Norton Rose Fulbright - Data Protection Report blog

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data.

This is part one of a series of three blog posts.  In this first blog post, we outline key aspects of the DGR, set it in the context of other reforms proposed by the EC, consider public-sector data sharing under the DGR, and look at its potential impact on businesses.

The DGR, proposed in the EC’s February 2020 Digital Strategy, is the first of a wave of regulatory and antitrust reforms targeting the digital sector, which will include additional legislative proposals in 2020 and early 2021, as well as significant changes to the EC’s enforcement of European Union (EU) competition rules.

What are the objectives of the Data Governance Regulation?

The DGR has three main objectives:

  • Sharing of public sector data: creating a mechanism to promote the sharing and re-use of certain categories of protected public sector data that are subject to personal data protection, intellectual property or commercial confidentiality rights and therefore fall outside the scope of the access envisaged by the 2019 Open Data Directive. The DGR does not create a right to re-use such data, but provides for a set of harmonized basic conditions under which the re-use of such data may be allowed.
  • Data sharing service providers: creating a new legal regime for so-called “data sharing service providers” in relation to both personal and non-personal data, who will: (1) be the only third parties able to run data exchanges (often referred to as “trusts” for “data pools”) envisaged by the DGR (including common European data spaces, described below); and (2) have to be neutral as regards the data exchanged, including by being prohibited from using data for other purposes and being subject to fiduciary duties (that is, a duty to safeguard best interests) towards individuals.
  • Data altruism: facilitating so-called “data altruism” – that is to say, individuals or companies voluntarily consenting to the use of their data (personal and non-personal) for the common good, and creating a new system to register organizations engaging in data altruism to increase trust in their operations.

What wider regulatory changes will the DGR be a part of?

The EC’s digital regulatory and antitrust agenda is highly ambitious, including not only the Digital Strategy, but also the EC’s white paper on artificial intelligence and consultations on the Digital Services Act package, a “New Competition Tool” (NCT) to allow the EC to investigate and require changes in market structure without showing an antitrust infringement, and the EC notice on market definition.

In December 2020 the EC is due to publish two important legislative proposals, the Digital Services Act and the Digital Markets Act (DMA).  The DMA will impose new transparency and other obligations on online platforms, create a new regulatory framework for so-called gatekeeper platforms and include investigative powers similar to the broader powers originally proposed as part of the NCT.

The EC is also engaged in the most far-reaching review in a decade of its approach to assessing antitrust compliance of agreements among competitors (horizontal agreements) and between suppliers of goods and services and their distributors or agents (vertical agreements), including notably the sharing of competitively sensitive information.

The EC’s Data Strategy sets out a vision of common European data spaces, a Single Market for data.  The Data Strategy  proposed the establishment of nine common European data spaces for data sharing and pooling, including health, mobility, manufacturing, financial services, energy, and agriculture.  Notably, the DGR does not:

  • Contain any provision specific to these data spaces, but rather aims to create an institutional framework that will apply to them as well as other data exchanges.  (Further measures will likely be set out in the Data Act, originally expected in the second quarter of 2021 but delayed until at least the third quarter.)
  • Create any obligation to share or right to re-use data or alter the intellectual property rights of third parties or limit the exercise of these rights in any way, except as set out in the DGR.

What does the Digital Governance Regulation provide for?

In this series of blogs we consider each of the following elements of the DGR:

  • The new legal framework to encourage sharing and re-use of data held by public sector bodies.
  • A new category of data broker called data sharing services providers.
  • “Data altruism” (established by creating a new framework for registered data altruism organizations).

Public-sector data sharing   

The idea that data generated at the expense of public budgets should benefit society has been part of EU policy for a long time. The Open Data Directive requires the public sector to make more data easily available for use and re-use, but commercially confidential data, data subject to statistical confidentiality, and data protected by intellectual property rights of third parties (including trade secrets and personal data) are generally excluded.

Due to the sensitivity of such data, certain technical and legal requirements must be met before they can be shared, leading to underutilization. Some Member States have taken measures to encourage this type of re-use, such as the French health data hub, but this is not the case across the EU.

What must public sector bodies do?

Under the DGR, public sector bodies (but not State-owned businesses, or “public undertakings”):

  • Will be required to establish principles for re-use of data they hold that are non-discriminatory, proportionate and objectively justified, while not restricting competition.
  • When entering into agreements for re-use of such data, must avoid as far as possible the conclusion of exclusive agreements, except when necessary for the provision of a service of general interest (for example, where there is only one entity specialized in the processing of a specific dataset). In any case, such agreements must be awarded consistently with EU public procurement and State aid rules and for periods of no more than three years.

How should public sector bodies treat the data at issue?

Under the DGR:

  • Any conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of third parties and the integrity of public sector bodies’ information technology and communication systems.
  • Personal data should be fully anonymized, and only be disclosed where allowed under the EU General Data Protection Regulation (the GDPR), including with the data subject’s consent.
  • Data subject to intellectual property rights should only be transferred where allowed by EU or national law or with the rightholder’s consent. Re-use of such data shall only be allowed in accordance with intellectual property rights.
  • When data is confidential, public sector bodies shall ensure that the confidential information is not disclosed as a result of the re-use. The DGR does not explain how this should be achieved, but approaches typically considered sufficient for competition law purposes include aggregating data in such a way that it is not possible to reverse engineer competitively sensitive information and, in some cases, anonymizing data, for instance, by removing names and sales amounts from lists of key customers or suppliers.  (The EC is reviewing its guidance on the assessment of information sharing, which currently focuses on anti-competitive information sharing – for example, in the cartel context.  The EC has recognized that more guidance is needed on pro-competitive information sharing, but updated guidance likely will not be available until 2022).
  • Public sector bodies should facilitate obtaining individuals’ or companies’ consent to the re-use of their data, without providing contact information that allows re-users to contact data subjects or companies directly.
  • Where provision of anonymized or modified data would be insufficient, on-premise or remote re-use of the data within a secure processing environment could be permitted.
  • There are localization requirements applicable to non-personal public sector data.  These are described in our second blog post.

Can public sector bodies charge fees for data sharing?

Under the DGR:

  • Public sector bodies could charge for the re-use of data.
  • Such fees must be non-discriminatory, proportionate and objectively justified and should not restrict competition.
  • Lower (or no) fees could be charged for certain categories of re-uses (such as non-commercial re-use, or re-use by small and medium-sized enterprises).

Single information point for public sector data requests

The DGR requires that Member States establish a single information point to act as the primary interface for re-users that seek to re-use data held by public sector bodies.

Member States must also designate bodies to support the public sector bodies allowing re-use of protected data, including by providing secure data processing environments to allow data analysis in a manner that preserves the privacy of the information. Such bodies could also support the management of consents.