EC Releases Data Governance Act

The European Commission launched, on 25 November, the European Data Governance Act, creating the framework and the conditions for data-sharing across Europe. As the first of a set of measures announced in the 2020 European strategy for data, the Data Governance Act is focused on increasing the volume of data shared and create new business models through so-called data intermediaries or data sharing providers. The Commission has launched a short feedback process to gather views on the new proposed rules by 1 February. techUK will be working with its members to gather input to feed into this process.

The key provisions of the Commission’s proposal are outlined below.

Making public sector data available for re-use

The new regulation lays down the conditions for making public sector data available for re-use. The proposed rules would apply to data held by public sector bodies which is sensitive on the grounds of personal data, protection of intellectual property rights, and commercial or statistical confidentiality. Public sector bodies may impose an obligation to re-use only pre-processed data where personal data is anonymized or pseudonymised, or commercially confidential information is deleted. 

National public sector bodies are entrusted to oversee data re-use requests, with a single information point in each Member State. The conditions for re-use should be “non-discriminatory, proportionate and objectively justified”, and shall not be used to restrict competition or encroach on intellectual property rights. Requests must be granted or refused within two months and the public bodies can charge fees for allowing re-use of data based on the costs of processing these requests for re-use.  

Public sector bodies have the power to impose new obligations to access and re-use the data within a secure processing environment provided and controlled by the public sector. This also applies to mandating access within the physical premises in which the secure processing environment is located, if remote access cannot be allowed.  

There is a prohibition of exclusive data re-use arrangements, unless necessary for the provision of a service or product in the general interest. In such cases, the period of exclusivity of the right to re-use data shall not exceed three years. 

Where non-personal data held by public sector bodies is highly sensitive, the Commission may adopt additional rules laying down special conditions applicable for transfers to third countries.   

A new framework for data sharing intermediary services 

The Data Governance Act aims to boost sharing of data among businesses through a new framework for data sharing services.  Designed to help individuals exercise their rights under the GDPR, providers of data sharing services – such as B2B data spaces, marketplaces, data cooperatives or data trusts - will be subject to a new notification procedure, enabling them to operate across all Member States. The data sharing service providers must either already be established in the EU or appoint a legal representative in one of the Member States in order to operate in the bloc. 

Once the provider of the data sharing service has notified the competent national authority, the authority shall issue a standardised declaration within one week and notify the Commission who will update its register of providers of data sharing services.  

The provision of data sharing services is subject to several conditions, including ensuring that the procedure and price for accessing its service is fair, transparent, and non-discriminatory for both data holders and data users. The competent authority is tasked with ensuring compliance. In cases of noncompliance, the authority can impose financial penalties with retroactive effect or demand the provision of the data sharing service to delay or cease activities.  

Data use on altruistic grounds  

The proposal includes provisions to allow data use on altruistic grounds.  To facilitate the opening-up of public sector data, the Data Governance Act encourages consumers to voluntarily share personal data through a common European data altruism consent form. The consent form can be customised for different sectors and consumers must be provided with the option to withdraw consent at any moment. 

The Commission and competent national authorities shall develop a register of data altruism organisations which collect, and process data made available for altruistic purposes. To qualify for registration, such organisations must be operating on a not-for-profit basis or ensure that its activities related to data altruism have a functional separation from the rest of the business. The data altruism organisations shall be subject to transparency requirements.

To safeguard the rights of consumers, the data altruism organisations shall inform data holders about the purposes of general interest for which their data is being processed in an “easy-to-understand manner” as well as of any processing of their data outside the EU. The competent national authority is responsible for monitoring compliance and organisations which do not comply with one or more of the requirements may be removed from the register. 

New European Data Innovation Board

A new European Data Innovation Board will be set up to assist with implementation.  The Board will be  a Commission-supported expert group consisting of representatives of competent national authorities as well as representatives of EU data spaces and sectors. It is tasked with advising and assisting the Commission in developing consistent practices when implementing the Data Governance Act; monitoring the activities of the competent national authorities; and facilitating cooperation between Member States, including the standardisation and interoperability activities for the common EU data spaces. While under the direction of the Commission, stakeholders may be invited to participate in the Board’s meetings and activities. 

Next steps 

In addition to the European Commission feedback process (which closes on 1 February), the European Parliament and the European Council will start developing their own positions on the Commission’s proposal, following which they’ll enter the trilogue stages with the European Commission for a compromise text. After publication in the Official Journal, due to the choice of mechanism, the Regulation will then apply automatically in all Member States after a transition period of 12 months.  

Commenting on today’s proposal, Antony Walker, deputy CEO of techUK said: 

“techUK welcomes the vision that Europe’s success lies in a strong data driven digital economy. Here in the UK, we share many of the European values included in these proposals including empowering citizens to make best use of data, getting responsible innovation right and building public trust and confidence in data-driven technologies.  

As the legislative process continues, we are keen to work together with EU policymakers to support the completion of a digital single market for data, that is competitive and open to global data innovators.

The use of data in the fight against the current Covid19 pandemic in the UK, Europe and around the world has shown the powerful role data sharing across borders can play. As these legislative proposals move forward, this is a key opportunity for Europe to show the world how to develop standards that support innovation, unlock the power of data and embody an ethos that data should be global not local and, thus, put the EU at the heart of the global data debate.”