On 25 November, the European Commission presented the Data Governance Act, which aims to create a secure infrastructure for data sharing. This is the first proposal from the Commission’s broader Data Strategy. The Act had been postponed several times since September, with a working draft being leaked by several news outlets early November and receiving strong criticism. However, the current proposal has been updated compared to previously available versions.
Elements of the proposal
The proposed regulation will open access to sensitive data held by the public sector and introduce a mechanism for so-called “data altruism” which will allow users to donate their data for the public good. It also includes rules for “data intermediaries” or data brokers that will act as neutral clearinghouses for data sharing. The Commission has decided against imposing geographical restrictions on the establishment of so-called “data sharing services”, which existed in a previous leaked draft of the Regulation and raised concerns about the EU violating its international trade commitments. Rather than requiring that businesses be legally established in the EU, as first suggested, they will be required to have a representative in the EU.
The data intermediaries will be overseen by a newly established European Data Innovation Board, whose mission will be to provide advice on best practices in terms of data sharing. In addition, the Data Governance Act has a so-called “shielding provision” that requires companies handling sensitive data to have “adequate measures” that will prevent the data from getting in the hands of authorities in third countries against EU laws. The proposal aims to replicate restrictions currently in place on the flow of personal data outside of the EU to non-personal data, by giving, for instance, the Commission the power to assess third countries’ intellectual property and trade secrets regimes to check whether they are up to EU standards (similar to “adequacy” assessments of countries’ data protection regimes).
Finally, the Act aims at creating sector-specific data spaces to enable the sharing of data within a specific sector. For example, the Act foresees the creation of data spaces for transport, health, energy or agriculture.
First reactions from the institutions and industry
MEP Miapetra Kumpula-Natri (S&D, Finland), who is the rapporteur for the Parliament’s initiative report on the data strategy, welcomed the “ambitious” proposal. She called the Commission’s decision to leave it to national bodies to protect sensitive data “fair enough as compromise, but not good for the single market and harmonisation”. Some industry members, however, have raised concerns about the extra barriers to data flows through the assessment provision of third countries’ data protection regimes with the option of blocking the transfer of highly sensitive data, the definition of which is so far unclear. Additionally, the Act could allow for discrimination on the basis of the quasi-licensing scheme it sets up, requiring companies to notify the authorities if they want to become service providers. Given the vague wording of the proposal, it could allow for selective revocation of said licenses, giving authorities the power to remove certain providers from the list.
The Commission is collecting feedback on the adoption of the Data Governance Act until 25 January 2021.