Saturday, November 23, 2024

The EU Data Act: The Long Arm of European Tech Regulation Continues

Must read

As recently as the 1980s, most U.S. trading partners sought to adopt U.S.-style regulations governing business, manufacturing, and consumer safety. However, the dominance of U.S. regulatory practices in the global tech sector has given way due to the ascendancy of the European Commission. Brussels’s growing global regulatory influence marks a tectonic shift: European regulators are increasingly succeeding in demanding changes in the business methods of U.S. tech companies as the price of doing business in Europe, and Europe’s influence is spreading beyond the continent as a result.

Although elements of European tech regulation in the pursuit of digital sovereignty threaten the success of U.S. businesses in global markets, U.S. officials have hesitated to insist on fair treatment in Europe. A case in point is the latest Trade and Technology Council meeting and declaration. Meanwhile, the administration under U.S. president Joseph Biden is bending the language of regulations under the Inflation Reduction Act beyond what Congress intended to accommodate Europe’s objection to discriminatory aspects of the legislation.

Large internet platforms—mostly U.S.-based tech businesses—have led the way in global tech innovation from Web 2.0 to artificial intelligence, despite Europe having a roughly comparable gross domestic product (GDP), population, and talent pool of educated workers. Most game-changing large language models have been developed by U.S. digital services firms competing with one another, not European firms. Even with the success of the light-touch U.S. regulatory environment, Europe believes, to the contrary, that more heavy-handed regulation will nurture the growth of aspirational European tech champions.

Regulatory Costs for U.S. Companies

The EU Data Act makes clear that if Europe intends to impose regulations that slow down U.S.-based tech companies through targeted “gatekeeper” designations and asymmetric data sharing requirements and limitations so that European firms have space to catch up, it will do so.

Europe’s General Data Protection Regulation (GDPR) law, implemented in 2018, is shaping data protection laws beyond Europe in countries such as India, Indonesia, and Colombia, which are emulating Europe as the first mover in regulation. The GDPR has caused an 8.1 percent decline in business profits and a 2.2 percent drop in sales, according to a new estimate by researchers at the Oxford Martin School, which is consistent with estimates made before the implementation of the GDPR.

In implementing the Digital Markets Act (DMA) and the Digital Services Act (DSA), Europe is putting in place discriminatory provisions aimed directly at large U.S. platforms. For example, the DSA initially designated 19 entities as Very Large Online Platforms (VLOPs) or Very Large Online Search Engines (VLOSEs), 16 of which are U.S.-based private entities, 2 of which are Chinese, and only 1 of which is based in the European Union. Recently, CSIS published a study estimating the significant economic costs of the DMA, DSA, and other new tech regulations that U.S. and EU companies will bear. For U.S. service providers, the estimated cost of compliance is in the range of $22–$50 billion. CSIS analysis also shows that U.S. global services exports could decrease by 2 percent. Going forward, weighing the steep costs for innovation and productivity against the aspirational benefits of these laws should be a more transparent part of EU deliberations.

While Europe has declined to fix discriminatory provisions in the DMA and DSA, several impactful pieces of legislation still in the drafting stage may be written more in line with international trade obligations of nondiscrimination and national treatment that do not favor domestic businesses to the detriment of foreign firms. Such acts include the Data Act, the European Cybersecurity Certification Scheme for Cloud Services, and the Artificial Intelligence Act. All of these proposed laws deserve attention because of the significant changes they would require in routine U.S. business practices and the attendant impact on U.S exports and jobs.

The Data Act

Intent

The overall intent of the proposed Data Act is to achieve more competition in the European cloud services market; give users of connected devices such as cars, refrigerators, and smart phones control over their data, guarding against vendor lock-in (forcing consumers to buy products or services from particular vendors); and enable governments to access data controlled and generated by private companies in emergencies.

EU concern over the lack of European-based data processing service providers, as articulated by EU political leaders, has been clear for some time. U.S.-based companies supply over 70 percent of cloud services in Europe, a figure EU politicians and regulators seek to reduce. According to Margrethe Vestager, executive vice president of the European Commission, “One of the main reasons that U.S. tech companies are popular in Europe is that their products are good. . . . Market forces are more than welcome, but we do not leave it to market forces to have the final say.”

The European Union adopted its overall European strategy for data in 2020, which recognizes that data are an essential resource for innovation and economic growth. The document envisions enhancing European competitiveness and data sovereignty by establishing a “single European data space.” The goal of this space is ensuring that more data are available in Europe “while keeping the companies and individuals who generate the data in control.” Director general for data at the Directorate-General for Communications Networks, Content and Technology (DG Connect) Yvo Volman has said, “Europe should be able to benefit from the value of its industrial data, and we need to act now to make it happen,” which would be transformational for production and manufacturing.

Stretching credulity, the European Commission estimates the new data rules will create €270 billion in additional GDP by 2028. European industrial policy will combine policy, legal actions, and financing mechanisms under an overarching plan to coordinate different elements of the strategy. The Data Act stipulates who must relinquish data—a novel government power as seen from the U.S. side of the Atlantic—as well as who can access data, how data can be used to create value in the European Union, and for what purposes.

The Data Act aims to ratchet up the value of data in the European Union controlled by Europeans, specifically to reduce EU reliance on U.S. companies for data. The regulation targets U.S. tech firms operating in the European Union by forcing the sharing of proprietary data and intellectual property with their European and Chinese competitors. Under Articles 4(3) and 5(8), trade secrets must be disclosed to users and third parties so long as “all specific necessary measures pursuant to Directive (EU) 2016/943 are taken in advance to preserve their confidentiality.” In a world where U.S. trade secrets are regularly lost to theft, enforcing this requirement, particularly on third parties, will prove extremely difficult.

Latest article