European Commission proposes new data governance measures for EU data sharing

On 25th November, the European Commission published its proposal for a Regulation on European Data Governance (the Data Governance Act) (“the DGA”). The proposed DGA (which will be directly applicable in all Member States), aims to strengthen data sharing mechanisms across the EU and between sectors. In particular, the European Commission recognises that businesses often need data from several Member States so they can develop EU-wide products and services; and allow ‘Big Data’ pattern detection or machine learning. In addition, the Commission emphasises the importance of increased access to data to assist companies and research organisations to advance representative scientific developments and market innovation in the EU.

The proposed Data Governance Act is the first of a set of measures announced in the 2020 European Strategy for Data, which aims to facilitate data flow within the EU and across sectors. Further  proposals are expected to follow in 2021, including a Data Act and the Digital Services Act, to foster data sharing among businesses, and between business and governments.

Key takeaways

  1. Re-use of public sector data

The proposed DGA introduces measures to facilitate the re-use of certain data for commercial or non-commercial purposes held by the public sector, which would normally be protected on grounds of commercial or statistical confidentiality, intellectual property rights or personal data.

The DGA requires EU Member States to put in place national rules in order to provide a set of harmonized basic conditions under which the re-use of such data may be allowed (including the requirement of non-exclusivity). Public sector bodies allowing this type of re-use would need to be technically equipped to ensure that data protection, privacy and confidentiality are fully preserved. The proposed DGA also provides that the Commission may introduce additional conditions applicable to the transfer of sensitive non-personal data to third countries.

In addition, the DGA introduces the requirement for Member States to set up a single contact point supporting researchers and innovative business in identifying suitable data. Member States are also required to put structures in place to support public sector bodies with technical means and legal assistance.

       2.  Increase trust in data sharing and data intermediaries

A number of measures have been introduced to “increase trust in data sharing”, as the European Commission recognises that lack of trust is currently a major obstacle for EU wide data sharing and results in high costs.

Under the DGA, the European Commission aims to provide an alternative model to the data-handling practices of the big tech platforms. The new approach proposes a model based on the ‘neutrality and transparency’ of data intermediaries, which are organisers of data sharing or pooling. The data-sharing intermediary will have to comply with strict requirements in order to ensure neutrality, including:

  • notifying as a provider of intermediary services to the designated competent authority in the relevant EU Member State (such notification will automatically grant the provider the right to start offering the intended services in all of the EU);
  • not using such data for other purposes (i.e. the provider cannot sell the data to another company or use it to develop its own product);
  • ensuring that the data sharing activity is strictly separated from other commercial activities;
  • having in place adequate technical, organisational and legal measures to safeguard the data and ensuring that fraudulent or abusive practices are prevented; and there is reasonable continuity of service;
  • assuming fiduciary duties towards data subjects to act in their best interests;
  • appointing an EU representative where the provider is not established within the EU; and
  • ensuring access to the data sharing service is fair, transparent and non-discriminatory.

A competent authority designated by the Member States will monitor and supervise compliance of data service providers with the DGA. The competent authority will have the power to require the entity to stop any processing in breach of the rules, to impose “dissuasive financial penalties which may include periodic remedies with retroactive effect” and to require the cessation or postponement of the services. In addition, natural and legal persons will have the right to lodge a complaint with the relevant national competent authority against a provider of data sharing services. The penalties and remedies to be applied to non-compliant organisations are to be determined by Member States.

        3. Data altruism

The proposed DGA aims to facilitate data altruism (data, both personal and non-personal, voluntarily made available by individuals or companies for the projects of general public interest) by including the ability for organisations engaging in data altruism to register as a ‘data altruism organisation’. In addition, a common European data altruism consent form will be developed to lower the costs of collecting consent and to facilitate portability of the data.

In order to qualify for registration, the data altruism organisation must:

  • be a legal entity constituted to meet objectives of general interest;
  • operate on a not-for-profit basis and be independent from any entity that operates on a for-profit basis; and
  • perform the activities related to data altruism through a legally independent structure, separate from other activities it has undertaken.

Data altruism organisations are also required to: be transparent and to keep full and accurate records in relation to their data processing; ensure that the data is not used for any purpose other than that of the general interest for which it permits the processing; and appoint an EU representative where it is not established in the EU. In addition, any organisation entered in the register of recognised data altruism organisations must draw up and transmit an annual activity report to the relevant competent authority.

A competent authority designated by the Member States will monitor and supervise compliance of data altruism organisations with the DGA.  The competent authority will have with the power to remove an organisation from the register of recognised data altruism organisations in the event of a breach of the requirements of the DGA. In addition, natural and legal persons will have the right to lodge a complaint with the relevant national competent authority against an entity entered in the register of recognised data altruism organisations.

        4. Creation of a European Data Innovation Board

 The DGA provides for the establishment of a European Data Innovation Board, which will be an ‘expert group’ consisting of representatives of competent authorities of all the Member States, the European Data Protection Board, the Commission, relevant data spaces and other representatives of competent authorities in specific sectors.

The Board will have a number of responsibilities, including: processing requests for the re-use of data; assisting the Commission to develop a consistent approach among all EU Member States in the application of the requirements of the DGA;  overseeing data services providers; and advising the European Commission on governance of cross-sectoral standardisation.

What next?

The proposed DGA will need approval from both the European Parliament and the Council of Ministers before it is adopted and we expect adoption will likely be towards the end of next year.

One question that is likely to attract attention is the interaction of the DGA and the GDPR, especially given the much boarder definition of ‘data’ within the DGA. It will also be interesting to see how the Commission’s other proposals as part of its 2020 European Strategy for Data, such as the Digital Services Act package, will impact the adoption of the DGA. Once adopted, the DGA will enter into force after one year.

For further information and advice, please get in touch with dataprivacy@dlapiper.com or your usual DLA Piper contact.