On 25 November 2020 the European Commission proposed new rules on data governance – a proposed Data Governance Regulation, which is the first of a set of measures announced in the 2020 European strategy for data.
The study conducted to support the impact assessment on the proposed Regulation emphasises that because data is doubling every 18 months, data-driven innovation has an enormous potential to bring benefits to citizens. At the same time, these data-driven innovations cannot compromise the EU’s fundamental rights and values, particularly its status as a world leader in data protection regulation. By ensuring that citizens control the data they generate and that everyone will benefit from this new wave of innovation, the EU can continue to be a global example of a data-empowered society.
To this end, the proposed Regulation recommends making data more available by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU. The Regulation addresses four situations in which data is processed: re-use of public sector data; sharing data among businesses; data sharing intermediaries; and data altruism.
Re-use of certain public sector data
Chapter II of the proposed Regulation suggests harmonising the basic conditions for re-using certain categories of protected public-sector data. Data held by public undertakings, public service broadcasters, cultural establishments and educational establishments are exempt from the re-use provisions of the Regulation.
As a main rule, the proposed Regulation would prohibit granting exclusive rights for the use of public sector data. Public sector bodies will publish the conditions for allowing re-use of data, which must be non-discriminatory, proportionate and objectively justified regarding categories of data and purposes of re-use and the nature of the data for which re-use is allowed.
Public sector bodies allowing this type of re-use must be technically equipped to ensure that privacy and confidentiality are fully preserved. According to the proposed Regulation, EU member states have the following obligations:
- designating one or more competent bodies to support the public sector in re-use of data.
- setting up a single contact point supporting researchers and innovative businesses in identifying suitable data and transmitting requests for the re-use of data to the competent public-sector bodies.
Sharing of data
The proposed Regulation would also aim to increase trust in sharing personal and non-personal data and to lower transaction costs linked to B2B and C2B data sharing by creating a notification regime for data sharing providers. As a result, data sharing services will be subject to a notification procedure and providers can offer data-sharing services in all member states.
The proposed Regulation establishes detailed conditions for data-sharing services. Among others, these conditions include the following:
- data sharing services must be placed in a separate legal entity;
- the data can only be used for providing data-sharing services;
- providers must ensure that the procedure to access their service is fair, transparent and non-discriminatory;
- providers must ensure a high level of security for the storage and transmission of non-personal data.
Similar to the GDPR, the proposed Regulation states that a provider of data sharing services not established in the EU, but offering services within the EU, must appoint a legal representative in a member state where those services are offered. The provider will fall under the jurisdiction of the member state where the legal representative is established.
Each member state will designate a competent authority to be responsible for monitoring providers and ensuring that they comply with the requirements for the provision of these services.
The proposed Regulation will also try to facilitate data altruism (i.e. data voluntarily made available by individuals or companies for the common good) and set up the registry ‘Data Altruism Organisations recognised in the EU’ in order to increase trust in the operation of these organisations. In addition, a common European data altruism consent form will be developed to lower the costs of collecting consent and to facilitate data portability.
European Data Innovation Board
The proposed Regulation would also establish the European Data Innovation Board to facilitate the emergence of best practices by member state authorities when processing requests for the re-use of data (subject to the rights of others), to ensure consistency in the notification framework for data-sharing service providers and to further promote data altruism.
Impact of the proposed Regulation
The impact assessment report emphasises that the proposed Regulation would act as a catalyst for creating more efficient services and new data-based products, such as artificial intelligence, which would benefit the data economy as well as the EU economy and society as a whole.
For more information on this proposed Regulation and data-protection in the EU, contact your CMS partner or local CMS experts.