espacios de datos

One of the main objectives of Regulation (EU) of the European Parliament and of the Council of 13 December 2023 on harmonised rules for fair access to and use of data (Data Regulation) is to promote the development of interoperability criteria for data spaces, data processing services and smart contracts. In this respect, the Regulation understands interoperability as:

The ability of two or more data spaces or communication networks, systems, connected products, applications, data processing services or components to exchange and use data to perform their functions.

It explicitly states that 'interoperable and high quality data from different domains increase competitiveness and innovationand ensure sustainable economic growth', which requires that 'the same data can be used and reused for different purposes and in an unlimited way, without loss of quality or quantity'. It therefore believes that "a regulatory approach to interoperability that is ambitious and inspires innovation is essential toovercome the dependence on a single provider, which hinders competition and the development of new services".

Interoperability and data spaces

This concern already existed in the European Data Strategy where interoperability was seen as a key element for the valorisation of data and, in particular, for the deployment of Artificial Intelligence. In fact, interoperability is an unavoidable premise for data spaces, so that the establishment of appropriate protocols becomes essential to ensure their potential, both for each of the data spaces internally and also in order to facilitate a cross-cutting integration of several of them.

In this sense, there are frequent standardisation initiatives and meetings to try to establish specific interoperability conditions in this type of scenario, characterised by the diversity of data sources. Although this is an added difficulty, a cross-cutting approach, integrating several data spaces, provides a greater impact on the generation of value-added services and creates the right legal conditions for innovation.

According to the Data Regulation, those who participate in data spaces and offer data or data services to other actors involved in data spaces have to comply with a number of requirements aimed precisely at ensuring appropriate conditions for interoperability and thus that data can be processed jointly. To this end, a description of the content, structure, format and other conditions of use of the data shall be provided in such a way as to facilitate access to and sharing of the data in an automated manner, including in real time or allowing bulk downloading where appropriate.

It should be noted that compliance with technical and semantic standards for interoperability is essential for data spaces, since a minimum standardisation of legal conditions greatly facilitates their operation. In particular, it is of great importance to ensure that the data provider holds the necessary rights to share the data in such an environment and to be able to prove this in an automated way

Interoperability in data processing services

The Data Regulation pays particular attention to the need to improve interoperability between different data processing service providers, so that customers can benefit from the interaction between each of them, thereby reducing dependency on individual providers.

To this end, firstly, it reinforces the reporting obligations of providers of this type of services, to which must be added those derived from the general regulation on the provision of digital content and services general regulation on the provision of digital content and services. In particular, they must be in writing:

• Contractual conditions relating to customer rights, especially in situations related to a possible switch to another provider or infrastructure.
• A full indication of the data that may be exported during the switching process, so that the scope of the interoperability obligation will have to be fixed in advance. In addition, such information has to be made available through an up-to-date online registry to be offered by the service provider.

The Regulation aims to ensure that customers' right to free choice of data service provider is not affected by barriers and difficulties arising from lack of interoperability. The regulation even contemplates an obligation of proactivity so that the change of provider takes place without incidents in the provision of the service to the customer, obliging them to adopt reasonable measures to ensure "functional equivalence" and even to offer free of charge open interfaces to facilitate this process. However, in some cases - in particular where two services are intended to be used in parallel - the former provider is allowed to pass on certain costs that may have been incurred.

Ultimately, the interoperability of data processing services goes beyond simple technical or semantic aspects, so that it becomes an unavoidable premise for ensuring the portability of digital assets, guaranteeing the security and integrity of services and, among other objectives, not interfering with the incorporation of technological innovations, all with a marked prominence of cloud services.

Smart contracts and interoperability

The Data Regulation also pays particular attention to the interoperability conditions allowing the automated execution of data exchanges, for which it is essential to set them in a predetermined way. Otherwise, the optimal operating conditions required by the digital environment, especially from the point of view of efficiency, would be affected.

The new regulation includes specific obligations for smart contract providers and also for those who deploy smart contract tools in the course of their commercial, business or professional activity. For this purpose, a smart contract is defined as a contract that

a computer programme used for the automated execution of an agreement or part thereof, which uses a sequence of electronic data records and ensures their completeness and the accuracy of their chronological order

They have to ensure that smart contracts comply with the obligations of the Regulation as regards the provision of data and, among other aspects, it will be essential to ensure "consistency with the terms of the data sharing agreement that executes the smart contract". They shall therefore be responsible for the effective fulfilment of these requirements by carrying out a conformity assessment and issuing a declaration of compliance with these requirements.

To facilitate the enforcement of these safeguards, the Regulation provides for a presumption of compliance where harmonised standards published in the Official Journal of the European Union are respected the Commission is authorised to request European standardisation organisations to draw up specific provisions.

In the last five years, and in particular since the 2020 Strategy, there has been significant progress in European regulation, which makes it possible to state that the right legal conditions are in place to ensure the availability of quality data to drive technological innovation. As far as interoperability is concerned, very important steps have already been taken, especially in the public sector public sector where we can find disruptive technologies that can be extremely useful. However, the challenge of precisely specifying the scope of the legally established obligations still remains.

For this reason, the Data Regulation itself empowers the Commission toadopt common specifications to ensure effective compliance with the measures it envisages if necessary. However, this is a subsidiary measure, as other avenues to achieve interoperability, such as the development of harmonised standards through standardisation organisations, must be pursued first.

In short, regulating interoperability requires an ambitious approach, as recognised by the Data Regulation itself, although it is a complex process that requires implementing measures at different levels that go beyond the simple adoption of legal rules, even if such legislation represents an important step forward to boost innovation under the right conditions, i.e. beyond simple technological premises.

Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec). The contents and points of view reflected in this publication are the sole responsibility of its author.

The publication on Friday 12 July 2024 of the Artificial Intelligence Regulation (AIA) opens a new stage in the European and global regulatory framework. The standard is characterised by an attempt to combine two souls. On the one hand, it is about ensuring that technology does not create systemic risks for democracy, the guarantee of our rights and the socio-economic ecosystem as a whole. On the other hand, a targeted approach to product development is sought in order to meet the high standards of reliability, safety and regulatory compliance defined by the European Union.

Scope of application of the standard

The standard allows differentiation between low-and medium-risk systems, high-risk systems and general-purpose AI models. In order to qualify systems, the AIA defines criteria related to the sector regulated by the European Union (Annex I) and defines the content and scope of those systems which by their nature and purpose could generate risks (Annex III). The models are highly dependent on the volume of data, their capacities and operational load. 

 AIA only affects the latter two cases: high-risk systems and general-purpose AI models. High-risk systems require conformity assessment through notified bodies. These are entities to which evidence is submitted that the development complies with the AIA. In this respect, the models are subject to control formulas by the Commission that ensure the prevention of systemic risks. However, this is a flexible regulatory framework that favours research by relaxing its application in experimental environments, as well as through the deployment of sandboxes for development.

The standard sets out a series of "requirements for high-risk AI systems" (section two of chapter three) which should constitute a reference framework for the development of any system and inspire codes of good practice, technical standards and certification schemes. In this respect, Article 10 on "data and data governance" plays a central role. It provides very precise indications on the design conditions for AI systems, particularly when they involve the processing of personal data or when they are projected on natural persons.

This governance should be considered by those providing the basic infrastructure and/or datasets, managing data spaces or so-called Digital Innovation Hubs, offering support services. In our ecosystem, characterised by a high prevalence of SMEs and/or research teams, data governance is projected on the quality, security and reliability of their actions and results. It is therefore necessary to ensure the values that AIA imposes on training, validation and test datasets in high-risk systems, and, where appropriate, when techniques involving the training of AI models are employed.

These values can be aligned with the principles of Article 5 of the General Data Protection Regulation (GDPR) and enrich and complement them. To these are added the risk approach and data protection by design and by default. Relating one to the other is ancertainly interesting exercise.

Ensure the legitimate origin of the data. Loyalty and lawfulness

Alongside the common reference to the value chain associated with data, reference should be made to a 'chain of custody' to ensure the legality of data collection processes. The origin of the data, particularly in the case of personal data, must be lawful, legitimate and its use consistent with the original purpose of its collection. A proper cataloguing of the datasets at source is therefore indispensable to ensure a correct description of their legitimacy and conditions of use.

This is an issue that concerns open data environments, data access bodies and services detailed in the Data Governance Regulation (DGA ) or the European Health Data Space (EHDS) and is sure to inspire future regulations. It is usual to combine external data sources with the information managed by the SME.

Data minimisation, accuracy and purpose limitation

AIA mandates, on the one hand, an assessment of the availability, quantity and adequacy of the required datasets. On the other hand, it requires that the training, validation and test datasets are relevant, sufficiently representative and possess adequate statistical properties. This task is highly relevant to the rights of individuals or groups affected by the system. In addition, they shall, to the greatest extent possible, be error-free and complete in view of their intended purpose. AIA predicates these properties for each dataset individually or for a combination of datasets.

In order to achieve these objectives, it is necessary to ensure that appropriate techniques are deployed:

• Perform appropriate processing operations for data preparation, such as annotation, tagging, cleansing, updating, enrichment and aggregation.
• Make assumptions, in particular with regard to the information that the data are supposed to measure and represent. Or, to put it more colloquially, to define use cases.
• Take into account, to the extent necessary for the intended purpose, the particular characteristics or elements of the specific geographical, contextual, behavioural or functional environment in which the high-risk AI system is intended to be used.

Managing risk: avoiding bias 

In the area of data governance, a key role is attributed to the avoidance of bias where it may lead to risks to the health and safety of individuals, adversely affect fundamental rights or give rise to discrimination prohibited by Union law, in particular where data outputs influence incoming information for future operations. To this end, appropriate measures should be taken to detect, prevent and mitigate possible biases identified.

The AIA exceptionally enables the processing of special categories of personal data provided that they offer adequate safeguards in relation to the fundamental rights and freedoms of natural persons. But it imposes additional conditions:

• the processing of other data, such as synthetic or anonymised data, does not allow effective detection and correction of biases;
• that special categories of personal data are subject to technical limitations concerning the re-use of personal data and to state-of-the-art security and privacy protection measures, including the pseudonymisation;
• that special categories of personal data are subject to measures to ensure that the personal data processed are secured, protected and subject to appropriate safeguards, including strict controls and documentation of access, to prevent misuse and to ensure that only authorised persons have access to such personal data with appropriate confidentiality obligations;
• that special categories of personal data are not transmitted or transferred to third parties and are not otherwise accessible to them;
• that special categories of personal data are deleted once the bias has been corrected or the personal data have reached the end of their retention period, whichever is the earlier;
• that the records of processing activities under Regulations (EU) 2016/679 and (EU) 2018/1725 and Directive (EU) 2016/680 include the reasons why the processing of special categories of personal data was strictly necessary for detecting and correcting bias, and why that purpose could not be achieved by processing other data.

The regulatory provisions are extremely interesting. RGPD, DGA or EHDS are in favour of processing anonymised data. AIA makes an exception in cases where inadequate or low-quality datasets are generated from a bias point of view.

Individual developers, data spaces and intermediary services providing datasets and/or platforms for development must be particularly diligent in defining their security. This provision is consistent with the requirement to have secure processing spaces in EHDS, implies a commitment to certifiable security standards, whether public or private, and advises a re-reading of the seventeenth additional provision on data processing in our Organic Law on Data Protection in the area of pseudonymisation, insofar as it adds ethical and legal guarantees to the strictly technical ones.  Furthermore, the need to ensure adequate traceability of uses is underlined. In addition, it will be necessary to include in the register of processing activities a specific mention of this type of use and its justification.

Apply lessons learned from data protection, by design and by default

Article 10 of AIA requires the documentation of relevant design decisions and the identification of relevant data gaps or deficiencies that prevent compliance with AIA and how to address them. In short, it is not enough to ensure data governance, it is also necessary to provide documentary evidence and to maintain a proactive and vigilant attitude throughout the lifecycle of information systems.

These two obligations form the keystone of the system. And its reading should even be much broader in the legal dimension. Lessons learned from the GDPR teach that there is a dual condition for proactive accountability and the guarantee of fundamental rights. The first is intrinsic and material: the deployment of privacy engineering in the service of data protection by design and by default ensures compliance with the GDPR. The second is contextual: the processing of personal data does not take place in a vacuum, but in a broad and complex context regulated by other sectors of the law.

Data governance operates structurally from the foundation to the vault of AI-based information systems. Ensuring that it exists, is adequate and functional is essential.  This is the understanding of the Spanish Government's Artificial Intelligence Strategy 2024  which seeks to provide the country with the levers to boost our development.

AIA makes a qualitative leap and underlines the functional approach from which data protection principles should be read by stressing the population dimension. This makes it necessary to rethink the conditions under which the GDPR has been complied with in the European Union. There is an urgent need to move away from template-based models that the consultancy company copies and pastes. It is clear that checklists and standardisation are indispensable. However, its effectiveness is highly dependent on fine tuning. And this calls particularly on the professionals who support the fulfilment of this objective to dedicate their best efforts to give deep meaning to the fulfilment of the Artificial Intelligence Regulation.  

You can see a summary of the regulations in the following infographic:

Content prepared by Ricard Martínez, Director of the Chair of Privacy and Digital Transformation. Professor, Department of Constitutional Law, Universitat de València. The contents and points of view reflected in this publication are the sole responsibility of its author.

The European Union has devised a fundamental strategy to ensure accessible and reusable data for research, innovation and entrepreneurship. Strategic decisions have been made both in a regulatory and in a material sense to build spaces for data sharing and to foster the emergence of intermediaries with the capacity to process information.

European policies give rise to a very diverse ecosystem that should be differentiated. On the one hand, there is a deepening of open data reuse policies. On the other hand, the aim is to cover a space that has been inaccessible until now. We are referring to data that, due to the guarantee of the fundamental right to data protection, intellectual property or business secrecy, was inaccessible. Today, anonymization technologies, as well as data intermediation technologies, make it possible to process them with due guarantees. Finally, the aim is to provide resources through the promotion of data spaces, initiatives that propose federative models, such as Gaia X, or the European digital infrastructures (EDIC) promoted by the European Commission and the Digital Innovation Hubs aimed at promoting business and government in this field.  This scenario will boost different types of use in research, invocation and entrepreneurship.

This article focuses on the agreement signed by the National Statistics Institute (INE), the State Tax Administration Agency (AEAT), different Social Security bodies, the State Public Employment Service (SEPE) and the Bank of Spain to boost access to data, which is part of this EU strategy whose principles, rules and conditions must be explained in order to place it in context, underline its importance and understand the implications of the agreement.    

Competing by guaranteeing our rights

The EU competes at a structural disadvantage vis-à-vis the US or the People's Republic of China. On the North American side, the development processes of disruptive technologies in the context of the Internet and, particularly, the deployment of search engines, social networks and mobile applications have favoured the birth of a data broking market in which a few companies have an almost monopolistic power over data. The great champions of the digital world manage information on practically all sectors of activity, thanks to a business model based on the capitalisation or commoditisation of our privacy and their entry into sectors such as health or activity bracelets. Every time a user did a search, sent an email, commented on a social network or dictated a message to a mobile phone, it fuelled that position of dominance and underpinned the development of large language models in artificial intelligence or the deployment of algorithmic tools linked to neuroemotional marketing.

On the Chinese side, there is a closed internet model under state control, with a position of participation and surveillance over the large local multinationals in the sector and a global dominance over 5G network traffic. It is a vigilant state that has become the first power in the deployment of artificial intelligence through video surveillance and facial recognition and has a very clear state policy on the deployment of artificial intelligence (AI), creating advantages to compete in this race.

The EU starts from an apparently disadvantageous position. It is not at all a question of lack of talent or high abilities. Much of the Internet and IT ecosystem has been developed in Europe or by European talent. However, our market has not been able to generate conditions that would allow the emergence of major technological champions capable of supporting the entire value chain, from cloud infrastructures to the availability of large volumes of data that feed this ecosystem. Moreover, the EU adopted an ethical, political and legal commitment to freedoms, equity and democracy. This position, which has operated as a kind of barrier in terms of costs and processes, integrates within it the essential requirements for a democratic, inclusive and liberty-guaranteeing digital transformation.

The Data Governance Act

The legal substratum of data sharing is integrated by a complex modular structure integrating the General Data Protection Regulation (GDPR), the Open Data and Re-use of Public Sector Information Directive, the Data Governance Act (DGA), the Data Act (DA) and, in the immediate future, the artificial Intelligence Act and the European Health Data Space Regulation (EHDS). The rules should facilitate the re-use of data, including those under the scope of data protection, intellectual property and business secrecy. Several factors must operate to make this possible, which are set out below:

1. Data sharing from government should grow exponentially and generate a data market that is currently monopolised by foreign companies.
2. Digital sovereignty in legal terms will also be a growth driver insofar as it defines market rules based on the philosophy of the European Union centred on the guarantee of fundamental rights. This should have an immediate consequence when defining processes aimed at producing safe and reliable products.
3. Digital sovereignty will in turn have important technological consequences. Public data spaces, whether promoted from digital hubs or federations of nodes, such as Gaia X, should make data available to the individual researcher or start-up, including application dashboards and technical support.
4. The result of the regulation is to accelerate and increase the possibilities for freeing and sharing data. The EU and the convention under discussion seek to release data subject to trade secrecy, intellectual property or, in particular, the protection of personal data, in a secure manner through intermediation processes in secure data environments. This matter has occupied, among others, the Spanish Data Protection Agency and the European Cybersecurity Agency (ENISA). This implies a commitment to anonymisation and/or quasi-anonymisation environments through technologies such as differential privacy, homomorphic encryption and homomorphic encryption or multi-party computing.

All of this is based on the guarantee of fundamental rights and the empowerment of people. GDPR, DGA, DA and EHDS should make it possible to achieve the dual objective of creating a European market for the free movement and re-use of protected data. This ensures that individuals and organisations can exercise their rights of control and, at the same time, share these rights, while also encouraging data altruism. Moreover, the GDPR, DGA, EHDS and the artificial Intelligence Act define precise limits through prohibitions on use, regulated access conditions and ethically and legally sound design procedures. With an idea that should be considered central, there is a dimension of public or common interest that, beyond the epic battles of COVID, reaches the small but essential aspirations of the individual researcher, the disruptive entrepreneur, the SME trying to improve its value chain or the Administration innovating processes at the service of people.

Spain commits to the digital transformation of data spaces

The 2025 Plan, the Artificial Intelligence Strategy, the efforts of the Next Generation funds through its Strategic Projects for Economic Recovery and Transformation (PERTES in Spanish), the AI Missions and the Digital Bill of Rights exemplify Spain's alignment and leadership in this field. To make these strategies viable, secure data and process environments are essential. Now, the National Health Data Space has been joined by the agreement between the INE, the AEAT, different Social Security bodies, the SEPE and the Bank of Spain. As its explanatory memorandum states, it constitutes a first and encouraging step towards the deployment of DGA in our country.

They understand not only the scientific and business value of the statistical information they handle, but also the significant growth in demand and need for it. On the other hand, they take on a qualitatively relevant issue: the interest derived from the interconnection of datasets from the point of view of the value they bring. They therefore declare their willingness to maximise the added value of their data by allowing cross-referencing or integration when research is carried out for scientific purposes in the public interest.

The keys to the agreement to provide statistical data to researchers for scientific purposes in the public interest

Some of the questions that may arise with regard to this agreement are answered below.

• How can the data be accessed?

Access to data goes through a cross-information access request that must be individually accepted by each institution. This takes into account certain assessment criteria regarding the nature of the data and the interest of the proposal.

Facilitating this access implies for the signatory institutions an effort of de-identification and cross-checking carried out by each of them directly or through trusted third parties. The result, "depending on the security level of the resulting file", will entail:

• A direct and autonomous access.
• A processing of the data in one of the secure rooms or centres made available by the signatory entities.

Some of the rooms currently available are:

• INE
• Social Security (SS)
• Bank of Spain (BE)

Also noteworthy is the creation of ES_DataLab, which facilitates access to microdata in an environment that guarantees the confidentiality of the information. It allows cross-referencing data from different participating institutions, such as the INE, the AEAT, the Secretary of State for Social Security and Pensions, the Social Security General Treasury (TGSS), the National Social Security Institute (INSS), the Social Marine Institute (ISM), the Social Security IT Management (GISS), the State Public Employment Service and the Bank of Spain.

In implementation of the DGA 's plans, the Single National Information Point" (NSIP), managed by the General Directorate of Data, has been set up, from where citizens, business people or researchers can locate information on protected public sector data. This item is available at datos.gob.es.

• What data is shared?

The volume and typologies of data they handle are truly significant. The press release presenting the agreement stated that it would be possible to access "the microdata bases owned by the INE, the AEAT, the SS and the BE, with the necessary guarantees of security, statistical secrecy, personal data protection and compliance with current legislation. In addition to statistical databases from its surveys, INE may also provide access to administrative registers, both those compiled or coordinated by INE and those under other ownership but which INE uses to compile its statistics (in the latter case consulting all requests for access to the holders of the corresponding registers)".

• Who can access the data?

In order to grant access to the data, the confidentiality regime applicable to the data requested and its legal framework, the social interest of the results to be obtained in the research, the profile, trajectory and scientific publications of the principal investigator and associated researchers or the history of research projects of the entity backing the project, among other aspects, shall be taken into account.

One of the issues envisaged by the DGA in this area consists of establishing economic considerations that ensure the sustainability of the system. In any case, the third clause of the agreement provides for the possibility of receiving financial consideration from applicants for the services of preparing and making available the data contained in the databases owned by them, in accordance with the provisions of statistical legislation (Article 21.3 of the Law 12/1989 of 9 May 1989 on the Public Statistical Function - LFEP) and in the regulations governing each institution.

• What challenges do data access requesters and signatories face?

Regardless of the scientific conditions of the research proposal, it is essential to appeal to the deploying institutions to significantly increase the quality of their data protection and information security compliance processes. But this will not be enough, the deployment of artificial intelligence requires the incorporation of additional processes that we can find in the document of the Conference of Rectors of Spanish Universities CRUE ICT 360º, addressed in 2023 for the assumption of the university. While it is true that the artificial Intelligence Act proposes a scenario of less regulation in basic research, it also requires a high level of ethical deployment. And to do so, it will be essential to apply principles of artificial intelligence ethics, with the model ALTAI (Assessment List for Trustworthy Artificial Intelligence) or an alternative model, and to the Fundamental Rights Impact Analysis (FRAIA). This is without neglecting the high legal requirements for the development of market-oriented systems. Beyond the formal declarations of the Convention, the lessons learned from European projects affirm the need for a procedural framework of evidence-based legal and ethical verification of research projects and the capacities of institutions requesting access to data.

From the point of view of the signatory institutions, in addition to the challenge of the economic sustainability of the model, foreseen and regulated in the agreement, the need for a regulatory investment strategy seems evident. We have no doubt that each data repository and the processes underpinning them have been subject to a data protection impact assessment and security methodologies linked to the National Scheme. Data protection by design and by default or compliance with the recommendations on anonymisation and data space management mentioned above will be further elements considered. This translates into processes, but also into people - chief data officers, data analysts, other mediators such as data protection officers, etc. - together with a high level of security requirements. On the other hand, the duty of transparency vis-à-vis citizens will require efficient channels and a very precise risk management model in the event of a possible mass exercise of a right to object to processing, without prejudice to its feasibility.

Finally, the Spanish Data Protection Agency should approach this process in a proactive and promotional way without renouncing its role as guarantor of fundamental rights, but contributing to the development of functional solutions. This is not just any agreement but an essential test bed for the future of data research in Spain.

In our opinion, the most exciting statement of these institutions consists of understanding the agreement "as the embryo of the future System of access to data for research for scientific purposes of public interest, which must be in accordance with the Spanish and European strategy on data and the legislation on its governance, within a framework of development of public sector data spaces, and respecting in any case the autonomy and the legal regime applicable to the Banco de España".

Content prepared by Ricard Martínez, Director of the Chair of Privacy and Digital Transformation. Professor, Department of Constitutional Law, Universitat de València. The contents and points of view reflected in this publication are the sole responsibility of its author.

Building the European Health Data Space is one of the challenges of our generation. The COVID 19 pandemic put us in front of the mirror and brought back at least two images. The first was none other than the result of the application of formalistic, bureaucratised and old-fashioned models of data management. Second, the enormous potential offered by data sharing, collaboration of interdisciplinary teams and the use of health information for the common good. The European Union is clearly committed to the second strategy. This article examines the challenges of building a National Health Data Space as an instrument to enhance the reuse of health data for secondary uses from a variety of perspectives.

The error of focusing on formalist visions

The data processing and sharing scenario prior to the deployment of the European data strategy and its commitment to data spaces produced not only counter-intuitive, but also counter-factual effects. The framework of the General Data Protection Regulation (GDPR) instead of favouring processing operated as a barrier.  Strict enforcement was chosen, based on the prevalence of privacy. Instead of seeking to manage risk through legal and technical solutions, the decision was made not to process data or to use technically complex anonymisations that are unfeasible in practice.

This model is not sustainable. Technological acceleration forces a shift in the centre of gravity from prohibition to risk management and data governance. And this is what Regulation of the European Parliament and of the Council on the European Health Data Space (EHDS) is committed to: finding solutions and defining guarantees to protect people. And this transformation finds Spain's healthcare sector in an unbeatable situation from any point of view, although it is not without risks.

Spain, a pioneer in the change of approach

Our country did its homework with the seventeenth additional provision on the processing of health data in Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD, in Spanish acronyms). The regulation circumvented most of the problems affecting the secondary use of health data and did so with the methodology derived from the GDPR and the jurisprudence of the Constitutional Court. To this end, he opted for:

• A clear systematisation and normative predetermination of use cases.
• A precise definition of treatment entitlements.
• Procedural, contractual and security guarantees.

The Provision was five years ahead of the EHDS in terms of its aims, objectives and safeguards. Not only that, it puts our healthcare system at a competitive advantage from a legal and material point of view.

From this point of view, the National Health Data Space as the backbone is a project that is as essential as it is unpostponable, as reflected in the National Health System's Digital Health strategy and the Recovery, Transformation and Resilience Plan. However, this assertion cannot be based on uncritical enthusiasm. Much work remains to be done.

Lessons learned and challenges to overcome

European research projects managed by the ecosystem of health foundations at the Carlos Tercero Institute, university and business, provide interesting lessons. In our country we are working on precision medicine, on the construction of data lakes, on mobile applications, on high capacities of pseudonymisation and anonymisation, on medical imaging, on predictive artificial intelligence..., and we could go on. This ecosystem needs a layer of governance innovation. Part of it will be provided directly by the EHDS. Data access bodies, the supervisory authority and cross-border access structures shall ensure the lifecycle from the formation of catalogued and reliable datasets to their actual processing. These governance infrastructures require an organisational and human deployment to support them. Previous experience helps to anticipate the risks that a stress test may pose for the whole value chain:

1. The training of human resources in crucial aspects of data protection, information security and new ethical requirements is not always adequate in terms of format, volume and profile segmentation. Not 100% of the workforce is trained, while voluntary continuing education for health professionals is of a high legal standard, causing an effect that is as counterproductive as it is perverse: curtailing the capacity to innovate. If instead of empowering and engaging, we offer an endless list of GDPR obligations, research staff end up self-censoring their ability to imagine. The content and the training target are confused. High-level training should focus on project managers and technical and legal support staff. And in these, data protection officer plays a vehicular role, as it is the person who must provide non-binary advice - of the legal or non-legal type - and cannot transfer all the responsibility to the research team.
2. Governance of treatment resources and processes needs to be improved. In certain research areas, and universities are the best example of this, information systems are segmented and managed at the smallest project or research team level. These are insufficient resources, with little control over risk management and security monitoring, including support for the management and maintenance of the treatment environment. Moreover, data access procedures are based on rigid models, anchored in the case study or clinical trial. Thus, more often than not, we handle datasets in very specific environments outside the main data processing centres. This multiplies the risk, and the costs, in areas such as data protection impact assessments or the deployment of security measures.

Lack of expertise can pose systemic risks. To begin with, Ethics Committees are confronted with issues of data protection and artificial intelligence ethics that overwhelm their habits, customs and knowledge, and mothball their processes. On the other hand, what we commonly refer to as big data is not something that happens by magic. Pseudonymisation or anonymisation, annotation, enrichment and validation of the dataset and the processes implemented on it require highly skilled professionals. 

Effects of EHDS

We should reflect on whether our leading position in digitisation could also be our Achilles' heel. Few countries have a high degree of digitisation of every level of healthcare, from primary to hospital. Virtually none have regulated the use of pseudonymised data without consent, nor the broad consent model of our LOPDGDD. In this sense, under the umbrella of the EHDS there could be two effects that we need to manage:

• New opportunities in research projects. Firstly, as soon as Spanish health institutions publish their data catalogues at European level, requests for access from other countries could multiply. And, therefore, the opportunities to participate in research projects as information providers, data holders, or as data users.
• Boosting the ecosystem of innovative companies. Moreover, the wide range of secondary uses foreseen by the EHDS will broaden the profile of actors submitting data access requests. This points to the possibility of a unique ecosystem of innovative companies for the deployment of health solutions from wellness to artificial intelligence-assisted medical diagnostics. 

This forces those responsible for the public health system to ask themselves a rather simple question: what level of availability, process capability, security and interoperability can the available information systems offer? Let us not forget that many trans-European research projects, or the deployment of Artificial Intelligence tools in the health sector, are backed by budgets running into millions.  This presents enormous opportunities to deepen the deployment of new models of health service delivery that also feed back into research, innovation and entrepreneurship. But there is also the risk of not being able to take advantage of the available resources due to shortcomings in the design of repositories and their processing capabilities.

What data space model are we pursuing?

The answer to this question can be found very clearly both in the European Union's data space strategy and in the Spanish Government's own strategy. The task that the EHDS attributes to data access bodies, beyond the mere granting of an access permit, is to support and assist in the development of the processing. This requires a National Health Data Space to ensure service level, anonymisation or pseudonymisation standards, interoperability and information security.

In this context, individual researchers in non-health settings, but especially small and medium-sized innovative companies, do not possess the necessary muscle and expertise to meet ethical and regulatory requirements. Therefore, the need to provide them with support in terms of the design of regulatory and ethical compliance models should not be neglected, if they are not to act as a barrier to entry or exclusion. 

This does not exclude or preclude regional efforts, those of foundations or reference hospitals, or nascent data infrastructures in the field of medical imaging of cancer or genomics. It is precisely the idea of a federation of data spaces that inspires European legislation that can bear fruit of the highest quality here. The Ministry of Health and public health departments should move in this direction, with the support of the new Ministry of Digital Transformation and Public Administration. The autonomous communities reflect and act on the development of governable models and participate, together with the Ministry of Health, in the governance model that should govern the national framework. Regulators such as the Spanish Data Protection Agency are providing viable frameworks for the development of data spaces. Entire hospitals design, implement and deploy information systems that seek to integrate hundreds of data sources and generate data lakes for research. Data infrastructures such as EUCAIM lead the way and generate high-quality know-how in highly specialised areas.

The work on the roll-out of a National Health Data Space, and each and every one of the unique initiatives underway, show us a way forward in which the federation of effort, solidarity and data sharing ensure that our privileged position in health digitisation stimulates leadership in research, innovation and digital entrepreneurship. The National Health Data Space will be able to offer differential value to stakeholders. It will provide data quality and volume, support advanced compute-intensive data analytics and AI tools and can provide security in software brokering processes for the processing of pseudonymised data with high requirements.

It is necessary to recall a core value for the European Union: the guarantee of fundamental rights and the human-centred approach. The Charter of Digital Rights promoted by the Spanish government proposes successively the right of access to data for scientific research, innovation and development purposes, as well as the right to the protection of health in the digital environment. The National Health Data Space is called to be the indispensable instrument to achieve a sustainable, inclusive digital health at the service of the common good, which at the same time boosts this dimension of the data economy, promoting research and entrepreneurship in our country. 

Content prepared by Ricard Martínez, Director of the Chair of Privacy and Digital Transformation. Professor, Department of Constitutional Law, Universitat de València. The contents and points of view reflected in this publication are the sole responsibility of its author.

The Council of Ministers approved in February this year the Sustainable Mobility Bill (PL), a commitment to a digital and innovative transport system in which open mobility data will play a key role.

Inaddition to regulating innovative solutions such as on-demand transport, car sharing or temporary use of vehicles, the regulation will encourage the promotion ofopen data by administrations, infrastructure managers and public and private operators. All this, as stated in Chapter III Title V of the Draft Law "will bring enormous benefits to citizens, e.g. for new mobility and their contribution to the European Green Pact".

This Bill is aligned with the European Data Strategy, which has among its objectives to create a single market for data that ensures Europe' s global competitiveness and data sovereignty through the creation of common European data spaces common European data spaces in nine strategic sectors. In particular, it foresees the creation and development of a common European mobility data space to put Europe at the forefront of the development of a smart transport system, including connected cars and other modes of transport. Along these lines, the European Commission presented its Sustainable and Intelligent Mobility Strategywhich includes an action dedicated to innovation, data and artificial intelligence for smarter mobility. Following in Europe's footsteps, Spain has launched this Sustainable Mobility Bill.

In this post we look at the benefits that the use of open data can bring to the sector, the obligations that the PL will place on data, and the next steps in building the Integrated Mobility Data Space.

Benefits of using open data on sustainable mobility

The Ministry of Transport and Sustainable Mobility, in the web section created for the Law, identifies some of the benefits that access to and use of open transport and mobility data can offer both to the business community and to public administrations and citizens in general:

• Encourage the development of applications that enable citizens to make decisions on the planning of their journeys and during the course of their journeys.
• Improve the conditions of service provision and the travel experience .
• Incentivise research, create new developments and businesses from the data generated in the transport and mobility ecosystem.
• Enable public administrations to have a better understanding of the transport and mobility system in order to improve the definition of public policies and the management of the system.
• Encourage the use of this data for other public interest purposes that may arise.

Ensuring access to open mobility data

In order to make good use of these data and thus take advantage of all the benefits they offer, the Draft Law determines a strategy to ensure the availability of open data in the field of transport and mobility. This strategy concerns:

•  transport companies and infrastructure managers, which must drive digitalisation and provide a significant part of the data, with specific characteristics and functionalities.
• administrations and public entities were already obliged to ensure the openness of their data by design, as well as its re-use on the basis of the already existing

In short, the guidelines for re-use already defined in Law 37/2007 for the public sector are respected, and the need to regulate access to this information and the way in which this data is used by third parties, i.e. companies in the sector, is also included.

Integrated Mobility Data Space

In line with the European Data Strategy mentioned at the beginning of the post, the PL determines the obligation to create the Integrated Mobility Data Space (EDIM) under the direction of the Ministry of Transport and Sustainable Mobility, in coordination with the Secretary of State for Digitalisation and Artificial Intelligence. In the EDIM, the aforementioned transport companies, infrastructure managers and administrations will share their data, which will optimise the decision making of all actors when planning the implementation of new infrastructures and the launch of new services. 

The Draft Law defines some characteristics of the Integrated Mobility Data Space such as the modular structure, which will include information in a systematic way on different areas of urban, metropolitan and interurban mobility, both for people and goods.

Specifically, the EDIM, according to Article 14, would collect data "in digital form in a free, non-discriminatory and up-to-date manner" on:

• Supply and demand of the different modes of transport and mobility, information on public transport services and mobility services under the responsibility of the administrations
• Financial situation and costs of providing services for all modes of public transport, investments in transport infrastructure, inventory of transport infrastructure and terminals, conditions and degree of accessibility.
• Other data to be agreed at the Sectoral Conference on Transport.

It identifies examples of this type of data and information on the responsibility for its provision, format, frequency of updating and other characteristics.

As referred to in the CP, the data and information managed by the EDIM will provide an integrated vision to analyse and facilitate mobility management, improving the design of sustainable and efficient solutions, and transparency in the design of public transport and mobility policies. In addition, the Law will promote the creation of a sandbox or test environment to serve as an incubator for innovative mobility projects. The outcome of the tests will allow both the developer and the administration to learn by observing the market in a controlled environment.

National Bimodal Transport Access Point

On the other hand, the Bill also provides for the creation of a National Bimodal Transport Access Point that will collect the information communicated to the Ministry of Transport and Sustainable Mobility in the framework of the priority action "Provision of information services on multimodal journeys throughout the Union" of Directive 2010/40/EU which refers to the transport of goods and/or persons by more than one means of transport.

This information will be freely accessible and will also serve to feed the EDIM in the area related to the characterisation of transport and mobility of persons, as well as the National Catalogue of Public Information maintained by the General State Administration.

The Bill defines that the provision of services to citizens using transport and mobility data from the National Multimodal Transport Access Point must be done in a fair, neutral, impartial, non-discriminatory and transparent manner. It adds that the Ministry of Transport and Sustainable Mobility will propose rules for the use of such data within 12 months after the entry into force of this law.

The Sustainable Mobility Bill is currently in parliamentary procedure, as it has been sent to the Spanish Parliament for urgent processing and approval in 2024.

Between 2 April and 16 May, applications for the call on aid for the digital transformation of strategic productive sectors may be submitted at the electronic headquarters of the Ministry for Digital Transformation and Civil Service. Order TDF/1461/2023, of 29 December, modified by Order TDF/294/2024, regulates grants totalling 150 million euros for the creation of demonstrators and use cases, as part of a more general initiative of Sectoral Data Spaces Program, promoted by the State Secretary for Digitalisation and Artificial Intelligence and framed within the Recovery, Transformation and Resilience Plan (PRTR). The objective is to finance the development of data spaces and the promotion of disruptive innovation in strategic sectors of the economy, in line with the strategic lines set out in the Digital Spain Agenda 2026. 

Lines, sectors and beneficiaries

The current call includes funding lines for experimental development projects in two complementary areas of action: the creation of demonstration centres (development of technological platforms for data spaces); and the promotion of specific use cases of these spaces. This call is addressed to all sectors except tourism, which has its own call. Beneficiaries may be single entities with their own legal personality, tax domicile in the European Union, and an establishment or branch located in Spain. In the case of the line for demonstration centres, they must also be associative or representative of the value chains of the productive sectors in territorial areas, or with scientific or technological domains. 

Infographic-summary

The following infographics show the key information on this call for proposals:

Would you like more information? 

• Access to the grant portal for application proposals in the following link. On the portal you will find the regulatory bases and the call for applications, a summary of its content, documentation and informative material with presentations and videos, as well as a complete list of questions and answers. In the mailbox espaciosdedatos@digital.gob.es you will get help about the call and the application procedure. From this portal you can access the electronic office for the application. 
• Quick guide to the call for proposals in pdf + downloadable Infographics (on the Sectoral Data Program and Technical Information)
• Link to other documents of interest:

  • Action plan for the deployment of data spaces by Data Office.

  • How to evaluate and design 'use cases' for data spaces: guides to ease the way 

• Additional information on the data space concept 

The growing importance of data goes beyond the economic and social spheres at state level to a multinational dimension that raises the challenges, opportunities, threats and uncertainties surrounding the development of the Data Economy to a global scale. In the case of the European Union, the issue has been on the institutional agenda in recent years, as evidenced by the profusion of specific and cross-cutting regulations already adopted or in progress; or the promotion of multilateral initiatives both within the framework of the Union and beyond its borders. In July 2022, this global political dimension took a major qualitative leap forward with the adoption by the EU Council of what it called 'Conclusions on EU Digital Diplomacy'Conclusions on EU Digital Diplomacywhich aimed to set out priority actions to strengthen EU action in international digital affairs.

These conclusions - updated in July 2023 - are, in a way, a milestone in that they give the concept of 'digital diplomacy' a legal status. They recognised, on the one hand, the need for "stronger, strategic, coherent and effective" EU policy and action on digital issues; and detailed, on the other hand, priority actions to respond to that need.         

Three ways to engage with third countries

Under the title 'The European Data Strategy from a multidimensional perspectivethe think tank network PromethEUs1 published in June 2023 an analysis that breaks down the European Data Strategy from two main perspectives: the political and regulatory aspects, and the geopolitical aspects.. The analysis of the latter was prepared by Raquel Jorge Ricart of the Real Instituto Elcano, and explains that the EU has been addressing the way in which its goods, services, assets and personal data relate to third countries through various channels:

The analysis of the latter was carried out by the whose researchers explain that the EU has been addressing how its goods, services, assets and personal data relate to third countries through various channels:

1. The regulatory route, which, as they say, "has been closely followed by most stakeholders". 
2. Through multilateral initiatives, "coalitions of the willing" and international meetings.
3. "Through the importance of digital diplomacy, as a policy area to institutionalise the geopolitics of data, along with other technological challenges". In this sense, the term 'digital diplomacy' is used to bring together in a single 'box' all the initiatives that, independently, would have been carried out to date.

Further information on each of these pathways is provided below.

Regulatory pathway

In relation to the regulatory approach, the main challenge for the EU to deploy the regulatory tool as a geopolitical asset lies, according to the Elcano researchers, in influencing other countries to follow the same approach. "It is not just a matter of imposing standards on those who already interact with the EU, but of encouraging others to do the same with theirs," they say. Likewise, they add, "another challenge for the geopolitical instrumentalisation of these regulations is to understand that geopolitical strategies must vary according to the country and the type of technology company", as they may have different geopolitical approaches.

But, the authors conclude, regulation, while important, is not the only approach on which the EU should build its data geopolitics. The other two approaches are as important as they are strategic.

Multilateral initiatives

With regard to international forums for dialogue, the following stand out:

• Those maintained through institutionalised and long-standing organisations and spaces, e.g. G7, UN, OECD, etc.
•  More recently established issue-specific coalitions, such as the Quadrilateral Security Dialogue (involving the US, Australia, India and Japan), Digital Economy Partnership Agreement (with Chile, New Zealand and Singapore) or the proposed Data Free Flow with Trust DFFT-2019 (driven by Japan).

Digital diplomacy

Regarding the third approach - the promotion of digital diplomacy - Elcano analysts highlight as positive the various regional technological partnership initiatives that the EU has deployed in recent years, and stress that already in 2019 'the EU began to see technology through the lens of ethics' and as a political and geopolitical issue. In this respect, they underline that the Conclusions of the European Council on Digital Diplomacy (July 2022) are the starting point "with which the EU institutionalised all aspects related to the external agenda in third countries and digital policy as a unique aspect of EU foreign policy". And that is why the goal of digital diplomacy deployed by the EU through its External Action Service is none other than to "secure the EU's global role in the digital world, protect its strategic interests and promote its dynamic and people-centred regulatory framework for an inclusive digital transformation".

The latter is, moreover, a crucial factor, as revealed by the priority actions set out at the initial European Council meeting in July 2022, revised in july 2023. The EU, says the Council, must promote a human rights-based and people-centred digital transformation, which translates, for example, into:

• Regular and thorough" human rights due diligence practices and human rights impact assessments.
• Pay special attention to the protection of the rights of vulnerable or marginalised people.
• Bridging the gender digital divide.
• Promote an open, free, neutral, global, interoperable, reliable and secure Internet.

The Spanish Charter of Digital Rightslaunched in July 2021, and the European Declaration on Digital Rights and Principles for the Digital Decadeare a clear example of the vocation with which the European Union wants to provide itself with an internal or domestic reference, while establishing a shared framework for its action in the field of digital diplomacy.

The EU's challenges

In any case, from the analysis of the different actions established by the EU in this area, the Elcano Institute's researchers identify three major challenges:

1. How to address the role of member states in EU data geopolitics, as most foreign and security policy provisions depend on the unanimity of all 27 countries, and this "may make it difficult for certain activities related to data governance to be approved".
2. How to partner with developing countries "or, particularly, with non-aligned countries", a concept that could be undergoing some revitalisation and which, they argue, "should be an area for further work". The global Gateway initiative would be in this area and, in fact, is one of those that the EU wants to promote by also broadening private sector participation.
3. How to "pay attention to certain technologies that are still underdeveloped, notyetwidely commercialised or not yet deployed, but which could generate a great deal of competition between countries".

In short, the development of digital diplomacy is already a crucial vector in the development of the Data Economy and, in fact, the EU Council will return to this issue before the summer of 2024, two years after the issuing of the Conclusions and one year since the first review. Indeed, until then, the Council "invites the High Representative, the Commission and Member States to assess progress on a regular basis and to continue to report regularly to the Council on the implementation of digital diplomacy". To take its diplomacy to the next level, they stress, "the EU must act with a Team Europe approach - that is, EU institutions and EU member states, together with other partner actors - jointly protecting its strategic interests and promoting its people-centred approach to the digital transition".

Economic security

The aforementioned link between digital diplomacy, the Union's strategic interests and the Data Economy underlies the European Economic Security Strategy a joint communication adopted by the Commission and the High Representative on 20 June 2023.  The strategy is based on a three-pillar approach:

• Promoting the EU's economic base and competitiveness
• Protection against risks
• Partnering with as many countries as possible to address common concerns and interests.

Fostering (competitiveness); preserving (economic security); and cooperating (with each other and with others) are the vectors that the Strategy defines to address the four risks it identifies. Namely:

1. Risks related to the resilience of supply chains.
2. Risks to the physical and cyber security of critical infrastructures.
3. Risks related to technology security and technology leaks.
4. Risks of economic dependencies being used as a weapon or economic coercion.

As a first follow-up to the Strategy, the Commission adopted on 3 October 2023 a Recommendation on critical technology areas for EU economic security, identifying ten critical technology areas, four of which are identified as "highly likely": advanced semiconductors, artificial intelligence, quantum technologies and biotechnologies.

In order to make immediate risk assessments on these areas, the Commission will deploy an intensive dialogue with Member States with results expected by spring 2024. A dialogue in which the Data Economy, with an increasingly relevant weight in European productive ecosystems, will be omnipresent. And Spain, as an international hub and secure destination for information flows and data storage, should pay special attention to aspects such as guaranteeing the correct integration of the different data infrastructures; guaranteeing interoperability between the different actors; and reinforcing its cybersecurity, especially in view of the vulnerability of the supply chain and the need to guarantee effective competition and diversity of suppliers.

A data space is the place where value is generated around data through voluntary sharing in an environment of sovereignty, trust and security. The data space enables you to determine who accesses what data and under what conditions, thus facilitating the deployment of different use cases to meet different business needs. The data space functions as an open and heterogeneous environment of providers and consumers of data products, with no dominant players and no disproportionate barriers to entry and exit.

The data space is the place for sustainable value generation around data, a catalyst for innovation and business growth, allowing to identify market opportunities, anticipate trends, make better informed decisions, increase operational efficiency, develop transformative products and services or personalise customer experiences.

Within the concept of data space, and beyond a bilateral exchange of information, there is room for both centralised environments of information aggregation and generation of value-added services, with or without financial compensation, and more innovative data sharing environments (typically federated and distributed). The former can be seen as fundamental building blocks for the latter, and in any case, full interoperability of the deployed solutions and their future scalability should be sought.

The data space is the ideal scenario for deploying a variety of advanced technologies to efficiently explore data sets and turn them into information. This creates an environment conducive to innovation and process optimisation, resulting in a landscape in which information becomes a strategic resource for growth and informed decision-making. The data space enables the use of advanced analytics tools (business intelligence, big data, machine learning, deep learning, etc.), generative algorithms (LLM, GPT), process automation (RPA), and/or advanced data preservation techniques (DLTs).

In practice, a data provider (formally incorporated in the corresponding data space) will make its data products accessible through a catalogue, managed according to the indications of the data space promoter. When a participant wishes to access a product, it will look for the availability of such information, studying its conditions of access and use, as well as the appropriateness of its semantics and vocabulary. If the characteristics detailed in the catalogue meet his/her expectations, he/she will establish the appropriate negotiation and proceed to establish an effective transfer between supplier and consumer, in accordance with the technical conditions set out in the catalogue.

What does the data space offer to each type of participant?

There are four types of participants in a data space:

1)    Data space promoter:

It is the driver of the sharing and operating environment, and will therefore be responsible for its governance and management (and may delegate some operational parts). It will therefore be the guarantor of the generation of community around the data space, articulating different business models and seeking and attracting new participants, thus dynamising innovation and the development of new value-added services.

Different business models can be generated within the data space. These include:

• Monetisation of data on a bilateral basis.
• Markets as a meeting point between suppliers and consumers.
• The marketing of software products or services for data analysis and exploitation.
• The facilitation of technological solutions to mediate the identification of participants or the exchange between them.
• The development of industrial platforms integrating the value chain.
• Making data openly available altruistically.

2) Providers of data sets and services:

They offer  data products (both sets and services) within the contours of rights and obligations defined by the data space developer .

Thanks to cybersecurity and the sovereignty capabilities it provides, the barriers and risks associated with sharing are lowered, thus facilitating the generation of value and the return on the investment involved in making resources available. Moreover, the technological uncertainties linked to the deployment of innovative business models are partially mitigated by the use of standard frameworks and solutions (provided by the technology specifier and the technology provider, respectively).

Providers of data sets and services can opt for different revenue generation models, such as:

• Provide free access to the data, thus seeking to generate a high volume of traffic to attract sponsors or advertisers.
• Deploy a type of freemiun access free of charge for specific data and services, but at a cost for specific or higher quality services and data.
• Establish temporary or continuous licensing agreements.
• Define dynamic costing systems linked to timely demand or complexity of access
• Deploy a collaborative sharing system where access to other people's data is linked to sharing one's own data ( quid-pro-quomodel).

3) Consumers of data sets and services:

They consume data products within the contours of rights and obligations defined by the data space developer.

It allows them to benefit by incorporating the value of third-party data (from different suppliers) into their system by consolidating or combining it with their own data. The information and knowledge generated from this shared data makes it possible to solve business problems that would be unmanageable on an individual basis, adding value to the business itself.

The value proposition of the data consumer can go through:

• Acting on one's own behalf, for personal consumption and profit.
• Acting as a data broker, connecting organisations with fewer resources or maturity, and thus offering trust.
• It plays the role of a reuser, which is able to generate value-added services on the data space by reworking the information provided.

Precisely in the sense of risk mitigation and confidence building, the use of standard solutions (provided by the technology provider of the data space, which we will see below) serves to ensure service levels(business continuity) and the reduction of technological risks, as well as to avoid registration on multiple platforms or the management of complex and diverse authorisation and access processes.

4) Technology provider:

It is in charge of integrating and operating the technical solution that enables the deployment of the data space infrastructure (on behalf of, under the governance and management of the developer). This provider will carry out the development, configuration and parameterisation to implement the technical solution to deploy the data space, practically as a service ready for consumption. For this purpose, a basic physical infrastructure will be used, on top of which technological components will be added to enable adequate management of participants' identities, as well as all other functionalities that characterise the data space in question (and which will typically follow a reference architecture).

The provider will therefore make precise use of different enabling technologies for the governance and management of the data space, from the deployment of privacy-enhancing technologies to ensure the proper treatment of protected information, to tools to automate contractual compliance and guarantee sovereignty.

It is important to note that this figure of the "data space technology provider" does not coincide with that of the data technology service provider within the already operational data space itself. The former deploys and operates the technologies necessary to shape the ecosystem, within which the latter operates, offering ad-hoc solutions (which could in any case include the former organisation, as permitted by the competition regulations of the sector in which the data space operates, as well as its specific governance).

Data has become the great transforming power of society. Beyond the more mercantilist view, its capacity to generate knowledge, drive innovation and empower individuals and communities is undeniable. Indeed, it is a resource with which to address, from an innovative perspective, major environmental, social and health challenges, enabling collaboration between actors, driving innovation and improving accountability.

Following European guidelines such as the European Data Strategy, the challenge now is to promote the circulation of data for the benefit of all, by pooling data in key sectors with the creation of  common and interoperabledata spaces. A data space is an ecosystem where the voluntary sharing of its participants' data takes place within an environment of sovereignty, trust and security, established through integrated governance, organisational, regulatory and technical mechanisms. Data spaces are key to the development of the data economy, enabling access, exchange and legitimate re-use, positioning data as a non-rivalrous resource, whose utility grows as its use becomes more widespread, in a clear example of the network effect.

What are the Coordinated Support Actions (CSA)?

In order to foster the development of data spaces, the European Commission's Digital Europe Programme (DIGITAL) is funding a series of Coordinated Support Actions (CSA) to foster their development. Most of these actions have a funding of around one million euros per project and a duration of approximately one year, with an expected completion date in the fourth quarter of 2023. Their results should contribute to the objectives of the DIGITAL programme, which aims to bridge the gap between research and deployment of digital technologies, and to facilitate the transfer of research results to the market, to the benefit of European citizens and businesses, especially small and medium-sized ones.

Each concrete action focuses on a particular sector of economic activity seeking, based on a mapping of the data landscape of each sector concerned, to contact and connect relevant stakeholders, seeking to collaboratively develop a shared strategic roadmap. This shared roadmap ultimately aims to eventually build up the corresponding sectoral data spacesin subsequent phases. During the process, clear objectives and key results are defined to inspire, support and motivate all stakeholders to contribute and use high quality sectoral data as a basis for innovation and value generation.

In order to carry out this roadmap, a comprehensive inventory of existing platforms that already share relevant data has been drawn up. In addition, each CSA project has focused, through different working groups and stakeholder workshops, on developing recommendations on governance models for data spaces and digital business models for their sector. The aim is to identify key success factors and outline how a data space can create value and benefits not only for the sector in question but also for other sectors with which it is interlinked. In addition, plans to address the technical and organisational challenges that drive the use of interoperability standards are made in the different projects in close collaboration with the Data Spatial Support Centre (DSSC) in order to align with the European Technological Framework for Data Spaces.

Where can I find up-to-date information on CSAs?

Concrete information on the state of play of the different coordination and support actions can be found on their websites through the following links:

	DATES (Tourism)
	Tourism Data Space (Tourism)
	DS4SKills (Skills)
	PrepDSpace4Mobility (Mobility)
	AgriDataSpace (Agri-food)
	Great (Environmental)
	DataSp4ce (Industrial)
	DS4SSCC (Smarts Cities)

The outcome of these coordinated support actions will provide the information and the basis for the correct execution of the projects for the development and implementation (\"deployments\") of the Common European Data Spaces, which will be supported by different European programmes. This will catalyse the creation of a single data market, based on reliable and quality data, which will enable the digitisation of industries' value chains. Moreover, its effective development will support the European Union's objectives of achieving a green transition and a digital transformation, and of strengthening its resilience and strategic autonomy.

Building Europe's digital infrastructure of tomorrow

As a global technology race unfolds, Europe is deploying the regulatory framework and investments needed to foster innovation and technological leadership in areas such as online platforms, artificial intelligence, data, cloud, quantum technologies and virtual worlds. In today's rapidly changing economic context, a state-of-the-art telecommunications infrastructure is a key pillar for growth, innovation and job creation.

For this technological revolution to succeed, says EC Internal Market Commissioner Thierry Breton, it must be ensured that European networks are up to the task in terms of transmission speed, storage capacity, computing power and interoperability. To this end, it will seek to promote a Digital Networks Act that will serve to redefine the DNA of Europe's telecommunications sector.

Exploratory consultation on the future of the electronic communications sector and its infrastructure

From 23 February to 19 May 2023, the European Commission conducted an exploratory consultation on the future of the electronic communications sector and its infrastructure. The aim was to gather views from different stakeholders, in particular on the technological and market changes affecting the sector, as well as the types of infrastructure and investments that Europe is expected to need to lead the digital transformation in the coming years. The consultation was divided into four areas: (i) technological and market developments, (ii) fairness for consumers, (iii) barriers to the single market and (iv) fair contribution of all digital actors.

The Commission received close to 500 responses to the consultation from different interest groups such as companies (including network providers as well as large traffic generators), business associations, citizens, non-governmental organisations, academic institutions, consumer organisations and trade unions, as well as comments from public authorities. Most of the responses came from the EU, although there were also participants from other invited countries such as the United States and the United Kingdom.

From the exploratory consultation on the future of the electronic communications sector and its infrastructure, the following conclusions can be drawn:

• The need for innovation and efficient investment in technologies such as network virtualisation, artificial intelligence, open networks and perimeter cloud (in that order of importance), recognising that these will have a substantial impact on the sector in the coming years by driving cost reductions. Network virtualisation is expected to be the technology with the greatest impact by enabling greater flexibility and improved network efficiency, offering a great opportunity to develop new business models. In terms of investment, most respondents expect that a significant part of their annual revenues in the coming years (up to 50% of revenues) will have to be spent on investments in connectivity infrastructure and replacement of devices from providers considered high risk. Public funding is seen as crucial, but questions remain as to whether it will be enough and how to attract more private investment.
• The second conclusion, relating to consumer equity, is that the majority of respondents indicate that overall broadband access prices will decrease in the coming years, although there is more discrepancy when considering high transmission speeds. There is also no consensus among respondents on the effectiveness/efficiency of the Universal Service Obligation rules to protect consumers with special needs, and there is also disagreement on whether it should continue to be financed by the public budget or by network providers.
• It also points to the importance of harnessing the single market to drive investment and innovation, cooperating on key technology developments, and standardising technologies and platform building, so as to support the deployment of initiatives based on federated, interoperable and open source models. The majority of responses indicate that streamlining and simplifying regulation by harmonising best practices at EUlevel would serve to reduce administrative burdens, supply chain and/or regulatory costs, thereby increasing efficiency and speed of infrastructure deployment.
• The fourth conclusion focuses on the need to protect EU networks. In an interconnected world with growing geopolitical tensions, security is critical. Despite advances in the security of 5G networks, gaps remain in the protection of network infrastructure. A more coordinated European approach, especially with regard to further integration of radio spectrum, and with a better aligned auction model and licensing conditions between regions, could improve coverage in border areas and strengthen the EU against harmful external interference.
• Finally, as regards the contribution of digital players to network roll-out, several telco providers anticipate a negative outlook for the next 5 years, driven by the continued fall in unit prices (in terms of EUR/Mbps), which offset the potential revenues from increased data traffic and, therefore, to the detriment of the investments needed to support such traffic. More than half of the respondents answered in the affirmative on the question of whether large digital players should contribute in a fair and proportionate way to the costs of public goods, services and infrastructure, and on the potential introduction of a mandatory mechanism for direct payments from content application providers.

The role of communications networks in the development of data spaces

The data spaces are ecosystems from which to realise the voluntary sharing of data among their participants, based on the creation of an environment of sovereignty, trust and cybersecurity. In contrast to traditional monolithic models, data spaces are virtual, federated environmentsand are therefore established through integrated governance, organisational, regulatory and technical mechanisms.

Data spaces ensure that a large amount of data and algorithms are available for use in the economy and society, while the companies, organisations and individuals that generate these resources retain control over them. As such, these data sets and algorithms will aspire to maintain their residence in the computer systems of their respective owners, connecting with others on an ad hoc basis according to precise needs, which is why data spaces require a renewed infrastructure of communication networks. Based on 5G (or even 6G) technology, data transmission with lower latency and higher capacity is enabled, and also drives the development of edge computing solutions (edge computing), which allow added flexibility for the emerging European Data Economy.

Likewise, operators, through initiatives such as Open Gateway, will also be able to transform their telecommunication networks into value-added platforms, making their capabilities more flexible and available through standardised APIs, with which to develop new applications and digital solutions of greater complexity and scope. Such developments may encourage the participation, collaboration and interoperability of the different actors in the data spaces, with telecommunications operators also playing an important role as facilitators, not only in the development of use cases, but also in the implementation and operation of these use cases.