On the 25th of November 2020, the European Commission (EC) has published the proposed European Data Governance Act.
The EU Data Governance Act is part of the European Strategy for Data, which sets out the Commission’s vision for a single market for data across the EU, ensuring the EU’s global competitiveness and data sovereignty. The single data market strategy aims to ensure that:
You may read further regarding the European Strategy for Data by accessing here.
The EC’s EU Data Governance Act is proposed to take the form a Regulation which will thus be directly applicable in all Member States and ensure harmonized implementation.
Under the Data Governance Act, the term “data” is proposed to mean “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording”. As personal data will also be captured by the Data Governance Act, the EC specifically states that the Data Governance Act was drafted in a manner to ensure compliance with data protection legislation, and in fact, the Data Governance Act contains multiple references to the General Data Protection Regulation (2016/679).
In a nutshell, the EU Data Governance Act aims to lay down rules:
The Data Governance Act proposes rules which apply to data held by public sector bodies, which data are protected on the grounds of:
Critically, the proposed rules are not meant to apply to
Public sector bodies which are competent under national Member State’s laws to grant or refuse access for the re-use of the data referred to above must make publicly available the conditions for allowing such re-use. In this respect, it should be noted that by “re-use”, the EC is proposing that this captures the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than for the initial purpose within the public task for which the data were produced, except for the exchange of data between public sector bodies purely in pursuit of their public tasks.
In establishing the conditions allowing data re-use, public sector bodies are to establish conditions for re-use which are non-discriminatory, proportionate and objectively justified with regard to the categories of data, purposes of re-use and the nature of the data for which re-use is allowed. Furthermore, such conditions cannot be used to restrict competition.
It will be possible for public sector bodies to impose an obligation to re-use only pre-processed data where such pre-processing aims to anonymize or pseudonymise personal data or delete commercially confidential information, including trade secrets. Public sector bodies may also impose obligations to access and re-use the data within a secure processing environment provided and controlled by the public sector and to access and re-use the data within the physical premises in which the secure processing environment is located, if it is not possible to implement remote access without jeopardising the rights and interests of third parties.
The public sector body shall also be able to verify any results of processing of data undertaken by the re-user and reserve the right to prohibit the use of results that contain information jeopardising the rights and interests of third parties.
The setting up of exclusive arrangements for the re-use of data held by public sector bodies is generally prohibited, with the exception that an exclusive right to re-use data is possible to the extent that such is necessary for the provision of a service or product in the general interest.
Critically, it should be observed that the Data Governance Act does not propose to create an obligation on public sector bodies to allow re-use of data, nor will it release such bodies from their confidentiality obligations. In fact, the Act itself specifies that the rules are without prejudice to applicable EU, national and international laws/arrangements on the protection of the relevant categories of data and that it is without prejudice to EU and national law on access to documents and to obligations of public sector bodies under Union and national law to allow the re-use of data.
2. A Notification and Supervisory Framework for the provision of Data Sharing Services
A prior notification framework is proposed to be established under the Data Governance Act, for providers of the following data sharing services:
While a prior notification framework is envisaged for such data sharing service providers, it should be noted that ex ante approval of such providers is not at present proposed, with such providers being able to start their activity in all Member States upon submitting the required notification.
Provision of such data sharing services will be subject to the following conditions:
A supervisory framework of such data sharing service providers will also be established, with each Member State being required to designate one or more authorities competent to carry out the tasks related to the notification framework, and who will also be responsible to monitor and supervise the compliance with applicable rules by such data sharing service providers.
3. A Framework for Voluntary Registration of Entities which collect and process Data made available for Altruistic Purposes
The Data Governance Act seeks to aid data altruism by creating a voluntary registration framework for data altruism organisations and creating a standard consent form for data altruism schemes under which data is made available for the common good. In this regard, it should be noted the EC proposes that “data altruism” is to mean the “consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services.”
The designated national competent authorities and the EC are proposed to maintain a register of recognised data altruism organisations.#
Any organisation who voluntarily registers for such purpose, will be bale to refer to itself as a “data altruism organisation recognised in the Union” in its written and spoken communications. In order to qualify for registration, data altruism organisations must:
Specific requirements to safeguard rights and interests of data subjects and legal entities as regards their data will be established in this regard. Any entity entered in the register of recognised data altruism organisations is to inform data holders about the purposes of general interest for which it permits the processing of their data by a data user in an easy-to-understand manner and about any processing outside the Union.
Such entity is to also ensure that the data is not used for other purposes than those of general interest for which it permits the processing. Where an entity entered in the register of recognised data altruism organisations provides tools for obtaining consent from data subjects or permissions to process data made available by legal persons, it shall specify the jurisdiction or jurisdictions in which the data use is intended to take place.
In order to facilitate the collection and portability of data based on data altruism, the EC is also proposing the development of a “data altruism consent form”, which shall use a modular approach to allow customisation for specific sectors and for different purposes.
4. Establishment of the EU Data Innovation Board
The EC is also proposing the establishment of an EU Data Innovation Board under the Data Governance Act, which will take the form of an Expert Group, consisting of the representatives of competent authorities of all the Member States, the European Data Protection Board, the EC itself, relevant data spaces and other representatives of competent authorities in specific sectors.
The proposed tasks of the EU Data Innovation Board can be summarised as follows:
Should you wish to access the proposed Data Governance Act you may click here.
This article was written by Senior Associate Dr Terence Cassar.
For more information on Data Law, Data Protection & Privacy and related areas please contact Dr Ian Gauci or Dr Terence Cassar.
Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.