EU Data Governance Act | Creating European regulation for the data ecosystem
Published on 2nd Dec 2020
The proposed new regulatory regime seeks to encourage greater sharing of data but also to control the mechanisms and the entities that facilitate sharing
As digitalisation sweeps across all sectors, organisations and individuals are developing a much deeper understanding of the value and potential power of data. The European Commission has proposed a new "European model" for sharing data, set out in the proposed Data Governance Act, published on 25 November and now making its way through the EU legislative process.
The proposals are focused on:
- data sharing by public authorities where the data in question is subject to rights such as intellectual property, data privacy, confidentiality or trade secrets;
- data-sharing through profit-making intermediaries, where the data is shared by businesses or individuals; and
- "data altruism" where data is shared by individuals, without reward and via a not-for-profit organisation pursuing objectives in the general interest, such as scientific research or the improvement of public services.
As the European Commission comments in its Questions and Answers document: "The economic and societal potential of data use is enormous: it can enable new products and services based on novel technologies, make production more efficient, and provide tools for combatting societal challenges".
The proposed legislation has two main thrusts: first, to create trustworthy frameworks and organisations to encourage data holders to share more data; and second, to regulate the behaviour of those data sharing bodies.
The proposed Data Governance Act seeks to encourage greater sharing of data, particularly data which is protected by rights. It does so by creating structures and safeguards so that individuals and organisations can trust that their data will not be compromised and that the organisation to which they have entrusted it will not exploit the data for its own benefit or in ways which they did not expect. This is reflected, for example, in the creation of mechanisms to centralise the sharing of public sector data which is subject to rights such as GDPR protections, intellectual property rights, confidentiality or trade secrets. There are also options to adopt more specific, tailor-made regimes for highly sensitive data such as in the health sector.
This impetus is also seen strongly in the provisions to create new "data altruism" structures and organisations. Such organisations must be not-for-profit, pursuing stated objectives in the general interest and inviting data holders to contribute their data in pursuance of those objectives. They will not be able to use the data for any other purposes.
New regulatory supervision
The efforts to create trustworthy mechanisms for data sharing are reinforced in the proposed Act by creating new regulatory regimes. The first set of new rules will apply to for-profit intermediaries; the second to not-for-profit data altruism organisations. The new frameworks will seek, in particular, to constrain how the benefits of sharing data are distributed.
The new legislation seeks to ensure that data sharing intermediaries will act transparently and neutrally, without favouring the data subjects or providers, the data users, or their own businesses. The concept of "data-sharing intermediaries" is not formally defined, but will include organisations that facilitate bilateral or multilateral data-sharing by businesses or by individuals, as well as data co-operatives. The recitals to the proposed Act also indicate categories that it is not intended to catch, including cloud providers, data brokers, or those who supply data to which they have added value.
The new regulatory regime will, for example:
- prohibit a for-profit data-sharing intermediary from using the collected data for its own purposes;
- require that the terms of access to its data sharing service (including pricing) are fair, transparent and non-discriminatory for both data holders and data users; and
- impose a fiduciary duty to act in the best interests of the data subjects.
The regulatory frameworks to be created by the proposed Act include supervisory bodies, registration obligations, compliance monitoring, complaints mechanisms and sanctions.
There is no regulatory regime around public sector data sharing, but exclusive deals for valuable public sector data are prohibited. If data is to be released, it must be on terms which are non-discriminatory, proportionate and objectively justified.
Various overarching objectives are also tangible in the proposed new legislation. Notably, the new provisions are a further clear illustration of the desire, expressed in the European Commission's Digital Strategy published earlier in 2020, to set the global gold standard for regulation of digital markets and activities across all sectors.
The Act also provides for the creation of the European Data Innovation Board, bringing together representatives from the Member States' competent authorities, the European Data Protection Board and the European Commission, among others. The Board's role will be that of a body of experts, developing and sharing best practice and ensuring a consistent approach across the EU.
The aspiration of "tech sovereignty" is another significant plank of the EU's Digital Strategy, seeking to reduce the reliance of European businesses on digital infrastructure and technology from the US or China. This includes the ambition for the EU to become less reliant on cloud services from non-EU providers and to build greater EU digital self-sufficiency.
Leaked drafts of the Data Governance Act included provisions requiring data localisation, such that shared data should remain within the EU. This would have potentially boosted the EU cloud by creating a legal requirement to keep data within the EU. Those provisions have disappeared from the final proposals, following criticism that they would have been in breach of international trade rules. However, non-EU businesses that act as data-sharing intermediaries or data altruism organisations are required to have legal representation within the EU.
The value and power of data in digital innovation have created concerns that the accumulation of data to which others do not have access can create a competitive advantage that is difficult to counter in the market, or to correct through regulatory intervention. A clear tension arises between the public interest in making data widely available, both for innovation and to level out competitive opportunities, and the private interest in maximising revenues from valuable data by retaining control over access to it. The Data Governance Act can be seen as a response to that tension, seeking to boost the public interest considerations.