[ad_1]
The European Commission published on November 25, 2020 a
proposal for a Regulation on European Data Governance, also dubbed
the Data Governance Act. It is one of several incoming pieces of
legislation proposed at the EU level (including the Digital
Services Act, expected in early December) in order to accomplish
the European Strategy for Data, adopted in February 2020, and
create an EU single market for data.
The Data Governance Act will introduce:
- Rules for making public
sector data available for reuse, in situations where such
data is subject to rights of others (like intellectual property or
data protection rights) - A framework allowing companies to
share industrial data in common data lakes, called European
Data Spaces - Rules for data
brokers, called “data sharing providers,”
including a notification regime and the obligation to remain
neutral as to the data exchanged - The concept of “data
altruism,” allowing people to share data for the
common good
The bill still needs to be approved by both the European
Parliament and the Council of the European Union.
The aim of the Data Governance Act
According to the European Commission, the DGA “aims to
foster the availability of data for use by increasing trust in data
intermediaries and by strengthening data sharing mechanisms across
the EU.” With this, the commission hopes to facilitate the
creation of new products and services offered in the EU, which rely
on the use of big data analytics and machine learning. Furthermore,
the DGA should also contribute towards EU innovation and scientific
development projects being done in a more coordinated and unified
manner.
If adopted, the DGA will provide for a legal recourse for
companies to access new, and until now restricted, public sector
data, improve trust in the sharing of industrial data between
companies by introducing a framework for the operation of data
intermediaries and data brokers, and establish a way for
individuals to share their data for altruistic purposes.
The DGA will not, however, be a way to circumvent any existing
rules related to the processing and sharing of data (both personal
and nonpersonal). Thus, the DGA will need to be applied in a way
that respects the General Data Protection Regulation, national laws
stemming from the ePrivacy Directive, sector-specific guidance
(i.e., in healthcare, automotive, telecoms, etc.), the Open Data
Directive and any other data-governing rules.
Accessing public sector data
Currently, public authorities are gathering and holding vast
amounts of data, which has great commercial potential. The
authorities themselves are restricted from utilizing this data
beyond their public service duties, but at the same time, they are
often prevented from sharing this data due to those same rules.
The DGA will open up several categories of public sector data,
which companies will be able to reuse for either commercial or
noncommercial purposes. Specifically, the DGA will apply to data
held by public sector bodies, which would normally be restricted or
otherwise unavailable due to:
- Commercial or statistical
confidentiality - Intellectual property rights
interests - Rules on personal data
protection
The DGA will not create a right as such for companies to access
public sector data but will oblige EU Member States to put in place
national rules, which regulate the conditions for access. The DGA
will, however, lay down certain ground rules that national rules
regulating the reuse of this data will need to follow. For example,
it will require that all conditions for reuse be nondiscriminatory,
proportionate and objectively justified and that they do not
restrict competition. Furthermore, if the data in question is
deemed to be highly sensitive, additional rules for transferring
such data to third countries will apply, which shall be specified
by the commission.
One additional point of interest is that the DGA will generally
prohibit exclusive arrangements, which grant the right to reuse
public sector data only to certain entities. Exceptionally, such
arrangements could be allowed, following established public
procurement rules, if the arrangement is aimed at providing a
service in the public interest.
Data intermediaries and data brokers – more trust in data
sharing and new market opportunities
It is clear that the data available today can be used to create
amazing new products and services, but it can only happen if
sufficiently large amounts of data can be used effectively and
freely by everyone. Right now, however, the problem lies in the
fact that companies generating data do not see any benefits in
sharing their data with competitors. In fact, they even fear that
by sharing their data, a competitor will find ways to monetize the
data, thus gaining a competitive edge in the market.
To solve this issue and improve trust among companies to share
their industrial data with one another, the DGA will introduce
rules for the operation of neutral data intermediaries and data
brokers (officially called “data sharing services”).
Specifically, the DGA will establish a notification framework for
companies wanting to provide the following data sharing
services:
- Intermediation services between data
holders and data users, which would include the creation of
platforms or databases enabling the exchange or joint exploitation
of data (industry data spaces) - Intermediation services between data
subjects that seek to make their personal data available and
potential data users (personal data spaces) - Data cooperative services that
support individuals or SMEs to negotiate terms and conditions for
data processing before they consent, in making informed choices
before consenting to data processing, and allowing for mechanisms
to exchange views on data processing purposes and conditions that
would best represent the interests of data subjects or legal
persons
The DGA lays down several requirements for companies wanting to
provide data sharing services. The most notable of these
include:
- Notifying the relevant EU Member
State authority of its intention to provide such services (where
such notification automatically grants the right to start offering
the intended services in all of the EU) - Appointing a legal representative in
one of the EU countries, if the company is not established within
the EU - Prohibition to use the data for which
it provides services for other purposes, including the obligation
to use metadata collected from the provision of the data sharing
service only for the development of that service (i.e., a de facto
prohibition to monetize data) - Structurally separating its other
business activities from the data sharing service - Having in place adequate safeguards
in the form of different technical, organizational and legal
measures - Fiduciary duty towards data subjects
to act in their best interests
Data altruism – donating data for a greater cause
Another form of data sharing established by the DGA will be data
altruism. Essentially, this will allow companies to gather data
(both personal and nonpersonal) from individuals for projects of
general public interest.
In order to be able to collect data for altruistic purposes, a
company will need to be 1) constituted to meet objectives of
general interest, 2) operate on a not-for-profit basis and be
independent from any entity that operates on a for-profit basis,
and 3) ensure the activities related to data altruism take place
through a legally independent structure, separate from other
activities it has undertaken. Moreover, a company meeting these
conditions will also need to register as a data altruism
organization in one of the EU Member States. Finally, companies not
registered within the EU will also have to appoint a legal
representative in one EU country.
Other provisions
The DGA also lays down several other provisions, which are
mostly aimed at EU Member State authorities, and addresses their
cooperation with each other and the companies, who will be seeking
access to the industrial data, as well as various procedural
issues. Most notably, the DGA will call for a creation of the
European Data Innovation Board, which will be tasked with ensuring
a consistent approach among all EU Member States in how to apply
the DGA and will be composed of competent authorities of all the
Member States, the European Data Protection Board, the European
Commission, relevant data spaces and other representatives of
competent authorities in specific sectors.
Key takeaways and timeline
The EU Commission projects that industrial data will continue to
increase rapidly. The DGA is the next step forward in grasping the
full potential of such data, especially in terms of the new and
potential products and services it can bring.
At the outset, companies should remember that the DGA will not
create any new obligations on their existing business practices,
and competitors will not be able to rely on the DGA to demand the
disclosure of a company’s trade secrets or other valuable data.
Rather, the DGA will provide for new opportunities in getting
access to new data pools, both from public sector bodies, as well
as through the voluntary sharing of data between companies and
individuals for commercial and noncommercial purposes.
For example, companies in the automotive sector working on
connected or self-driving car projects generate enormous amounts of
industrial data. There is nothing in the DGA that will force these
companies to disclose the generated data. However, these companies
might want to share some data on a voluntary basis, if there would
be a data pool for the automotive industry, which could then be
utilized by those same companies for their big data and machine
learning projects and to improve the accuracy and objectivity of
the underlying algorithms. Accordingly, having a data intermediary,
which sets up an automotive data space where data can be shared in
a way that does not put at risk trade secrets or result in an
unfair market situation, will sound appealing to many
companies.
Data sharing intermediaries will not only be sought after by
companies doing data-heavy projects, but also by data subjects and
SMEs who will be in search of an alternative and more
privacy-friendly way of not only sharing their data to gain access
to various services (e.g., banking, social media, utilities, postal
services, etc.), but also negotiating service providers’ terms
of use and generally seeking more bargaining power when it comes to
their data.
Finally, companies thinking of becoming data sharing
intermediaries or obtaining altruistic data will need to remember
the following 4 key rules:
- You will need to be based in the EU
(either via an establishment or a legal representative) - You will need to notify a competent
EU Member State authority of the envisaged data sharing services
before starting to offer them (for data altruism, you will need to
obtain relevant registration) - You will not be able to monetize the
data you obtain for the purposes of providing the envisaged sharing
services or for altruistic purposes - You will need to structurally
separate your other business activities from the data sharing
services.
The proposal for the DGA still needs to be approved by both the
European Parliament and the Council of the EU. If things go
smoothly, the DGA could be adopted by mid-2021, although a date
closer towards the end of 2021 would be a more realistic estimate.
Once adopted, the DGA will enter into force after one year.
Accordingly, it is not unlikely that the DGA will enter into force
no earlier than in 2023.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
[ad_2]
Source link Google News