On November 30th, EU Parliament and Council of the EU found a middle ground on the Data Governance Act (DGA) by adopting new rules for data sharing, marking the first step of the European data strategy.
The new data law will provide a framework for sharing industrial data across the bloc. It aims to increase trust in data sharing, creates new EU rules on the neutrality of data marketplaces and facilitates the reuse of certain data held by the public sector, e.g. certain health, agricultural or environmental data. It sets up common European data spaces in strategic domains, such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills.
Wider reuse of protected public-sector data
The Data Governance Act will create a mechanism to enable the safe reuse of certain categories of public-sector data that are subject to the rights of others. This includes, for example, trade secrets, personal data and data protected by intellectual property rights. Public-sector bodies allowing this type of reuse will need to be properly equipped, in technical terms, to ensure that privacy and confidentiality are fully preserved.
In this respect, the DGA will complement the Open Data Directive from 2019, which does not cover such types of data.
Exclusive arrangements for the reuse of public-sector data will be possible when justified and necessary for the provision of a service of general interest. The maximum duration for existing contracts will be 2.5 years and for new contracts 12 months.
The Commission will set up a European single access point with a searchable electronic register of public-sector data. This register will be available via national single information points.
A new business model for data intermediation
The DGA creates a framework to foster a new business model – data intermediation services – that will provide a secure environment in which companies or individuals can share data.
For companies, these services can take the form of digital platforms, which will support voluntary data-sharing between companies or facilitate the fulfilment of data-sharing obligations set by law. By using these services, companies will be able to share their data without fear of its being misused or of losing their competitive advantage.
For personal data, such services and their providers will help individuals exercise their rights under the general data protection regulation (GDPR). This will help people have full control over their data and allow them to share it with a company they trust. This can be done, for example, by means of novel personal information management tools, such as personal data spaces or data wallets, which are apps that share such data with others, based on the data holder’s consent.
Data intermediation service providers will need to be listed in a register, so that their clients know that they can trust them.
The service providers will not be allowed to use shared data for other purposes. They will not be able to benefit from the data – for example, by selling it on. They may, however, charge for the transactions they do carry out.
Data altruism for the common good
The DGA also makes it easier for individuals and companies to make data voluntarily available for the common good, such as medical research projects.
Entities seeking to collect data for objectives of general interest may request to be listed in a national register of recognised data altruism organisations. Registered organisations will be recognised across the EU. This will create the necessary trust in data altruism, encouraging individuals and companies to donate data to such organisations so that it can used for wider societal good.
If an organisation wants to be recognised as a data altruism organisation under the DGA, it will have to comply with a specific rulebook.
Easy identification of service providers
Voluntary certification in the form of a logo will make it easier to identify compliant providers of data intermediation services and data altruism organisations.
European Data Innovation Board
A new structure, the European Data Innovation Board, will be created to advise and assist the Commission in enhancing the interoperability of data intermediation services and issuing guidelines on how to facilitate the development of data spaces, among other tasks.
International access to and transfer of non-personal data
The DGA creates safeguards for public-sector data, data intermediation services and data altruism organisations against unlawful international transfer of or governmental access to non-personal data. For personal data, the EU already has similar safeguards under the GDPR.
In particular, the Commission – through secondary legislation – may adopt adequacy decisions declaring that specific non-EU countries provide appropriate safeguards for the use of non-personal data transferred from the EU. These decisions would be similar to adequacy decisions relating to personal data under the GDPR. Such safeguards should be considered to exist when the country in question has equivalent measures in place that ensure a level of protection similar to that provided by EU or member state law.
The Commission may also adopt model contractual clauses to support public-sector bodies and re-users in the case of transfers of public-sector data to third countries.
“We are at the beginning of the age of AI and Europe will require more and more data”
“Our goal with the DGA was to set the foundation for a data economy in which people and businesses can trust. Data sharing can only flourish if trust and fairness are guaranteed, stimulating new business models and social innovation. Experience has shown that trust – be it trust in privacy or in the confidentiality of valuable business data – is a paramount issue”, stated the German MEP (Member of European Parliament) Angelika Niebler.
“We are at the beginning of the age of AI and Europe will require more and more data. This agreement should make it easy and safe to tap into the rich data silos spread all over the EU. The data revolution will not wait for Europe. We need to act now if European digital companies want to have a place among the world’s top digital innovators”, she said.
The informal agreement will now have to be formally endorsed by Parliament and Council of the EU to come into force. The new rules will apply 15 months after the entry into force of the regulation.
Sources : European Parliament, Council of the EU