On 25 November 2020, the European Commission published a proposal for a regulation on data governance (see here) and a related Q&A (see here). The texts are part of the European Strategy for Data published (and launched) by the Commission on 19 February 2020 (see here). This strategy should enable the European Union (EU) to strengthen its competitiveness and its digital sovereignty to become a major player in and of the data economy. EU aims to create a single European market for data, in order to guarantee their free circulation, share and re-use for the benefit of individuals, companies, researchers and/or public administrations. This cannot be done outside any regulatory framework, respecting the EU values. The proposed regulation has the difficult task to develop a data market that gains the trust of all stakeholders.
On 1 October 2021, the Council of the European Union agreed position on Data Governance Act (see here). That will allow the Council presidency to start negotiations with the European Parliament. Both the Council and the European Parliament will need to agree on the final text.
Scope of application and impact on the GDPR
The proposal deals with data governance. However, this key concept is not defined in the text but well in the Q&A: “[d]ata governance refers to a set of rules and means to use data, for example through sharing mechanisms, agreements and technical standards. It implies structures and processes to share data in a secure manner, including through trusted third parties”.
The concept of “data” is defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording”. This broad definition encompasses the concept of personal data, i.e. “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (article 4(1) GDPR).
The European Commission is fully aware of the risks that this new text may present in terms of articulation with the GDPR. This is why, on several occasions, it indicates that the draft regulation is without prejudice to GDPR. In other words, the proposal (a general regulation) strengthens personal data protection (a specific regulation). In consequence, the requirements of the GDPR should prevail when data falling within the definition of personal data.
The key content of the proposed regulation on data governance
The aim of the European Commission is to develop trustworthy systems to share, re-use and process data. To achieve it, several sets of measures are taken.
1. The proposal of regulation provides for mechanisms to facilitate the re-use of data held by public sector bodies that cannot be made available as open data because they are protected on grounds of commercial or statistical confidentiality, protection of intellectual property rights, or protection of personal data. It prohibits to grant exclusive rights on these data or to restrict their availability preventing their re-use.
The re-use of this data (that may be subject to a fee) must comply with some conditions: for example, it has to be “non-discriminatory, proportionate and objectively justified with regard to categories of data and purposes of re-use and the nature of the data for which re-use is allowed”. These conditions guarantee in particular that the right to privacy of the persons concerned by these data is respected, as well as any intellectual property rights.
2. Other requirements relate to data sharing services and their providers. Data sharing means “the provision by a data holder of data to a data user for the purpose of joint or individual use of the shared data, based on voluntary agreements, directly or through an intermediary”. Among others, the providers “shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory” and take procedures to “prevent fraudulent or abusive practices in relation to access to data from parties seeking access through their services”. Some data sharing services shall also be subject to a notification procedure.
3. Data altruism means “the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services”. The proposal introduces a common European data altruism consent form in order to facilitate the collection of data based on data altruism.
Data altruism organisations are recognised and registered by national authorities. That imply that the organisations (i) are legal entities acting in the general interest, (ii) operate on a non-profit basis, and (iii) perform activities related to the data altruism independently. These organisations must comply with transparency requirements (that are monitored by the national authorities) by keeping full and accurate information records and providing to the data subjects guarantees and information.
4. The national competent authorities have to be independent, impartial and transparent in the exercise of their tasks. One of their function is to receive complaints against providers of data sharing services or entities entered in the register of recognised as data altruism organisations.
On a European level, the proposal of regulation creates a European Data Innovation Board composed of representatives of national competent authorities. The board has mainly to (i) advice the European Commission on the regulation and (ii) facilitate the coordination between the national authorities.
The proposed regulation on Data Governance must now be discussed, negotiated and voted on by the European Parliament and the Council of Ministers. It constitutes a first draft that will perhaps be amended. The text remains very interesting in the context of the development of the European data strategy. It proposes a new legal framework for the data with a broader scope of application than GPDR. It is clear that the future adoption of the proposal will lead to many questions regarding its exact relationship with GDPR. The proposal also seems to have to be understood as giving new economic and social opportunities, in particular for businesses. From this point of view (at least), it is therefore interesting to follow the future developments of the text, until its final adoption.
This article was co-authored by Edouard Cruysmans in his capacity of Professional Support Lawyer at Stibbe.