. However, the authors of this paper strongly believe that the current activity of the European Union is headed in the right direction: to finally overcome the issues analysed above and create an environment in which data’s potential is exploited at its maximum.
16. Ex-Post Review
An addition must be added to this paper concerning the Data Act Proposal. Since the writing of this paper, there has been a vital update to data regulation within the European Union. The European Union responded to the position of the private sector through the Proposal on harmonized rules on fair access to and use of data[97] published on the 23rd of February 2022.
The Data Act Proposal addresses how, and which stakeholders can access data produced in all economic activities within the European Union. This draft is complemented by the Data Governance Act.[98]The Data Act Proposal harmonizes the rules on fair access to and use of data. It ensures maximization of the economic value of data through ensuring control over one’s own data and by enabling data to be used for innovative purposes. To reach this goal there needed to be fair access to and use of data, this proposal addresses this concern particularly by increasing regulation on data generated from smart devices. Smart connected devices such as mobile phones, electric cars and laptops are the most common data producing devices. This builds onto a key area of an ideal multiple-sector governance framework. It would encourage data sharing horizontally between private economic actors and the Union or member state governments, meaning that the data can be used in legislating on issues impacting these private economic actors. The draft legislation would aim to pinpoint data transfers to non- Member State governments, making them illegal. The regulation may prohibit this type of sharing however it will push economic actors, such as Tech Giants, to share more data. As such, this would create a ‘rulebook’ for economic actors in relation to data.[99] The Commission puts forward that, the rights of those using the smart connected devices will be increased by ensuring additional rules are placed on the corporations which control and own the creation of such devices. The users will gain more access to the data generated by their devices, more control over whether third parties can access such data, and if so, which third parties are allowed. This ensures that the user, or data generator has full say and knowledge of where their data is used. Users can disallow an unknown third party but can consent to others such as repair services. In this way the aim of fairness is achieved.
The proposal has been met with opposition from tech giants and lobbyists such as Brussels tech lobby CCIA and German engineering lobby VDMA. They stress the lack of contractual freedom for companies, and the economic pitfalls of the regulation disallowing sharing in the event of an access request from Non-member state countries. For example, a study done by CCIA found that these restrictions could cost 0.6% of the European Unions’ GDP.[100] On the other side, this proposal is not only achieving the aim of fairness, but it also increases quality of data. Despite the opposition by tech lobbyists, it is particularly necessary when considering B2G data sharing in the case of emergencies.[101] In light of, the COVID-19 Pandemic, the European Union must consider how best to prepare for pan-European disasters. In this digital world, if another disaster on the scale of the pandemic occurred, consider if the Ukrainian-Russian war impacted European Member States, then effective B2G data sharing is essential. Therefore, despite the concerns of lobbyist the Commission has continued with this proposal.
Overall, the proposal aims to unlock the data potential of the Union.[102] It allows for non-binding contractual terms for startups and small companies to ensure the allowance of innovation and good competition. It creates better clarity on data from smart connected devices. It sets rules for member states to ensure that all Union members are governed by the same regulatory framework. Therefore, this proposal is a welcomed step in the European data regulation framework and serves towards the goal of efficient data portability.
* LLM Candidates in in European Business and Social Law at Bocconi University.
**Adjunct Professor at Bocconi University.
[1] ‘Data Regulation and Policy’, Prof. L. Zoboli, seminar offered within the LLM in European Business and Social Law at Bocconi University.
[2] ‘Business-to-government data sharing: Questions and answers’, European Commission, 18 November 2021, available at https://digital-strategy.ec.europa.eu/en/faqs/business-government-data-sharing-questions-and-answers#ecl-inpage-business-to-government-(b2g)-data-sharing.
[3] ‘Public Consultation on the Data Act’, European Commission, available at https://digital-strategy.ec.europa.eu/en/public-consultation-data-act-summary-report.
[4] The European Union has already undertaken steps in the G2B sector. Directive 2019/1024 on open data and the re-use of public sector information, also known as the Open Data Directive, encourages Member States to share material held by public sector bodies at national, regional, and local level. This includes material held by ministries, state agencies, municipalities, and organisations under the control of public authorities. The Directive’s scope falls within three main areas: data which public undertakings make available for re-use, research data resulting from public funding, and transparency requirements for public–private agreements (as to avoid exclusive arrangements). So far, 19 Member States (Belgium, Bulgaria, Czech Republic, Spain, Estonia, Croatia, Ireland, Italy, Cyprus, Latvia, Luxembourg, Hungary, Netherlands, Austria, Romania, Slovenia, Slovakia, Finland, and Sweden) have not yet implemented the Directive. On September 30, 2021, the European Commission sent a letter of formal notice, the first step in the infringement procedure, to the Member States in question. The Open Data Directive also requires the adoption by the Commission, via a future implementing act, of a list of high-value datasets to be provided free of charge.
[5] ‘A European Strategy for Data’, European Commission, available at https://digital-strategy.ec.europa.eu/en/policies/strategy-data.
[6] Proposal for a Regulation of the European Parliament and of the Council on European data governance, COM/2020/767 final, (2020).
[7] The FFD (Regulation 2018/1807) aims at removing obstacles to the free movement of non-personal data across Member States and IT systems in Europe. The purposes of the Regulation are the following: i) incentivizing the free movement of non-personal data across the EU; ii) making data available for regulatory control; iii) facilitating the switch of cloud service providers for professional users; iv) being consistent with the Union’s cybersecurity package.
[8] The CSA (Regulation 2019/881) grants a permanent mandate to ENISA, the agency tasked with helping the Commission and the Member States in meeting requirements of network and information security and gives it more resources and new powers. ENISA also assists Member States and coordinates EU response to large-scale cyberattacks.
[9] Directive 2019/1024.
[10] Regulation (EU) 2016/679.
[11] ‘Towards A European Strategy on Business-To-Government Data Sharing for The Public Interest’, European Commission, available at https://op.europa.eu/en/publication-detail/-/publication/d96edc29-70fd-11eb-9ac9-01aa75ed71a1.
[12] ETNO policy position on the European strategy for data (European Telecommunications Network Association 2020).
[13] J. Debussche, J. Césae, ‘Data-related legal, ethical and social issues’, Two Birds, August 2019.
[14] H. Richter, ‘The Law and Policy of Government Access to Private Sector Data (‘B2G Data Sharing’)’, Max Planck Institute for Innovation and Competition, 2020.
[15] G. Ramazzoti, ‘Prospects of ‘Business to Government’ data sharing in Europe: Insights from Covid-19 and political philosophy’, International Development Research Network, 2020.
[16] IDC, The Lisbon Council, The European Data Market Monitoring Tool: Key facts & figures, first policy conclusions, data landscape and quantified stories, 2016.
[17] ibid.
[18] M. Colas et al., ‘Cracking the Data Conundrum: How Successful Companies Make Big Data Operational’, Capgemini Consulting, 2014, available at https://www.capgemini.com/consulting/wp-content/uploads/sites/30/2017/07/big_data_pov_03-02-15.pdf.
[19] UN Development Group, ‘Data privacy, ethics and protection. Guidance note on big data for achievement of the 2030 agenda’, available athttps://www.unglobalpulse.org/policy/privacy-and-data-protection-principles/#:~:text=The%20Guidance%20Note%20on%20Data,offerings%2C%20and%20shared%20with%20UNDG.
[20] L. Romanoff, ‘Privacy and ethics in international public sector’, UN Global Pulse Workshop on Data Ethics, 2019.
[21] T. Klein, S. Verhulst, ‘Access to New Data Sources for Statistics: Business Models and Incentives for the Corporate Sector’, PARIS21, Discussion Paper No. 10, March 2017, available at https://ssrn.com/abstract=3141446.
[22] W. B. Werther, D. Chandler, ‘Strategic Corporate Social Responsibility as Global Brand Insurance’, Business Horizons, 2005.
[23] B. Tau, M. Hackman, ‘Federal Agencies Use Cell Phone Location Data for Immigration Enforcement’, Wall Street Journal, 2020, available at https://www.wsj.com/articles/federal-agencies-use-cellphone-location-data-for-immigration-enforcement-11581078600.
[24] Aljazeera ‘US Military Buys Location Data of Popular Muslim Apps: Report’, 2020, available at https://www.aljazeera.com/news/2020/11/17/report-us-military-buying-location-data-on-popular-muslim-apps.
[25] European Commission, ‘Towards A European Strategy on Business-To-Government Data Sharing for The Public Interest’, 2020.
[26] ibid.
[27] ‘Investing in European Research - Tax Incentives for Research’, Ec.europa.eu, 2006, available at https://ec.europa.eu/invest-in-research/policy/tax_incentives_en.htm.
[28] ibid.
[29] G. Cavalier, ‘For A European Approach To R&D Tax Incentive(S)’, European Law Institute, 2021, available at https://europeanlawinstitute.eu/projects-publications/completed-projects-old/tax-law/.
[30] L. Kinnear, ‘Does Government Have a Role to Play in Corporate Social Responsibility?’, Giving Force, available at https://www.givingforce.com/does-government-have-a-role-to-play-in-corporate-social-responsibility/.
[31] W. B. Werther, D. Chandler, ‘Strategic Corporate Social Responsibility as Global Brand Insurance’, Business Horizons, 2005.
[33] Proposal for a Directive of the European Parliament and of the Council amending Directive 2013/34/EU, Directive 2004/109/EC, Directive 2006/43/EC and Regulation (EU) No. 537/2014, as regards corporate sustainability reporting, available at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021PC0189.
[34] European Innovation Council, ‘The European Capital of Innovation Awards’, , 2021, available at https://eic.ec.europa.eu/eic-funding-opportunities/eic-prizes/european-capital-innovation-awards_en.
[35] European Business Awards, ‘Get the recognition your Business deserves’, 2021, available at https://www.businessawardseurope.com/about.
[36] ‘EC D-G, Study on data sharing between companies in Europe’, Everis Benelux, 2018.
[38] Data Governance Act, COM/2020/767 final.
[39] European Commission, ‘Data Act & amended rules on the legal protection of databases’, 2021, available at https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13045-Data-Act-&-amended-rules-on-the-legal-protection-of-databases/public-consultation_en.
[40] European Commission, ‘Directorate-General for competition, communication from the commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the regions. A competition policy fit for new challenges’, 2021, available at https://ec.europa.eu/transparency/documents-register/detail?ref=COM(2021)713&lang=en.
[42]Gaia-x, ‘What is Gaia-x’, 2021, available at https://www.data-infrastructure.eu/GAIAX/Navigation/EN/Home/home.html
[43] TRUSTS, ‘Motivation & Objectives - TRUSTS'’, available at https://www.trusts-data.eu/motivation-objectives/.
[44] H. Richter, P.R. Slowinski, ‘The Data Sharing Economy: On the Emergence of New Intermediaries’, International Review of Intellectual Property and Competition Law volume, 4–29, 2019, available at https://doi.org/10.1007/s40319-018-00777-7.
[45] Report By the Committee of Experts on Non-Personal Data Governance Framework, 2020, available at https://ourgovdotin.files.wordpress.com/2020/07/kris-gopalakrishnan-committee-report-on-non-personal-data-gover nance-framework.pdf.
[47] T.E. Hardwicke et al.., ‘Data Availability, Reusability, And Analytic Reproducibility: Evaluating the Impact of A Mandatory Open Data Policy at The Journal Cognition’, Royal Society Open Science, 2018.
[48] L. Zoboli, ‘'Fueling the European Digital Economy: A Regulatory Assessment of B2B Data Sharing’,
European Business Law Review, 31, Issue 4, pp. 663-692, 2020, available at https://kluwerlawonline.com/journalarticle/European+Business+Law+Review/31.4/EULR2020026
[49] N. Pahwa, ‘Nationalisation of Data Will Destroy Value for Businesses, Investors’, Times of India, 2020, available at https://timesofindia.indiatimes.com/blogs/toi-edit-page/nationalisation-of-data-will-destroy-value-for-businesses-investors/.
[50] The New York City Council ‘A Local Law to Amend the Administrative Code of The City Of New York, In Relation to Data on Orders Placed Through Third-Party Food Delivery Services’, 2021, available at https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=4951001&GUID=4CB11989-5925-418B-9627-B2AED230D67F.
[51] ‘AB-2149. Food Delivery Platforms’, California Legislative Information, 2020, available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB2149
[52] B. Cyphers, H. Tsukayama, «Why Data-Sharing Mandates Are the Wrong Way to Regulate Tech», Electronic Frontier Foundation, 2021, available at https://www.eff.org/deeplinks/2021/08/why-data-sharing-mandates-are-wrong-way-regulate-tech.
[53] J. Prüfer, «Mandatory Data Sharing», Tilburg School of Economics and Management, available at https://prufer.net/2021/02/04/mandatory-data-sharing-development-of-a-test-governance-structure/.
[54] Support Centre for Data Sharing, ‘Mandatory Data Sharing Vs. Data Sovereignty: How to Connect Global Data Dots?’, 2021, available at https://eudatasharing.eu/news/mandatory-data-sharing-vs-data-sovereignty-how-connect-global-data-dots.
[55] ‘Assessment of the EU Member States’ Rules on Health Data in The Light Of GDPR’, Publications Office of the European Union, 2021.
[56] Regulation (EU) 2016/679.
[57] P. De Hert et al., ‘The right to data portability in the GDPR: Towards user-centric interoperability of digital services’, Computer Law & Security Review, 2018, available at https://www.sciencedirect.com/science/article/pii/S0267364917303333.
[58] ‘Right to data portability’, Information Commissioner’s Office, 2021, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/.
[59] L. Irwin, ‘The GDPR: Understanding the right to data portability’, IT Governance, 2020, available at https://www.itgovernance.eu/blog/en/the-gdpr-understanding-the-right-to-data-portability.
[60] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[61] P. De Hhert et al., ‘The right to data portability in the GDPR: Towards user-centric interoperability of digital services’, Computer Law & Security Review, 2018, available at https://www.sciencedirect.com/science/article/pii/S0267364917303333.
[62] ‘Article 29 Data Protection Working Party: Guidelines on the right to data portability’, European Commission, WP 242 rev.01, supra p 4.
[63] ‘Opinion 03/2013 on purpose limitation’, European Commission, Article 29 WP, WP 203, p. 46-47.
[64] ‘European Commission Staff Working Document on the free flow of data and emerging issues of the European data economy accompanying the document communication building a European data economy’, European Commission, 9 final, 2017, p. 47.
[65] EDPS recommendations on the EU’s options for data protection reform, (2015/C 301/01).
[66] Regulation (EU) 2016/679.
[69] Regulation (EU) 2016/679.
[70] Annex 2 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of Regions ‘Towards interoperability for European public services’, European Commission, COM/2010/0744 final, 2010.
[71] Article 29 Data Protection Working Party: Guidelines on the right to data portability’, European Commission, WP 242 rev.01.
[73] Amending Directive 2003/98/EC on the re-use of public sector information.
[74] Regulation (EU) n. 1025/2012.
[75] ‘Machine-Readable’, Open Data Handbook, 2018, available at https://opendatahandbook.org/glossary/en/terms/machine-readable/.
[76] The Re-use of Public Sector Information Regulations (2015), no. 1415.
[77] ‘Right to Data Portability’, Information Commissioner’s Office, available at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/.
[78] ‘Article 29 Data Protection Working Party: Guidelines on the right to data portability’, European Commission, WP 242 rev.01,
[79] J. Wong, T. Henderson, ‘The right to data portability in practice: exploring the implications of the technologically neutral GDPR’, International Data Privacy Law, Vol. 9, No. 3, 2019.
[80] B.A. Greenberg, ‘Rethinking Technology Neutrality’, Minnesota Law Review, Vol. 100, p. 1495, 2016, available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2748932
[81] Communication from the Commission to the European Parliament and the Council ‘Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation’, European Commission, COM (2020) 264 final, Brussels, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52020DC0264&rid=5
[82] ‘Article 29 Data Protection Working Party: Guidelines on the right to data portability’, European Commission, WP 242 rev.01.
[83] Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive).
[84] Decision (EU) 2015/2240 of the European Parliament and of the Council of 25 November 2015 establishing a programme on interoperability solutions and common frameworks for European public administrations, businesses and citizens (ISA2 programme) as a means for modernising the public sector, [2015] OJ L318/1, art 2.
[85] ‘Data portability, interoperability and competition’, OECD, 2021, available at https://www.oecd.org/daf/competition/data-portability-interoperability-and-competition.htm
[86] ‘Article 29 Data Protection Working Party: Guidelines on the right to data portability’, European Commission, WP 242 rev.01.
[87] ‘Article 29 Data Protection Working Party: Guidelines on the right to data portability’, European Commission, WP 242 rev.01
[90] ‘Article 29 Data Protection Working Party: Guidelines on the right to data portability’, European Commission, WP 242 rev.01.
[91] T. Morey et al., ‘Customer Data: Designing for Transparency and Trust’, Harvard Business Review, 2015, available at https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust.
[92] Regulation 2016/679, Article 20 (1).
[93] S. Turner, J. Galindo Quintero, J. Lis, L.M. Tancczer, ‘The exercisability of the right to data portability in the emerging Internet of Things (IoT) environment’, New Media & Society, 23(10), 2021, pp. 2861-2881.
[94] E. Sydmoudis, S. Mager, S. Kuebler-Wachendorff, P. Pizzinini, J. Grossklags, J. Kranz, ‘Data Portability between Online Services: An Empirical Analysis on the Effectiveness of GDPR Art. 20’, Proceedings on Privacy Enhancing Technologies, 2021, pp. 351-372.
[95] DLA Piper. GDPR fines and data breach survey: January 2021.
[96] J. Krämer, P. Senellart, A. De Streel, ‘Economic implications and regulatory challenges’, Centre on regulation in Europe, June 2020.
[97] Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) Brussels, 23.2.2022 COM (2022) 68 final 2022/0047 (COD).
[98] Proposal for a Regulation on European data governance (Data Governance Act) 25/11/2020 COM (2020) 767.
[99] P. Haeck, «EU unveils industrial data rulebook», Politico, 2022.
[100]«EU Data Policy Update. Dr2 consultants», CCIA, 10 March 2021, available at https://dr2consultants.eu/dr2-consultants-launches-new-eu-data-policy-services.
[101] Schechner, Mackrael, «Tech Giants to Be Forced to Share More Data Under EU Proposal», 2022.
[102] Fitouri, «Data Act: Right ambition to unlock data potential, but obligations would hold back Europe’s data-driven recovery», DigitalEurope, 2022.
