TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Proposal for an EU Data Governance Act — a first analysis Related reading: European Commission expected to unveil Digital Services Act in December

rss_feed

""

""

On Nov. 25, 2020, the European Commission published its draft Data Governance Act. The act is one of the deliverables included in the commission’s 2020 European Strategy for Data, which sets out policy measures and investments designed to give the EU a competitive advantage by enabling it to capitalize on its vast quantity of data. Other deliverables that will follow before the end of the year are the Digital Services Act and the Digital Markets Act.

The act aims to create a framework that encourages greater reuse of data by increasing trust in data intermediaries and strengthening various data-sharing mechanisms across the EU. The act will play a central role in enabling and guiding the creation of EU-wide common, interoperable data spaces in strategic sectors, such as energy, mobility and health, which, in turn, are meant to bring benefits to citizens through improved personalized medicine, new mobility and contributions to the European Green Deal, among other things.

The proposal sets out rules relating to the following:

  • Conditions for reuse of public sector data that is subject to existing protections, such as commercial confidentiality, intellectual property or data protection.
  • Obligations on providers of certain data-sharing services, defined as entities that provide various types of intermediation services.
  • Introduction of the concept of data altruism and the possibility for organizations to register as “Data Altruism Organization recognized in the Union.”
  • Establishment of a European Data Innovation Board, a new formal expert group chaired by the European Commission.

It is interesting to note that “data” is defined in the act as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.” This is a broad definition that also includes personal data as defined in the EU General Data Protection Regulation. The GDPR and the act, therefore, may apply simultaneously, which explains why the recitals and provisions of the act indicate on several occasions that they are “without prejudice” to the application of the GDPR, among others. The explanatory memorandum indicates that “the measures are designed in a way that fully complies with the data protection legislation, and actually increase in practice the control that natural persons have over the data they generate.”

Reuse of public sector data

Chapter II of the Data Governance Act sets out a series of obligations and restrictions that public sector bodies are subject to if and when they allow reuse of certain data they hold. Public sector bodies are defined as “the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities or one or more such bodies governed by public law.”

The act emphasizes that it does not create an obligation for public sector bodies to make data available for reuse. Nor does the act release public sector bodies from their existing legal obligations under the GDPR or other applicable statutes, with respect to this data.

Public sector bodies that decide to make data available for reuse are prohibited from entering into exclusive arrangements, subject to certain exceptions. They are also subject to a series of obligations, including an obligation to make publicly available the conditions for allowing such reuse. Those conditions must be non-discriminatory, proportionate and objectively justified. One or more competent bodies designated by the member states are available to render various types of assistance and support to the public sector bodies concerned. Member states are under an obligation to communicate to the European Commission the identity of the competent bodies they designate. 

There are special rules for the sharing of confidential data or data protected by intellectual property rights, with a reuser who intends to transfer this data to a third country, as well as for cross border transfers of non-personal data deemed “ highly-sensitive” by a specific union act. The recitals mention certain datasets held by actors in the public health system as an example of “highly sensitive” data. In both instances, the European Commission may issue additional rules and conditions by way of implementing and/or delegated acts.

To incentivize the reuse of data, member states will create a single information point to act as the primary interface for reusers. Natural or legal persons affected by a decision of a public sector body or a competent body shall have the right to effective judicial remedy before the courts of the member state where the relevant body is located.

Obligations on providers of data sharing services

Chapter III of the act introduces new rules for the operation of data intermediaries, termed “providers of data sharing services.” Specifically, it would establish a notification and compliance framework for providers of the following data sharing services:

  • Intermediation services between data holders and data users, which include platforms or databases enabling the exchange or joint exploitation of data, as well as the establishment of a specific infrastructure for the interconnection of data holders and data users.
  • Intermediation services between data subjects that seek to make their personal data available and potential data users.
  • Services of data cooperatives that support individuals or small- and medium-sized enterprises to negotiate terms and conditions for data processing.

The act set out several requirements that a provider of these data sharing services would need to comply with, including:

  • Notifying the relevant EU member state authority of its intent to provide such services.
  • Appointing a legal representative in one of the member states, if the provider is not established within the EU.
  • Not using the data for which it provides services, for other purposes than to put them at the disposal of a data user, and using any metadata only for the development of that service.
  • Placing the data-sharing service in a separate legal entity.
  • Having in place adequate security safeguards.
  • Acting in the data subject’s best interest when facilitating the exercise of data subjects’ rights.

Member states would be required to nominate a “competent authority” with the power to monitor compliance with the act’s requirements, impose “dissuasive” financial penalties, and “require cessation or postponement” of the provision of the service. Since the act also applies to personal data covered by the GDPR, this “competent authority” would be yet another regulator in an already complex — and according to some, overcrowded — regulatory environment for personal data.

Introduction of the concept of data altruism

Chapter IV of the act introduces the concept of data altruism, which describes situations where individuals or companies make data voluntarily available for reuse, without compensation, for the common good, such as for scientific research or improving public services. The act proposes the establishment of a registration and monitoring regime for organizations that facilitate data altruism. These organizations may use the name “data altruism organizations.” These organizations must meet certain conditions to register with competent authorities — including a requirement to operate on a not-for-profit basis and through a legally independent structure, separate from other activities — and will be subject to transparency obligations and other requirements to safeguard the rights and interests of data subjects and legal entities as regards their data. The commission will also be empowered to adopt implementing acts to develop a European data altruism consent form. The act specifies that where personal data are provided, the consent form shall ensure that individuals are able to provide and withdraw consent, for a specific data processing operation, in line with the GDPR.

Here again, member states would be required to nominate a competent authority with the power to monitor compliance with the act’s requirements; sanctions, however, would be limited to revoking an entity’s right to refer to itself as an EU data altruism organization.

European Data Innovation Board

Chapter VI of the act requires the commission to establish a new body called the European Data Innovation Board. The board would be tasked with ensuring a consistent application of the act across all member states, supporting cross-sector data sharing, and facilitating cooperation between national competent authorities. The board appears to have no sanctioning or fining authority, in line with the approach taken in other laws where enforcement is left to the member states.

The board will be composed of the competent authorities of all member states, the European Data Protection Board, the European Commission and various other representatives.

The board will focus initially on the sectors covered by the act, i.e., reuse of public sector data and operation of data sharing services and data altruism organizations. The board will also be involved in some of the other data-related activities that the commission has announced in its European Strategy for Data and that will be finalized and rolled out in the next few years.

Restrictions on international transfer

Chapter VIII sets out rules designed to regulate “transfer or access to non-personal data” in scenarios covered by the act “where such transfer or access would create a conflict with Union law or the law of the relevant member state.” It focuses in particular on scenarios in which an entity holding data covered by the act is the addressee of an order from a third-country authority seeking access to the data and sets out the conditions that must be met before the entity may provide such access. The obligations set out in this chapter are addressed to all participants in the activities covered by the act, to know, the public sector body, the reuser, the data-sharing provider and data altruism organization. These obligations are different and stand next to the tasks entrusted by the act to the European Commission in regulating certain international transfers of “highly sensitive” non-personal data or confidential data and data protected by intellectual property rights that we described above in the section reuse of public sector data.

Next steps in the legislative process

The Data Governance Act must be debated and negotiated by the European Parliament and the Council of Ministers before it is adopted. Once adopted, it will enter into force after one year. It is directly applicable in all EU member states.

Photo by Guillaume Périgois on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Comments

If you want to comment on this post, you need to login.