This article is part of our special report What to expect in EU policymaking in 2022.
The EU’s ambitious digital policies face a moment of truth in 2022. EURACTIV takes a closer look at what is coming up.
“Digital is the make or break issue,” the European Commission President Ursula von der Leyen said in her annual State of the Union speech in September.
Indeed, the Commission has grand ambitions in this policy area, and the 2022 digital agenda could hardly be more packed:
Landmark platform regulation is approaching the finishing line, the European data strategy is taking its first steps, intense policy discussions on the AI rulebook, brand new rules for the gig economy, initiatives on cybersecurity and semiconductors…
Here is what you need to know to make sense of all the noise.
In December 2020, the Commission presented the Digital Markets Act (DMA) and Digital Services Act (DSA), two sister proposals to regulate the digital space. If anyone had said that such complex legislation would be adopted in the European Parliament and Council in just one year, the statement would have raised more than one eyebrow. Yet here we are.
Member states adopted both files in November. Lawmakers finalised their position on the DMA in December, and the DSA is expected to follow suit in January. The French, who will negotiate the files during their EU Council presidency, have made it no secret that they want to reach an agreement before the French presidential elections in April.
For Paris, brokering these EU laws would be a strong campaigning point, but that leaves only two months to reach an agreement. If one had to place a bet, a deal on the DMA is much more likely, simply for the nature of the regulation that targets Big Tech. The DSA, being horizontal legislation, might take more time and possibly end up on the desk of the Czech EU Presidency that starts in June.
Data governance, data sharing, data protection
The recently adopted data governance law is due to enter into force at the start of the year and will have to live up to its ambition to establish a ‘Schengen of data’. The rules aim to provide favourable conditions for businesses to share their data with data marketplaces, but the scheme’s success will depend on the industry uptake.
The Data Governance Act was only the first legislative milestone of the European Data Strategy. The second and more delicate step will be the Data Act, whose adoption was delayed to 23 February after failing an internal review. The data law will touch upon sensitive issues such as data-sharing obligations, data monetisation, and data access for public bodies.
Meanwhile, the discussions around the GDPR, the EU’s privacy law, might continue to heat up. Pressure is on the Irish data protection authority to take decisive action on Big Tech, while the European Data Protection Supervisor is organising a conference in June to reassess the state of enforcement.
Thorny negotiations on a new Privacy Shield with the United States are still to find a legal expedient that can withstand judicial review.
The fifth element: Artificial Intelligence
Since the European Commission presented the draft AI Act last April, the legislative progress has been sluggish.
Partially because the file is very technical, policymakers have had a hard time understanding the implications of the legal provisions. The AI regulation also interacts with various other EU laws, from data protection to product safety via law enforcement.
This is why the Slovenian presidency provided only a limited rewrite of the proposal but still tried to shape it in some critical aspects before passing the ball to the French. While regulating AI may seem sexy, Paris is primarily looking for quick wins, and this regulation is unlikely to provide one.
The struggle until now was mainly political on the Parliament’s side, as MEPs squabbled for six months over who was to take the lead.
The final arrangement entails a co-lead between committees on civil liberties (LIBE) and consumer protection (IMCO), following an agreement between liberal and progressive lawmakers that side-lined a heavyweight from the conservative European People’s Party (EPP), MEP Axel Voss.
The EPP seems isolated on the highly contentious point of biometric recognition technologies. However, Voss still has cards to play as he will shadow the file in LIBE and is likely to be the opinion rapporteur in the legal affairs committee (JURI). Dual leadership already means much slower decision-making, and these political divisions are likely to delay the file further.
Gig economy rulebook
On 9 December, the European Commission presented a long-waited draft directive to regulate the gig economy. The crux of the legislation is that it would turn online platforms from the providers of casual services to proper employers for as many as 4.1 million people.
The proposal would introduce harmonised rules to what has been a Wild West of legislative void and conflicting judicial decisions across the bloc. The text is likely to receive strong support in Parliament as MEPs adopted a similar resolution in September with consensus from across the aisle.
The proposal also received broad support from EU countries, based on an open letter signed by the relevant ministries of Belgium, Spain, Portugal, Germany, and Italy. Despite this consensus, a swift adoption at the EU level might take some time to enter into force, as member states would have to transpose directives into national law.
The revision of the Network and Information Security Directive, NIS2 in short, is likely to hit the post at the beginning of next year, as the first trilogue, a three-way talk between Parliament, Council, and Commission, is expected to take place in mid-January.
The legislation aims to establish minimum cybersecurity requirements for businesses and organisations that play an essential role in society.
The Parliament’s text is extensive in scope, which is likely to be resisted by member states. Still, recent disruptions in major infrastructures and the situation on the EU’s Eastern border have made cybersecurity a top concern among EU governments.
The Cyber Resilience Act, a new cybersecurity law, is also expected by the third quarter of 2022. The focus, in this case, is on establishing minimum cybersecurity standards for connected devices to prevent cyber threats in the growing market of the Internet of Things.
While policymakers agree more cybersecurity is a priority, operationalising that with governments that jealously guard their competencies in terms of national security is another topic.
Several structures and cooperation mechanisms are already present at the European level, explaining the EU countries’ cold reception of the Joint Cyber Unit proposal.
The global chip shortage has put semiconductors at the centre of the Commission’s drive toward strategic autonomy. These small but essential components for electronic devices provide perhaps the ultimate example of the risk related to external dependencies.
In September, the EU executive announced its proposal for a European Chips Act, now planned for the second quarter of 2022. The Chips Act is expected to focus on capacity building, research and international partnerships.
[Edited by Zoran Radosavljevic/ Alice Taylor]