On the 25^th of November 2020, the European Commission (EC) has published the proposed European Data Governance Act.

The EU Data Governance Act is part of the European Strategy for Data, which sets out the Commission’s vision for a single market for data across the EU, ensuring the EU’s global competitiveness and data sovereignty. The single data market strategy aims to ensure that:

1. Data can flow within the EU for the benefit of all;
2. EU rules, in particular privacy, data protection and competition law are fully respected; and
3. The rules for access and use of data are fair, practical and clear.

You may read further regarding the European Strategy for Data by accessing here.

The EC’s EU Data Governance Act is proposed to take the form a Regulation which will thus be directly applicable in all Member States and ensure harmonized implementation.

Under the Data Governance Act, the term “data” is proposed to mean “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording”. As personal data will also be captured by the Data Governance Act, the EC specifically states that the Data Governance Act was drafted in a manner to ensure compliance with data protection legislation, and in fact, the Data Governance Act contains multiple references to the General Data Protection Regulation (2016/679).

In a nutshell, the EU Data Governance Act aims to lay down rules:

1. Establishing the conditions for re-use, within the EU, of certain categories of data held by public sector bodies;
2. Mandating a notification and supervisory framework for the provision of data sharing services;
3. Providing for a framework for voluntary registration of entities which collect and process data made available for altruistic purposes; and
4. Creating the European Data Innovation Board.

1. Conditions for Re-Use of Certain Categories of Data Held by Public Sector Bodies

The Data Governance Act proposes rules which apply to data held by public sector bodies, which data are protected on the grounds of:

1. commercial confidentiality;
2. statistical confidentiality;
3. protection of intellectual property rights of third parties; and
4. protection of personal data.

Critically, the proposed rules are not meant to apply to

1. data held by public undertakings;
2. data held by public service broadcasters and their subsidiaries or other related bodies in the fulfilment of a public service broadcasting remit;
3. data held by cultural establishments and educational establishments;
4. data protected for reasons of national security, defence or public security; and
5. data the supply of which is an activity falling outside the scope of the public task of the public sector bodies concerned.

Public sector bodies which are competent under national Member State’s laws to grant or refuse access for the re-use of the data referred to above must make publicly available the conditions for allowing such re-use. In this respect, it should be noted that by “re-use”, the EC is proposing that this captures the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than for the initial purpose within the public task for which the data were produced, except for the exchange of data between public sector bodies purely in pursuit of their public tasks.

In establishing the conditions allowing data re-use, public sector bodies are to establish conditions for re-use which are non-discriminatory, proportionate and objectively justified with regard to the categories of data, purposes of re-use and the nature of the data for which re-use is allowed. Furthermore, such conditions cannot be used to restrict competition.

It will be possible for public sector bodies to impose an obligation to re-use only pre-processed data where such pre-processing aims to anonymize or pseudonymise personal data or delete commercially confidential information, including trade secrets. Public sector bodies may also impose obligations to access and re-use the data within a secure processing environment provided and controlled by the public sector and to access and re-use the data within the physical premises in which the secure processing environment is located, if it is not possible to implement remote access without jeopardising the rights and interests of third parties.

The public sector body shall also be able to verify any results of processing of data undertaken by the re-user and reserve the right to prohibit the use of results that contain information jeopardising the rights and interests of third parties.

The setting up of exclusive arrangements for the re-use of data held by public sector bodies is generally prohibited, with the exception that an exclusive right to re-use data is possible to the extent that such is necessary for the provision of a service or product in the general interest.

Critically, it should be observed that the Data Governance Act does not propose to create an obligation on public sector bodies to allow re-use of data, nor will it release such bodies from their confidentiality obligations. In fact, the Act itself specifies that the rules are without prejudice to applicable EU, national and international laws/arrangements on the protection of the relevant categories of data and that it is without prejudice to EU and national law on access to documents and to obligations of public sector bodies under Union and national law to allow the re-use of data.

2. A Notification and Supervisory Framework for the provision of Data Sharing Services

A prior notification framework is proposed to be established under the Data Governance Act, for providers of the following data sharing services:

1. intermediation services between data holders which are legal persons and potential data users, including making available the technical or other means to enable such services;
2. intermediation services between data subjects that seek to make their personal data available and potential data users, including making available the technical or other means to enable such services, in the exercise of the rights under GDPR; and
3. services of data cooperatives, that is to say services supporting data subjects or one-person companies or micro, small and medium-sized enterprises, who are members of the cooperative or who confer the power to the cooperative to negotiate terms and conditions for data processing before they consent, in making informed choices before consenting to data processing, and allowing for mechanisms to exchange views on data processing purposes and conditions that would best represent the interests of data subjects or legal persons.

While a prior notification framework is envisaged for such data sharing service providers, it should be noted that ex ante approval of such providers is not at present proposed, with such providers being able to start their activity in all Member States upon submitting the required notification.

Provision of such data sharing services will be subject to the following conditions:

1. the provider may not use the data for which it provides services for purposes other than to put them at the disposal of data users. Furthermore, data sharing services must be placed in a separate legal entity;
2. the metadata collected from the provision of the data sharing service may be used only for the development of that service;
3. the provider shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data holders and data users, including as regards pricing;
4. the provider must facilitate the exchange of the data in the format in which it receives it from the data holder and shall convert the data into specific formats only to enhance interoperability within and across sectors or if requested by the data user, or where mandated by EU law or to ensure harmonisation with international or European data standards;
5. the provider must have procedures in place to prevent fraudulent or abusive practices in relation to access to data from parties seeking access through their services;
6. the provider must ensure a reasonable continuity of provision of its services and, in the case of services which ensure storage of data, must have sufficient guarantees in place that allow data holders and data users to obtain access to their data in case of the provider’s insolvency;
7. the provider must put in place adequate technical, legal and organisational measures in order to prevent transfer or access to non-personal data that is unlawful under EU law;
8. the provider must take measures to ensure a high level of security for the storage and transmission of non-personal data;
9. the provider must take measures to ensure a high level of security for the storage and transmission of non-personal data;
10. the provider offering services to data subjects shall act in the data subjects’ best interest when facilitating the exercise of their rights, in particular by advising data subjects on potential data uses and standard terms and conditions attached to such uses; and
11. where a provider provides tools for obtaining consent from data subjects or permissions to process data made available by legal persons, it shall specify the jurisdiction or jurisdictions in which the data use is intended to take place.

A supervisory framework of such data sharing service providers will also be established, with each Member State being required to designate one or more authorities competent to carry out the tasks related to the notification framework, and who will also be responsible to monitor and supervise the compliance with applicable rules by such data sharing service providers.

3. A Framework for Voluntary Registration of Entities which collect and process Data made available for Altruistic Purposes

The Data Governance Act seeks to aid data altruism by creating a voluntary registration framework for data altruism organisations and creating a standard consent form for data altruism schemes under which data is made available for the common good. In this regard, it should be noted the EC proposes that “data altruism” is to mean the “consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services.”

The designated national competent authorities and the EC are proposed to maintain a register of recognised data altruism organisations.#

Any organisation who voluntarily registers for such purpose, will be bale to refer to itself as a “data altruism organisation recognised in the Union” in its written and spoken communications. In order to qualify for registration, data altruism organisations must:

1. Be a legal entity constituted to meet objectives of general interest;
2. Operate on a not-for-profit basis and independently from any entity operating for profit;
3. Perform the activities related to data altruism through a legally independent structure that is separate from other activities.

Specific requirements to safeguard rights and interests of data subjects and legal entities as regards their data will be established in this regard. Any entity entered in the register of recognised data altruism organisations is to inform data holders about the purposes of general interest for which it permits the processing of their data by a data user in an easy-to-understand manner and about any processing outside the Union.

Such entity is to also ensure that the data is not used for other purposes than those of general interest for which it permits the processing. Where an entity entered in the register of recognised data altruism organisations provides tools for obtaining consent from data subjects or permissions to process data made available by legal persons, it shall specify the jurisdiction or jurisdictions in which the data use is intended to take place.

In order to facilitate the collection and portability of data based on data altruism, the EC is also proposing the development of a “data altruism consent form”, which shall use a modular approach to allow customisation for specific sectors and for different purposes.

4. Establishment of the EU Data Innovation Board

The EC is also proposing the establishment of an EU Data Innovation Board under the Data Governance Act, which will take the form of an Expert Group, consisting of the representatives of competent authorities of all the Member States, the European Data Protection Board, the EC itself, relevant data spaces and other representatives of competent authorities in specific sectors.

The proposed tasks of the EU Data Innovation Board can be summarised as follows:

1. to advise and assist the EC in developing a consistent practice of public sector bodies and competent bodies in respect of data re-use;
2. to advise and assist the EC in developing a consistent practice of the competent authorities in the application of requirements applicable to data sharing providers;
3. to advise the EC on the prioritisation of cross-sector standards to be used and developed for data use and cross-sector data sharing, cross-sectoral comparison and exchange of best practices with regards to sectoral requirements for security, access procedures, while taking into account sector-specific standardisations activities;
4. to assist the EC in enhancing the interoperability of data as well as data sharing services between different sectors and domains; and
5. to facilitate the cooperation between national competent authorities under the Data Governance Act through capacity-building and the exchange of information.

Should you wish to access the proposed Data Governance Act you may click here.

This article was written by Senior Associate Dr Terence Cassar.

For more information on Data Law, Data Protection & Privacy and related areas please contact Dr Ian Gauci or Dr Terence Cassar.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.