The new Data Governance Act – building an EU data ecosystem?
The Proposal for a Regulation on Data Governance (the “Data Governance Act”) is the first of a set of measures announced in the EU’s 2020 European Strategy for Data. The instrument aims to foster the availability of data held by public sector bodies for their re-use by any natural or legal person either for commercial or non-commercial purposes. It also establishes the conditions for the re-use of certain categories of data held by public sector bodies within the Union. All of this should be achieved by increasing trust in data intermediaries who are providing data sharing services and who act “as a tool to facilitate the aggregation and exchange of substantial amounts of […] data” among the different actors mentioned above.
The improvement of the data sharing mechanism should notably:
- Make public sector information available for re-use where such information is subject to rights of others;
- Increase the exchange of data among businesses;
- Establish a standardized form for research data; and
- Allow the re-use of data (especially personal data) on altruistic grounds.
The Data Governance Act will facilitate data sharing across the EU and between sectors in order to better exploit the data’s potential and maximize their use. The plan is to improve the flow of data held by public sector bodies through reliable and trustworthy channels for data bearing commercial or statistical confidentiality, third parties’ intellectual property rights, or a personal character (Article 3 (1)). Therefore, it will be complementary to the Open Data Directive as it will cover data that cannot be considered and made available as “open data”.
However, the Act “do[es] not create any obligation on public sector bodies to allow re-use of data nor do[es] [it] release public sector bodies from their confidentiality obligations” (Article 3 (3)). In addition, the grant of exclusive rights to entities other than the parties to an agreement for the re-use of these data is prohibited, to ensure that these data can be widely accessed, unless the grant relates to the provision of a service or a product bearing a general interest (Article 4).
Finally, the Regulation lays down a framework for voluntary registration of entities that collect and process data made available for altruistic purposes. In that sense, it introduces a voluntary mechanism whereby data subjects allow the re-use of their personal data by data altruism organizations, without a specific reward. Processing of such data is currently subject to the GDPR, which sets high standards for this purpose. The new Data Governance Act now aims to allow such processing for purposes of general interest, such as scientific research purposes or improving public services (Articles 2(10) and 16), which might also help Artificial Intelligence systems and public health research.
In more detail, the Data Governance Act includes different provisions on the use of public data, which include the following:
- Requests for accessing and re-using data by private institutions should be transmitted to the competent bodies that are effectively holding them through a single information point (Article 8 (2)).
- The re-use should occur in a “secure processing environment” (Article 5 (4) (a)). To that end, “Public sector bodies may impose an obligation to re-use only pre-processed data where such pre-processing aims to anonymize or pseudonymize personal data” (Article 5 (3)). In cases where this cannot be achieved, re-users, with the help of the public sector body, should seek the consent of the data subject or the legal entity having rights and interests in the use of these data (Article 5(6)). One shortcoming is to be noted, though: the re-use of data may be allowed against the charging of a fee by the public sector bodies that are holding them (Article 6 (1)).
- Data sharing services should be supervised by competent authorities, designated by each Member State. These authorities shall be “legally distinct from, and functionally independent of any provider of data sharing services […]” and “exercise their tasks in an impartial, transparent, consistent, reliable and timely manner” (Article 23 (1) and (2)). This supervision should occur through a notification sent by the data sharing services provider to the authority (Article 10 (1)) and be followed by appropriate monitoring measures (Article 13). Importantly, data sharing services providers not established in the Union but offering such services within the EU “shall appoint a legal representative in one of the Member States in which those services are offered” (Article 10 (3)).
- Data sharing services should only occur under certain conditions, listed in Article 11 of the Regulation. These include notably:
  - When providing the data sharing service, the provider should use the data only for the defined purpose they have been asked for, that is, to put them at the disposal of the data user;
  - The provider should ensure fair, transparent and non-discriminatory procedures and should have procedures in place to prevent fraudulent or abusive access to data;
  - The provider shall also take measures to ensure a high level of security for the storage and transmission of non-personal data and indicate to the data subjects the jurisdictions in which the data use is intended to take place.
Additionally, the Data Governance Act proposes that the EU Commission establish the so-called European Data Innovation Board (Article 26), composed of representatives of each Member State. This Board should in particular be entrusted with the mission of advising and assisting the EU Commission according to Article 27 in:
- Developing a consistent practice of the competent authorities in the application of requirements applicable to data sharing providers (letter (b));
- Enhancing the interoperability of data as well as data sharing services between different sectors and domains (letter (d));
- Establishing consistent data sharing policies among Member States through cooperation and the exchange of information (letter (e)).
Summary: Will the Data Governance Act be a Game Changer?
The EU Commission’s initiative aims to propose a European concept for data access, in contrast to other global powers that do not envisage such a level of protection for the exchange of information among different stakeholders.
In relation to the Open Data Directive, this new draft is expected to provide a specific framework for the exchange of information that cannot be considered as “open” due to its specific character (e.g. personal data, intellectual property, trade secrets or other commercially sensitive information).
This “single market for data” (Recital 2) is set to engender a “free and safe flow of data” (Recital 3), notably with third countries, for instance regarding the transfer of data falling under the scope of an international agreement dealing with the exchange of information in judicial proceedings (Article 30).
On top of that, the Proposal guarantees the neutrality of data sharing services as trusted intermediaries. The creation of the European Data Innovation Board can ensure consistent practices in processing requests for public sector data across Europe.
For companies, this should be a welcome step forward in their strategy of acquiring more and more data. Regarding the charging of fees by public sector bodies, even though such fees shall be non-discriminatory, proportionate and objectively justified (Article 6(2)), it might become relevant for the European Data Innovation Board to get involved on this matter in its mandate aimed at maintaining consistent data sharing practices among Member States.