The European Commission published its European Strategy for Data in February 2020 as part of a package of proposals on the EU's digital future to create a "Europe fit for the Digital Age".
Behind the European Data Strategy is a desire not merely to harness the power of data, but to use it ethically and for maximum benefit to individuals (as discussed here).
The first related legislative proposal published by the EC in November 2020, is the draft Data Governance Act (in the form of a Regulation). It establishes:
The DGA applies to a very broad range of data, both personal and non-personal, covering "any digital representation of the acts, facts or any information and any compilation of such acts, facts or information including in the form of sound, visual or audiovisual recording".
The intention is to facilitate the sharing of data held in key public sectors, including health and environmental data, for the benefit of research and, therefore, the greater good.
The DGA also aims to encourage individuals and businesses to share their data for the benefit of society by establishing a trustworthy framework around the sharing, particularly within the proposed common European data spaces but also across sectors and borders.
"Re-use" is defined as "the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced except for the exchange of data between public sector bodies purely in pursuit of their public tasks". This means that while the definition of data is broad, provisions around re-use only apply where the data is held by the public sector bodies and is protected on grounds of:
Data held by public undertakings, public service broadcasters, cultural and educational establishments, which is protected for reasons of national security, defence or public security, or which is outside the scope of the public task of the public bodies, is out of scope of the provisions on re-use.
There is no obligation on public bodies to share data but where they do, they are required not to enter into exclusive data sharing agreements (subject to limited exemptions). They also have the right to impose conditions for re-use provided these are non-discriminatory, proportionate and objectively justified and do not restrict competition. These obligations can include:
Additional rules apply to re-use of data which is protected by confidentiality, or by intellectual property rights and for non-personal data designated as "highly sensitive" by EU legislation in relation to onward cross-border transfers. Obviously the GDPR also contains protections in relation to personal data.
Member States must designate one or more competent authority to support the public sector bodies granting re-use of their data by helping with security and processing techniques to preserve data privacy, as well as to help get consents where required.
Member States also need to create a single information point for re-use conditions and to receive and help process decisions on requests for re-use of data. Natural or legal persons affected by decisions on data re-use will have the right to judicial redress in the relevant Member State.
The DGA sets up a system under which trusted (and regulated) data sharing service providers can operate as:
Data sharing service providers have a number of compliance requirements including notification of their relevant supervisory authority who will be located in the Member State of their main establishment. Providers with no EU base will need to appoint a representative in one of the Member States in which they offer services.
They must also comply with conditions in relation to the processing of the data entrusted to them which must be held in a separate legal entity solely for the purpose of making it available to data users. The data must be kept secure, steps must be taken to prevent unlawful transfers, and service providers offering services to data subjects must act in the best interests of the relevant individuals.
The DGA formalises the concept of data altruism, whereby individuals or businesses make their data available for re-use for the common good, for example for scientific research or to benefit public services, voluntarily and without financial reward.
A registration and monitoring regime is set up for organisations facilitating data altruism. The organisations must be non-profit and operate independently from any other activities and must also comply with transparency requirements.
Where personal data is provided, the data altruism organisations must ensure a GDPR-compliant consent mechanism. They also have duties to safeguard data subject rights and the interests of legal entities supplying data.
As with data sharing service providers, data altruism organisations will be regulated in the Member State of their main establishment or must appoint a representative if they don't have one.
Cross-border transfers of personal data are currently a hot topic. While these are protected under the GDPR, the DGA introduces protections regarding cross-border transfers of non-personal data, whether in relation to re-use of protected public sector data, or where shared under data altruism principles.
Those sharing or re-using the data or facilitating either must ensure they take reasonable steps to prevent access to non-personal data held in the Union where its transfer or access would conflict with EU or Member State law. In particular, the DGA sets out steps for holders of non-personal data to take on receipt of an order from a third country authority seeking access to data.
Competent authorities charged with responsibilities under the DGA and those working in them must be independent from the services they evaluate and cannot be or be employed by the authorised representative of the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of the services they evaluate. Management and personnel are also precluded from engaging in any activities which might cause a conflict with their duties under the DGA.
Competent authorities will have a range of enforcement powers which might include dissuasive financial penalties for non-compliance.
The DGA also sets out conditions for the creation of a new European Data Innovation Board, an expert group including representatives from all Member State competent authorities, the EDPB, the EC, relevant data spaces and representatives of competent authorities in specific sectors.
The Board will have a largely advisory role, helping to set up consistent practices and procedures, and advising the Commission in a number of areas, in particular cross-border data sharing and cross-sector standards.
This DGA is just part of the EU's data strategy which is heavily focused on setting up common EU data spaces and trusted European cloud infrastructure. It lays the foundations for progressing the wider strategy but is at the beginning of its journey to enactment and there may be changes along the way.
To discuss any of the issues raised in this article in more detail, please reach out to a member of our Technology, Media & Communications team.
We look at the data protection and privacy impacts of the newly drafted Digital Services Package, and the UK government's response to the CMA on digital advertising.
1 of 6 Insights
We look at the EU's draft Digital Markets Act and the UK's plans for a Digital Markets Unit.
2 of 6 Insights
The DSA may be some way off, but here's a round-up of what you can do now.
3 of 6 Insights
An overview of the EC's IP Action Plan, which proposes changes to the EU's regulation of IPRs.
5 of 6 Insights
A summary of the issues, developments, and what it means for you.
6 of 6 Insights