It’s been almost a year since the European Union’s executive proposed legislation aimed at encouraging widespread sharing and reuse of industrial data and protected public sector data-sets — such as health data, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills.
On Thursday the bloc’s co-legislators reached an agreement on the DGA after trialogue discussions — paving the way for formal adoption once the Council and Parliament vote to approve the final text.
The Data Governance Act (DGA) is intended to create a standardized framework of trusted tools and techniques to encourage data reuse — by setting “secure and privacy-compliant conditions” for sharing data, as the Commission presented it.
The hope is also that legislation will lead to the creation of common data spaces across strategic domains to support R&D.
Key components of the plan include the creation of a network of trusted and neutral data intermediaries; and an oversight regime to ensure conditions are being complied with — comprised of national monitoring authorities and a new advisory/steering body (aka, the European Data Innovation Board).
The legislation will also bring in international data transfer rules for non-personal data. (Such rules already exist — at least on paper — covering the export of personal data from the EU under the General Data Protection Regulation.)
Getting a political agreement is typically the most challenging component of EU law-making.
Although the final text of the DGA will still need to be approved by the Council and Parliament before it’s formally adopted. (And, in terms of wider timeframe, the new rules will apply 15 months after the entry into force of the regulation — so likely not before 2023.)
In a press release on the provisional agreement, the Council of the EU said: “[N]egotiators from the Council and the European Parliament reached a provisional agreement on a new law to promote the availability of data and build a trustworthy environment to facilitate its use for research and the creation of innovative new services and products.”
“The [DGA] will create a mechanism to enable the safe reuse of certain categories of public-sector data that are subject to the rights of others. This includes, for example, trade secrets, personal data and data protected by intellectual property rights. Public-sector bodies allowing this type of reuse will need to be properly equipped, in technical terms, to ensure that privacy and confidentiality are fully preserved,” the Council added.
An earlier Open Data Directive, from 2019, does not cover the data types being legislated for here.
EU lawmakers believe Europe has a major advantage in industrial data — and want the DGA to create conditions that will encourage widespread data sharing and reuse. (A Data Act is also incoming which will propose measures intended to encourage business-to-business data sharing and business-to-government data sharing.)
The Commission has also been pushing the notion of “data altruism” and data sharing for the common good, although the overarching goal for the DGA is to foster the development of regional AIs to stoke economic competitiveness and growth.
“Businesses, both small and large, will benefit from new business opportunities as well as from a reduction in costs for acquiring, integrating and processing data, from lower barriers to enter markets, and from a reduction in time-to-market for novel products and services,” it suggests in a Q&A on the DGA.
At the same time the Commission has suggested that the creation of common European “data spaces” in sectors like manufacturing and health will help advance research — which could lead to cures for rare or chronic diseases or at least support evidence-based policymaking and foster other types of societally beneficial developments.
So the DGA co-mingles purely economic goals (via opening access to data) with broad-brush notions of “data altruism” and “data for society”.
This fuzziness has raised some watchful concern among civil society groups — such as the European Consumer Organisation BEUC, which has warned that “a weak definition of altruism in this agreement could allow companies to over-use vague, altruistic grounds to push consumers to share their data”.
Weak enforcement of existing legal protections for EU citizens’ data may also work against the sought for ‘trust to share’ push.
Commenting in a statement on the trilogue agreement on the DGA yesterday, the Commission’s EVP for digital, Margrethe Vestager, avoiding citing any such concerns — merely offering a boosterish claim that: “This Regulation is a first building block for establishing a solid and fair data-driven economy.”
“It is about setting up the right conditions for trustful data sharing in line with our European values and fundamental rights,” she went on, adding: “We are creating a safe environment in which data can be shared across sectors and Member States for the benefit of society and the economy.”
Internal Market Commissioner, Thierry Breton, also stuck to the promotional script, saying the agreement on the DGA will allow the bloc to define “a common approach to data sharing”, and further suggesting: “We are facilitating the flow of growing industrial data across sectors and Member States to help Europe become the world’s number one data continent. We are doing so by building trust, putting the individuals and companies who generate data in the driving seat so they remain in control of the data they create. In a nutshell: an open yet sovereign European Single Market for data.”
In its PR, the European Parliament said MEPs secured tighter provisions on “trust and fair access” during the DGA negotiations — aimed at plugging loopholes in the legislation they said would have allowed operators from non-EU countries to abuse the scheme.
MEPs also focused on beefing up the role of the European Data Innovation Board — and on clarifying the scope of the legislation, saying they secured “precise requirements” on which services will fall under the new DGA.
Getting a better deal for SMEs and startups was another parliamentary priority, they said.
What’s been agreed?
The trilogue agreement reached yesterday includes the possibility for exclusive arrangements for the reuse of public-sector data — which the Council said will be possible “when justified and necessary for the provision of a service of general interest”.
However, the maximum duration for existing contracts will be 2.5 years and for new contracts 12 months — with MEPs writing that: “Public sector bodies will have to avoid creating exclusive rights for the re-use of certain data, and exclusive agreements should be limited… to make more data available to SMEs and start-ups.”
The co-legislators have also agreed that the Commission will set up a European single access point with a searchable electronic register of public-sector data — which will be made available via national single information points.
The EU is anticipating that the DGA will create a new business model for data intermediation services — to provide a secure environment in which companies or individuals can share data; and which will commit not to use the data for their own ends (but will be able to charge for the transactions they enable).
Such services must be listed in an EU register under the incoming rules.“For companies, these services can take the form of digital platforms, which will support voluntary data-sharing between companies or facilitate the fulfilment of data-sharing obligations set by law. By using these services, companies will be able to share their data without fear of its being misused or of losing their competitive advantage,” the Council writes.
“For personal data, such services and their providers will help individuals exercise their rights under the [GDPR]. This will help people have full control over their data and allow them to share it with a company they trust. This can be done, for example, by means of novel personal information management tools, such as personal data spaces or data wallets, which are apps that share such data with others, based on the data holder’s consent.”
EU lawmakers are hoping that having dedicated rules to govern data-sharing will encourage both companies and individuals to make data available voluntarily — for altruistic purposes such as medical research projects.
The DGA will therefore create national registers of recognised “data altruism organisations” — aka entities seeking to collect data for objectives of general interest. Such entities must agree to comply with specific rules, and (once registered) will be recognised across the EU.
“This will create the necessary trust in data altruism, encouraging individuals and companies to donate data to such organisations so that it can used for wider societal good,” the Council suggests.
The DGA will establish a voluntary certification program — with a logo — to make it easier to identify compliant providers of data intermediation services and data altruism organisations.
When the Commission proposed the DGA commissioners were closely questioned on the issue of international transfers of data. On this the Council says the Commission may (through secondary legislation) adopt adequacy decisions declaring that specific non-EU countries provide appropriate safeguards for the use of non-personal data transferred from the EU.
This mirrors procedure attached to the GDPR and covering personal data transfers to third countries.
However, the Commission’s decisions on that front have been shown lacking on a number of occasions — notably two flagship data transfers agreements with the US were struck down by the CJEU in recent years. Which has resulted in increased uncertainty and complexity around international transfers of personal data.
So, there are likely to be questions and concerns about what exactly constitutes “unlawful international transfer of or governmental access to non-personal data”, under the incoming legislation.
“These [DGA adequacy] decisions would be similar to adequacy decisions relating to personal data under the GDPR. Such safeguards should be considered to exist when the country in question has equivalent measures in place that ensure a level of protection similar to that provided by EU or member state law,” the Council writes, without delving into any detail.
It goes on to note that the EC may also adopt “model contractual clauses” to support public-sector bodies and re-users in the case of transfers of public-sector data to third countries — suggesting those that want to export data may be encouraged to follow a standardized approach.
The parliament’s PR, meanwhile, talks of the DGA setting up “common European data spaces in strategic domains” — without making any reference to the international transfer issue.
How many of the touted “European data spaces” may end up hosted in the bloc — i.e. to meet the DGA’s requirements to provide adequate safeguards for the data — isn’t clear.
Although the Commission’s line is that “the free flow of data to third countries should be ensured”.
“We want Europe to create and strengthen its data economy but there is no obligation to store and process data in the EU. Nobody will be prohibited from dealing with the partner of their choice,” it also writes, before segueing into a caveat that: “At the same time, the EU must ensure that any access to EU citizen’s personal data and certain sensitive data is in compliance with its values and legislative framework.”