The EU's Data Governance Act just part of data sharing puzzle

Out-Law Analysis | 16 Dec 2020 | 3:31 pm | 8 min. read

The proposed new EU Data Governance Act (DGA) is a positive step towards to enabling data-driven innovation.

It has the potential to revolutionise data sharing between organisations to the benefit of businesses and society more generally.

The draft Act, outlined by the European Commission, is designed to break down barriers to data sharing – from concerns around compliance with data protection laws and breaches of confidentiality or intellectual property rights, to fears from those generating data that others may derive value from it where they have been unable to. However, it is just one piece in a wider puzzle of EU law governing data that businesses will have to factor into sharing and any existing compliance programs.

Currently, businesses are confronted with a fairly complex interplay between the draft Act and the other existing and forthcoming EU data laws. From a business perspective this has potential regulatory and reputational risks, but guidance is needed to help businesses navigate through the complexity and meet their legal obligations while harnessing the power of data.

Companies across Europe will be hoping that EU law makers address the risk of confusion and unnecessary additional burdens that the DGA might impose when reviewing and amending the Commission's proposals. Many organisations will also be hoping that the publication of the draft Act spurs policy makers in the UK to accelerate their own plans contained in the national data strategy to incentivise greater data sharing in the country

 

What is the Data Governance Act?

The DGA is a core part of the European Commission's broader data and digital strategies, and is designed to encourage the creation of new infrastructure for sharing data, and in turn help build a digital single market for data across EU member states.

The Act is envisaged as an enabler for exciting initiatives such as 'European data spaces' in sectors of the EU economy, including in the area of health, where barriers to data sharing have traditionally existed but where the liberation of data is considered possible for delivering efficiencies to existing ways of working, potentially ground-breaking innovations, and boosting economic growth.

There are four pillars to the DGA: the re-use of sensitive public sector data; establishing a framework for new data intermediaries; corporate and individual data altruism; and fostering coordination and interoperability through the European Data Innovation Board.

The provisions on re-use of data held by public sector bodies focus on data that is subject to the rights of others, whether confidentiality obligations, intellectual property rights or rights in relation to personal data under data protection law. In this respect, the initiative rests on the dual acknowledgment that the overall economy benefits from reasonable sharing of data – both personal data and non-personal data – but also trust and respecting of proprietary rights to such data.

The DGA is the Commission's attempt to design an overarching regulatory framework that addresses that paradox, though some detail will be provided in national legislation implementing elements of the Act across the EU.

The DGA also sets out a framework for voluntary registration of entities which collect and process data made available for altruistic purposes.

Data trusts by another name?

The DGA sets a governance framework to promote confidence in data sharing between organisations and incentivise the development of EU data spaces where natural and legal persons are in control of data they generate. At the heart of those proposals is the idea that access to data be facilitated by third-party 'data sharing service providers'.

These data intermediaries will be required to maintain neutrality and comply with strict requirements, including not being permitted to use the data for their own interest. A certification or labelling framework is proposed along with a notification obligation with subsequent monitoring of compliance with the requirements by designated competent authorities within member states. These proposals are not applicable to closed group data sharing initiatives.

The idea closely resembles the concept of 'data trusts' that has been explored notably in the UK

Cameron Sarah

Sarah Cameron

Legal Director

The onus is on the UK government to ensure that the UK, through implementation of the national data strategy, is not left behind and can continue as a global leader in the area of data trusts, data sharing and data-related innovation after the end of the Brexit transition period

Data trusts is a term used for legal mechanisms to promote multi-party data sharing with some form independent stewardship of data. A UK government-commissioned review in 2017, aimed at growing the UK's AI industry, led by Dame Wendy Hall, regius professor of computer science at the University of Southampton, said that data trusts can "facilitate the sharing of data between organisations holding data and organisations looking to use data to develop AI".

Exciting work has been ongoing in the area of data trusts in the UK and the EU subsequently. However, with the DGA proposals signalling the clear commitment of EU policy makers to give this data sharing mechanism a legal footing, the onus is on the UK government to ensure that the UK, through implementation of the national data strategy, is not left behind and can continue as a global leader in the area of data trusts, data sharing and data-related innovation after the end of the Brexit transition period.

There is an appetite for data sharing by reference to established principles. More than 300 organisations, including around 180 businesses, have already signed up to participate in the GAIA-X initiative – a Europe-wide drive to bolster data sharing infrastructures – and contribute to the planned sectoral data sharing projects, with others from outside Europe also seeking to get involved.

Addressing potential confusion

The DGA is just the latest piece in an increasingly complex puzzle of EU data law. From the General Data Protection Regulation (GDPR), which governs use of personal data, to the Regulation on the free-flow of non-personal data, the Open Data Directive that already supports re-use of public sector datasets, and the Database Directive which gives protection to those that invest in structuring data into an organised form, there is already a raft of legislation in existence.

A wide-ranging new Data Act, which the Commission has said could mandate business-to-business data sharing in some circumstances and also give individuals "more control over who can access and use machine-generated data", is set to be brought forward in 2021 too.

However, as the EU looks to enable a shift in emphasis to safer data utilisation, there are issues that need resolved to avoid potentially confusing businesses into non-compliance with their legal obligations.

The establishment criteria for the data sharing service providers

The DGA does not require data sharing service providers to have an EU establishment, though the provider will need to appoint a legal representative in the EU in order to act as a data sharing service provider for the purposes of the Act.

Prospective data sharing service providers that have multiple establishments in the EU will be deemed to have their main establishment where their central administration in the EU is located.

The establishment criteria are relevant for the purposes of determining which national regulatory framework providers will be subject to. Similar criteria are outlined in the GDPR. However, the GDPR also allows for the main establishment to be where the main decisions about personal data processing are taken if it is different from the central administration. With the new DGA, it might be that an organisation has two EU main establishments for the purposes of different types data use – one for GDPR and the other for DGA. That could become costly and an administrative burden for a company.

Territorial scope

The DGA does not contain an article defining the territorial scope of the provisions. However, recital 27 provides some detail of the factors to be considered as to whether non-EU based data sharing service providers will be said to be offering services within the EU and therefore required to appoint an EU-based representative.

There is, though, a lack of clear understanding of the liability or otherwise of a representative in the EU or how the territorial scope of the DGA will ultimately be determined. Without amendment or further guidance, this has the potential to cause confusion for multinational businesses.

Non-personal data transfers?

Added complexity to cross-border transfers of data also looks to be forthcoming.

The DGA has said that non-personal data that is subject to the rights of others should not be transferred from an EU country to a so-called 'third' country outside of the European Economic Area unless "appropriate safeguards" are in place to "ensure the protection of fundamental rights or interests of data holders".

To facilitate cross-border non-personal data transfers, however, provision is made in the DGA for the Commission to deem third countries as providing an "essentially equivalent" level of protection to what is available in the EU – in similar vein to the current framework of so-called adequacy decisions that help to underpin international transfers of personal data from the EU to select jurisdictions deemed to meet the same standards of data protection.

What is not clear, however, is whether we might see the Commission prepare model contract clauses to help organisations gain reassurance over the standard of protection applied to non-personal data transferred outside of the EU to jurisdictions that do not benefit from a non-personal data-related adequacy decision.

Model clauses and other legal mechanisms for personal data transfers have been the subject of legal challenge in recent years. An added layer of complexity, cost and uncertainty in the context of non-personal data would not be welcomed by businesses.

Oversight and regulation

While it is welcome that the DGA makes provision for the oversight of data sharing envisaged under the Act by competent authorities, there is the potential for uncertainty of responsibilities and for forum shopping by data sharing service providers.

Uncertainty could arise if providers are subject to regulatory oversight by a number of different authorities in the countries in which they have their main establishment – be that from the local data protection authority, competition regulator and, potentially in some member states, a different authority in respect of the e-Privacy regime too. It is entirely possible that a different body again would oversee compliance with the DGA in some member states. It is not immediately clear which authority would take charge of cases in which a provider was alleged to be in breach of two or more of the potentially overlapping frameworks.

As penalties for non-compliance with the DGA are to be set by EU member states individually, there may be an unintended consequence of encouraging providers to choose a member state where the penalties are more lenient to base their operations or select a legal representative.

Confusion over consent?

There is a risk that the DGA gives organisations the mistaken impression that a different standard of consent applies to personal data to be used for one type of broad based purpose than what applies for other broad based processing purposes under the GDPR.

An example of this risk arises in the context of the proposals on data altruism contained in the DGA. Those proposals include plans for the creation of data altruism consent forms to gather broad based consent from individuals to the use of their personal data. More specifically, recital 36 states: "…Data subjects in this respect would consent to specific purposes of data processing, but could also consent to data processing in certain areas of research or parts of research projects as it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection..."

However, the concept of consent under the GDPR is clearly defined and strictly interpreted by data protection authorities. It must be freely given, specific, informed and an unambiguous indication of the data subject's wishes – either by a statement or by a clear affirmative action, signifying agreement to the processing of personal data relating to him or her.

In guidance on consent issued earlier this year, the European Data Protection Board explained that "a service may involve multiple processing operations for more than one purpose" but that in those cases "the data subjects should be free to choose which purpose they accept, rather than having to consent to a bundle of processing purposes". It also said: "If the controller has conflated several purposes for processing and has not attempted to seek separate consent for each purpose, there is a lack of freedom. This granularity is closely related to the need of consent to be specific."

It could be argued that what the DGA says around consent in the context of altruism fails to reflect the granularity required under the GDPR, and raises the prospect of permitting businesses to think that consent does not need to be granular for other purposes too.