The European Commission published on November 25, 2020 a proposal for a Regulation on European Data Governance, also dubbed the Data Governance Act. It is one of several incoming pieces of legislation proposed at the EU level (including the Digital Services Act, expected in early December) in order to accomplish the European Strategy for Data, adopted in February 2020, and create an EU single market for data.
The Data Governance Act will introduce:
- Rules for making public sector data available for reuse, in situations where such data is subject to rights of others (like intellectual property or data protection rights)
- A framework allowing companies to share industrial data in common data lakes, called European Data Spaces
- Rules for data brokers, called "data sharing providers," including a notification regime and the obligation to remain neutral as to the data exchanged
- The concept of "data altruism," allowing people to share data for the common good
The bill still needs to be approved by both the European Parliament and the Council of the European Union.
The aim of the Data Governance Act
According to the European Commission, the DGA "aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data sharing mechanisms across the EU." With this, the commission hopes to facilitate the creation of new products and services offered in the EU, which rely on the use of big data analytics and machine learning. Furthermore, the DGA should also contribute towards EU innovation and scientific development projects being done in a more coordinated and unified manner.
If adopted, the DGA will provide for a legal recourse for companies to access new, and until now restricted, public sector data, improve trust in the sharing of industrial data between companies by introducing a framework for the operation of data intermediaries and data brokers, and establish a way for individuals to share their data for altruistic purposes.
The DGA will not, however, be a way to circumvent any existing rules related to the processing and sharing of data (both personal and nonpersonal). Thus, the DGA will need to be applied in a way that respects the General Data Protection Regulation, national laws stemming from the ePrivacy Directive, sector-specific guidance (i.e., in healthcare, automotive, telecoms, etc.), the Open Data Directive and any other data-governing rules.
Accessing public sector data
Currently, public authorities are gathering and holding vast amounts of data, which has great commercial potential. The authorities themselves are restricted from utilizing this data beyond their public service duties, but at the same time, they are often prevented from sharing this data due to those same rules.
The DGA will open up several categories of public sector data, which companies will be able to reuse for either commercial or noncommercial purposes. Specifically, the DGA will apply to data held by public sector bodies, which would normally be restricted or otherwise unavailable due to:
- Commercial or statistical confidentiality
- Intellectual property rights interests
- Rules on personal data protection
The DGA will not create a right as such for companies to access public sector data but will oblige EU Member States to put in place national rules, which regulate the conditions for access. The DGA will, however, lay down certain ground rules that national rules regulating the reuse of this data will need to follow. For example, it will require that all conditions for reuse be nondiscriminatory, proportionate and objectively justified and that they do not restrict competition. Furthermore, if the data in question is deemed to be highly sensitive, additional rules for transferring such data to third countries will apply, which shall be specified by the commission.
One additional point of interest is that the DGA will generally prohibit exclusive arrangements, which grant the right to reuse public sector data only to certain entities. Exceptionally, such arrangements could be allowed, following established public procurement rules, if the arrangement is aimed at providing a service in the public interest.
Data intermediaries and data brokers - more trust in data sharing and new market opportunities
It is clear that the data available today can be used to create amazing new products and services, but it can only happen if sufficiently large amounts of data can be used effectively and freely by everyone. Right now, however, the problem lies in the fact that companies generating data do not see any benefits in sharing their data with competitors. In fact, they even fear that by sharing their data, a competitor will find ways to monetize the data, thus gaining a competitive edge in the market.
To solve this issue and improve trust among companies to share their industrial data with one another, the DGA will introduce rules for the operation of neutral data intermediaries and data brokers (officially called "data sharing services"). Specifically, the DGA will establish a notification framework for companies wanting to provide the following data sharing services:
- Intermediation services between data holders and data users, which would include the creation of platforms or databases enabling the exchange or joint exploitation of data (industry data spaces)
- Intermediation services between data subjects that seek to make their personal data available and potential data users (personal data spaces)
- Data cooperative services that support individuals or SMEs to negotiate terms and conditions for data processing before they consent, in making informed choices before consenting to data processing, and allowing for mechanisms to exchange views on data processing purposes and conditions that would best represent the interests of data subjects or legal persons
The DGA lays down several requirements for companies wanting to provide data sharing services. The most notable of these include:
- Notifying the relevant EU Member State authority of its intention to provide such services (where such notification automatically grants the right to start offering the intended services in all of the EU)
- Appointing a legal representative in one of the EU countries, if the company is not established within the EU
- Prohibition to use the data for which it provides services for other purposes, including the obligation to use metadata collected from the provision of the data sharing service only for the development of that service (i.e., a de facto prohibition to monetize data)
- Structurally separating its other business activities from the data sharing service
- Having in place adequate safeguards in the form of different technical, organizational and legal measures
- Fiduciary duty towards data subjects to act in their best interests
Data altruism - donating data for a greater cause
Another form of data sharing established by the DGA will be data altruism. Essentially, this will allow companies to gather data (both personal and nonpersonal) from individuals for projects of general public interest.
In order to be able to collect data for altruistic purposes, a company will need to be 1) constituted to meet objectives of general interest, 2) operate on a not-for-profit basis and be independent from any entity that operates on a for-profit basis, and 3) ensure the activities related to data altruism take place through a legally independent structure, separate from other activities it has undertaken. Moreover, a company meeting these conditions will also need to register as a data altruism organization in one of the EU Member States. Finally, companies not registered within the EU will also have to appoint a legal representative in one EU country.
The DGA also lays down several other provisions, which are mostly aimed at EU Member State authorities, and addresses their cooperation with each other and the companies, who will be seeking access to the industrial data, as well as various procedural issues. Most notably, the DGA will call for a creation of the European Data Innovation Board, which will be tasked with ensuring a consistent approach among all EU Member States in how to apply the DGA and will be composed of competent authorities of all the Member States, the European Data Protection Board, the European Commission, relevant data spaces and other representatives of competent authorities in specific sectors.
Key takeaways and timeline
The EU Commission projects that industrial data will continue to increase rapidly. The DGA is the next step forward in grasping the full potential of such data, especially in terms of the new and potential products and services it can bring.
At the outset, companies should remember that the DGA will not create any new obligations on their existing business practices, and competitors will not be able to rely on the DGA to demand the disclosure of a company's trade secrets or other valuable data. Rather, the DGA will provide for new opportunities in getting access to new data pools, both from public sector bodies, as well as through the voluntary sharing of data between companies and individuals for commercial and noncommercial purposes.
For example, companies in the automotive sector working on connected or self-driving car projects generate enormous amounts of industrial data. There is nothing in the DGA that will force these companies to disclose the generated data. However, these companies might want to share some data on a voluntary basis, if there would be a data pool for the automotive industry, which could then be utilized by those same companies for their big data and machine learning projects and to improve the accuracy and objectivity of the underlying algorithms. Accordingly, having a data intermediary, which sets up an automotive data space where data can be shared in a way that does not put at risk trade secrets or result in an unfair market situation, will sound appealing to many companies.
Finally, companies thinking of becoming data sharing intermediaries or obtaining altruistic data will need to remember the following 4 key rules:
- You will need to be based in the EU (either via an establishment or a legal representative)
- You will need to notify a competent EU Member State authority of the envisaged data sharing services before starting to offer them (for data altruism, you will need to obtain relevant registration)
- You will not be able to monetize the data you obtain for the purposes of providing the envisaged sharing services or for altruistic purposes
- You will need to structurally separate your other business activities from the data sharing services.
The proposal for the DGA still needs to be approved by both the European Parliament and the Council of the EU. If things go smoothly, the DGA could be adopted by mid-2021, although a date closer towards the end of 2021 would be a more realistic estimate. Once adopted, the DGA will enter into force after one year. Accordingly, it is not unlikely that the DGA will enter into force no earlier than in 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.