EU data governance regulation – A wave of digital, regulatory and antitrust reform begins - Part Two
On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data.
This is part two of a series of three blog posts. In this blog post, we outline the new regimes for data sharing service providers and data altruism under the DGR, and consider the potential impact on businesses.
New regime for data sharing service providers
The EC anticipates that providers of data sharing services, or data intermediaries, will play a key role in facilitating the aggregation and exchange of substantial amounts of relevant data (personal and non-personal data).
The basic principle reflected in the DGR is that such data intermediaries must be independent from both data holders and data users to facilitate the emergence of new data-driven ecosystems independent from online platforms with significant market power.
In what situations would the DGR apply to data sharing arrangements?
The DGR envisages data sharing service providers will play a role in three contexts:
These three areas are described in more detail below.
Requirement to notify
Any data sharing service provider who intends to provide data sharing services falling within the scope of one of the three types of data sharing services described above must submit a notification to the relevant Member State’s competent authority.
They will be the only third parties able to run so-called data exchanges or trusts for data pools. Operators of personal data stores will be covered by such requirements and will accordingly need to notify.
The DGR provides that, upon giving such notification, the provider of data sharing services may start the activity subject to the conditions laid down in the DGR. The notification entitles the provider to provide data sharing services in all Member States.
What data sharing services will not be covered by the DGR?
Data sharing service providers covered by the notification requirement under the DGR would have as their main objective the creation of legal and potentially technical relations between data holders and potential users, assisting both parties in exchanging data.
Their business must aim at intermediating between an indefinite number of data holders and data users, rather than a closed group.
What are the other excluded categories?
Other categories excluded from the requirement to give notice under the DGR include:
Are data sharing service providers outside the EU covered?
Under the DGR, providers of data sharing services would be required to have a place of establishment in the EU or to designate a representative in the EU.
This means that a provider of data sharing services that is not established in the EU, but which offers services falling within the scope of the DGR, must:
- Appoint a legal representative in one of the Member States in which those services are offered. (The representative would act on behalf of the data sharing services provider under a written mandate. The provider would be deemed to be under the jurisdiction of the Member State in which the legal representative is established.)
- Notify the competent authority in the relevant Member State.
- Comply with the DGR conditions applicable to such data sharing arrangements.
Data sharing service providers would have to be supervised by the competent authority in the Member State where they are established or where their legal representative is located.
Intermediation services between data subjects: personal data
The DGR provides for a specific category of data intermediaries focusing exclusively on personal data and seeks to enhance individual agency and the individuals’ control over the data pertaining to them.
These service providers would assist individuals in exercising their GDPR rights, in particular managing their consent to data processing, the right of access to their own data, the right to the rectification of inaccurate personal data, the right of erasure or right “to be forgotten,” the right to restrict processing and the right of data portability.
The DGR would prevent misaligned incentives that could encourage individuals to make more data available for processing than what is in the individuals’ own interest. It provides that the provider offering services to data subjects shall act in the data subjects’ best interest when facilitating the exercise of their rights, in particular by advising data subjects on potential data uses and standard terms and conditions attached to such uses. The duty might also include, for example, making due diligence checks on data users before allowing them to contact data subjects, in order to avoid fraudulent practices.
In certain situations, it could be desirable to collate actual data within a “personal data space” so that processing can happen within that space.
The DGR contains rules on data cooperatives, which would seek to strengthen the position of individuals consenting to data use, influencing the terms and conditions attached to data use or potentially solving disputes on how data can be used when such data pertain to several data subjects within that group.
What are the conditions applicable to providers of data sharing services?
To increase trust in data sharing services, the DGR creates an EU-level regulatory framework with highly harmonized requirements (called “conditions”) applicable to all three types of data sharing arrangements covered by the DGR (that is, intermediation services between data holders, intermediation services between data subjects, and data cooperatives).
Broadly speaking, the effect of the conditions is that:
- Data sharing service providers would be required to be neutral as regards the data exchanged between data holders and data users, and could thus act only as intermediaries, without using the data exchanged for any other purpose.
- Structural separation would be required between the data sharing service and any other services provided, so as to avoid conflicts of interest. Data sharing service providers should be separate legal entities that do not engage in other activities.
- Data sharing service providers intermediating exchanges of personal data between individuals as data holders and legal persons should be subject to fiduciary duties towards those individuals (“the provider offering services to data subjects shall act in the data subjects’ best interest when facilitating the exercise of their rights”).
Encouraging data altruism
The DGR aims to tap the potential to increase the use of data made available voluntarily by individuals or companies for purposes of general interest, such as healthcare, combating climate change, improving mobility, compiling official statistics, improving public services and supporting scientific research. The legal framework established by the DGR would contribute to the formation of data pools with sufficient size to enable data analytics and machine learning.
Companies that seek to support purposes of general interest by making relevant data available on the basis of data altruism at scale, and that meet certain requirements, would be able to register as “Data Altruism Organizations recognized in the Union.”
Registration would be valid across the EU, facilitating cross-border data use within the EU and the emergence of data pools covering several Member States.
The voluntary compliance of such registered entities with a set of requirements should foster trust that data made available for altruistic purposes serves the general interest. Such trust should result in particular from:
Further safeguards should include offering data processing within a secure processing environment operated by the registered entity, oversight mechanisms such as ethics councils or boards to ensure that the data controller maintains high standards of scientific ethics, and the technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under the GDPR.
What are data altruism organizations permitted to do?
Recognized data altruism organizations would be able to collect relevant data directly from natural and legal persons or to process data collected by others.
Is consent required?
Typically, data altruism would rely on consent of data subjects in accordance with the GDPR. Individuals and companies participating in these activities would consent to specific purposes of data processing, but could also consent to data processing in certain areas of research or parts of research projects.
For additional legal certainty, the DGR envisages that the EC will develop a European data altruism consent form to contribute additional confidence and transparency on how data subjects’ data will be accessed and used.
Use of the form could also streamline data altruism by companies and provide a mechanism allowing companies to withdraw their permission to use the data.
To take into account the specificities of individual sectors, including from a data protection perspective, there should be a possibility for sectoral adjustments of the European data altruism consent form.
Are there generally applicable localization requirements under the DGR?
Shielding: the DGR includes “shielding” provisions to limit the obligation of EU citizens and companies to provide data under the legal procedures of non-EU Member States. In practical effect, these could have the result of localizing some data within the EU.
Non-personal data: a public sector body in relation to public sector data, the re-user of such data, a data sharing provider, and data altruism organizations, as the case may be, must take all reasonable technical, legal and organizational measures in order to prevent transfer or access to non-personal data held in the EU where such transfer or access would create a conflict with EU law or the law of the relevant Member State, unless the transfer or access falls within one of the following two exceptions:
In either case, they must provide the minimum amount of data permissible in response to a request for transfer or access.
Are there localization requirements specific to public sector data?
There are additional localization requirements applicable to non-personal public sector data. To protect non-personal data protected by intellectual property rights or that is otherwise confidential, special requirements would apply under the DGR to transfers of data to non-EU countries:
Highly sensitive non-personal data
The DGR provides that public sector bodies may impose stricter conditions on transfers to non-EU countries of highly sensitive types of non-personal data, such as public health system data held by public hospitals.
To ensure harmonized practices across the EU, such highly sensitive data will be defined in EU measures - for example, in the context of the European Health Data Space or other sectoral legislation.
The DGR requires that the conditions:
Of course, the GDPR continues to apply, with its restrictive approach to the international transfer of any personal data.