Data Governance Act Proposal

Authors: Jesper Nevalainen and Anna Mäkinen

On the date of publication of this blog post, Europe is celebrating the annual European Data Protection Day. Although some significant developments have taken place in relation to the General Data Protection Regulation over the past 12 months, not the least of which the EUCJ decision in the so-called Schrems II case (which was summarised in our earlier blog post Schrems II: Privacy Shield Declared Invalid by the CJEU of 16 July 2020) and the European Data Protection Board’s subsequent recommendations 1/2020 on measures that supplement transfer tools, we make an attempt in this blog post to summarise the Commission proposal for a Data Governance Act, which is deemed to be significant in its own right but also and especially from the perspective of data protection.  

The European Commission published a proposal for the Data Governance Act on 25 November 2020. The proposal is a part of the 2020 European Strategy for Data, and it complements the Open Data Directive, which governs open data and the re-use of public sector information that is not subject to rights of others. The proposal aims to foster data-driven innovation for the benefit of EU citizens in accordance with the vision of the European Strategy for Data concerning a single market for data. The proposed regulation aims to increase the availability of data for use by reinforcing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU. The proposal does not aim to grant, amend, or remove any of the substantial rights on access and use of data.

The key features addressed in the proposed regulation are:

Making public sector data available for re-use in situations where such data is subject to rights of others

• The proposed regulation aims to create a mechanism for re-using certain categories of protected public sector data that is subject to rights of others (mainly rights concerning the protection of personal data, but also with regard to the protection of intellectual property rights and commercial confidentiality). The provisions in the proposal provide for a set of harmonised basic conditions under which the re-use of such data may be allowed (for instance the requirement of non-exclusivity). The mechanism is without prejudice to the sector-specific EU legislation on access and re-use of this data, i.e. the mechanism does not in itself create rights to access and re-use. Public sector bodies allowing this type of re-use would need to be technically equipped to ensure that data protection, privacy, and confidentiality are safeguarded.

Sharing of data among businesses against remuneration in any form

• The proposed regulation aims to increase trust in sharing personal and non-personal data and to lower transaction costs in connection with B2B data sharing by introducing a notification system for data sharing providers. These providers will have to comply with a set of requirements, such as ensuring adequate security safeguards and remaining neutral with regard to the exchanged data. The providers are not allowed to use such data for other purposes.

Allowing personal data to be used with the help of a ‘personal data-sharing intermediary’ designed to help individuals exercise their rights under the GDPR

• In case the data sharing providers offer services for natural persons (C2B data sharing), they must adhere to the additional criterion of acting in the individual’s best interest when assisting the individual in connection with the exercise of the individual’s rights. This approach is intended to ensure that data sharing services function in an open and collaborative manner. It is also designed to empower natural and legal persons by giving them greater overview of and control over their data.
• A competent authority appointed by the Member States will be responsible for supervising compliance with the requirements connected to the provision of data sharing services.

Allowing data use on altruistic grounds

• The proposal aims to facilitate the use of data on altruistic grounds (data altruism refers to data made voluntarily available by natural and legal persons for the common good).
• The proposed regulation establishes the possibility for organisations to register as a ‘Data Altruism Organisation recognised in the EU’ in order to increase trust in their operations concerning data altruism.
• A common European data altruism consent form will be developed to lower the costs of collecting consent and to facilitate portability of the data (where the data to be made available is not held by the individual).

Additional provisions

• The proposal also sets out the requirements for the operations of the competent authorities appointed to implement and supervise the notification framework for data-sharing service providers and entities that engage in data altruism. It also contains provisions on the right to lodge complaints against the decisions of such bodies and on the means of judicial redress.
• The proposed regulation establishes a formal expert group, the European Data Innovation Board. The expert group will focus on the development of best practices used by the Member States’ authorities, and support and advise the Commission on the governance of cross-sectoral standardisation and preparation of strategic cross-sector standardisation requests.