The European Commission published on November 25, 2020 a
proposal for a Regulation on European Data Governance, also dubbed
the Data Governance Act. It is one of several incoming pieces of
legislation proposed at the EU level (including the Digital
Services Act, expected in early December) in order to accomplish
the European Strategy for Data, adopted in February 2020, and
create an EU single market for data.

The Data Governance Act will introduce:

  1. Rules for making public
    sector data
    available for reuse, in situations where such
    data is subject to rights of others (like intellectual property or
    data protection rights)

  2. A framework allowing companies to
    share industrial data in common data lakes, called European
    Data Spaces

  3. Rules for data
    brokers
    , called “data sharing providers,”
    including a notification regime and the obligation to remain
    neutral as to the data exchanged

  4. The concept of “data
    altruism
    ,” allowing people to share data for the
    common good

The bill still needs to be approved by both the European
Parliament and the Council of the European Union.

The aim of the Data Governance Act

According to the European Commission, the DGA “aims to
foster the availability of data for use by increasing trust in data
intermediaries and by strengthening data sharing mechanisms across
the EU.” With this, the commission hopes to facilitate the
creation of new products and services offered in the EU, which rely
on the use of big data analytics and machine learning. Furthermore,
the DGA should also contribute towards EU innovation and scientific
development projects being done in a more coordinated and unified
manner.

If adopted, the DGA will provide for a legal recourse for
companies to access new, and until now restricted, public sector
data, improve trust in the sharing of industrial data between
companies by introducing a framework for the operation of data
intermediaries and data brokers, and establish a way for
individuals to share their data for altruistic purposes.

The DGA will not, however, be a way to circumvent any existing
rules related to the processing and sharing of data (both personal
and nonpersonal). Thus, the DGA will need to be applied in a way
that respects the General Data Protection Regulation, national laws
stemming from the ePrivacy Directive, sector-specific guidance
(i.e., in healthcare, automotive, telecoms, etc.), the Open Data
Directive and any other data-governing rules.

Accessing public sector data

Currently, public authorities are gathering and holding vast
amounts of data, which has great commercial potential. The
authorities themselves are restricted from utilizing this data
beyond their public service duties, but at the same time, they are
often prevented from sharing this data due to those same rules.

The DGA will open up several categories of public sector data,
which companies will be able to reuse for either commercial or
noncommercial purposes. Specifically, the DGA will apply to data
held by public sector bodies, which would normally be restricted or
otherwise unavailable due to:

  • Commercial or statistical
    confidentiality

  • Intellectual property rights
    interests

  • Rules on personal data
    protection

The DGA will not create a right as such for companies to access
public sector data but will oblige EU Member States to put in place
national rules, which regulate the conditions for access. The DGA
will, however, lay down certain ground rules that national rules
regulating the reuse of this data will need to follow. For example,
it will require that all conditions for reuse be nondiscriminatory,
proportionate and objectively justified and that they do not
restrict competition. Furthermore, if the data in question is
deemed to be highly sensitive, additional rules for transferring
such data to third countries will apply, which shall be specified
by the commission.

One additional point of interest is that the DGA will generally
prohibit exclusive arrangements, which grant the right to reuse
public sector data only to certain entities. Exceptionally, such
arrangements could be allowed, following established public
procurement rules, if the arrangement is aimed at providing a
service in the public interest.

Data intermediaries and data brokers – more trust in data
sharing and new market opportunities

It is clear that the data available today can be used to create
amazing new products and services, but it can only happen if
sufficiently large amounts of data can be used effectively and
freely by everyone. Right now, however, the problem lies in the
fact that companies generating data do not see any benefits in
sharing their data with competitors. In fact, they even fear that
by sharing their data, a competitor will find ways to monetize the
data, thus gaining a competitive edge in the market.

To solve this issue and improve trust among companies to share
their industrial data with one another, the DGA will introduce
rules for the operation of neutral data intermediaries and data
brokers (officially called “data sharing services”).
Specifically, the DGA will establish a notification framework for
companies wanting to provide the following data sharing
services:

  • Intermediation services between data
    holders and data users, which would include the creation of
    platforms or databases enabling the exchange or joint exploitation
    of data (industry data spaces)

  • Intermediation services between data
    subjects that seek to make their personal data available and
    potential data users (personal data spaces)

  • Data cooperative services that
    support individuals or SMEs to negotiate terms and conditions for
    data processing before they consent, in making informed choices
    before consenting to data processing, and allowing for mechanisms
    to exchange views on data processing purposes and conditions that
    would best represent the interests of data subjects or legal
    persons

The DGA lays down several requirements for companies wanting to
provide data sharing services. The most notable of these
include:

  • Notifying the relevant EU Member
    State authority of its intention to provide such services (where
    such notification automatically grants the right to start offering
    the intended services in all of the EU)

  • Appointing a legal representative in
    one of the EU countries, if the company is not established within
    the EU

  • Prohibition to use the data for which
    it provides services for other purposes, including the obligation
    to use metadata collected from the provision of the data sharing
    service only for the development of that service (i.e., a de facto
    prohibition to monetize data)

  • Structurally separating its other
    business activities from the data sharing service

  • Having in place adequate safeguards
    in the form of different technical, organizational and legal
    measures

  • Fiduciary duty towards data subjects
    to act in their best interests

Data altruism – donating data for a greater cause

Another form of data sharing established by the DGA will be data
altruism. Essentially, this will allow companies to gather data
(both personal and nonpersonal) from individuals for projects of
general public interest.

In order to be able to collect data for altruistic purposes, a
company will need to be 1) constituted to meet objectives of
general interest, 2) operate on a not-for-profit basis and be
independent from any entity that operates on a for-profit basis,
and 3) ensure the activities related to data altruism take place
through a legally independent structure, separate from other
activities it has undertaken. Moreover, a company meeting these
conditions will also need to register as a data altruism
organization in one of the EU Member States. Finally, companies not
registered within the EU will also have to appoint a legal
representative in one EU country.

Other provisions

The DGA also lays down several other provisions, which are
mostly aimed at EU Member State authorities, and addresses their
cooperation with each other and the companies, who will be seeking
access to the industrial data, as well as various procedural
issues. Most notably, the DGA will call for a creation of the
European Data Innovation Board, which will be tasked with ensuring
a consistent approach among all EU Member States in how to apply
the DGA and will be composed of competent authorities of all the
Member States, the European Data Protection Board, the European
Commission, relevant data spaces and other representatives of
competent authorities in specific sectors.

Key takeaways and timeline

The EU Commission projects that industrial data will continue to
increase rapidly. The DGA is the next step forward in grasping the
full potential of such data, especially in terms of the new and
potential products and services it can bring.

At the outset, companies should remember that the DGA will not
create any new obligations on their existing business practices,
and competitors will not be able to rely on the DGA to demand the
disclosure of a company’s trade secrets or other valuable data.
Rather, the DGA will provide for new opportunities in getting
access to new data pools, both from public sector bodies, as well
as through the voluntary sharing of data between companies and
individuals for commercial and noncommercial purposes.

For example, companies in the automotive sector working on
connected or self-driving car projects generate enormous amounts of
industrial data. There is nothing in the DGA that will force these
companies to disclose the generated data. However, these companies
might want to share some data on a voluntary basis, if there would
be a data pool for the automotive industry, which could then be
utilized by those same companies for their big data and machine
learning projects and to improve the accuracy and objectivity of
the underlying algorithms. Accordingly, having a data intermediary,
which sets up an automotive data space where data can be shared in
a way that does not put at risk trade secrets or result in an
unfair market situation, will sound appealing to many
companies.

Data sharing intermediaries will not only be sought after by
companies doing data-heavy projects, but also by data subjects and
SMEs who will be in search of an alternative and more
privacy-friendly way of not only sharing their data to gain access
to various services (e.g., banking, social media, utilities, postal
services, etc.), but also negotiating service providers’ terms
of use and generally seeking more bargaining power when it comes to
their data.

Finally, companies thinking of becoming data sharing
intermediaries or obtaining altruistic data will need to remember
the following 4 key rules:

  1. You will need to be based in the EU
    (either via an establishment or a legal representative)

  2. You will need to notify a competent
    EU Member State authority of the envisaged data sharing services
    before starting to offer them (for data altruism, you will need to
    obtain relevant registration)

  3. You will not be able to monetize the
    data you obtain for the purposes of providing the envisaged sharing
    services or for altruistic purposes

  4. You will need to structurally
    separate your other business activities from the data sharing
    services.

The proposal for the DGA still needs to be approved by both the
European Parliament and the Council of the EU. If things go
smoothly, the DGA could be adopted by mid-2021, although a date
closer towards the end of 2021 would be a more realistic estimate.
Once adopted, the DGA will enter into force after one year.
Accordingly, it is not unlikely that the DGA will enter into force
no earlier than in 2023.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.



Source link Google News