Proposal for a Regulation on European Data Governance – a Tool to Reinforce the Single Market for Data
In February 2020, the European Commission (Commission) released its communication Shaping Europe’s Digital Future that aims at facilitating the digital transformation by promoting technology that works for people, a fair and competitive economy and an open, democratic and sustainable society. More information on the main approaches and forthcoming initiatives can be found in our previous blog.
Data is at the center of this digital transformation as recognized by the Commission in its European Strategy for Data. Data is indeed an essential resource for competitiveness, job creation and economic growth. However, access to data and data sharing face numerous challenges, ranging from privacy and consumer protection to confidentiality and security. Also, data-driven innovation may bring various benefits for the public interest, for instance the sharing of health data might be beneficial as seen, to some extent, in the management of the COVID-19 pandemic.
With a view to develop several data spaces, including the European Health Data Space (on which the European Data Protection Supervisor released a 17 November 2020 Preliminary Opinion), the Commission proposes an enabling framework in the form of a draft Regulation on European data governance (also qualified as Data Governance Act or DGA Proposal). This EU-wide governance framework aims at preventing the fragmentation of the data market and at providing the relevant horizontal measures for the European data spaces. It must be distinguished from the Digital Services Act (DSA), which will address issues relating to the market power of big online platforms, resulting, among others, from their control of large amounts of data. The DGA Proposal aims at improving data governance across the common European data spaces, it does not aim to change the substantive rights on who can access and use what data under which conditions. This last issue could be addressed in the already announced 2021 Data Act.
The DSA, to be released before the end of 2020, is probably a piece of legislation that will have more far-reaching consequences on the online ecosystem than the DGA. The DSA should provide tools to catch up with recent developments in the digital environment, including ex-ante rules for online platforms acting as ‘gatekeepers’ to ensure that markets stay open and fair. We follow up the developments closely and will be back once the draft DSA is released.
The Data Governance Act Proposal in a nutshell
The DGA Proposal aims “to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data sharing mechanisms across the EU”. Therefore it creates (i) a mechanism for re-use of public sector data, (ii) a framework for data sharing service providers, i.e. the data brokers, and (iii) a framework for voluntary registration of entities which collect and process data for what is called “data altruism”, i. e. the making available by individuals or private entities of their (personal) data for purposes of public interest. Whether the DGA will incentivize more EU businesses to engage in data sharing activities remains to be seen; at least the requirements for the data intermediaries to be established in the EU/EEA aim at forcing the large non-EU companies active as data brokers to localize (part of) their activities in the EU.
The DGA would complement the Directive on open data and the re-use of public sector information (Open Data Directive), given that it addresses, among others, data held by public sector bodies that are not publicly accessible and falls outside the scope of the latter directive. Otherwise, the DGA Proposal preserves the existing framework for controlling data and for supporting data sharing. For instance, the instrument for enhancing the re-use of public sector data (Title II) and the other provisions of the DGA are subject to the condition that the rights of others are respected, for example the rights granted by the GDPR, intellectual property rights legislations or trade secret protection (Article 28).
To enhance the availability of data in the EU, the DGA defines a notification and supervisory framework for data sharing businesses addressing business users (B2B) or citizens/data subjects (B2C) and a voluntary certification framework for the not-for-profit organizations collecting data based on data altruism.
This proposal also calls for the creation of the European Data Innovation Board, an expert group composed of the representatives of the Member States, the Commission and relevant data spaces and specific sectors. This Board will advise and assist the Commission in order to facilitate, among others, the emergence of consistent practice in data sharing, the definition of cross-sector standards for data use and the interoperability of data.
1.Definition of the conditions for the re-use of data held by public sector bodies
While open data are subject to the Open Data Directive, the draft DGA only applies to the data held by public sector bodies that are protected because of confidentiality, intellectual property or personal data protection. The DGA Proposal defines the re-use as the use by natural or legal persons of data for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced.
The DGA determines the set of basic conditions under which data re-use shall be permitted. It stipulates that the individual public sector bodies (which allow this type of re-use) need to be adequately technically equipped to ensure that privacy and confidentiality are fully preserved.
Article 4 of the DGA Proposal contains a prohibition of agreements or other practices regarding the re-use of data held by public sector bodies which (i) grant exclusive rights or (ii) have as object or effect granting such exclusive rights or (iii) restricting the availability for the re-use of data to other entities than the parties to such agreements.
The DGA Proposal also stipulates that the conditions for re-use shall be non-discriminatory, proportionate and objectively justified, and they shall not restrict competition.
Public sector bodies may impose an obligation to re-use only pre-processed data, with the aim to anonymize or pseudonymise personal data or delete commercially confidential information. Also, if data is considered confidential, public sector bodies should ensure that the confidential information is not disclosed as a result of the re-use.
In the event that personal data are transmitted without the legal basis under GDPR, the public sector bodies should support re-users in seeking consent of the data subjects and potentially affected legal entities (if this does not cause disproportionate cost for the public sector). Member States shall designate competent bodies to support the public sector bodies in exercising their tasks.
If commercially sensitive non-personal data and non-personal data representing content protected by intellectual property rights are transferred to third-countries, which are not declared to provide an essentially equivalent level of protection by the Commission’s implementing acts, the public sector bodies should only transmit these data to a re-user if he/she undertakes certain obligations (e.g. committing to comply with the obligations laid out in DGA even after the data has been transferred to the third country and accepting the jurisdiction of the Member State of the public sector body that allowed the re-use). Even stricter conditions may be attached if highly sensitive non-personal data are transferred to third countries and if such transfer could jeopardize public policy objectives. Those additional rules dealing with the data transfers to third countries in case of re-use of public sector data were added to the earlier leaked draft. This indicates that the issue of where the data can be transferred or collected was hotly discussed between the Commission’s services.
2.A notification requirement for companies wanting to provide data sharing services
The DGA Proposal defines a notification framework that applies to the provision of the services aimed at supporting various intermediation services, called data sharing services. Several requirements apply to (i) intermediation services aiming at facilitating data sharing through platforms or other means, for instance within the industrial data spaces, (ii) intermediation services facilitating the exercise of the GDPR rights, such as the right to portability, and contributing to the personal data spaces, and (iii) data cooperatives services, i.e. services enabling data subjects or micro, small and medium-sized enterprises to collectively exercise their rights.
A data user is defined as a person who has lawful access to certain data and is authorized to use that data for commercial or non-commercial purposes.
The DGA imposes numerous requirements for data sharing service providers, for instance the provider shall structurally separate its data intermediation services from any other value-added services it may provide, it shall have procedures in place to prevent fraudulent or abusive practices in relation to access to data from parties seeking access through their services, it shall ensure reasonable continuity of the provision of its services, etc.
The provider of data sharing services must notify its intent to undertake one of the activities to a competent authority in the Member State of its main establishment, and this authority will, within one week, issue a standardized declaration that the data broker has submitted the notification. A provider that is not established in the Union, but offers the services within the Union, has to appoint a legal representative in one of the Member States in which those services are offered. Each Member State should designate the competent authority empowered to request information from providers of data sharing services and, if the provider fails to comply with the requirements, the authority should be able to require the cessation of the breach and take appropriate measures to ensure compliance. The condition that the data intermediaries be established in the EU/EEA that has been criticized when the leaked draft circulated was removed from the DGA Proposal made public on November 25, 2020.
3.A voluntary certification framework for the collection and processing of data made available for altruistic purposes by individuals or undertakings
The DGA also aims at promoting data altruism, when individuals or companies voluntary make data available for the common good, e.g. improving healthcare, combating climate change, contributing to scientific research, etc. The DGA Proposal establishes a framework to enable entities to register as a “data altruism organization recognized in the Union” and to protect the individuals and companies that provide the data. To bring additional legal certainty, a European data altruism consent form is suggested.
The entities wishing to register as data altruism organization must (i) be a legal entity constituted to meet objectives of general interest, (ii) operate on a not-for-profit basis and be independent from any entity that operates on a for-profit basis and (iii) perform the activities related to data altruism through a legally independent structure, separate from other activities it has undertaken.
Once the entity has submitted all necessary information and the competent authority considers that the requirements are met, it shall register the entity in the national register and inform the Commission to include it in the Union register of recognized data altruism organizations. If an entity is not established in the Union, but meets the requirements, it should appoint a legal representative in one of the Member States where it intends to collect data based on data altruism.
Besides, specific requirements to safeguard rights and interests of data subjects and legal entities as regards their data are set up. Namely, registered data altruism organization needs to inform data holders about the purposes of general interest for which it permits the processing of their data by a data user in an understandable manner, as well as about any processing outside the Union. Additionally, such an organization must ensure that the data is not used for other purposes than those of general interest for which it permits the processing.
The DGA Proposal is the first of a set of measures announced in the European Strategy for Data. The explanatory document accompanying this proposal emphasizes that businesses often need data from across several Member States to provide EU-wide products and services. Also data-based products and services developed in one Member State may need to be customized to the preferences of users in another country. For these reasons, a harmonized legislative environment is crucial to enable data to flow easily across the EU. Creating a single market for data would ensure that access and use of data from the public sector to businesses (G2B) or between businesses (B2B) are conducted effectively and responsibly.