EU Digital Single Market – New Initiatives for Cloud Computing and Internet of Things


Yesterday, the European Commission launched its “Digitising European Industry” package, a series of industry-related initiatives aimed at “updating Europe’s digital infrastructure”, see press release here, Q&A here and homepage here.  The package includes reports and proposals addressing cloud computing, ICT standardization, eGovernment, Internet of Things (“IoT”), quantum technologies and high performance computing / big data.

Below we summarize the data protection aspects of the key communications published yesterday.

Cloud computing — launch of the European Science Cloud

Building on the European Cloud Strategy, the Commission announces a European Cloud Initiative.  The initiative focuses on the creation of a European Open Science Cloud and a European Data Infrastructure.  It will be complemented by actions under the Digital Single Market strategy, including in relation to cloud contracts, switching cloud services and the proposed Free Flow of Data initiative.

The Commission points out that there are five reasons why the EU fails to reap the full potential of data: (i) lack of openness in publicly funded research; (ii) lack of interoperability; (iii) fragmentation of data infrastructures; (iv) lack of high performance computing infrastructure; and (v) an ill-adapted regulatory framework for the re-use of data.

The European Open Science Cloud is intended to “offer 1.7 million European researchers and 70 million professionals in science and technology a virtual environment, free at the point of use, open and seamless services for storage, management, analysis and re-use of research data, across borders and scientific disciplines.”  While this Cloud will start by bringing together existing scientific data infrastructures, several additional steps need to be taken to make the Science Cloud truly European and open.  Among other things, more data must be open by default, there should be incentive structures to share data, and interoperability must be improved.  According to the Commission, the initiative may help address issues such as data clearance and data protection through the development of anonymization services, “personal data spaces”, and other privacy by design and default tools and processes.  In this context, the Commission intends to adopt an Action Plan by the end of 2017 on scientific data interoperability, including ‘meta-data’, specifications and certification.

In addition to the European Open Science Cloud and appropriate infrastructure, the Commission also wants to widen access to the data and build the required trust.  The intention is to incorporate much of the public data and to gradually open this up to users from industry.  The Commission realizes that this will only work if the cloud infrastructure meets high standards of quality, reliability and confidentiality.  In this respect, it intends to start working as of 2016 on certifications and standards, in particular on security, data portability and interoperability, including a certification approved pursuant to the mechanism in the new General Data Protection Regulation.

According to the Q&A, access to the Science Cloud would be limited to universities and research institutes at the outset, but it would be widened to private and public bodies as more resources become available.  As of 2016, as part of the Horizon 2020 program, the Commission will explore the governance and financing mechanisms of the Science Cloud in cooperation with stakeholders and the Member States.

ICT standardization

In its Communication on ICT standardisation, the Commission has identified five priority areas for standardization: 5G, the IoT, cloud computing, cybersecurity and data technologies.  Standard setting bodies in these areas will draft reports outlining best practices and gaps to be addressed by the end of 2016.  This is likely to lead to prioritized standardization in eHealth, smart energy, smart cities and connected cars.  In addition, the Commission has proposed a high-level political process to validate, monitor, and – where necessary – adapt the list of priorities.  The standardization efforts are focused on interoperability, safety, security and privacy as well as increased collaboration between standard setting bodies at a European and global level.

Based on the degree of uptake and progress by the end of 2017, the Commission will consider adopting a recommendation regarding the integration of cyber security and application of privacy and personal data protection requirements including data protection-by-design and data protection-by-default.  The Commission will also encourage the development of cybersecurity risk management guidelines for organizations and audit guidelines for authorities or regulators with oversight responsibilities.

eGovernment

The Communication on the EU eGovernment Action Plan 2016-2020 sets out a number of principles that forthcoming initiatives in the area of eGovernment should observe and aims to join up efforts in removing existing digital barriers and to prevent further fragmentation in the context of the modernization of public administrations.  The Action Plan is guided by an ambitious vision of public administrations and EU institutions providing open, efficient, borderless, personalized, user-friendly, end-to-end digital public services to all citizens and businesses in the EU by 2020.

The Action Plan sets out a number of underlying principles that initiatives under the Action Plan should observe, including Digital by Default, the Once only principle (so that the same information only needs to be supplied once and can be re-used), Openness & Transparency, Interoperability, Trustworthiness & Security.

In terms of Policy Priorities, the Action Plan sets out twenty concrete actions in the following three areas:

The actions are to be launched in 2016 and 2017 and further actions may be developed in addition.

Digitizing Industry and the free flow of data initiative

The Commission plans measures to encourage investment (along with industry and EU partners) in “digital hubs”, preparing the European job market for the digital transformation and a framework for coordination of national and regional initiatives.

The Commission will also propose measures to create the right regulatory conditions to encourage digitization in industry.  With the support of industry and Member States, the Commission will:

Internet of Things

Internet of Things (“IoT”) gives people the opportunity to always be connected to all their personal devices, which has the potential to lead to more surveillance or more profiling by public authorities and private entities.  In its staff working document on the Internet of Things, the Commission acknowledges that some data processed by IoT is personal data, within the meaning of data protection law.

Under the new General Data Protection Regulation (“GDPR”) the Commission expects that ‘data protection by design and by default’ principles, using anonymized or pseudonymized data together with data protection impact assessments, data protection certifications, seals and marks, will ensure consumer trust in the IoT.

In addition to the GDPR provisions applicable to the IoT, the Commission is considering:

The Commission is also exploring ways to ensure “context based security and privacy” for IoT (e.g., emergency crisis, home automation), trustworthy identification of users and devices and security protection solutions like Trusted Computing or Cryptography in Cyber-Physical systems and IoT hardware.

Trusted IoT Label

The Commission has created a “trusted label” for the IoT to promote security, liability, privacy and data protection in the IoT.  The Network Information Security (“NIS”) Directive will require operators in critical sectors to take proportionate technical and organisational measures to manage the risks posed to the security of networks and information systems they use in their operations.  In this staff working document, the Commission suggests that operators using the IoT should adopt the Trusted IoT label as a demonstration of compliance with the NIS Directive’s requirements.

The Commission is also launching initiatives to support the quantum technology industry.


© 2024 Covington & Burling LLP
National Law Review, Volume VI, Number 111