Data Governance Act: A step closer to easier sharing of data
On 30 November 2021, the Council of the European Union and the European Parliament reached a provisional agreement on the final wording of a draft Data Governance Act (DGA) (COM/2020/767 final).
The aim of the proposal is to promote the availability of data and to build a trustworthy environment facilitating the use of data (both person and non-personal) for research and creation of innovative new products and services. It is also intended to create a legal framework for easier sharing of data and mechanisms facilitating re-use of certain data held by the public sector, including data involving health, agriculture and the environment.
Thus, by design, the DGA should contribute to the development of shared European data spaces, particularly in such areas as health, environment, energy, agriculture, mobility, finance, manufacturing, and public administration. These in turn will help feed artificial intelligence systems developed in the EU in these fields.
Scope of application of the DGA
The Data Governance Act would apply to the following situations:
- Making public sector data available for re-use in situations where such data is subject to rights of others (including when they constitute trade secrets, confidential statistical information, or personal data, or are subject to intellectual property rights of third parties)—complementing in this respect the Open Data Directive (2019/1024), as it also applies to data in the possession of public-sector entities covered by rights of other persons
- Sharing of data among businesses, against remuneration in any form
- Allowing personal data to be used with the help of a “personal data-sharing intermediary,” through whom data subjects could make their data available to potential users of the data
- Allowing data use on altruistic grounds (i.e. voluntary sharing of data by individuals or businesses for the common good).
Intermediation in data-sharing
The DGA creates a legal framework for a new business model: data-sharing intermediation services. By assumption, data intermediaries, defined as providers of “data intermediation services,” would ensure a secure and trustworthy environment in which legal or natural persons (data holders) could make their data available.
In the case of legal persons, these services could consist of creation of platforms or databases facilitating the exchange or shared use of data, as well as creation of special infrastructure for mutual connections between data holders and data users. By using such services, firms could make their data available without fear of misuse, erosion of competitive advantage, or charges that such action is unlawful.
In the case of personal data, data intermediation services would help data subjects make their data available to potential users of the data. To this end, the service provider would offer technical and organisational means facilitating the delivery of such services and easy exercise by data subjects of their rights under the General Data Protection Regulation. By assumption, this would help individuals gain full control over their own data while allowing them to make their data available to firms they trust. This could be done, for example, by means of novel personal information management tools, such as personal data spaces or data wallets—apps that share such data with others based on the data holder’s consent.
To increase trust in data intermediation service providers, their activity would be closely regulated. Providers of such services would be subject to registration with the competent national authorities, and then entry in a register of data intermediation service providers maintained by the European Commission. Their services would have to meet detailed conditions set forth in the regulations. Crucially, data intermediation service providers could not use data provided to them for other purposes. However, they could charge fees for the transactions they conduct.
International access and transfer of non-personal data to third countries
The DGA creates safeguards for public-sector data, data intermediation services and data altruism organisations against unlawful international transfer of or governmental access to non-personal data.
Under the new regulations, the Commission could adopt adequacy decisions declaring that specific non-EU countries provide appropriate safeguards for the use of non-personal data transferred from the EU. These decisions would be similar to adequacy decisions relating to personal data under Art. 45 GDPR.
The Commission could also adopt model contractual clauses to support public-sector bodies and re-users in the case of transfers of public-sector data to third countries.
European Data Innovation Board
The DGA also provides for establishment of a formal group of experts, the European Data Innovation Board, to advise and assist the Commission in enhancing the interoperability of data intermediation services and issuing guidelines on how to facilitate the development of data spaces. The board would facilitate the emergence of best practices by member states’ authorities, in particular on processing requests for re-use of data subject to the rights of others, ensuring a consistent practice regarding the notification framework for data-sharing service providers, and data altruism.
What next?
Before the proposal becomes law, it must be formally approved by the European Parliament and the Council at the third reading. Although the new regulations would begin to apply 15 months after the effective date, achievement of a political agreement on the final text of the DGA can already be regarded as a milestone on the way to easier data-sharing within the EU.
The DGA proposal is the first legislative initiative adopted within the EU Data Strategy. As part of this strategy, the EU intends to adopt a number of legislative initiatives facilitating data-sharing and the use of data for research, creation of innovative new services and products, and training AI systems. The European Commission is already working on the draft of the next instrument—the Data Act, which should foster the flow of data between businesses and between businesses and the public administration.
Iga Małobęcka-Szwast