
The Privacy Advisor | How to know you are a 'data intermediary' under the Data Governance Act


The free flow of data could make or break a business. This needs no explanation, especially to privacy pros and data specialists with a clear view of both sides of the spectrum. On the one hand, data is the fuel needed to run the business engine, thereby driving the total value and growth of modern businesses; on the other hand are the commercial and reputational risks attached to hefty fines prescribed by data protection and other laws for noncompliance. This makes access to data, achieved by creating trust in data sharing and use, the focal point for businesses and governments seeking to become leaders in a data-driven society.

The European data strategy

Recognizing that access to data and the ability to trust and use it are essential for innovation and economic growth, the European Commission, as part of its European data strategy, proposed a regulation on data governance. Dubbed the Data Governance Act, the regulation aims to facilitate data sharing across sectors and the member states of the European Union.

The definition of "data" under the DGA is so broad that it also includes personal data as defined in the EU General Data Protection Regulation. Therefore, the GDPR and DGA may apply simultaneously, which explains why the recitals and provisions of the DGA indicate on several occasions they are without prejudice to the application of the GDPR, among others. 

The DGA proposal covers three key areas: (1) access to data held by public sector bodies; (2) regulation of data sharing services through "data intermediaries"; and (3) encouraging "data altruism," which means donating data for the common good, such as health care research.

While public sector data and data altruism would largely cover non-commercial activities, it is data sharing by companies or individuals through "data intermediaries" that lies at the heart of commercial operations. This type of data sharing is likely to make the biggest impact on businesses that either currently work with data intermediaries covered under the DGA or are data intermediaries themselves. It may also impact those wanting to qualify as one because they have to plan or re-plan their operations to ensure compliance with the new notification requirements.

Definition of a data intermediary

Generally speaking, "data intermediary" is a catch-all term for those who help broker the flow of data from data source to data user, and who could otherwise be described as middlemen, data aggregators, data brokers, etcetera.

While these facilitators have traditionally existed in the EU, the DGA will probably be the first law where "data intermediary" is conspicuously mentioned in its recitals. Still, surprisingly, the term is not defined in the provisions, which instead use the term "provider" of data-sharing services. Whether this is due to loose drafting of the DGA or another reason is not entirely clear; what is interesting, or rather challenging, for a business is whether it qualifies to be a "data intermediary/provider" of data-sharing services. The general provisions of the DGA provide little help in addressing the concern, except for Article 9(1), which lists the following data-sharing services requiring notification under the DGA:

  1. Intermediation between data holders that are legal persons and potential data users, including platforms or databases enabling the exchange or joint exploitation of data and the establishment of specific infrastructure for the interconnection of data holders and data users.
  2. Intermediation services between data subjects and potential data users.
  3. Data cooperatives that support individuals or small- and medium-sized enterprises to negotiate terms and conditions for data processing.

The only thing that comes out of the above categorization is that while the second and third categories are primarily focused on a rare concept that enhances individual agency regarding personal data, the first one has the main impact on businesses. Otherwise, these are so vague that you must go back to Recital 22, which provides that you can be a provider of data-sharing services (PDSS) only if you:

  A. Are a business whose primary objective is to provide a legal and technical relation between data holders and users and to assist both parties in data asset transactions between the two.
  B. Provide services aiming at intermediating between an indefinite number of data holders and data users.
  C. Offer services to data subjects in the sense of the GDPR, where you focus exclusively on personal data and seek to enhance individual agency and the individuals' control over the data about them by assisting individuals in exercising their rights under the GDPR.

Although Recital 22 also does not define a PDSS, point A includes a more concrete qualifier than Article 9: an express qualification that your main objective must be to provide a legal and technical relation between data holders and users. Point A and C have the main impact on commercial organizations, as point C is of limited application due to its focus exclusively on personal data. Unfortunately, point B is not only unclear, but it may also conflict directly with the GDPR in light of the joint opinion of the European Data Protection Board and European Data Protection Supervisor, which states as follows:

"The concept of data sharing service as platform 'intermediating between an indefinite number of data holders and data users', as kind of open data marketplace, would be contrary to the aforesaid data protection principles of privacy by design and by default, transparency and purpose limitation if the platform does not allow a pre-selection of and prior information about the purposes and users of her or his personal data by and to the data subject. For the sake of clarity, the Proposal should specify, at least in a recital, this aspect."

Exclusions with a goal — to create a special category

The European strategy recognizes that the European technology industry has perpetually seemed a step behind its American counterpart: American companies buy three out of four European startups, according to research funded by the EU, and much of the data is generated, retained and later analyzed in "silos" by American tech giants. This makes it very difficult for European businesses to access and use datasets. Read in this context, where the goal clearly appears to be to free the EU from the clutches of Big Tech by creating a special category of data intermediaries, it is the exclusions in Recital 22 rather than the inclusions that help in forming a firmer opinion on whether you could be a PDSS. Per these exclusions, the following cannot become a PDSS under the DGA:

  • Cloud service providers, an area dominated by American companies.
  • Data brokers and online optimization tool providers selling/licensing data that is not accessible directly from the platforms or data holders.
  • Services that focus on the intermediation of content, which means search engines, social network companies, etcetera, again a territory occupied by a few companies.
  • Data exchange platforms that one data holder exclusively uses to enable the use of data they hold. Generally, all platforms claim the only intended recipients for their data for reuse are their direct business users, which points to dominance by e-commerce and tech giants already having a large footprint in the EU.
  • Platforms developed in the context of objects and devices connected to the Internet of Things that have as their main objective to ensure functionalities of the connected object or device and allow value-added services. IoT platforms are also dominated by Big Tech, in particular companies with their headquarters outside the EU.
  • "Consolidated tape providers" in the sense of Article 4 (1) point 53 of Directive 2014/65/EU, as well as "account information service providers" in the sense of Article 4 point 19 of Directive (EU) 2015/2366, both limited to financial services data largely regulated by existing sector-specific legislation.
  • Entities with activities restricted to facilitating the use of data made available based on data altruism and that operate on a not-for-profit basis.
  • Data sharing services that are meant to be used by a closed group of data holders and users.

Moreover, the nature of the conditions that a PDSS needs to satisfy under the DGA further acts as an entry barrier for non-EU entities to become a PDSS, e.g., registering with a regulatory authority and (if based outside the EU) appointing a representative in the EU, not using the data for their own purposes (i.e., their use of the data must be limited to their role as PDSS) and placing the data-sharing service in a separate legal entity.

It's not hard to conclude from these exclusions and conditions that with this new category of intermediaries, the DGA aims to push back the dominance of tech giants while promoting competition, which is a part of the overall European strategy. The strategy also includes the proposals for a Digital Services Act to standardize safety rules for online business and a Digital Markets Act, limiting tech giants to boost competition in the digital markets they dominate.

Conclusion

The starting point for any assessment to become a PDSS as per the current draft of the DGA should be to look at the exceptions provided in Recital 22 of the DGA and its conditions, because the qualifications under Article 9 are unclear at the least, if not manifestly ambiguous. This is only the beginning of the legislative process, and the European Parliament and member states will now have to come forward with their amendments. The concrete operational and legal implications of the DGA and the precise qualifications for a PDSS are difficult to assess from the current text of the proposal. However, despite these amendments, the European strategy seems to have a clear agenda on creating the EU data spaces, which means the overly restrictive exceptions for PDSSes are here to stay.

Photo by Glenn Carstens-Peters on Unsplash

