European Fee publishes draft Information Governance Act
On November 25, 2020, the European Commission published its proposal for a regulation on European data governance (the “Data Governance Act”). The Data Governance Act is part of a series of measures announced in the European Data Strategy 2020 that aim to bring the EU to the forefront of the data-driven society. The European Commission has also published a question and answer document and factsheet on European data management.
The Data Governance Act aims to promote the availability of data by building trust in data brokers and increasing data exchange across the EU and between sectors. “Data” within the meaning of the Data Governance Act is any digital representation of actions, facts or information as well as their compilation, including in the form of sound, image or audiovisual recordings.
The Data Governance Act regulates (1) the conditions for the reuse of certain categories of data stored by public authorities in the EU; (2) a notification and monitoring framework for the provision of data exchange services; and (3) a framework for voluntary registration of companies that collect and process data provided for altruistic purposes. It is intended to create a network of trustworthy and neutral data brokers and a supervisory system made up of national supervisory authorities and an EU-wide coordination body.
Here are some key takeaways from the draft Data Governance Act:
Reuse of protected data by public sector authorities
The Data Governance Act provides a framework for the reuse of certain categories of public sector data, including data that is protected for reasons of (1) commercial or statistical confidentiality. (2) protection of intellectual property rights; or (3) personal data protection. It also ensures that data can be largely reused by including a general ban on agreements that create (or are intended to create) exclusive rights to reuse, except under certain conditions when this is justified and for the provision of a service of general interest is required .
Public authorities can set conditions for the reuse of data that must be non-discriminatory, proportionate and objectively justified. The conditions may include, but are not limited to, an obligation to only reuse anonymized or pseudonymized data, or to delete commercially sensitive information, including trade secrets, when data is reused. The Data Governance Act also gives the European Commission the right to lay down further conditions for the reuse of highly sensitive non-personal data (such as certain datasets from public health actors) and in particular for the transfer of such data to third countries. “Non-personal data” is data that is not considered personal data according to the General Data Protection Regulation of the EU (“GDPR”).
The Data Governance Act requires EU member states to designate one or more competent bodies, which can be sectoral, to support public sector bodies that provide access to reuse data.
Data exchange services
The Data Governance Act also establishes a framework for data exchange service providers (ie intermediaries between data owners, also known as data subjects, and data users). In particular, a prior notification obligation is imposed on the providers of data exchange services. In addition, the provision of data exchange services is subject to certain conditions including: (1) restrictions on the purposes for which data can be reused and the use of metadata collected by the data exchange service; (2) conditions for access to the data exchange services; (3) the obligation to ensure the interoperability of the data; (4) the obligation to prevent fraudulent or abusive practices related to data access; (5) continuity obligations for the data exchange services; and (6) security obligations to prevent unlawful transmission or access to non-personal data and to ensure a high level of security for the storage and transmission of the data.
Data exchange service providers that are not based in the EU but offer these services in the EU must appoint a legal representative in one of the Member States where the services are offered.
Each Member State must designate one or more authorities responsible for monitoring reports and compliance with the requirements for data exchange service providers. Data exchange service providers must provide competent authorities with any information necessary to verify compliance with their requirements under the Data Governance Act. Designated Competent Authorities should cooperate with data protection authorities, national competition authorities, cybersecurity authorities and other relevant sectoral authorities to exchange information necessary for the performance of their duties with regard to data exchange service providers.
The Data Governance Act seeks to facilitate data altruism by providing a framework for voluntary registration of companies that collect and process data provided for altruistic purposes. “Data altruism” means “the consent of the data subjects to the processing of personal data or the permission of other data owners to allow the use of their non-personal data without asking for a reward for purposes of general interest such as scientific research purposes or public service improvement. “It offers data owners the option of making their data available free of charge or free of charge.
To qualify for registration, a data altruism organization must meet certain criteria, including a nonprofit that was formed to achieve goals of general interest. Similar to data exchange service providers, non-EU data altruism organizations are required to appoint a legal representative in the EU. This representative must be in the country where the organization wants to collect data. In addition, data altruism organizations must register with the competent supervisory authority of the Member State in which they (or their representatives, if any) are established. Each Member State must designate one or more authorities responsible for maintaining the register of data altruism organizations and monitoring compliance with the requirements applicable to data altruism organizations.
Registered data altruism organizations must keep complete and accurate records of (1) any natural or legal person processing data held by that facility. (2) Data and duration of processing and processing purpose; and (3) fees paid by any natural or legal person processing the data, if any. Annual activity reports must be retained and made available to the competent national authority. The Data Governance Act also places specific requirements on registered data altruism organizations to protect the rights and interests of data subjects and legal entities in relation to their data, including transparency obligations and limitations of purpose.
In addition, the Data Governance Act provides for the European Commission to develop a model consent form for European data altruism to be used by data owners. The sample consent form must take into account the consent requirements that apply under the GDPR when providing personal data.
Additional food stalls
- The Data Governance Act gives natural and legal persons the right to lodge a complaint against data exchange service providers or data altruism organizations with the relevant national competent authority. It also offers a right to an effective remedy.
- The Data Governance Act provides for the European Commission to set up a European Data Innovation Committee in the form of an expert group composed of representatives from the Member States, the European Data Protection Board (“EDPB”) and representatives of the relevant data spaces for certain sectors. The European Data Innovation Board will have various tasks, including advising and supporting the European Commission in developing uniform practices and cross-sectoral standards, improving the interoperability of data and data exchange services between different sectors and areas, and facilitating cooperation between the relevant national authorities .
- The Data Governance Act also sets out the rules that apply in the event that an administrative authority in a third country requests access to or transfer of non-personal data in the EU. In this case, the body concerned must take all appropriate technical, legal and organizational measures to prevent the transfer or access to non-personal data in the EU if this would lead to a conflict with the law of the EU or the Member States, provided that if this is not the case, this is required by a court judgment or a decision by an administrative authority. The Data Governance Act provides additional conditions and safeguards in the event of such a request, including an obligation to be transparent to the data owner and the company concerned to provide the minimum amount of data allowed.
The draft Data Governance Act will now be sent to both the European Parliament and the Council of Ministers for negotiation and voting. The European Commission is also planning to publish proposals for a law on digital markets and a law on digital services, which are part of the European Data Strategy 2020.
Read the European Commission’s press release.