Towards a new data-sharing ecosystem across the EEA: the Data Governance Act
Published on 25th Jan 2021
Recently, the European Commission published a proposal for a Regulation on European Data Governance, which is intended to foster trust among entities so that they share data, as well as to enable more possibilities for innovation, among other aspects.
The Commission's European Strategy for Data is conceived as one of the main pillars to achieve digital transformation in Europe. Among the wide range of measures contained in the institution’s Strategy for Data is the proposal for a Regulation on European Data Governance (the Data Governance Act). In particular, this new legal framework has the following purposes:
- To enhance the reutilisation of public sector data that cannot be made available as open data.
- To create new EU rules to enable new data intermediaries to operate as trustworthy organisers of data sharing, ensuring neutrality in the exchange of data.
- To facilitate data altruism to make it easier and safer for companies and individuals to voluntarily make their data available for the benefit of society.
In this sense, the Data Governance Act facilitates the sharing of data from three points of view depending on the entity that is sharing the data, which may be (i) public sector bodies, (ii) companies or individuals through data intermediaries, or (iii) organisations sharing data in an altruistic manner.
To access data kept by public sector bodies, it will be key to check the conditions for the re-use of data that will be published by the competent bodies pursuant to the Data Governance Act. Bearing in mind that the scope of the Data Governance Act would expressly comprise data protected by special rules (either laws regarding data protection, trade secrets, or intellectual property rights), this Act would oblige competent authorities to lay down a set of conditions to prevent the reutilisation of data infringing those special rules.
In any event, it is important to note that public sector bodies will be able to verify the processing of data undertaken by the data re-user and to prohibit the use of data processing results that contain information jeopardising the rights and interests of third parties. Furthermore, the new Data Governance Act also envisages measures to facilitate data sharing by public sector bodies. For instance, the Data Governance Act would provide that the relevant public sector bodies could support data re-users in seeking consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected by such re-use.
The proposal for the Data Governance Act includes, as its main novelty, the promotion of a new institution that will seek to foster trust between companies regarding the sharing of data (both bilaterally and multilaterally): the data intermediary, who centralises the exchange of data. The Data Governance Act provides for a set of requirements for the provision of data sharing services, including obligations such as not being allowed to use the data being shared for purposes other than to put them at the disposal of data users, or to put in place adequate technical, legal and organisational measures in order to prevent transfer or access to non-personal data that is unlawful under EU law.
The current proposal for a Regulation does not clarify the liability regime regarding data intermediaries. In particular, it is not expressly determined whether a company sharing data may bring the relevant legal actions against the data intermediary in the event of infringement by the data re-user of the relevant rules. For example, in the case of trade secrets, it would be interesting to see whether the companies sharing data may also bring the actions for the protection of trade secrets envisaged in Act 1/2019 of Trade Secrets against the data intermediaries.
The proposed Data Governance Act also regulates the sharing of data by data altruism organisations, which will be required to be included in a register kept by competent authorities of the Member States. In order to be included in the register, such organisations would have to (i) be a legal entity constituted to meet objectives of general interest, (ii) operate on a not-for-profit basis, and (iii) perform the activities related to data altruism through a legally independent structure. The proposal would also oblige such organisations to ensure that the data is not used for purposes other than those general interest purposes for which it permits the processing.
The proposal also envisages the creation of an independent body (the European Data Innovation Board) that will ensure the consistent implementation of the Data Governance Act in all Member States, supporting data-sharing across multiple sectors and steering the collaboration between national competent authorities.
On a separate note, the Spanish data protection authority (Spanish DPA) has also addressed the potential implications of data governance, and its study may be of interest to data controllers who must adapt to the new Data Governance Act. In this regard, when the processing related to data governance includes personal data, the Spanish DPA recommends adopting an appropriate strategy for the proper administration and management of the data policy and, in particular:
- To comply with data protection principles (among others, lawfulness of processing, transparency, and purpose limitation).
- To ensure that data subjects can exercise their rights.
- To ensure the protection of personal data by design and by default, through management of the potential risks to rights and freedoms.
- To comply with the rest of the requirements and obligations envisaged in the applicable data protection laws. To do so, the Spanish DPA also advises abiding by its recommendations on the accountability principles.
The proposal has been drafted following the relevant public consultations for the Commission's European Strategy for Data and the impact assessment related to the Data Governance Act (respectively carried out in February-March 2020 and November 2020). The Data Governance Act is currently going through the European legislative process and will enter into force twenty days after its publication in the OJEU and become applicable twelve months after its entry into force.