EU Data Governance Act | Creating European regulation for the data ecosystem
Published on 2nd Dec 2020
The proposed new regulatory regime seeks to encourage greater sharing of data but also to control the mechanisms and the entities that facilitate sharing
As digitalisation sweeps across all sectors, organisations and individuals are developing a much deeper understanding of the value and potential power of data. The European Commission has proposed a new "European model" for sharing data, set out in the proposed Data Governance Act, published on 25 November and now making its way through the EU legislative process.
The proposals are focused on:
- data sharing by public authorities where the data in question is subject to rights such as intellectual property, data privacy, confidentiality or trade secrets;
- data-sharing through profit-making intermediaries, where the data is shared by businesses or individuals
- "data altruism" where data is shared by individuals, without reward and via a not-for-profit organisation pursuing objectives in the general interest, such as scientific research or the improvement of public services.
As the European Commission comments in its Questions and Answers document: "The economic and societal potential of data use is enormous: it can enable new products and services based on novel technologies, make production more efficient, and provide tools for combatting societal challenges".
The proposed legislation has two main thrusts: first, to create trustworthy frameworks and organisations to encourage data holders to share more data; and second, to regulate the behaviour of those data sharing bodies.
The proposed Data Governance Act seeks to encourage greater sharing of data, particularly data which is protected by rights. It does so by creating structures and safeguards so that individuals and organisations can trust that their data will not be compromised and that the organisation to which they have entrusted it will not exploit the data for its own benefit or in ways which they did not expect. This is reflected, for example, in the creation of mechanisms to centralise the sharing of public sector data which is subject to rights such as GDPR protections, intellectual property rights, confidentiality or trade secrets. There are also options to adopt more specific, tailor-made regimes for highly sensitive data such as in the health sector.
This impetus is also seen strongly in the provisions to create new "data altruism" structures and organisations. Such organisations must be not-for-profit, pursuing stated objectives in the general interest and inviting data holders to contribute their data in pursuance of those objectives. They will not be able to use the data for any other purposes.
New regulatory supervision
The efforts to create trustworthy mechanisms for data sharing are reinforced in the proposed Act by creating new regulatory regimes. The first set of new rules will apply to for-profit intermediaries; the second to not-for-profit data altruism organisations. The new frameworks will seek, in particular, to constrain how the benefits of sharing data are distributed.
The new legislation seeks to ensure that data sharing intermediaries will act transparently and neutrally, without favouring the data subjects or providers, the data users, or their own businesses. The concept of "data-sharing intermediaries" is not formally defined, but will include organisations that facilitate bilateral or multilateral data-sharing by businesses or by individuals, as well as data co-operatives. The recitals to the proposed Act also indicate categories that it is not intended to catch, including cloud providers, data brokers, or those who supply data to which they have added value.
The new regulatory regime will, for example:
- prohibit a for-profit data-sharing intermediary from using the collected data for its own purposes;
- require that the terms of access to its data sharing service (including pricing) are fair, transparent and non-discriminatory for both data holders and data users; and
- impose a fiduciary duty to act in the best interests of the data subjects.
The regulatory frameworks to be created by the proposed Act include supervisory bodies, registration obligations, compliance monitoring, complaints mechanisms and sanctions.
There is no regulatory regime around public sector data sharing, but exclusive deals for valuable public sector data are prohibited. If data is to be released, it must be on terms which are non-discriminatory, proportionate and objectively justified.
Various overarching objectives are also tangible in the proposed new legislation. Notably, the new provisions are a further clear illustration of the desire, expressed in the European Commission's Digital Strategy published earlier in 2020, to set the global gold standard for regulation of digital markets and activities across all sectors.
The Act also provides for the creation of the European Data Innovation Board, bringing together representatives from the Member States' competent authorities, the European Data Protection Board and the European Commission, among others. The Board's role will be that of a body of experts, developing and sharing best practice and ensuring a consistent approach across the EU.
The aspiration of "tech sovereignty" is another significant plank of the EU's Digital Strategy, seeking to reduce the reliance of European businesses on digital infrastructure and technology from the US or China. This includes the ambition for the EU to become less reliant on cloud services from non-EU providers and to build greater EU digital self-sufficiency.
Leaked drafts of the Data Governance Act included provisions requiring data localisation, such that shared data should remain within the EU. This would have potentially boosted the EU cloud by creating a legal requirement to keep data within the EU. Those provisions have disappeared from the final proposals, following criticism that they would have been in breach of international trade rules. However, non-EU businesses that act as data-sharing intermediaries or data altruism organisations are required to have legal representation within the EU.
The value and power of data in digital innovation has created concerns that the accumulation of data to which others do not have access can create a competitive advantage that is difficult to counter in the market, or to correct through regulatory intervention. A clear tension arises between the public interest in making data widely available for innovation and to level out competitive opportunities, versus the private interest in maximising revenues from valuable data by retaining control over access to it. The Data Governance Act can be seen as a response to that tension, seeking to boost the public interest considerations.
The EU Data Governance Act would create a new regulatory regime for the data-sharing ecosystem, although it still has to navigate the EU legislative process before becoming law.
It sets a clear policy tone in favour of opening up public sector data and provides a framework for data-sharing and the further use of data for research or other secondary purposes with commercial intent. It could therefore boost the quantity and quality of datasets made available in Member States where there has so far been some reluctance to unleash fully the potential of public sector data.
On the one hand, it will constrain the ability of some data-sharing intermediaries to operate as they currently do. They will no longer being able to use gathered data for their own ends, and will have to act in the best interests of the data subjects. Such businesses will face the additional costs and burden of notification and compliance requirements. Member States are given the ability, should they choose, to legislate for "dissuasive financial penalties" for non-compliance.
On the other hand, some businesses will undoubtedly benefit from the wider availability of greater volumes of higher quality data. The prohibition on exclusive sharing of the relevant categories of public sector data will likely benefit smaller businesses that might not otherwise have secured access to the valuable data in question. The "data altruism" framework has obvious potential benefit in relation, for example, to scientific research. It seems very likely that organisations will be created to support medical research by individuals agreeing to share their medical data for the greater good. Sustainability and environmental initiatives may similarly benefit.
Brexit means that this legislation (once finalised) will not take effect in the UK, although it clearly may affect UK businesses doing business in the EU. It remains to be seen whether the UK decides to take a similar approach to the UK data ecosystem. This may depend, among other things, on whether the provisions of any free trade agreement with the EU extend to data regulation. It is notable that UK authorities have recently consulted on the UK's own national data strategy. They have also been encouraging for some time the development of "data trusts" and similar structures, which have many similarities with the EU concept of data altruism, but have not suggested regulating the data ecosystem as such.