Executive Vice-President, Margrethe Vestager, presented, on 25 November 2020, the European Commission’s new Data Governance Act (PDF), the first proposal to come out of its 2020 European Data Strategy. The Act was postponed several times since September, with a working draft leaked by several news outlets early November receiving serious criticism. The official document, published in November, has been adjusted and seems to have taken on board some of the concerns expressed. In this blog post, Publyon explains the main elements of this Act and its business implications.
Main elements of the proposed Data Governance Act
The European Commission decided to opt for a regulation as the legal instrument for its Data Governance Act due to the predominance of elements that require a uniform application which would not leave margins of implementation to the Member States, in order to create a fully horizontal EU framework. These are the key elements of the draft regulation:
Re-use of data produced by the public sector
The Data Governance Act proposal aims to increase the amount of data available for re-use within the EU by allowing public sector data to be used for purposes different than the ones for which the data was originally collected. The type of data targeted by the Act are, for example, data generated by GPS, or healthcare data, which if put to productive use, could contribute to improving the quality of services. The data collected could be re-used for commercial or non-commercial activities and the Commission estimates that the implementation of the measures proposed could increase the economic value of data by up to €11 billion by 2028.
The Commission believes that, in order to incentivize individuals to share their data, they should trust the process by which those data are handled. To this end, it proposes to create “data intermediaries”, which will handle the sharing of data by individuals, public bodies and private companies. These data sharing service providers will come as a European alternative to the existing major tech platforms.
To uphold trust in said intermediaries, the Commission proposes to put in place several protective measures. First, intermediaries will have to notify public authorities of their intention to provide data-sharing services. Second, they will have to commit to the protection of sensitive and confidential data. Finally, the Commission will impose strict requirements to ensure the intermediaries’ neutrality. These providers will have to distinguish their data sharing services from other commercial operations, and are prohibited from using the data exchanged for any other purposes. Certain services that have been excluded from becoming new data intermediaries as part of the regulation include cloud service providers and data advertising brokers, data consultancies, or providers of data products.
The early draft of the Data Governance Act, leaked in November, had caused controversy with regards to these intermediaries, as it required that they be legally established in the EU or EEA. This approach was strongly defended by Internal Market Commissioner, Thierry Breton, who has long been a champion of “data sovereignty”. The leaked proposal highlighted that this requirement was to facilitate the supervision of intermediaries’ compliance with the requirements of the Act.
However, several experts criticized the measures, saying that they would discriminate against foreign companies and therefore, violate the EU engagements as part of the World Trade Organization (WTO). The WTO forbids countries to require providers of data sharing services from abroad to be legally based within their own country.
Many businesses had also reacted with worry to the leaked document, claiming that the restriction of data flows could result in a loss of billions of euros in digital trade.
Despite Commissioner Breton’s strong defense of the so-called “data localization” aspect, other Commissioners, including Vice-President Vestager herself, were less favorable towards this approach, resulting in the Commission’s backtracking on this aspect in the final proposal. As it stands, the Data Governance Act only requires intermediaries to either have a place of establishment in the EU, or to designate a representative in Europe.
However, restrictions on the transfer of sensitive data to third countries remain in the final proposal.
Sector-specific data spaces
The proposed Act also aims at creating sector-specific data spaces to enable the sharing of data within a specific sector. For example, the Act plans for the creation of data spaces for transport, health, energy or agriculture.
The Data Governance Act also aims at creating favorable conditions for “data altruism”, meaning encouraging individuals to voluntarily donate personal data to serve the general interest. To do so, “personal data spaces” will be created to ensure that the data shared will only be used for purposes that individuals who donated it agreed to, such as, for example, medical research. Non-for-profit organizations will have the opportunity to sign up into a public register of “data altruism organization”.
European Data Innovation Board
Finally, the draft Data Governance Act plans for the creation of a European Data Innovation Board. Its missions would be to oversee the data sharing service providers (the data intermediaries) and provide advice on best practices for data sharing.
The Member of the European Parliament Miapetra Kumpula-Natri (S&D, Finland), who is the rapporteur for the Industry, Research and Energy Committee’s (ITRE) draft initiative report on the Data Strategy, welcomed the “ambitious” proposal. She called the Commission’s decision to leave it to national bodies to protect sensitive data “fair enough as compromise, but not good for the single market and harmonization”. The deadline for amendments of the draft report ended on 12 November and the final Committee vote is expected in January 2021.
European Parliament and Council review of Data Governance Act
The Data Governance Act is currently being reviewed by the Council of the EU and the European Parliament.
The Presidency of the Council of the EU presented a first compromise text of Data Governance Act on 22 February 2021. The compromise text notably focuses on better aligning the proposal with the GDPR, specifically with regards to the definition of certain concepts, such as ‘data sharing service provider’ or ‘data altruism’. The compromise text also amends the proposal to include obligations to ensure interoperability between data sharing services, or obligations for data altruism organizations to provide easy withdrawal mechanisms and high level of security for the storage and processing of data collected based on data altruism.
Within the European Parliament, the Industry, Research and Energy Committee (ITRE) is responsible for the Data Governance Act. It held a first exchange of views with the Commission on 18 March. Generally, MEPs welcomed the proposal, but joined the Council’s position in stressing the importance of guaranteeing the consistency of the DGA with existing Data legislation, such as the GDPR, ePrivacy Directive or Open Data Directive. MEPs also underlined the need to facilitate access to data-sharing for SMEs, and called for better clarification of the role of data intermediaries. Those concerns are transcribed in the amendments proposed in the ITRE Committee’s Draft Report on the file, presented by rapporteur Angelika Niebler (EPP, Germany) on 26 March 2021.
The Council of the EU, through the Working Party on Telecommunications and Information Society, is continuing its work towards the adoption of a Council position. Within the European Parliament, committees for opinion (Committee on Internal Market and Consumer Protection and Committee on Civil Liberties, Justice and Home Affairs) will vote on the Data Governance Act on 21 June and 1 July, respectively, followed by ITRE Committee on 15 July. The vote in plenary is planned for the September plenary session (13-16 September).
Data Governance Act’s potential implications for businesses and next steps
In terms of potential implications for businesses, some industry representatives have already raised concerns about the extra barriers to data flows that the draft Act risks creating through the assessment provision of third countries’ data protection regimes, with the option of blocking the transfer of highly sensitive data, the definition of which is, so far, unclear. An additional issue that has been also highlighted is that the Act could allow for discrimination on the basis of a quasi-licensing scheme it would set up, requiring companies to notify the authorities if they want to become service providers. Given the vague wording of the proposal, it could allow for selective revocation of said licenses, giving authorities the power to remove certain providers from the list.
In the third quarter of 2021, the Commission is also expected to present the Data Act, attempting to create an environment conducive to increased data sharing among businesses and governments.
Publyon continuously monitors the developments around the EU Data Strategy. Should you be interested in further information on the Data Governance Act proposal and how it could impact your organization, you can reach out to Publyon at firstname.lastname@example.org or find more information on our website.