The European Commission (EC) has taken an all-important first step in implementing its European Data Strategy, which was announced in February 2020. (Read more in our blog post.)
On 25 November 2020, the EC published its proposal for a new regulation on data governance, the so-called Data Governance Act (DGA). This is the first legislative proposal to provide the necessary framework for achieving the ambition set out in the European Data Strategy, namely to ‘enable the EU to become the most attractive, most secure and most dynamic data-agile economy in the world’.
In line with this strategy, the EC plans to build on the DGA, with horizontal proposals (including in the forthcoming Digital Services Act package and European Data Act) and sector-specific measures, including in the financial services, transport and industrial sectors. Although the EC’s DGA proposal is still subject to change, it sets an important benchmark and gives us an important insight into how the EC will address data- and technology-related issues in future EU legislation.
Within the overarching concept of the European Data Strategy, the DGA is supposed to strengthen data-sharing mechanisms across the EU, thereby enhancing the intrinsic development of a common European data space.
However, the specific subjects covered are manifold and not necessarily interconnected. They include, among other things, the creation of a mechanism for re-using certain categories of protected public sector data, measures to increase trust in sharing personal and non-personal data, as well as efforts to facilitate data altruism, which is the idea of companies and individuals making their data voluntarily available for the common good.
However, from a business standpoint the most relevant measure might be the envisaged EU-level regulatory framework and the associated notification regime for data sharing service providers (DSSPs), which must be seen in light of the EC’s strong emphasis on enhancing trust in data intermediaries. This can supposedly be done by mitigating data holders’ and data users’ concerns regarding the intermediaries’ reliability, neutrality and possible conflicts of interest. Furthermore, data owners should be able to rely on the fact that the conditions they have established with regard to the use of their data are complied with. Interestingly, when announcing the proposal, EC Executive-Vice President Margrethe Vestager added that this proposal also aims to offer ‘an alternative model to the current data-handling practices offered by Big Tech platforms’.
Therefore, the DGA proposal contains a rather extensive list of conditions for DSSPs. This includes, among other things, the limitation of data usage to the mere provision to users, the isolation of data-sharing services from any other service provided in a separate legal entity, and the obligation to ensure fair and non-discriminatory access, including as regards to pricing. In addition, it contains restrictions on the use of metadata for business purposes, requirements on the continuity of business in case of insolvency, an obligation to ensure a high level of security for the storage and transmission of non-personal data, and fiduciary duties towards individuals using the respective services.
These conditions shall be then monitored by competent authorities designated by each member state. In turn each DSSP will have to notify the intent to undertake data-sharing services to the competent authority in its ‘member state of main establishment’, which will be the place of its central administration in the EU.
If a DSSP offers data-sharing services within the Union yet has no such establishment there, it will have to appoint a legal representative in one of the member states in which those services are offered for that purpose. However, to avoid concerns regarding data localisation requirements envisaged in an earlier draft, the EC has not gone as far as to mandate legal establishment in the EU.
To prevent any kind of forum shopping, the DGA plans to set up an European Data Innovation Board, which is, among other things, supposed to assist the EC in ensuring a consistent practice regarding the requirements applicable to DSSPs.
In addition to all of the soon-to-be-expected difficulties in determining the scope of those obligations as well as a DSSP’s main establishment within the EU or its obligation to appoint a representative, an even more relevant question pops up: what actually is a DSSP in the first place?
The DGA’s answer is still rather vague. Currently its definition includes the provision of the following:
- intermediation services between data holders which are legal persons and potential data users, including making available the technical or other means to enable such services; those services may include bilateral or multilateral exchanges of data or the creation of platforms or databases enabling the exchange or joint exploitation of data, as well as the establishment of a specific infrastructure for the interconnection of data holders and data users;
- intermediation services between data subjects that seek to make their personal data available and potential data users, including making available the technical or other means to enable such services, in the exercise of the rights provided in the GDPR; and
- services of data cooperatives, seeking to strengthen the position of individuals or small companies with respect to the processing of their data.
While the second and third variant of this definition is primarily focused on – at least until now – rather rare entities that enhance individual agency regarding personal data, the first one is very different.
Given the by-now overwhelming importance of data analysis in everybody’s daily life as well as the many varieties of data-driven business models, a provision covering almost any facilitation of data exchange between data holders and potential data users is much more far-reaching. It therefore might subject an enormous and presumably ever-growing number of enterprises to the new regulatory framework under the DGA. Despite several limitations in the recitals with regard to, among other things, data-sharing services in closed groups, cloud services and value-added services, it appears likely that the definition set forth by the EC, in effect, could cover a huge variety of data-reliant entities.
As we are only at the beginning of the legislative process, and the European Parliament and member states will now have to come forward with their amendments, the concrete commercial and legal implications of the DGA as well as its definition of DSSPs are difficult to assess at this point. However, any business providing data-related services within the EU is well advised to carefully monitor the upcoming developments of the DGA and its scope.