EU: Non-personal data transfers under the DGA and the Data Act
In the past year, the proposal for a Regulation on Harmonised Rules on Fair Access to and Use of Data ('the Draft Data Act') (which was published by the European Commission ('the Commission') on 23 February 2022) and the Data Governance Act ('DGA') (approved by the European Council on 16 May 2022, whose provisions will apply 15 months after its entry into force) have become two important and highly anticipated pieces of EU legislation.
In this Insight article, the data expert Gonzalo Muelas assesses the goals of both legislative proposals, focusing particularly on the potential effects on international data transfers and, accordingly, cross-border trade regarding data processing activities.
"I love the way it flows
I love the way it grows
You can't take this away from me"
Despite these catchphrases being extracted from the beginning of Tom Misch's classic 'It Runs Through Me', they could also speak for European politicians while referring to the intangible potential of personal and non-personal data.
The proactive approach adopted by the Commission in attempting to make the EU ready for the digital age has recently been complemented by the legislative initiatives adopted by the European Parliament aimed at implementing their data strategy.
The aforementioned regulatory willingness stems from the revelatory conclusions and recommendations provided in 'Towards a European strategy on business-to-government data sharing for the public interest: Final report prepared by the High-Level Expert Group on Business-to-Government Data Sharing' ('the final report')1. The final report contains interesting figures on the relevance of data for European economic growth, competitiveness, job creation, and societal progress in general. For instance, for 2025, the final report projects:
- a 530% increase of global data volume, from 33 zettabytes in 2018 to 175 zettabytes;
- a growth of value of the data economy to over €829 billion by 2025, representing 5.8% of the overall EU GDP, compared to €301 billion in 2018; and
- a rise of data professionals from 5.7 million in 2018 to 13 million in 2025.
These estimates have highlighted the need to adapt current legislation in order to be able to make proper use of all this information.
Both legislative initiatives, the Draft Data Act and the DGA ('the Acts'), have been developed with the fundamental objective of promoting the availability of data and creating a reliable environment that facilitates its use for research and the creation of new innovative services and products. They are relevant components of a bigger legislative plan, the European Data Strategy2, which aims to strengthen the data economy.
Notwithstanding the foregoing, the legislative route is not the only one promoted by the Commission, as they have recently approved the investment of €2 billion in a European High Impact Project to develop data processing infrastructures, data exchange tools, architectures, and governance mechanisms for a thriving data exchange.
Independently common goals
Despite the fact that both legislative proposals have been conceived for the common goal of creating a data flowing territory, there are evident differences between the approaches adopted by each of them as recognised by the European Council in its press release3. In particular, in the Commission's own words, 'while the Data Governance Regulation creates the processes and structures to facilitate data, the Data Act clarifies who can create value from data and under which conditions'.
On the one hand, the Draft Data Act aims to maximise the value of data in the economy by ensuring that a wider range of stakeholders gain control over their data, and that more data is available for innovative use, while preserving incentives to invest in data generation by regulating:
- measures to increase legal certainty for companies and consumers who generate data on who can use what data and under which conditions;
- incentives for manufacturers to continue investing in high-quality data generation;
- mechanisms that ensure that both individuals and businesses have more control over the data they generate through their use of smart objects, machines, and devices, thereby allowing them to enjoy the advantages of the digitisation of products; and
- measures to ensure that the users are able to transfer data to and between service providers, which encourage more actors, regardless of their size, to participate in the data economy4.
On the other hand, the DGA refers to a set of rules and means to use data in a secure way, including through trusted third parties. The DGA, which introduces amendments to Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 establishing a single digital gateway to provide access to information and Regulation (EU) No 1024/20125 (one of the first regulatory proposals aimed at establishing the Single Digital Gateway), attempts to ensure that Member States' actions on data are aligned to create a single European market for data.
The main goal of the DGA is to enable data to move freely within the internal market and to build trust in order to facilitate access to data. In order to achieve such a demanding goal, a number of measures have been regulated through the DGA, including:
- the re-use of protected public sector data;
- a framework to monitor compliance of data intermediaries;
- provisions to facilitate data altruism; and
- the creation of the European Data Innovation Board.
In conclusion, despite the differences found within the scope of each of the laws, and taking into consideration their nature, scope, and content, it could be held that the DGA and the Draft Data Act are closely related and perfectly complementary.
How these legislative initiatives fit in with the GDPR
The Commission recognises that the public sector collects large volumes of data at the expense of public budgets, and that it should benefit society by making it reusable. However, amongst these sets of data, we may find not only non-personal data, but also data that could identify a natural person or make it identifiable. This brings to the table a debate on how these Acts complement privacy legislation.
It could be held that while the restrictions do not apply to personal data (as the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') already contains more extensive restrictions), they may still be of relevance at the time of assessing how data should be used by a re-user that was granted access to such data by the public sector. This is evidenced by the fact that the Commission's proposals evidently borrowed extensively from the GDPR, especially in relation to the Acts' fundamental concepts (e.g. its risk-based approach, minimisation principle, and similar definitions).
In fact, if we take a closer look at the definition of data established in the DGA6, it may be concluded that the GDPR and the Acts apply simultaneously. This conclusion is further justified by the fact that the recitals and provisions of the Acts indicate on several occasions that they are 'without prejudice' to the application of the GDPR, among other applicable legislations.
Even though the Acts extensively attempt to regulate the access and use of data, these are not per se privacy legislation. Consequently, their provisions leave unaltered the rights and obligations under the GDPR which apply to personal data, and, consequently, they should be analysed separately to the privacy norms.
The five commandments on international access to data
In particular, there are certain provisions that have created uncertainty at the time of assessing how companies should deal with a third party located outside of the EU asking to access non-personal data. To ease the interpretation of the new regulatory paradigm, we have summarised in five commandment-like phrases the aspects that should be taken into consideration at the time of conducting an international transfer of data.
Honour the information (securely)
Article 30(1) of the DGA imposes a general obligation on any company (public or private) which is willing to re-use data (including the data-sharing provider or the entity entered in the register of recognised data altruism organisations, as the case may be) to take all reasonable technical, legal, and organisational measures in order to prevent the transfer or access to non-personal data held in the EU (in particular, where such transfer or access would create a conflict with applicable EU or local law).
You shall not take EU's data in vain
Taking the aforementioned commandment into consideration, it may be said that the non-personal data transfer restrictions may be of limited relevance. Notwithstanding the foregoing, Article 30(2) of the DGA extends these restrictions by introducing a general prohibition equivalent to Article 48 of the GDPR that entails that third-country judgments or decisions requiring access to data are only recognised in the EU if based on an international treaty.
The DGA introduces a possibility for the Commission to adopt model contractual clauses and to declare certain countries to offer adequate protection for non-personal data by taking adequacy decisions. The recitals to the DGA set out the types of factors which the Commission must consider when assessing the adequacy of the level of protection offered (which may be reminiscent of the risk-based approach required since the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II')).
Similarly, the Draft Data Act proposal includes severe restrictions on international data sharing under the scope of cloud services. In particular, cloud providers must take all measures necessary to prevent any international access or transfer of non-personal data held in the EU that would be contrary to EU or Member State laws. Third-country data access requests are only permitted if based on international agreements or if the third country's legal system affords protections that are similar to those of the Draft Data Act.
These restrictions could affect existing cloud data flows between the EU and third countries, as well as EU opportunities for new cloud-based businesses from third countries. In particular, these rules appear to be stricter than the requirements for the transfer of personal data; while the European Data Protection Board ('EDPB') has issued guidance for conducting an impact assessment regarding the transfer of personal data, the Draft Data Act appears to leave no room for either such an assessment, or for respective supplementary measures safeguarding data security, which are put in place by the data exporter7.
You shall not provide access to data unless there is a good reason
In the absence of an international agreement, any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring access to non-personal data subject to the DGA in the EU may only be recognised or enforceable in any manner if based:
- on an international agreement in force between the requesting third country and the EU; or
- any such agreement between the requesting third country and a Member State.
Additionally, the DGA expressly establishes that, where an EU company is the addressee of a decision of a court or of an administrative authority of a third country to transfer from, or give access to, non-personal data held in the EU and compliance with such a decision would put the addressee in conflict with Union law, or with the law of the relevant Member State, the transfer or access to such data by that third-country authority should take place only:
- where the third-country system requires the reasons and proportionality of the decision to be set out, and the decision is specific in character (e.g. by establishing a sufficient link to certain suspected persons, or infringements);
- the reasoned objection of the addressee is subject to a review by a competent court in the third country; and
- in that context, the competent court is empowered under the law of that country to take duly into account the relevant legal interests of the provider of the data protected by Union law or the applicable Member State law.
Furthermore, in order to empower EU companies, the DGA recognises their right to ask the opinion of the relevant competent bodies or authorities, in order to determine if these conditions are met.
You shall provide the necessary information
The DGA requires that the data holder be informed about the existence of a request of an administrative authority in a third country to access its data, except in cases where:
- the request serves law enforcement purposes; and
- for as long as this is necessary to preserve the effectiveness of the law enforcement activity.
However, what does this obligation actually entail? To sum it up, it may be said that where an international data transfer is intended:
- a re-user should notify the public sector body of the intention to transfer the non-personal data at the time that it requests the re-use of the data;
- the public sector body, in turn, must notify and request express consent to the parties who may be affected by this;
- unless a situation falls within one of the exemptions expressly recognised in the DGA, the provider must also notify the data holder of the request; and
- providers of intermediation services, or data altruism services, which relate to non-personal data will therefore have to use transfer risk assessments and processes for dealing with public authority requests to access data.
Respect highly sensitive data
In addition, the DGA introduces additional restrictions for certain categories of non-personal data which pose a high risk, identified as 'highly sensitive' (Article 11 and Recital 19 of the DGA) by Union law or other sectoral legislation.
In order to ensure the effectiveness of the DGA, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union ('TFEU') should be delegated to the Commission which will supplement it by laying down special conditions applicable to transfers to third countries of certain non-personal data categories deemed to be highly sensitive in specific legislative acts and by establishing a rulebook for recognised data altruism organisations.
Additionally, international transfers of such data may be subject to even stricter conditions in the event that it is considered to jeopardise public policy objectives (such as public health, public order, privacy, and personal data protection).
Potential operational challenges for organisations vis-à-vis Schrems II
The aforementioned restrictions on international transfers of non-personal data have been apparently modelled after the applicable regime at the time of conducting a data transfer of personal data under the scope of the GDPR. It is questionable whether this 'transposition' of the currently applicable data protection norm to the realm of non-personal data is actually justified - in particular, taking into consideration the restrictive approach followed by this latter norm.
However, one aspect is not debatable: the introduction of safeguards for the transfer of non-personal data will pose an interesting challenge for organisations, many of which are still evaluating the impact of the Schrems II decision.
This notion, in itself, is likely to be controversial as the sector is still unaware of where this new paradigm leaves workarounds on which businesses conventionally rely to manage restrictions imposed by the GDPR (e.g. the anonymisation of data). Organisations could find themselves in a situation where applying anonymisation techniques could ensure that they avoid the rigorous data transfer rules demanded under the scope of the GDPR; nonetheless, that same transfer could be subject to the rules of the Draft Data Act (which, as already mentioned, under certain circumstances could entail stricter restrictions).
At this point, it is clear that, by the inclusion of an additional layer of regulated data, the European legislator is urging organisations based in the EU territory to appoint privacy professionals and implement additional resources to ensure that a unified privacy and data governance programme is implemented. The new scheme requires organisations to put in place strong data discovery and mapping processes to identify this data and how it is being used, which may in practical terms render an international data transfer impracticable.
Current situation and what comes next
The German Member of the European Parliament ('MEP') of the European People's Party, Angelika Niebler, who took an active role in the development of the legislation within the Parliament, recently acknowledged, "some companies don't even know what can be done with the data from, for example, their industrial machines. Through increased data exchange, new business models can emerge, greater efficiency can be achieved or products can be improved".
This statement serves as an argument for the new legislative proposals. In fact, according to the Commission's own data, the new rules are expected to create €270 billion of additional GDP for EU Member States by 2028 by addressing the legal, economic, and technical issues that lead to data being under-used.
Despite the uncertainty as to whether these predictions will finally materialise, by having more information, consumers and users will be in a position to make better decisions (e.g. jet engines filled with thousands of sensors collect and transmit data to ensure their efficient operation or wind farms use industrial data to reduce visual impact and optimise wind power) or to save costs (e.g. real-time traffic avoidance navigation can save up to 730 million hours and €20 billion in labour costs).
As the Commission emphasised in a recent communication on the occasion of the review of the GDPR, its provisions 'help to foster trust-worthy innovation, notably through its risk-based approach and principles such as privacy by design and by default'. This is precisely the approach followed by the new proposals: establishing the bases of a regulatory model based on the protection of the rights and interests affected, thus facilitating the optimal legal conditions that will allow the re-use of public sector information to be promoted with the appropriate guarantees.
Now that the potential impact of the Acts and the rationale are understood, the following part considers that their success over the next years will be mainly conditioned upon three main aspects:
The role of the control authorities
Although they are empowered to do so by the recitals of the DGA, it is still uncertain whether the data protection authorities will take an active role in ensuring that the regulatory requirements are met. In addition to this, one of the crucial issues that should be faced by the Commission as soon as possible consists in the establishment of a European Data Innovation Board as it will be in charge of issuing guidelines on the development of personal data spaces, as well as adopting acts in accordance with Article 290 of the TFEU to establish special conditions applicable to the transfer to third countries of certain categories of non-personal data considered to be highly sensitive.
The implementation of fines
Article 31 of the DGA, similarly to Article 83 of the GDPR, states that fines are to be set and implemented by each Member State so that they are 'effective, proportionate and dissuasive', which is the reason why the local 'transpositions' will take relevance at the time of ensuring the success of the Acts. Unlike the GDPR, the DGA does not prescribe the specific amounts and weighting factors applicable to the corresponding monetary sanctions.
Complementary regulatory action
Although the proposal contemplates a future sharing of data between sectors, a crucial element in opening up the opportunity for improved products and services is adequate complementary legislative action.
Although these obligations may be a lot to process for the data owners, the party is not over, and the Commission is planning further regulatory initiatives that may complement the actual regulatory environment deployed by the Acts. In particular, in the past weeks the Commission has published a proposal for a regulation establishing a list of so-called high-value datasets, which develops the provisions of Directive (EU) 2019/1024 on Open Data and the Re-use of Public Sector Information, whose main objective is to establish this list of high-value datasets to ensure that public data with the highest socio-economic potential are available, via Application Programming Interfaces ('APIs'), for re-use with a minimum of legal and technical restrictions and free of charge.
Gonzalo Muelas Data Expert
1. Available for download at: https://ec.europa.eu/newsroom/dae/document.cfm?doc_id=64954
2. Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020DC0066
3. Available at: https://www.consilium.europa.eu/en/press/press-releases/2022/05/16/le-conseil-approuve-l-acte-sur-la-gouvernance-des-donnees/
4. See at: https://multimedia.europarl.europa.eu/en/video/x_N01_AFPS_220404_BDAT
5. Available at: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex:32018R1724
6. Article 2(1) of the DGA defines data as 'any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording'.
7. See at: https://edpb.europa.eu/system/files/2021-06/edpb_recommendations_202001vo.2.0_supplementarymeasurestransferstools_en.pdf