Fran Burwell / Nov 2022
During the past two years, the European Union has put forward a comprehensive roster of new legislation aimed at governing the growing digital economy and managing the potential excesses of emerging technologies. As these legislative proposals turn into law, the fundamental importance of implementation has become clear. The EU should establish a European Data & Technology Agency (ETDA), so that implementation of these new rules can be both effective and credible.
With the passage of the Digital Markets Act (DMA) and Digital Services Act (DSA), the EU has established a huge new body of regulation. Although the European Commission’s Competition directorate (DG COMP) is experienced in determining who is a dominant market player — and thus a “gatekeeper” — the Commission has less experience in uncovering how algorithms are used to determine self-preferencing, reviewing reports on identifying content to be removed, and tracking the use of third-party data. The proposed AI Act and Data Act will create significant demands for technical expertise in data management and AI governance once they are both passed, probably by the end of 2023. Although the recently adopted Data Governance Act is more focused on the public sector rather than restraining the behavior of major tech companies, it also will require significant expertise in data management, privacy, and cloud service security.
All these legislative initiatives have included sections on enforcement and implementation. In some cases, they call for member states to established coordinators, review boards, or some other body. Developing this capacity will be challenging for even the large member states and will be far beyond the administrative and technical resources of the smaller ones. The result will be uneven and differentiated implementation among the member states, leading to “venue shopping” by companies when approvals or rulings are required. In some small member states, the need to recruit national experts into oversight bodies could cause even more labor-force shortages for the private sector.
The DMA and DSA also see a role for the European Commission, especially in policing the activities of the gatekeepers and “very large online platforms.” In response, the Commission is already hiring hundreds of experts and technologists. Yet implementation is not the best role for the Commission which is an inherently political body. It is the initiator and designer of legislative proposals and then negotiates with the Council and Parliament to achieve its objectives through the law. Its best people are concerned with determining strategy and policy, and its personnel system supports that rather than the development of deep technical expertise. For the Commission to turn from a political and policy-oriented body after a regulation or directive is passed to become a neutral, technical arbiter that can ensure effective implementation of very detailed regulations is too much to ask.
Instead, the EU should follow the example of the European Medicines Agency, the European Food Safety Agency, European Banking Authority and establish an agency with a mandate to ensure implementation of EU rules concerning data and emerging technologies. Such an agency should have a workforce of technical and legal experts, not policy wonks. Its main tasks should be:
- to clarify the ambiguous elements of legislation in a way that is as technically neutral as possible;
- to establish processes for reviews, audits, and investigations;
- to carry out the reviews and other implementation measures specified in the legislation; and
- to provide initial advice and rulings for companies (who would still be able to seek legal remedies).
By assigning these tasks to an independent agency, the EU will serve notice that the implementation of these new rules should be removed from the political hothouse of Brussels and the main EU institutions. This will make the implementation more credible to stakeholders, both companies and NGOs, as well as non-EU governments that may be suspicious of the Commission’s ability to be neutral. A single EU-wide agency will reduce the duplication of effort and personnel among the Commission and the member states, at a time when the EU as a whole has a serious shortage of tech workers. It will provide a “one stop shop” for companies trying to implement the rules across several member states — something of great importance to European SMEs and start-ups. Crucially, such a unified approach will reinforce the Digital Single Market rather than disaggregate it.
A dedicated agency staffed with real technologists will also be better at judging when rapidly changing technologies have outpaced the regulations. Its personnel are more likely to recognize innovative efforts to use technology to circumvent the regulations versus honest attempts to develop safeguards by design. As more radical technologies develop at an ever faster pace, the agency may also provide the technical expertise to judge whether further legislation is needed.
The time to launch such an agency is now. The AI Act and Data Act will add significantly to the burden of implementing new EU tech rules. Under the current situation, the Commission and member states will be quickly overwhelmed. While it is never easy to set up a new agency — even determining its location will require tough negotiations — a dedicated organization with genuine expertise in algorithms, AI, and data management will be more effective from the beginning.
The EU is now widely seen as the leading regulator in the data and tech arena. But regulation requires effective and credible implementation. Continuing the decentralized, member-state implementation of the past, or relying on the policy-oriented Commission, will only erode the EU’s reputation. An independent European Data & Technology Agency will be an important step toward ensuring effective and credible implementation.