10. February 2023 By Christian Hammer and Lilian Do Khac
What legislative initiatives will change and the effects they are expected to have on our AI and data projects
Data is the basis for all business processes as well as a company’s value chain. This understanding has become more and more firmly established in our consciousness in recent years, which is why we instinctively react to the previous sentence with approval. We believe that using data in a designated and targeted manner should be done – as a matter of fact, must be done – according to clear rules and in pursuit of strategic goals.
A company must become data-driven in order to achieve this. To make this happen, the technologies to be employed as well as the architectures to be used are derived from the designated data strategy, and numerous roles are additionally introduced as part of a broad data governance initiative. This approach comes with the promise of being able to use data wisely and as requested. From the decision-maker to the data worker, information is available with a high degree of flexibility, transparency and traceability and in a form that is tailored to the needs of the target group. The focus in recent years has particularly been on application-driven use and refinement within individuals’ own departmental boundaries and much less often on the boundaries of the company or the group.
In this context, (carefully) handling data is not an end in itself, as doing so promises the company increasing revenues. However, at the moment, only a scant few companies have already discovered data monetisation for themselves. Being well acquainted with the market and customers via observation and data analysis undoubtedly creates a direct competitive advantage in the competitive market. The competitive disadvantage, however, may be much more serious if this specific knowledge is not gathered from data.
But, through daily contact with social media or search engines (or even increasingly popular language models such as GPT or ChatGPT), we also understand how important our own data has become in the meantime. Who has not been shocked to discover that Google Maps, to use a rather mundane example, ‘knows’, without any input from us, where we live, work and what our regular routines are when we move around? That which is unsettling to individuals is bristling with potential for companies. Especially with the example of social media, we see that the one in charge of the data set has interesting things to offer its advertisers: everything from detailed customer data including important geo-information to preferences of all kinds. No matter whether it is someone’s favourite music, colour or type of wine, everything is stored and can be called up on demand. Purchasing customer data records now makes it possible to place highly customised, targeted product offers, which increases conversion rates and subsequently sales – especially since addressing the target group promises higher completion rates.
This is exactly where digital regulation comes into play. It is necessary to protect consumers against having their data arbitrarily stored and subsequently used as well as against decisions made on the basis of aggregated or individual data sets. That being said, it is not primarily about a general ban, but rather it is about demanding high quality requirements. In digital regulation, or in regulation in general, a regulatory framework is defined that simultaneously acts as a guideline for market participants and thereby removes uncertainties. What is more, European regulation is intended to bring about overarching harmonisation so that fragmentation within the European Economic Area is avoided.
We recognise types of regulation in various forms. In order to better categorise them, the hierarchy is concisely portrayed in what is known as a pyramid of norms.
Brief introduction to the pyramid of norms
A pyramid of norms facilitates understanding, reduces the complexity of regulations and sketches out their relations to one another (Figure 1). Whereas legislation is shown at the top of a pyramid of norms, the world of standardisation is depicted as the pyramid descends. The framework defined by a law is significantly more strict, whereas regulations and standards are more open to interpretation and define a more open framework.
EU law, the German constitution and other laws have a legally binding character, which means that breaking these laws results in punishment. The exact measures that must be taken to comply with these laws are not prescribed legislatively, but rather they evolve in response to things such as the development of norms and standards when a new law is put in place. Norms and standards are developed by private organisations and set standards regarding quality. Unlike laws, they are not necessarily legally binding, but rather they represent the state of the art and thus constitute metrics for quality measures. Such quality measures can in turn result in feedback on the legislation and refine legislative texts. To provide a concise example, we would like to highlight the development of light bulbs. Standardising and deriving efficiency measures made it possible to make quality differences measurable. This has not only led to an increase in quality among manufacturers but ultimately also to the specific legal exclusion of non-efficient, environmentally unfriendly light sources.
We created an example for this specific blog post in the following chart. We will deal solely with the developments of the legally binding standards in a future post.
Let us take a look back and stop to consider a very particular law that most of us should have already heard of: the General Data Protection Regulation, or GDPR for short.
What can be learned from ten years of the GDPR?
The General Data Protection Regulation – GDPR for short – was presented by the European Commission more than ten years ago on 25 January 2012. There were still four years to go until the regulation came into force in May 2016: four years in which most companies had to overhaul their corporate identity in terms of dealing with personal data and implementing legal requirements – four years in which we often read about obstacles to innovation, overregulation and a lack of competitiveness in comparison to that of other countries. Faced with high penalties and having no experience interpreting the GDPR (especially not judicially), many companies from a wide range of industries were surprisingly reluctant to comply. There was certainly a lack of many things at that time, experience being one of them: software (whether tool or routines), legally compliant wordings (whether in contracts or the legal notice), roles, processes or control instances.
Now, at the beginning of 2023, we have long since closed these gaps and gained security as well as the knowledge that the GDPR is actually being regulated. We know exactly how we as a company (have to) make our homepage GDPR-compliant and which (ready-made) forms we as consumers have to send to a company in order to find out whether and for what purpose they have stored data from us. Looking at it from this perspective, the change has greatly empowered the consumer, although the same period of time saw the emergence of companies whose passion is collecting data and then refining personal data sets that have been thoroughly analysed and segmented. But is the knowledge of how to deal with personal data really already firmly anchored in us and in companies? That is doubtful – at least until the next major project is faced with the question of whether the entire CRM solution should be hosted by one of the three (American) hyperscalers (Amazon Web Services – AWS, Google Cloud Platform – GCP or Microsoft Azure) due to the inexorable advance of digitalisation and the accompanying economic factors or until the question is raised in this context as to which laws data stored in the US or China, for example, are subject to.
Having the current knowledge that both the European and regional parliaments have – and indeed must have – the protection of their citizens in mind, the regulations outlined below and coming into force in the next few years should not be taken lightly and should be built into application architecture and business processes at an early stage. That is why we are looking forward and dedicating ourselves to the future developments that await us in terms of digital legislation.
What is in store for us in the next ten years?
From a European perspective, the five years from 2020 to 2025 constitute a formative period during which a wide range of laws regulating data and data-related applications are and will be drafted and adopted at EU level. These laws are initially designed horizontally and form the basis for sectoral legislation, such as that for banking, insurance or the medical industry.
Data Governance Act (DGA): The Data Governance Act provides a framework that encourages data sharing. The Data Governance Act came into force on 23 June 2022 and will become applicable in September 2023 after a 15-month grace period.
Digital Services Act (DSA): The Digital Services Act addresses e-commerce activities and is intended to prohibit the misuse and misrepresentation of information. The Digital Services Act came into force on 4 October 2022 and will become applicable on 1 January 2024.
Digital Markets Act (DMA): The Digital Markets Act sets standards for online platforms so that information monopolists (such as Facebook) are unable to exploit their power and fairness on online platforms can be ensured. The Digital Markets Act came into force on 1 November 2022 and will become applicable on 2 May 2023.
Data Act (DA): The Data Act sets principles and guidelines for using and accessing data so that data is more readily available. The Data Act proposal was published on 23 February 2022.
EU AI Act: The EU AI Act is the first legislative proposal on regulating AI applications to ever be presented to the world. The last round of reviews for the EU AI Act took place on 6 December 2022. Since then, it has been undergoing preparation for the trialogue between the three European legislative institutions. The EU AI Act is expected to enter into force in 2024/2025. The grace period ends in 2024/2025.
What are the expected implications for AI and other data-driven enterprises now?
Just as with the GDPR, there is a consistently resounding claim in the wake of the new laws and regulations that a climate that is hostile to innovation has been created, or is being created, which is overwhelmingly inconvenient for any company in globalised competition. This statement most notably resonates with uncertainty. Standards-based sets of rules guarantee (apart from different charger plugs from different mobile phone manufacturers) the existence of reasonably fair competition, especially when compared internationally – regardless of whether it is in the financial market or the manufacturing industry. When specifically looking at artificial intelligence, it is more than desirable if ethically questionable decisions are not made or at least appropriate supervisory bodies are involved. And the data these decisions are based on also has to be trustworthy. This is even more so the case in times of the Internet of Things (IoT/XIoT) because not all data available on the Internet is necessarily intended for decisions to be based on it, especially against the backdrop of digital data marketplaces.
I have a question for those who nevertheless insist that a climate hostile to innovation is being created: Would ‘emigration’ then be a better option to avoid this? In transnational law, there is talk of what is termed the Brussels Effect. This states that the scope of European legislation extends beyond the borders of the EU and has a significant effect on other countries. This shows that the global economy is oriented towards meeting the highest standards, such as the EU’s strict protection regulations (for consumers, their data or the environment). We have already been able to observe the initial implementations inspired by the current version of the EU AI Act at large non-European companies.
The desire many companies have to streamline decision-making processes and keep the time it takes to gain the initial data-based insights to a bare minimum is not something the new and expected conditions satisfy in the short term. A more equitable environment is being created to accomplish this, one in which trust in data-driven decisions can be established.