The European Commission’s intention to put in place an enabling legislative framework to facilitate the use of data, both personal and non-personal, for innovative business ideas within Europe, was already communicated in the European Strategy for Data back in February 2020 as part of a set of proposals for a “Europe fit for the Digital Age”. The European Strategy for Data had announced a number of key instruments to enable the creation of a single market for data, building on existing EU legislation, such as the GDPR, the Regulation on the free-flow of non-personal data, the Cybersecurity Act and the Open Data Directive.
What is the DGA?
The draft Data Governance Act (‘DGA’) was published by the European Commission on 25.11.2020, constitutes the first of the legislative proposals set forth in the European Strategy for Data and applies to both personal and non-personal data. Its main objectives are a) to foster the availability of data for use by increasing trust in data intermediaries; and b) to strengthen data sharing mechanisms across the EU. It sits upon four basic pillars:
- the re-use of protected data held by public sector bodies;
- the creation of a framework governing data sharing intermediaries;
- the conditions for data use on altruistic grounds; and
- the coordination and interoperability of the above through the European Data Innovation Board.
Re-use of protected public sector data
The DGA does not create an obligation to public sector bodies to allow for the re-use of the data, but it rather includes a set of harmonised basic conditions for the re-use of such data. The relevant provisions apply to ‘protected’ data, namely data subject to rights of others under various legislations, such as data protection, intellectual property and trade secrets legislation. In this respect, the DGA is complementary to the Open Data Directive.
Public sector bodies allowing this type of re-use should not in principle grant exclusive rights; additionally such bodies need to be technically equipped so that they ensure that data protection, privacy and confidentiality are fully preserved.
Data sharing services
The proposal establishes a framework for data sharing providers with the aim to increase trust in sharing of data and to lower transaction costs for both B2B and B2C data sharing. The DGA shall apply only to providers of data sharing services, i.e. those whose main objective is the establishment of a business, legal and technical relation between data holders (including data subjects) and potential users. Cloud providers, advertisement and data brokers, as well as data consultancies, which do not establish a direct relationship between data holders and data users, are not covered by the ambit of the DGA.
Data sharing providers or data intermediaries are required to notify their activities with the competent authority in each member state; they should also remain neutral as regards the data exchanged and assume fiduciary duties towards individuals when offering services to them.
The DGA promotes ‘data altruism’, a new concept referring to the act of making available data offered either by individuals or by companies, for purposes of general interest, such as healthcare, combating climate change and scientific research. The DGA provides for a common European data altruism consent form, in order to lower the costs of collecting consent and to facilitate portability of the data; it also establishes the possibility for organisations to register as a ‘Data Altruism Organisation recognised in the EU’, in order for them to increase trust in their operations.
The European Data Innovation Board
The newly introduced ‘European Data Innovation Board’ will facilitate the emergence of best practices by member states authorities on processing requests for the re-use of data subject to the rights of others, on ensuring a consistent practice regarding the notification framework for data sharing service providers and for data altruism.
In addition, the formal expert group will support and advise the European Commission on the governance of cross-sectoral standardisation.
Personal data as the basis of a fundamental right and as a business asset
The proposed DGA is the first EU legal instrument clearly reflecting an EU policy trend towards a data-driven economy, where personal data are regarded as a commodity for unlocking key innovations and ultimately promoting economic growth within the EU. This policy swift requires a delicate balancing exercise between unleashing the economic potential of data re-use and sharing, while respecting the personal data and other fundamental rights of the EU citizens.
In their Joint Opinion 3/2021, the European Data Protection Board (‘EDPB’) and the European Data Protection Supervisor (‘EDPS’) criticise the text of the DGA proposal for ‘significant inconsistencies with the GDPR’ and for ‘not duly taking into account’ the need to ensure and guarantee the EU level of data protection. The Opinion notes that the GDPR must be considered as a foundation rather than an obstacle, to the development of a data economy.
The above concerns echo the voices of several commentators arguing that the potential conflicts created between the DGA and the GDPR could seriously jeopardise the object of the proposal. And as the proposals on a new legislative regime governing AI and on a Data Act will soon be on their way, it remains to be seen whether Europe’s vision to become a digital leader while preserving a strong protection of rights and fundamental values can really be fulfilled.