The exchange and use of data are of great importance for the competitiveness of European companies and for a smooth administration. The EU Commission has recognized this and presented its Data Strategy on February 19, 2020. In doing so, it hopes to combine efficient data access with an effective competition policy and a high level of data protection. The Data Governance Act and the Data Act form the regulatory pillar of the European Data Strategy and could bring significant benefits but also new challenges for companies and citizens.
The Data Governance Act and the Data Act of the EU
Sara Nesler, Mag. iur. (Torino), LL.M. (Münster)
Data Governance Act
The draft regulation on data governance (Data Governance Act) was already published by the EU Commission in November 2020. It aims to promote the availability of data for use by strengthening data sharing mechanisms across the EU and improving trust in data intermediaries. To do this, it focuses mainly on three measures.
Making public sector data available
Data held by the public sector will be made increasingly accessible. To achieve this, agreements that restrict the reuse of data held by public sector bodies will be prohibited, even beyond the "Open Data" Directive. This includes, for example, data that is protected because of the intellectual property rights of third parties or because of its sensitivity. An exception is provided for, among others, when such an agreement is necessary for the provision of a service or product in the general interest.
The competent public sector bodies designated by the Member States must make the conditions for the re-use of the data publicly available. They may also impose obligations, such as that only processed data may be used (through anonymization, pseudonymization, and deletion of confidential information), or that the reuse must take place in a controlled processing environment. Fees may be charged for permission to reuse this data.
Data sharing services
In order to increase trust in the data intermediaries, in the future, the provision of certain data sharing services will be subject to notification. The new regulation also imposes a series of requirements on providers regarding their own use of data, the access process, the interoperability of data, and the prevention of abusive and unlawful behavior.
Those providing services to data subjects must act in their best interests under the Data Governance Act and facilitate the exercise of their rights under the GDPR. In particular, they must provide advice on the possible types of data use and customary terms and on the conditions for such uses.
The competent authorities will supervise and enforce compliance with these rules. For this purpose, they will be able to impose fines and penalty payments and/or order the suspension of the data sharing service.
New regulations are also foreseen for data altruistic organizations. These are organizations established for the pursuit of general interest that perform data altruistic activity through a structure which is legally independent and separate from other activities. Recognized data altruistic organizations subject to special transparency requirements will be entered in a register attesting to their credibility.
The draft also provides for the establishment of a Data Innovation Council in the form of a group of experts to advise and assist the EU Commission. In addition, to reduce the risk of data leakage, access by foreign courts and authorities to the data collected will be restricted.
The draft has been well received for the most part. Nevertheless, there has been criticism that it lacks a clear systematic demarcation from other regulations, in particular the General Data Protection Regulation, the planned ePrivacy Regulation and the Directive on the Protection of Business Secrets. Concerns were also expressed about the bureaucratic burden.
The EU Commission announced on November 30, 2021 that the EU Parliament and Council had reached political agreement on the proposed Data Governance Act. The regulation now needs final approval from the EU Parliament and Council. Businesses and citizens interested in using the data made available, as well as affected service providers and organizations, should prepare accordingly.
The second measure presented by the EU Commission as part of its communication on data strategy in 2020 is called "Data Act" and appears somewhat more controversial. It is intended to promote the exchange of data by and between companies in order to advance the development of the EU data economy. A first draft of the regulation is expected soon. Nevertheless, it is already partly foreseeable in which direction the Commission's proposals will go. It can be gleaned from the impact assessment published by the Commission on 28/05/2021 and from the results of the public consultation conducted from June 3 to September 3, 2021.
Several problem areas have been identified that inhibit or prevent data sharing between and by companies. These include general factors such as the lack of fairness in digital markets or low legal certainty, but also more specific issues such as the lack of portability when using cloud services and the need for harmonized standards for smart contracts.
To address these issues, different measures could be introduced. They play out in both B2G and B2B relationships.
Data sharing B2B
- Data access plays a major role in the digital economy. For startups and small companies it is often difficult to obtain, due to their weak bargaining power. This creates an imbalance in the market and prevents innovation. The Commission therefore proposes to introduce data access and usage rights. Unfair contract terms are to be prevented by a fairness test.
Part of the business community has objected that the exchange of data can also lead to a restriction of competition, especially if it includes sensitive, competition-relevant information. For this reason, the exchange of data should take place on a voluntary basis. Only where a market distortion has been identified should access be regulated on a sector-specific basis. In order to make it easier to ensure data protection, guidance for companies should also be made available.
- Access to machine-generated data is to be expanded. This could require a reform of the database directive.
- The market for cloud computing services is also to become more competitive. Organizations and companies are increasingly dependent on cloud services for processing data, and these services often already have a great deal of market power. In order to avoid lock-in effects, portability between cloud services shall be secured by a portability right.
In its statement on the Data Act, the DIHK (Association of German Chambers of Commerce and Industry) called for the negotiating position of cloud users to be strengthened by standard contractual clauses. This requires that the right to data portability is extended to the commercial users of cloud services. Currently, this is only incompletely regulated in Article 20 of the GDPR, and the technical implementation of the transfer has not yet been standardized. The Data Act is intended to concretize the general right to data portability. For example, the Commission is considering obliging providers of smart devices to enable real-time data transfer via interfaces. This is also intended to promote competition.
Data sharing B2G
The public sector could benefit from the use of data processed by private companies. However, access is limited, partly because of the lack of clarity in the legal framework, and partly because companies have no incentive to share their data with the state.
The Data Act aims to introduce mandatory data sharing for certain public interest purposes. In addition, the agreement on rights of use and their remuneration shall be facilitated by requirements for data sharing and transparency, through protective measures and through the creation of intermediary structures.
In the interest of companies, a clear demarcation between the mandatory and the voluntary transfer of data, the latter being preferable for them, would be desirable. An appropriate incentive system (for example, through tax advantages) should take into account the costs of data transfer and the increased risk of disclosing trade secrets. Strict protection of confidential business information and transparency regarding the use of the data could also increase the trust and willingness of companies.
"Smart contracts" are automated binding agreements written in code and blockchains. They could play an important role in facilitating the agreement on rights of use in both B2G and B2B relationships. However, the EU currently lacks harmonized standards for these types of contracts, making international use difficult even within the EU. The Data Act is intended to provide the necessary regulatory framework and technical standards.
International data protection
The problem of international data protection also arises in the context of the Data Act. One particular issue is the international handling of non-personal data (for example, at the request of foreign authorities), which has not been regulated to date. One solution could be to oblige service providers to inform users of such a request and not to grant it if it is prohibited under EU law or the law of the Member States.
Only the draft legislation will be able to better clarify what specific benefits and challenges will arise from the Data Act and allow for preparation. Its publication was originally planned for the end of 2021 and is expected shortly.
The Alliuris Group consists of 20 law firms and 400 business lawyers within Europe, Asia and America. (www.alliuris.law).