On 25 November 2020, the European Commission published a proposal for a Regulation on European Data Governance (“Data Governance Act”). The proposed Act aims to facilitate data sharing across the EU and between sectors, and is one of the deliverables included in the European Strategy for Data, adopted in February 2020. (See our previous blog here for a summary of the Commission’s European Strategy for Data.) The press release accompanying the proposed Act states that more specific proposals on European data spaces are expected to follow in 2021, and will be complemented by a Data Act to foster business-to-business and business-to-government data sharing.
The proposed Data Governance Act sets out rules relating to the following:
- Conditions for reuse of public sector data that is subject to existing protections, such as commercial confidentiality, intellectual property, or data protection;
- Obligations on “providers of data sharing services,” defined as entities that provide various types of data intermediary services;
- Introduction of the concept of “data altruism” and the possibility for organisations to register as a “Data Altruism Organisation recognised in the Union”; and
- Establishment of a “European Data Innovation Board,” a new formal expert group chaired by the Commission.
Conditions for reuse of public sector data (Chapter II, Articles 3-8)
Chapter II of the Data Governance Act would impose conditions on public-sector bodies when they make certain protected data that they hold available for re-use. These provisions apply to data held by public-sector bodies that are protected on grounds of commercial or statistical confidentiality, intellectual property rights, or personal data protection. The Act does not impose new obligations on public-sector bodies to allow re-use of data and does not release them from their existing legal obligations with respect to data. But if public-sector bodies do make protected data available for re-use, they must comply with the conditions set out in Chapter II.
Specifically, the Act prohibits public-sector bodies from granting exclusive rights in data or restricting the availability of data for re-use by entities other than the parties to such exclusive agreements, with limited derogations. In addition, if a public-sector body grants or refuses access for the re-use of data, it must ensure that the conditions for such access (or refusal) are non-discriminatory, proportionate, and objectively justified, and must make those conditions publicly available. The Act also provides that public bodies “shall” impose conditions “that preserve the functioning of the technical systems” used to process such data, and authorizes the Commission to adopt implementing acts declaring that third countries to which such data may be transferred provide IP and trade secret protections that are “essentially equivalent” to those in the EU.
In addition, where specific EU acts establish that certain non-personal data categories held by public-sector bodies are “highly sensitive,” such data may be subject to restrictions on cross-border transfers, as specified by the Commission through delegated acts.
Obligations on “providers of data sharing services” (Chapter III, Articles 9-14)
Chapter III of the Act introduces new rules for the operation of data intermediaries, termed “providers of data sharing services”. Specifically, it would establish a notification and compliance framework for providers of the following data sharing services:
- Intermediation services between data holders and data users, which include platforms or databases enabling the exchange or joint exploitation of data, such as industry data spaces;
- Intermediation services between data subjects that seek to make their personal data available and potential data users; and
- “Data cooperative” services that support individuals or SMEs to negotiate terms and conditions for data processing.
The Act set out several requirements that providers of these data sharing services would need to comply with, including:
- Notifying the relevant EU Member State authority of its intent to provide such services;
- Appointing a legal representative in one of the Member States, if the company is not established within the EU;
- Not using the data collected for other purposes, and using any metadata only for the development of that service;
- Placing its data sharing service in a “separate legal entity” from its other services;
- Having in place adequate security safeguards; and
- Imposing a fiduciary duty towards data subjects to act in their best interests.
Member States would be required to nominate a “competent authority” with the power to monitor compliance with the Act’s requirements, to impose financial penalties, and to “require cessation or postponement” of the provision of the service.
Introduction of the concept of “data altruism” (Chapter IV, Articles 15-22)
Chapter IV of the Act introduces the concept of “data altruism”, which describes situations where individuals or companies make data voluntarily available for re-use, without compensation, for the common good—such as for scientific research or improving public services. The Act proposes the establishment of a registration and monitoring regime for organisations that facilitate data altruism, called “data altruism organisations”. These organisations must meet certain conditions to register with competent authorities—including a requirement to operate on an independent not-for-profit basis—and will be subject to transparency obligations and other requirements to safeguard the rights and interests of data subjects and legal entities as regards their data. The Commission will also be empowered to adopt implementing acts to develop a European data altruism consent form.
Here again, Member States would be required to nominate a “competent authority” with the power to monitor compliance with the Act’s requirements; sanctions, however, would be limited to revoking an entity’s right to refer to itself as an EU data altruism organization.
Establishment of the European Data Innovation Board (Chapter VI, Articles 26-27)
Chapter VI of the Act requires the Commission to establish a new body called the “European Data Innovation Board”. This Board would be tasked with ensuring a consistent application of the Act across all Member States, supporting cross-sector data sharing, and facilitating cooperation between national competent authorities. The Board will be composed of the competent authorities of all Member States, the European Data Protection Board, the European Commission, and representatives from relevant data spaces and competent authorities in specific sectors.
Restrictions on International Transfer
Chapter VIII sets out rules designed to regulate “transfer or access to non-personal data” in scenarios covered by the Act “where such transfer or access would create a conflict with Union law or the law of the relevant Member State.” It focuses in particular on scenarios in which an entity holding data covered by the Act is the addressee of an order from a third-country authority seeking access to the data and sets out the conditions that must be met before the entity may provide such access.
Next steps in the legislative process
The Data Governance Act must be debated and negotiated by the European Parliament and the Council of Ministers before it is adopted. Once adopted, it will enter into force after one year.
A public consultation was carried out on the Commission’s European Strategy for Data between February and May 2020, and an impact assessment of the Act was published by the Commission alongside the regulatory proposal in November 2020.