Leaked copy of the European Commission’s Data Governance Act reveals key insights into how the Commission will seek to implement its European Strategy for Data
In February 2020, the European Commission published its European Strategy for Data, which set out the Commission’s vision for a single market for data across the EU, to provide access to high-quality data sets, enable growth and create value in the European economy.
At the end of last week a leaked copy of the Data Governance Act, the Commission’s first proposal to implement the Data Strategy, began circulating. The proposal is due to be formally published on 11 November. The Act will take the form of a Regulation (which will be directly applicable in all Member States); the Commission notes that this is because the Act requires uniform implementation across Member States in order to achieve its objectives. The Commission also states in its proposal that, given personal data will fall within the scope of some parts of the Data Governance Act, the Act has been designed to be fully compliant with data protection legislation. Indeed, there are numerous references to compliance with the GDPR (Regulation 2016/679) throughout the Act, rather than the Act setting out any further obligations with regard to personal data.
The draft Data Governance Act deals with four key areas.
Re-Use of Public Sector Data
The Act creates a mechanism for re-use of public sector data for commercial or non-commercial purposes other than the initial public purpose for which the data was collected. Re-use is stated to be conditional on respecting existing privacy and intellectual property rights in the data. The aim is to create a common European data space in which potentially valuable data is made available, including in sensitive areas such as the healthcare sector, and in others, such as policing, where there are confidentiality issues.
Providers of Data Sharing Services as ‘trusted intermediaries’
An authorisation framework for providers of data sharing services is set out, which is based on obligations to remain neutral and separate data sharing services from other commercial endeavours, such that the data sharing services business cannot further monetise the data. The intent of this is to ensure that facilitators can organise common data spaces in an “open and collaborative” manner, without the acquisition of significant market power, thus acting as trusted intermediaries between data providers and data users. Providers of data sharing services will owe fiduciary duties to individuals using their services.
The Act aims to facilitate data altruism by creating an authorisation framework and a standard consent form for data altruism schemes under which individuals or companies may make their data available for the common good. The framework is geared to protect those who make their data available to the schemes and enable greater data portability (by virtue of the standardised consent form). The data holders will have the choice whether to make their data available for free or for a charge. Interestingly, the recitals refer to data cooperatives and data unions, which seek to influence terms and conditions of data use in order to provide better choices to individuals providing their data. The Commission notes that they are likely to be intermediaries between data users and individual data providers, likely anticipating that a number of such organisations will emerge to advocate for compensation and better transparency for individuals who provide their data to the common European data space.
Creation of the European Data Innovation Board
The European Data Innovation Board would have several aims, including oversight of data sharing services providers, ensuring consistent practice in processing requests for public sector data and advising the Commission on governance of cross-sectoral standardisation.
Data processing limited to the EU
The current draft of the Act, which has been overseen by the office of Internal Market Commissioner, Thierry Breton, focuses on developing a strongly European capability and approach. The Act places a lot of importance on the role to be played by providers of data sharing services in the establishment and operation of common European data spaces and facilitation of data sharing. The draft Act requires providers of data sharing services to be established within the European Union or European Economic Area. In addition to this, data sharing service providers are required to have “adequate safeguards in place… that prevent it from responding to requests from authorities of third countries” such that they cannot obtain non-personal data of EU companies or EU public administration unless so permitted by a judicial decision of the Member State in which the company to which the data relate is established. There is a further requirement to limit the processing of data drawn from European data spaces to the European Union, which will likely raise concerns around data localisation.
It should be noted that this is not the first governmental proposal to regulate data governance; the Indian Government published a first draft of its own “Non-Personal Data Governance Framework” for public consultation back in July. The framework aims both to create growth in the economy by providing incentives for innovation through establishing rights over non-personal data, and to develop a framework to enable data sharing for the public good.
This is a trend which we expect to continue across the globe as governments seek to both regulate the commercialisation of data and harness it for the greater good.