In February 2020, the European Commission published its European Strategy for Data which set out the Commission’s vision for a single market for data across the EU, to provide access to high quality data sets and enable growth and create value in the European economy.
The Commission’s proposal for the Data Governance Act (which is the first implementation of its Data Strategy) was published on 25th November. The Act (which will take the form of a Regulation, directly applicable in all Member States) aims to build trust in order to facilitate access to data which would not otherwise have been shared due to protected characteristics (for example personal data, protected intellectual property rights or trade secrets). The Act lays the ground rules for reuse and sharing of that data and, in doing so, makes any sharing and reuse of data conditional on the full respect of those intrinsic rights.
A new definition of ‘Data’ and the interaction with GDPR
The Act provides us with a definition of ‘data’, which appears to be purposefully broad in order to maximise the scope of the Act. Data is defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording”. This fully encompasses the definition of personal data within the GDPR and includes ‘non-personal data’ (which is defined as anything not falling within the definition of ‘personal data’ in the GDPR).
Following the leaked draft of the Commission’s proposal for the Act earlier in November, concerns were raised about the interaction between the Data Governance Act and the GDPR. The Commission appears to be fully aware of this risk and states clearly in its proposal that the Act is designed in a way that fully complies with the GDPR. This is demonstrated a number of times throughout the recitals and the Act itself, whereby references are made to the legal bases for processing already set out under the GDPR and the necessity to ensure that individuals are able to provide and withdraw their consent to their data being shared in compliance with the GDPR’s requirements. It is clear that the Commission sees the Data Governance Act as a method to further the rights provided to individuals under the GDPR by ensuring that they have control over and are able to harness the value in their data by sharing it with initiatives which they are interested in.
Internal Market Commissioner, Thierry Breton, whose office oversaw the draft proposal, introduced the published draft with one word: trust. Trust is seen as key to unlocking willingness to share data with different sectors, for different purposes and the Commission aims to achieve this via a framework which protects rights, ensures security and provides interoperability. The Act provides for this in a number of ways.
By setting up a mechanism to facilitate the reuse of protected public sector data
The Act creates a mechanism for re-use of public sector data which have protected characteristics (such as commercial or statistical confidentiality, intellectual property rights or personal data) for commercial or non-commercial purposes. In order to ensure the data can be widely used, there is a general prohibition on the granting of exclusive rights in relation to the data. Re-use of such public sector data is made subject to the public sector bodies putting in place a number of conditions which ensure that the use is respectful of existing privacy, confidentiality and intellectual property rights in the data. The Act also paves the way for the Commission to introduce special conditions applicable to the transfer of sensitive non-personal data to third countries.
In addition, the Act provides for the establishment of the European Data Innovation Board, which would have several aims, including overseeing data sharing service providers, ensuring consistent practice in processing requests for public sector data and advising the Commission on governance of cross-sectoral standardisation.
By providing for secure processing environments in which the shared data should be used
Member States are required to designate a competent body to support public sector bodies which grant access to and reuse of their data. They are required to provide ‘secure processing environments’ in which the public sector body can determine and supervise the data analysis conducted by the data recipient and any use of derivative data in order to ensure third party rights are protected. The public sector body must reserve the right to verify the results of the processing undertaken by the data recipient and to prohibit use of results which it considers jeopardise the rights of third parties.
By creating a dual framework to monitor compliance of data intermediaries
The Act also sets out a framework for the oversight of data sharing service providers and data altruism organisations. Data sharing service providers (which provide intermediary services between data holders/data subjects and data users) are required to notify their business to the designated competent authority. They are required to remain neutral, act in data subjects’ best interests and separate data sharing services from other commercial endeavours. In addition, they must ensure: access to their service is fair, transparent and non-discriminatory; data is interoperable; they prevent fraudulent or abusive practices; reasonable continuity of service; compliance with competition law; and a high level of security for the data so that unlawful access to the data is not permitted.
Data altruism organisations, which are not-for-profit entities that perform activities related to data altruism, are also required to register with the competent authority. They are required to be transparent and to keep full and accurate records in relation to their data processing; to inform data holders/data subjects about the purposes of their processing and any processing which takes place outside the Union; and to ensure that the data is not used for any purpose other than that of the general interest for which it permits the processing.
The requirements in the leaked draft for these entities to be established in the Union or European Economic Area have been replaced with an obligation to appoint a legal representative in one of the Member States in which they operate. That Member State will be deemed to have jurisdiction over their activities. The leaked draft’s requirement to have adequate safeguards in place so that authorities of third countries cannot obtain EU data without a judicial decision has also been removed. The more general obligations to ensure purpose limitation and prevent unlawful access seem to have replaced them.
By implementing a common data altruism consent form
The Act aims to facilitate data altruism by creating an authorisation framework and a standard consent form for data altruism schemes under which individuals or companies may make their data available for the common good. The framework is geared to protect those who make their data available to the schemes and enable greater data portability (by virtue of the standardised consent form – which the Commission aims to develop and implement following adoption of the Act). The data holders will have the choice whether to make their data available for free or for a charge.
By empowering data holders and competent authorities to enforce the rules
Competent authorities are required to monitor and supervise compliance of data service providers and data altruism organisations. They are provided with the power to require the entity to stop any processing in breach of the rules, to impose “dissuasive financial penalties” and to require the organisation to cease or postpone providing its service (and in the case of a data altruism organisation, remove it from the register of recognised data altruism organisations).
In addition, data holders and data subjects are provided the right to lodge a complaint with the relevant national competent authority. The penalties and remedies to be applied to non-compliant organisations are to be determined by Member States.
The proposal will be debated and negotiated by the European Parliament and the Council of Ministers before it is adopted. We are therefore some time away from the implementation of the Act. We anticipate its passage through Parliament will lead to some lively debate around the interaction with GDPR and the upcoming proposals for the Digital Markets Act and Digital Services Act (which are both part of the implementation of the Commission’s Data Strategy).