EU: European Commission's proposal for a new Data Governance Act
According to the 'European data strategy,' in 2025 the amount of data generated by public bodies, businesses, and citizens is expected to be five times that of 2018. In a digitalised world that has taken data 'as the fuel to keep the engine running,' this exponential growth is being closely overseen by regulatory bodies, in order to be able to use such data while protecting the various rights and interests at stake. As a response to that scenario, the European Commission intends to pass a set of rules allowing organisations to use those huge amounts of data in a lawful and advantageous manner in order to encourage the development of the 'European Data Economy,' which ultimately will boost the 'Digital Single Market.' This set of rules has been translated into the Commission's Proposal for a Regulation on European Data Governance ('the Act Proposal'). Rafael García del Poyo, Samuel Martinez, and Mario Gras, Partner, Senior Associate, and Associate respectively at Osborne Clarke LLP, provide a brief overview of the Act Proposal and how it may affect data altruism and data sharing service providers, among others.
Re-use of public sector data
Firstly, this new piece of legislation seeks to set rules on the re-use of data held by public sector bodies. Although the Commission already published a Directive on open data and the re-use of public sector information in 2019, only data free from third-party rights (e.g., intellectual property, confidentiality, or personal data protection regulations) would fall under the scope of application of such Directive, so a great part of the data managed by public sector bodies would currently be left out.
In the Act Proposal, the re-use of data held by public sector bodies is governed by a series of obligations, among others:
- a general prohibition to set exclusive agreements for the exploitation of such data;
- a set of principles of proportionality, non-discrimination, and objective justification regarding the conditions imposed by public bodies for re-use of data; or
- the possibility for public bodies to impose specific requirements to access and process the data, either within a secure processing environment provided and controlled by the public sector, or within the physical premises in which the secure processing environment is located if remote access may jeopardise rights or interests of third parties.
Moreover, where feasible without undertaking disproportionate costs, the Act Proposal envisages the obligation for public bodies to support data re-users by seeking consent from data subjects or permission from legal entities in cases where the re-use of data cannot be granted according to the requirements laid down in the Act Proposal, or if no other legal basis under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') can be provided. In return for the re-use of such data, public bodies may charge non-discriminatory, proportional, fair, and objectively justified fees.
Data sharing service providers
On a separate note, requirements applicable to data sharing services provided by private entities (except for non-profit organisations) are detailed by the Act Proposal, establishing a regulatory supervision regime for these services in the form of a notification procedure, and the minimum contents thereof. Data sharing service providers are prohibited from using the data for purposes other than providing the services, and they may only use metadata collected for the development of that service (e.g., biometric data to train a facial-recognition algorithm).
In addition to having in place procedures to prevent fraudulent or abusive practices, as well as adequate technical, legal, and organisational measures ensuring a high level of security for the storage and transmission, data sharing service providers providing tools for obtaining consent of data subjects or permission to process data made available by legal persons shall have to specify the jurisdictions where the data will be used. Compliance with these requirements shall be overseen by the supervisory authorities designated by Member States, which will have specific powers to require cessation of the services provided by data sharing service providers, as well as dissuasive financial penalties (including periodic penalties with retroactive effect).
The Act Proposal also goes on to regulate the possibility for certain organisations to practise data altruism, requiring such organisations to be listed in a register held by the designated national supervisory authority (which may not necessarily be the same as the one designated for data sharing services), maintaining certain transparency requirements, and providing information to data subjects and legal entities regarding the safeguard of their rights and interests.
Monitoring of data-altruism-related obligations carried out by the designated supervisory authority may include information requests for compliance verification, requirements for cessation of infringement of obligations laid down by the Act Proposal, and ultimately an organisation losing the possibility to refer to itself as a 'data altruism organisation recognised in the Union' and being removed from the register of recognised data altruism organisations.
In order to facilitate tools for organisations to collect data based on data altruism, the Commission may develop a European data altruism consent form in the future, allowing provision of consent in a modular approach that will consider various sectors and purposes in a uniform format applicable across Member States. The consent form would also endow data subjects with the possibility to withdraw their consent at any time where personal data is provided.
Remedies and the European Data Innovation Board
The Act Proposal provides the possibility for natural and legal persons to lodge a complaint before the designated authority or authorities, regarding both data sharing services and data altruism organisations, and to obtain an effective judicial remedy in case of failure to act on one of these complaints, or in relation to final decisions taken, either on the notification regime applicable to data sharing services, or in relation to the monitoring of data altruism entities.
The final relevant point of the Act Proposal to be addressed envisages an obligation for the Commission to establish a European Data Innovation Board composed of representatives of competent authorities of all the Member States, the European Data Protection Board ('EDPB'), the Commission, and other representatives from authorities and entities closely related to management of data.
The tasks of the Board shall consist in advising and assisting the Commission in relation to consistent practices regarding public sector bodies and data sharing service providers, cross-sector standards and best practices, enhancing the interoperability of data, as well as facilitating the cooperation between national competent authorities.
At this point, it seems clear that it is the intention of the Commission to set fair rules for the need to use data in the context of the digital society, and that organisations will profit from having a regulatory framework that will permit them to use data in a lawful manner. However, the Act Proposal may require organisations to undertake a process of identification of requirements and a review of their compliance programmes (in a scenario similar to the one that arose when the GDPR finally came into force) which hopefully shall not be too burdensome.