With the adoption of the Data Governance Act the EU moves toward a data sharing model
Attempting to scale up the competitive advantage of an economy increasingly dependent on data in May of this year the European Union institutions put a final stamp on the adoption of the Data Governance Act (DGA).
This novel European Regulation will be applicable starting with September 2023 and will reverse the position of dominance of the big tech companies also known in the market as the data gatekeepers. Once in full swing, the DGA data will be made available to the public administration, smaller companies, SMEs, and start-ups, thus opening new business opportunities for all.
The DGA is built upon the premises of a larger spectrum of EU regulations on data protection, competition laws and consumer protection. This strong foundation let aside, the DGA presses its teeth into the shortcomings of the current regulatory framework (i.e., the Open Data Directive). In this respect, the DGA complements the Open Data Directive, which does not cover the use of data such as, for i.e., trade secrets, personal data, data protected by intellectual property rights identified as protected data under the DGA. Furthermore, the DGA will facilitate the creation of common European data spaces where various types of data (i.e., production data, cellular resolution images, agricultural data, mobility data, environmental data, public administration data, etc.) will be securely shared.
Setting up the scene
Data is regularly generated, collected, or received when using a connected product or a related service. Nevertheless, EU organizations currently fear that sharing their data would generate a loss of competitive advantage and create a risk of misuse. At the same time, individuals exhibit a lack of confidence in data sharing a prerequisite to making more data available on the market.
Ad-hoc solutions proved inconvenient. For example, the guidelines provided by data protection oversight bodies such as the European Data Protection Board (EDPB) on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak have not significantly relaxed the conditions regarding access to and re‐use of data. At the same time researchers faced barriers in accessing health and patient information during the COVID-19 pandemic due to inadequate data‐sharing infrastructure but also because of regulatory restrictions, notably imposed by the GDPR.
Data intermediaries as a new business model
The implementation of the DGA will entail considerable effort and thus, offering opportunities, such as enabling new business models. DGA includes provisions on data intermediaries as providers of data marketplace/data-sharing infrastructure/data-sharing platforms/data wallets.
Data intermediaries can assist data holders and data users (i.e., hospitals, public institutions, research bodies), as well as data subjects (i.e., patients) with sharing data for commercial and altruistic purposes. The activities of such data‐sharing services will be subject to oversight by competent authorities according to the DSA. Such platforms and other data‐sharing infrastructure should be compatible with the GDPR, among others, ensuring that databases can only be accessed by authorized users for authorized purposes only.
The DGA defines a set of rules for data intermediaries to ensure that they will function as trustworthy managers of data sharing activities.
Thus, data intermediaries are neutral third parties that connect individuals and companies on one side with data users on the other side. Data intermediaries require a licence to carry out such services. The licensing workaround will be arranged by supervisory authorities to ensure that the intermediary service is independent and has appropriate security measures to protect individual’s privacy and data confidentiality. Authorized intermediaries will be permitted to use a common DGA compliance logo and be listed in a registry so that they can be trusted for data sharing.
The data intermediaries are prohibited to monetise the data (e.g., by selling it to another company or using it to develop their own product based on this data) and must comply with strict requirements to ensure this neutrality and avoid conflicts of interest. In this sense, the DGA notes that data intermediation service providers will be able to charge a fee for the provision of their services but will be prohibited from profiting from the data they handle by, for example, selling such data. According to the legal provisions the fee must be reasonable, transparent, published online and non-discriminatory.
A new model of consent through altruism
Under the DGA the lawful basis for altruistic use of a data subject's data is consent given by the data subject. The DGA defines data altruism and general interest as the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non‐personal data without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services. This consent should be considered as an additional legal certainty contributing to additional transparency for data subjects.
The Commission is to develop a European consent form for the altruistic transfer of data, to reduce the costs involved in obtaining consent and to facilitate data portability. The form is to be modular, allowing for customisation for sector-specific consent templates.
Introducing a new consent model for data sharing can be both an opportunity and a challenge. At first sight, the proposed uniform consent model can be seen as another legal requirement on top of the other consent requirements for processing personal data. On the other hand, a uniform consent for altruistic uses may become an opportunity to harmonize legislation across the EU Member States and thereby ease datasharing at least within the EU.
Furthermore, in certain cases, a consent for altruistic use can complement public interest as a legal basis for using data,which has been endorsed by the European Data Protection Supervisor (EDPS) in their preliminary opinion on the European Health Data Space.
Individual control on data and the role of data cooperatives
Data co-operatives are specialised forms of data intermediaries owned by the data subjects they represent and whose principal objective is to support data subjects in exercising their rights, another step towards empowerment of individuals with regards to the protection of their personal data. According to the DGA data cooperatives will strengthen the position of individuals in making informed choices before consenting to data use, influencing the terms and conditions of data user organisations attached to data use or potentially solving disputes between members of a group on how data can be used when pertaining to several data subjects within the group.
In recent years, the issue of empowerment of individuals with regards to the processing of their personal data has been accentuated notably by the desire of a better control over who can access the data and for which purposes. However, individuals often lack the adequate expertise to fully understand the technicalities of the data‐sharing ecosystems. Adding this to the imbalance of power between data subjects and institutions who process data, the negotiating power of individuals regarding the terms and conditions of data use is significantly restricted. In reality, individuals are facing a so‐called consent dilemma or a take‐it‐or‐leave‐it approach when consenting to the use and re‐use of their data. At times, this has led to frustration among individuals and a lack of trust in sharing their data.
Data transfer restrictions extended to non-personal data
Living up to the EU desire to act independently in the digital world the DGA has been drafted to include restrictions on international access and transfer of data. Thus, the DGA Chapter Vll includes the legal obligation for re-users of the DGA data, including data intermediaries, to prevent international transfer or governmental access to data held in the Union where such transfer or access would create a conflict with the Union law or the national law of the relevant Member State. Furthermore, per Article 5 regarding conditions for re-use when protected data are to be transferred to a third country, a notification is required to be produced and flowed down to the entity whose rights and interest may be affected by the transfer and who must accept or deny the transfer.
The enormous amount of protected data is extremely valuable for the economic development of the EU and thus, the need to address all core elements of a robust governance framework for data in particular, the tools for empowering individuals to keep control over how their data is being used and shared in a transparent manner. The DGA efforts to ease the flow of data by providing a regulatory framework for data‐sharing infrastructure is a welcome step towards orchestrating data sharing for commercial and altruistic purposes. This way, we can hope that the upcoming data‐sharing programmes would succeed in wining public trust and support by the public, which would greatly benefit of it in return.
This article has been published on Research Gate at https://www.researchgate.net/publication/363770764_Classification_Public