On November 25, 2020, the European Commission published its Proposal for a Regulation on European Data Governance (the “Data Governance Act”). The Data Governance Act is part of a set of measures announced in the 2020 European Strategy for Data, which is aimed at putting the EU at the forefront of the data empowered society. The European Commission also released a Questions & Answers document and a Factsheet on European data governance.
The Data Governance Act is aimed at fostering the availability of data by increasing trust in data intermediaries and strengthening data sharing across the EU and between sectors. “Data” under the Data Governance Act means any digital representation of acts, facts or information and any compilation of the same, including in the form of sound, visual or audiovisual recording.
The Data Governance Act outlines (1) the conditions for re-use of certain categories of data held by public sector bodies in the EU; (2) a notification and supervisory framework for the provision of data sharing services; and (3) a framework for voluntary registration of entities that collect and process data made available for altruistic purposes. It is intended to create a network of trusted and neutral data intermediaries and an oversight regime comprised of national supervisory authorities as well as a pan-EU coordinating body.
Below are some key takeaways from the draft Data Governance Act:
Re-Use of Protected Data by Public Sector Authorities
The Data Governance Act creates a framework for re-using certain categories of public sector data, including data protected on the grounds of (1) commercial or statistical confidentiality; (2) protection of intellectual property rights; or (3) protection of personal data. It also ensures that data can be widely re-used by including a general prohibition on agreements that create (or aim to create) exclusive rights for re-use, except under specific conditions when justified and necessary for the provision of a service of general interest.
Public sector bodies may set conditions around the re-use of data that must be non-discriminatory, proportionate and objectively-justified. Conditions may include, amongst others, the obligation to re-use anonymized or pseudonymized data only or to delete commercially confidential information, including trade secrets, when re-using data. The Data Governance Act also provides the European Commission with the right to impose further conditions regarding the re-use of highly sensitive non-personal data (such as certain datasets held by public health system actors), and in particular, with regard to transfer of such data to third countries. “Non-personal data” means data that does not qualify as personal data under the EU General Data Protection Regulation (“GDPR”).
The Data Governance Act requires the designation of one or more competent bodies, which may be sectoral, by the EU Member States to support public sector bodies granting access to the re-use of data.
Data Sharing Services
The Data Governance Act also sets out a framework for data sharing service providers (i.e., intermediaries between data “holders”, also known as data subjects, and data users). In particular, it imposes a prior notification obligation on data sharing service providers. In addition, the provision of data sharing services is subject to specific conditions including: (1) restrictions on the purposes for which data can be re-used and the use of metadata collected from the data sharing service; (2) conditions for access to the data sharing services; (3) the obligation to ensure the interoperability of the data; (4) the obligation to prevent fraudulent or abusive practices in relation to data access; (5) continuity obligations for the data sharing services; and (6) security obligations to prevent unlawful transfer or access to non-personal data and to ensure a high level of security for the storage and transmission of the data.
Data sharing service providers that are not established in the EU but offer those services in the EU are required to appoint a legal representative in one of the Member States in which the services are offered.
Each Member State must designate one or more authority competent to monitor both notifications and compliance with the requirements applicable to data sharing service providers. Data sharing service providers must share with the competent authorities any information necessary to verify compliance with their requirements under the Data Governance Act. The designated competent authorities should cooperate with the data protection authorities, national competition authorities, authorities in charge of cybersecurity and other relevant sectoral authorities to exchange information necessary for the exercise of their tasks in relation to data sharing service providers.
The Data Governance Act aims to facilitate data altruism by creating a framework for voluntary registration of entities that collect and process data made available for altruistic purposes. “Data altruism” means “the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services.” It provides the possibility for data holders to make their data available for free or for a charge.
In order to qualify for registration, a data altruism organization must meet certain criteria, including being a non-profit organization established to meet objectives of general interest. Similar to data sharing service providers, data altruism organizations that are not established in the EU must appoint a legal representative in the EU. This representative must be located in the country where the organization intends to collect data. Additionally, data altruism organizations must register with the competent supervisory authority of the Member State where they (or their representative, if appropriate) are established. Each Member State must designate one or more authority competent to maintain the register of data altruism organizations and monitor compliance with the requirements applicable to data altruism organizations.
Registered data altruism organizations must keep full and accurate records regarding the (1) natural or legal persons processing data held by that entity; (2) data and duration of the processing and the processing purpose; and (3) fees paid by natural or legal persons processing the data, if any. Annual activity reports must be kept and provided to the competent national authority. The Data Governance Act also imposes specific requirements on registered data altruism organizations to safeguard the rights and interests of data subjects and legal entities with regard to their data, including transparency obligations and purpose limitation restrictions.
Further, the Data Governance Act foresees the development by the European Commission of a template European data altruism consent form to be used by data holders. The template consent form must take into account the consent requirements applicable under the GDPR where personal data is provided.
- The Data Governance Act grants natural and legal persons the right to lodge a complaint with the relevant national competent authority against providers of data sharing services or data altruism organizations. It also provides a right to an effective judicial remedy.
- The Data Governance Act provides for the establishment by the European Commission of a European Data Innovation Board in the form of an Expert Group consisting of representatives of the Member States, the European Data Protection Board (“EDPB”) and representatives of relevant data spaces and specific sectors. The European Data Innovation Board will have several tasks, including advising and assisting the European Commission in developing consistent practice and cross-sector standards, enhancing the interoperability of data and data sharing services between different sectors and domains and facilitating the cooperation between the national competent authorities.
- The Data Governance Act also lays down the rules applicable in the event of a request by an administrative authority in a third country to gain access to or have non-personal data held in the EU transferred. In that case, the relevant entity must take all reasonable technical, legal and organizational measures to prevent the transfer of or access to non-personal data held in the EU where it would create a conflict with EU or Member State law, unless such transfer is required by a court judgment or decision of an administrative authority. The Data Governance Act provides additional conditions and safeguards in the event of such request, including a transparency obligation vis-à-vis the data holder and the obligation for the relevant entity to provide the minimum amount of data permissible.
The draft Data Governance Act will now be sent to both the European Parliament and the Council of Ministers to be negotiated and voted on. The European Commission also plans to publish proposals for a Digital Markets Act and a Digital Services Act, which are part of the 2020 European Strategy for Data.