Europe: the third way to data management


Pepe listens to his favorite playlist on the Sfotipy streaming platform every morning when he wakes up. He uses his Bitfit wristband and the app installed on his Android device to manage his daily exercise routine before breakfast. Afterwards, he takes a shower and eats a breakfast suggested by an app that suggests a daily paleo menu. He drives to work, using Gogloe Maps to avoid traffic jams along the way. When he arrives at his office, he checks his mail, including the newsletter of a newspaper and a leisure agenda. He reads various news suggested in both newsletters, also opens an email because he is offered a discount on the purchase of food for his cat, valid only today, and a tempting subject in a Ryonair promotion makes him look for another flight to Paris.

It’s not even 10 a.m. and Pepe has already generated thousands of sweet data for travel companies, hotels, car rentals, media, pet stores, fitness companies, insurance companies… And all of this free of charge for these companies and with the consent given by Pepe by accepting the terms of use of each of these applications. He did not use any social network. However, these platforms are the ones that tend to keep the user hooked for the longest time, watching content that leaves a more than appetizing trail of thousands of useful data for their advertisers. 

Over the past decade, the amount of data generated has grown tremendously. It is projected to reach 175 zetabytes by 2025. That’s more than five times the amount generated in 2018.

How is this data controlled? And who manages it? There are two models of data management outside of Europe. The US model and the Chinese model.


China and the United States, two contrasting models

The US model, which, despite recent and imminent changes, has failed to focus on privacy and thus on the protection of citizens. Although there are some laws that are applied sectorally, in the health or financial sectors, and some states have begun to apply specific laws, the control of data is in the hands of the companies. The only US law that most closely resembles the GDPR is the California Consumer Privacy Act (CCPA), which applies to consumers residing in California. 

The Chinese model is “data nationalization. The Chinese Communist Party wants preferential access to it, and one sign of this is its pressure on private tech giants to share consumer data with the authorities. It is also continuing its efforts to manage the tons of personal information it obtains from citizens to ensure its social and political control, not only within its borders. It also seeks to control public opinion, gather intelligence, and acquire foreign technology. 


The third way of data management

The EU Charter of Fundamental Rights establishes data protection as a fundamental right and this is a very important fact with regard to the European Data Strategy, a document published by the European Union in 2020. Within the framework of this strategy, several instruments will be put in place. One of them is the European Common Data Spaces. But Europe does not want to lose sight of the economic and knowledge potential of this rich “raw material”.

If managed efficiently, data have the potential to reveal patterns that can help improve care for rare disease patients and facilitate the development of more effective medicines. In addition, data has great commercial value, driving revenue for companies such as Google and Meta through targeted advertising. Even smaller amounts of data have great value, for example in the efficient operation of supply chains and smart cities. In all these cases, however, secure and sovereign mechanisms are needed for their exchange, which respect the GDPR and put citizens’ privacy at the heart of regulating their management.


The Data Economy

The European Data Strategy is a key component of the European Union’s broader digital strategy. It aims to make Europe a leader in the “data economy”. This concept implies that data is perceived as a highly valuable economic resource and is strategically managed, stored, processed and used to generate economic value. In order to achieve this, the Commission will, for example, create the conditions for the implementation of European Common Data Spaces. These spaces will include tools and services for organizations to share, process and aggregate data, as well as cloud capabilities and governance structures. But, as we mentioned, always with the perspective of citizen sovereignty of data, with the protection of user privacy as a fundamental key. To achieve this, they will be regulated by European standards:

The latter regulation not only deals with cybersecurity certification in information and communication technologies, but also gives a permanent mandate to the European Cybersecurity Agency (ENISA).

But there is more legislation underpinning this third EU data management track. The European Union has recently enacted legislation, governance and powers for data management:

The Data Governance Act

The Data Governance Act establishes mechanisms to facilitate the re-use of certain categories of protected public sector data, increase trust in data brokerage services, and promote data altruism across the European Union. This legislation also establishes a framework to enable the secure re-use of certain categories of public sector data that are subject to third party rights, such as trade secrets, personal data and intellectual property.

Digital Markets Regulation

The Digital Markets Regulation aims to contribute to the proper functioning of markets in the digital sector. It also seeks to guarantee the rights of users of “gatekeepers”, large companies that provide basic platform services and have accumulated great economic power. 

Digital Services Regulation

The purpose of the Digital Services Regulation is to harmonize the rules applicable to providers of certain digital services at a distance, by electronic means and at the request of an individual recipient. The Regulation aims to create a safe, predictable and trustworthy online environment, while addressing the distribution of illegal content online and the risks associated with it. 

Directive (EU) 2022/2555 or the NIS2 Directive 

Finally, the NIS2 Directive aims to improve the current state of cybersecurity in the European Union. It defines measures such as the creation of the cyber crisis management structure, CyCLONe, the harmonization of security requirements and reporting obligations to ENISA. It also identifies areas where national cybersecurity strategies should be strengthened.

The European regulatory framework provides an environment conducive to the flourishing and efficient use of data, without prejudice to the right to data protection as enshrined in the Charter of Fundamental Rights. However, in order to optimize the use and secure exchange of data within this framework, experts in cybersecurity, intelligent systems and networks are essential. This is the context in which we at Gradiant have been working for years. Among other things, we accompany companies in our environment and help them to strengthen their data-driven digitization processes, as our colleague Rafael Martinez explained in the article “The importance of data governance and data quality for digital transformation” published on this blog a few weeks ago. 

In our next article, we will analyze the European Common Data Spaces. Within this analysis, we will look at ongoing initiatives as well as technical specifications, including reference architectures and open source components that are under development.





Author: Helena Fernández López, Head of Data Innovation