Large amounts of data are the core of the digital transformation. According to current estimates, the global volume of data will increase by 530 percent between 2018 and 2025. This includes not only personal data, but also and in particular non-personal data, for example from industrially deployed sensors which constantly capture production data. The European Union has recognized the potential of these – today largely untapped – data sources and is striving to promote the exploitation of this data on the one hand and to uphold European values and principles, in particular data protection and fair competition, on the other. To this end, a number of data-related measures are to be adopted as part of the European Strategy for Data. The most developed measure to date is the Data Governance Act (“DGA”), which is about to be implemented by the European Parliament. The DGA is intended to create fundamental framework conditions for the European single market for data and to strengthen trust in certain key players in order to facilitate and boost cross-sector data sharing between companies, consumers and public bodies. Consequently, the topics addressed by the DGA are diverse, including the re-use of data held by public sector bodies, data intermediation services, data altruism, and the creation of a European Data Innovation Board. It is therefore worth taking a closer look at the final draft and having an initial assessment of the proposed measures.
By Dr. Paul Voigt & Daniel Tolks[1]
I. INTRODUCTION
In April 2022, the European Parliament will cast its vote on the Data Governance Act (“DGA”), which is the first measure in the course of the European Data Strategy. Correspondingly, high expectations are associated with this. The text of the first draft presented by the Commission in November 2020 was negotiated in detail in several trilogue discussions between the European Council, Parliament and Commission in October and November 2021 (“DGA-draft”). Thus, the final vote is only considered a formal step. The following article is therefore intended to provide a cursory overview of the main regulations as they currently stand, highlighting key changes from the trilogue discussions and providing a preliminary assessment of the proposed measures.
II. OVERVIEW
A. General Categorization
The DGA-draft represents the first measure from the European Data Strategy published by the EU Commission in 2020. The latter aims to create European data spaces – i.e. an EU single market for data – in which both personal and non-personal data can be securely stored, processed, and used to create value. The DGA-draft sets a structural regulatory framework with regard to some actors considered crucial in this context. Despite the ambiguous title, it is a regulation that therefore does not require an implementation act by the member states. The regulation is to apply 15 months after its entry into force (Art. 35 DGA-draft).
B. Objectives and Scope of Regulation
The objective of the DGA-draft is to promote the availability of data by increasing trust in certain data-providing actors and strengthening data sharing mechanisms in the EU. For this purpose, the DGA-draft addresses four – in some cases very different – regulatory priorities (Art. 1(1) DGA-draft):
- Re-use of protected data held by public sector bodies (Chapter II),
- Data intermediation services (Chapter III),
- Data altruism (Chapter IV), and
- Creation of a European Data Innovation Board.
For these regulatory areas, the DGA-draft determines basic material as well as formal conditions and a corresponding supervisory framework.
C. Extensive Restrictions
Despite – or precisely because of – the broad range of topics addressed by the DGA-draft, there are extensive restrictions regarding the scope of application right at the beginning. Article 1(2) of the DGA-draft explicitly states that the DGA-draft is not intended to impose an obligation on public sector bodies to permit the re-use of data. Any rights of access to specific data sets or documents thus continue to be governed exclusively by national law.
The relation to other laws dealing with data processing is also explicitly clarified. According to Art. 1(2a) DGA-draft, Union and Member State data protection law, in particular the GDPR and the e-Privacy Directive, shall prevail. Equally, the powers and competences of the data protection supervisory authorities shall remain unaffected. Thus, to the extent that personal data is to be re-used under the DGA-draft, all of the requirements of the GDPR must additionally be observed, which is likely to raise a large number of detail questions in practice. Furthermore, the DGA-draft shall be without prejudice to competition law and the law of public security, defense, or national security pursuant to Art. 1(2b) and (2d) DGA-draft.
III. RE-USE OF PROTECTED DATA HELD BY PUBLIC AUTHORITIES
A. Background
Chapter II sets out the conditions for the re-use of data that is held by public sector bodies and protected for certain reasons. The background of the regulation is the idea that data generated or collected with the help of public funds should also benefit society (Rec. 5).
Chapter II can only be understood against the background of the OD-PSI Directive.[2] Since the scope of the OD-PSI Directive is limited only to “open data” that can be freely used by anyone, the DGA-draft now also regulates, in a complementary manner, the re-use of such data that is subject to the rights of others. Article 3(1) of the DGA-draft conclusively lists commercial secrecy (including business, professional and trade secrets), statistical secrecy, the protection of the intellectual property of third parties and the protection of personal data as such grounds of protection.
B. No Right to Data Access
It is important to emphasize that the DGA-draft does not create a right to re-use of these data (again stated in Art. 3(3) DGA-draft). Rather, it lays down basic conditions under which the re-use – which is presumed to be permitted – shall be structured. First of all, Art. 4 DGA-draft stipulates the fundamental prohibition of exclusive agreements in order to prevent any unfair competition. Exceptions may exist if services are provided in the public interest that would not be possible without such exclusive agreement. It should be noted that the exclusivity period under Art. 4(5) and (7) DGA-draft was shortened considerably in the trilogue discussions: For new contracts it is now 12 months (previously three years) and for existing contracts 30 months (previously also three years).
C. Conditions for Continued Use
Art. 5 DGA-draft then lists, as the core of the chapter, various different conditions for re-use. Art. 5(2) DGA-draft stipulates that the conditions for re-use must be “non-discriminatory, transparent, proportionate and objectively justified.” According to Art. 5(3) DGA-draft, the public sector bodies shall then ensure that the protective nature of the respective data is preserved. This can be achieved, for example, by anonymizing personal data, or by modifying or aggregating non-personal data like trade secrets or content protected by intellectual property rights. It may also be required that access to and re-use of the data must be made within a “secure processing environment,” the technical integrity of which shall be verified by the public body. This can be done remotely or, if necessary, on premise. Access to the data shall also be made conditional on the adherence to a confidentiality obligation (Art. 5(5a) DGA-draft).
If re-use cannot be permitted and a legal basis for the (re-)processing of personal data is lacking, the public sector body should, according to Art. 5(6) DGA-draft, make best efforts to assist in obtaining appropriate consents from the data subjects. Furthermore, the re-use of data is only permitted if intellectual property rights are respected, whereby public bodies cannot invoke the database producer right (Art. 5(7) DGA-draft).
Although the conditions were specified in the course of the trilogue discussions, they still leave considerable room to the national public sector bodies to decide on the precise details. It is questionable how the public bodies will manage the balancing act between ensuring the protective nature of the data on the one hand and enabling re-use on the other.
D. Third-country Transfers
The provisions on the transfer of non-personal data to (non-EU) third countries have been aligned with the procedures of the GDPR. According to Art. 5(8a) DGA-draft, the intended third country transfer must first be notified to the public body. According to Art. 5(10) DGA-draft, the public sector body may only transfer the requested data to the re-user if the Commission has declared the recipient country’s laws on the protection of intellectual property and trade secrets to be equivalent to EU standards (Art. 10b DGA-draft) or the re-user contractually undertakes to comply with the terms of the DGA-draft. In doing so, the public sector body shall support the re-user in implementing these obligations pursuant to Art. 5(10a) DGA-draft, for which standard contractual clauses may also be issued by the Commission.
This mechanism, already known from the GDPR, thus also applies to non-personal, sensitive data under the DGA-draft. In addition, the Commission may still adopt special conditions for the third country transfer of such categories of data that are classified as “highly sensitive” by separate EU legal act, for example in the area of public security or health (Art. 5(11) DGA-draft).
E. Procedure
According to Art. 6 DGA-draft, public sector bodies may charge proportionate and objectively justified fees for the re-use of data. According to Art. 8 DGA-draft, the competent Member State authorities shall establish a “single information point,” which receives the requests for re-use of data and forwards them to the competent public sector body. On the initiative of the European Parliament, the trilogue discussions also included the possibility of establishing a simplified information channel for start-ups and small and medium-sized enterprises (SMEs), adapted to their specific needs, Art. 8(2b) DGA-draft. In this context, it is also important to note Art. 8a (1) DGA-draft, which stipulates that applications for the re-use of data must be regularly decided within two months; in extensive cases, the public sector body has a further 30 days.
The simplified application process and the short decision period are to be welcomed from the point of view of the re-users, since in this way innovative, data-based solutions can also be sought for current phenomena – e.g. regarding data from the COVID-19 pandemic. However, in view of the administrative burden required for this, it remains to be seen how this administrative simplification will play out in practice.
IV. DATA INTERMEDIATION SERVICES
A. Background
Chapter III establishes a notification and supervision framework for so-called data intermediation services. According to the definition in Art. 2 (2a) DGA-draft, these are services which aim to establish commercial relationships for the purpose of data sharing between an undetermined number of data subjects and data holders, on the one hand, and data users on the other hand, through technical, legal, or other means.
The background to the regulation is the expectation that independent data intermediaries will play a key role in the data economy by contributing to the efficient pooling of data sets and facilitating the exchange of data, especially between companies, while also providing SMEs and start-ups with non-discriminatory access to the data economy. This is related to the envisaged creation of common European data spaces, i.e. sector-specific or cross-sector interoperable frameworks with common standards and procedures for data sharing, including for the development of new products and services, scientific research, or civil society initiatives (Rec. 22).
B. Concept of Data Intermediary According to the DGA-Draft Definition
With the term “data intermediary,” the DGA-draft thus aims at a new form of data sharing associated with thoroughly ambitious visions of the future. While the Commission proposal still referred to “data sharing services” throughout, the negotiated version of the DGA-draft now explicitly introduces the concept of data intermediary. Extensive additions have also been made – particularly in Rec. 22 ff. – to clarify the concept of data intermediary.
However, according to the definition in Art. 2 (2a) DGA-draft, services that aggregate, enrich, or transform data in order to add significant value to it and grant licenses for the use of the resulting data without establishing a direct relationship between data owners and data users are not to be considered data intermediation services. Also excluded are services aimed at mediating copyrighted content and services used by a data owner or by multiple legal entities in a closed group (including supplier or customer relationships) to enable internal data use (especially in the context of the Internet of Things).
C. Further Specifications in the Recitals
Rec. 22a provides some practical examples of services that should or should not be considered as data intermediation services. No data intermediation services are the provision of cloud storage, analytics or file sharing software, web browsers or browser plug-ins, and email services, as long as such services only provide technical tools to share data with others but are not used to establish a commercial relationship between data holders and data users. In contrast, examples of data intermediation services include data marketplaces where companies can make data available to third parties, data sharing organizers in European data rooms that are open to all interested parties, and data pools that are set up by several legal or natural persons in such a way that the possibility of using the pool results from the own contribution to it.
Although the term “data intermediary” has been somewhat clarified by these additions, numerous difficulties of delimitation are likely to continue to arise in practice. For example, the European map service provider “Here Technologies” raised the concern that data sets offered to businesses – i.e. navigation services and high-resolution maps – could fall under the DGA-draft, which could require the separation of domains and the interposition of a data intermediary. Although the aforementioned case is likely to correspond to one of the exceptions in Art. 2(2a) DGA-draft, as the data are processed in a value-added manner, the example illustrates the uncertainty in applying the vague concept in practice.
D. Registration Requirement and (Extended) List of Obligations
Art. 9 DGA-draft establishes a control mechanism for data intermediation services, which can be summarized as a notification requirement and ex-post supervision. Art. 10 DGA-draft provides for a formal notification procedure and Art. 11 DGA-draft for material requirements, including the preservation of the purpose of the data, the process and price design, the format and transformation of the data, measures for fraud prevention, insolvency protection, technical, legal, and organizational measures to prevent unlawful transfers, and security measures for storage.
The conditions have been extended in the course of the trilogue discussions. For example, Art. 11(4a) DGA-draft now stipulates that data intermediaries may, with the consent of data holders, offer additional services that serve to facilitate data exchange, such as temporary storage, curation, conversion, anonymization and pseudonymization. Although this makes sense from a practical point of view, it will probably raise numerous detail questions, particularly with regard to the definition of data intermediary in Article 2 (2a) (a) DGA-draft, according to which the aggregation, enrichment or transformation of data is to be regarded as an exclusion criterion. Furthermore, the interoperability with other data intermediaries shall be ensured through the use of general standards (Art. 11 (6a) DGA-draft) and a log of the intermediation services is to be prepared (Art. 11 (11a) DGA-draft).
E. Supervisory Framework
Data intermediation services do not require regulatory approval. Nevertheless, to the extent that a violation of Art. 10 or 11 DGA-draft has been established, the competent authority may order the termination of the service or impose “dissuasive fines” (Art. 13 (4) DGA-draft). To ensure law enforcement, providers must be established in the EU or designate a legal representative in the EU (Art. 10(3) DGA-draft). In addition, private enforcement by data owners, users or competitors may also be considered.
F. Assessment
The strict obligations for data intermediaries and the notification and supervision framework leave a mixed impression. On the one hand, one could assume that they create trust in data intermediaries and prevent misuse of the data trustee model. On the other hand, imposing additional stricter requirements than already exist in data privacy and IT security law may potentially inhibit innovation. Indeed, one can doubt whether the regulations on data intermediaries will be understood in practice as an incentive to share data. Even if the regulatory approach may counteract any misuse of the data trustee model, the question arises as to whether this could not have been better achieved with a voluntary certification system that is linked, for example, to certain privileges under data protection law. It therefore remains to be seen whether the DGA-draft will boost the market for data intermediaries, in view of rising compliance costs and limited scope for new business models.
V. DATA ALTRUISM
A. Concept
As another major topic, Chapter IV regulates so-called data altruism. Data altruism, according to the definition in Art. 2(10) DGA-draft, is the voluntary sharing of data on the basis of data subjects’ consent to the processing of personal data relating to them or the permission of other data controllers to use their non-personal data free of charge for purposes of general interest. The DGA-draft cites as examples of such purposes: health care, combating climate change, improving mobility, facilitating the production of official statistics, improving public services, shaping public policy, or scientific research purposes in the general interest.
B. Recognition as a Data Altruistic Organization
Pursuant to Art. 16 et seq. legal entities that strive to promote the aforementioned objectives may register as “data altruistic organizations recognized in the Union.” The prerequisite is that these organizations operate on a non-profit basis and are legally independent, and also fulfill extensive transparency and record-keeping obligations, for example with regard to data processing, purpose tracking and sources of income. Rec. 36 lists further requirements, e.g. a secure processing environment and the establishment of ethics councils, which, however, have not found their way into the enacting terms of the DGA-draft and whose enforceability therefore appears to be questionable.
According to Article 15 of the DGA-draft, registration allows the organization to use the designation “data altruistic organizations recognized in the Union” (including a corresponding logo), which essentially offers the advantage of a de facto leap of faith. In addition, registered data altruistic organizations are exempt from the rules on data intermediaries (Art. 14 DGA-draft). According to Art. 15 DGA-draft, the competent authority keeps a register of recognized data altruistic organizations and can remove the respective organization from the register in case of violations (Art. 21). There are no more severe sanction options, which is to be understood against the background that data altruistic organizations may also operate without registration, but then may have to comply with the conditions for data intermediaries.
C. Member State Funding and Data Altruistic Rulebook
Added in the trilogue discussions is Art. 14a DGA-draft, according to which member states can also promote data altruism by creating a framework in which data subjects can altruistically share such data that is stored with public service providers; in Germany, this is already the case with the electronic patient file (Section 363 (1) SGB V). Furthermore, Art. 19a DGA-draft was introduced, which requires the Commission to issue a “rulebook” setting out further requirements. These relate to information requirements for the consent of data subjects or the permission of other data holders, appropriate security requirements to ensure an adequate level of security for data storage and processing, multidisciplinary “communication roadmaps” to raise awareness among the relevant stakeholders, and recommendations on interoperability standards. According to Art. 19a (2) DGA-draft, the “Rulebook” is to be drafted in cooperation with data altruistic organizations, but at the same time compliance with it is to be a prerequisite for recognition as a data altruistic organization according to Art. 16 DGA-draft (after an 18-month implementation period). It is highly doubtful whether such an additional “rulebook” is necessary – at least to the extent that it not only specifies existing obligations (such as information obligations under the GDPR), but also creates entirely new ones.
D. European Consent Form
In order to facilitate the consent of data subjects, which is often required for altruistic data collection, Art. 22(1) DGA-draft provides that the Commission – in consultation with the European Data Protection Board as well as the European Data Innovation Board to be created (on the latter see below) – shall adopt implementing acts establishing a European consent form. In terms of content, Article 22(2) DGA-draft specifies that the consent form should follow a modular approach so that it can be adapted to specific sectors and for different purposes. According to Art. 22(4) DGA-draft, the form shall be provided in a form in which it can be printed on paper and is easily understandable, as well as in electronic, machine-readable form. Conversely, it follows from Art. 22(3) DGA-draft that the form not only applies to consents under the GDPR but can also be used for permissions regarding non-personal data.
E. Assessment
Thus, it is clarified that consent is also required for data use for altruistic purposes, which therefore must meet all requirements of the GDPR (including purpose limitation and the possibility of withdrawal at any time). This will put a significant burden on organizations trying to pursue altruistic objectives. At least, the consent form offers the advantage of obtaining consent in all member states in a uniform format, which should serve legal certainty. The question of the extent to which the form published by the Commission can also be used as a model for consent declarations outside the scope of the DGA-draft is also likely to be interesting. Rec. 39 p. 4 DGA-draft provides for the possibility of sector-specific adjustments of the consent form, which might indicate its use in different fields of application.
VI. EUROPEAN DATA INNOVATION BOARD AND FURTHER ISSUES
A. Creation of a European Data Innovation Board
Art. 26 DGA-draft provides for the establishment of a “European Data Innovation Board” in the form of an expert group composed of, among others, representatives of the Member State authorities, the European Data Protection Board and other European institutions and expert bodies. The European Data Innovation Board has the tasks set out in detail in Art. 27 DGA-draft. These include advising and assisting the Commission in developing a consistent practice with regard to the topics of the DGA-draft and developing guidelines (in particular with regard to the creation of common European data spaces). Particularly because many of the provisions of the DGA-draft are rather general, the Innovation Board can be expected to be of great importance in interpreting the DGA.
B. Third-Country Access and Transfers
In the final provisions in Chapter VIII, the DGA-draft contains general provisions relating to the protection of non-personal data in the context of official or judicial third-country access and transfers. According to these, all addressees of the DGA-draft must take appropriate technical, legal, and organizational measures to prevent the transfer of or access to non-personal data stored in the Union if such transfer or access is contrary to Union law or the law of the Member State concerned (Article 30(1) DGA-draft). Corresponding transfers are to be permitted only if they can be based on an international agreement in force, such as a mutual legal assistance treaty, (Art. 30(2)), or if certain rule of law criteria listed in Art. 30(3) DGA-draft are met in the third country concerned.
VII. CONCLUSION
The DGA-draft is intended to represent a first approach to the creation of an EU single market for data. However, the extent to which this will actually advance the European data economy remains to be seen – especially after the trilogue discussions. In view of the numerous (additional) obligations that the DGA-draft imposes on public bodies, data intermediaries and data altruistic organizations that are basically willing to share, one may well raise the question as to whether this will not rather have the opposite effect. This applies in particular to the notorious exclusion of data protection law. The existing data protection rules under the GDPR create imponderables in many respects. This concerns, for example, the relevant legal basis (legally disputed data contract or consent with the risk of withdrawal at any time), the role of the actors under data protection law (legal substitutes outside Art. 80 GDPR) or structural contradictions (data minimization vs. interest in extensive data pools). There is no shortage of proposed solutions for this. These range from facilitating consent (e.g. reducing formal requirements, enabling “broad consent” and waiving withdrawal to a certain extent), creating area-specific exceptions under Art. 2(2) or 85 of the GDPR, or introducing voluntary certifications leading to more extensive processing possibilities under data protection law. However, these proposals have not been considered for the DGA-draft. Therefore, legal uncertainties remain that slow down the envisaged creation of European data spaces.
[1] Dr. Paul Voigt is Partner at Taylor Wessing in Berlin, Germany. Daniel Tolks is Attorney at Taylor Wessing in Berlin, Germany.
[2] Directive 2003/98/EC on the re-use of public sector information.