Greetings from Brussels!
With all the fanfare last week around the latest EDPB "Schrems II" guidance and "SCCs 2.0," the recent mooting of a potential EU Data Governance Act may have slipped by you. Clearly, there is a lot going on in the field of data protection and privacy in Europe to keep track of as the EU steps up its communication and action plans around the digital economy and strategy.
Earlier this month, a leaked copy of the EU Data Governance Act revealed key insights into how the European Commission will look to implement its strategy for data. The act itself is expected to take the form of regulation. Much like the GDPR, the approach is to ascertain a uniform application of the legislation across EU member states to avoid fragmentation. Personal data will fall under the scope of the act, at least in part, so it has been designed to align with the GDPR in that regard. Bird & Bird offers a good summary here.
At the center of the drive is Europe’s quest for data sovereignty. Many would have you believe that as a region, Europe has lost the battle on personal data to the U.S., taken the dominance of U.S. tech firms. However, EU Commissioner for Internal Market Thierry Breton, among others, has alluded in recent statements that it is not too late where the application of industrial data is concerned. The upcoming data governance act is aimed at creating a new infrastructure facilitating the exchange and sharing of both sensitive and unused industrial data to nurture the emergence of an EU single market for data. It is the commission’s hope to create an ecosystem of independent data trustees that will act as data-sharing service providers and intermediaries between the companies that produce data and those that want to process it for research purposes. The act also provides for such entities to be established within the EU or EEA. Moreover, one can surmise that the condition of the geographical location of such entities also facilitates the supervision and compliance laid out by the act and other relevant EU data protection laws.
It is questionable if these provisions are protectionist in nature. At some level, the draft act seems incompatible with the EU’s stance on free trade as it suggests that all the data processing envisaged by this law will be limited to the EU. This may not be the most optimal solution for EU trustees and intermediaries or their future clients in what appears to be a call for data localization measures. I participated in a recent panel at the European Business Summit 2020 on "Protection in the Digital Age" where it was clearly expressed by industry that such data governance frameworks would most likely increase company costs to align with both EU and non-EU regulations. Questions around commercial viability and legal predictability, in an uncertain environment, are foremost concerns for companies. It is also a real source of debate whether such an initiative would make the EU more competitive in the long run. On the surface, it appears the ongoing tension between EU values and economic development continues to drive this debate. We cannot deny there is a direct correlation between the cost of economic development and the increase in regulations as was poignantly referenced by fellow panelist Mike Hwang, CEO of FiscalNote, at the European Business Summit this week.
The act does foresee the creation of a European Data Innovation Board. A committee made of EU representatives will be useful to elevate the importance, as well as challenges of data-driven innovation in EU policy circles and to advise on consistent standards for data governance practices — arguably, you could say that type of committee should already be in existence to help determine efficiency and unity in data-oriented legislation. What will be important to address for the EU to assert itself as a leader in the data economy is the political support and appetite for the ambition of the strategy across member states. There is a lot at stake. The Data Governance Act is expected to be unveiled 24 Nov.
If you want to comment on this post, you need to login.