Norton Rose Fulbright - Data Protection Report blog

On 25 November 2020, the European Commission (EC) published its proposed Data Governance Regulation (the DGR), which will create a new legal framework to encourage the development of a European single market for data.

This is part two of a series of three blog posts.  In this blog post, we outline the new regimes for data sharing service providers and data altruism under the DGR, and consider the potential impact on businesses.

New regime for data sharing service providers

The EC anticipates that providers of data sharing services, or data intermediaries, will play a key role in facilitating the aggregation and exchange of substantial amounts of relevant data (personal and non-personal data).

The basic principle reflected in the DGR is that such data intermediaries must be independent from both data holders and data users to facilitate the emergence of new data-driven ecosystems independent from online platforms with significant market power.

In what situations would the DGR apply to data sharing arrangements?

The DGR envisages data sharing service providers will play a role in three contexts:

  • Intermediation services between data holders which are legal persons and potential data users: those services may include bilateral or multilateral exchanges of data or the creation of platforms or databases enabling the exchange or joint exploitation of data, as well as the establishment of a specific infrastructure for the interconnection of data holders and data users.
  • Intermediation services between data subjects that seek to make their personal data available and potential data users.
  • Services of data cooperatives: services supporting data subjects or one-person companies or micro, small and medium-sized enterprises, who are members of the cooperative or who confer the power to the cooperative to negotiate terms and conditions for data processing before they consent.

These three areas are described in more detail below.


Requirement to notify

Any data sharing service provider who intends to provide data sharing services falling within the scope of one of the three types of data sharing services described above must submit a notification to the relevant Member State’s competent authority.

They will be the only third parties able to run so-called data exchanges or trusts for data pools. Operators of personal data stores will be covered by such requirements and will accordingly need to notify.

The DGR provides that, upon giving such notification, the provider of data sharing services may start the activity subject to the conditions laid down in the DGR. The notification entitles the provider to provide data sharing services in all Member States.

What data sharing services will not be covered by the DGR?

Data sharing service providers covered by the notification requirement under the DGR would have as their main objective the creation of legal and potentially technical relations between data holders and potential users, assisting both parties in exchanging data.

Their business must aim at intermediating between an indefinite number of data holders and data users, rather than a closed group.

What are the other excluded categories?

Other categories excluded from the requirement to give notice under the DGR include:

  • Providers of cloud services.
  • Service providers that obtain data from data holders, aggregate, enrich or transform the data and license the use of the resulting data to data users, such as advertisement or data brokers.
  • Data consultancies.
  • Providers of data products resulting from value added to the data by the service provider.
  • Services that focus on the intermediation of content, in particular on copyright-protected content.
  • Data exchange platforms used by one data holder in order to enable the use of data they hold.
  • Platforms developed in the context of objects and devices connected to the Internet of Things.
  • Regulated entities such as consolidated tape providers and account information service providers.
  • Data altruism organizations (see below).

Are data sharing service providers outside the EU covered?

Under the DGR, providers of data sharing services would be required to have a place of establishment in the EU or to designate a representative in the EU.

This means that a provider of data sharing services that is not established in the EU, but which offers services falling within the scope of the DGR, must:

  • Appoint a legal representative in one of the Member States in which those services are offered. (The representative would act on behalf of the data sharing services provider under a written mandate. The provider would be deemed to be under the jurisdiction of the Member State in which the legal representative is established.)
  • Notify the competent authority in the relevant Member State.
  • Comply with the DGR conditions applicable to such data sharing arrangements.

Data sharing service providers would be supervised by the competent authority in the Member State where they are established or where their legal representative is located.

Intermediation services between data subjects: personal data

The DGR provides for a specific category of data intermediaries focusing exclusively on personal data and seeks to enhance individual agency and the individuals’ control over the data pertaining to them.

These service providers would assist individuals in exercising their GDPR rights, in particular managing their consent to data processing, the right of access to their own data, the right to the rectification of inaccurate personal data, the right of erasure or right “to be forgotten,” the right to restrict processing and the right of data portability.

The DGR would prevent misaligned incentives that could encourage individuals to make more data available for processing than what is in the individuals’ own interest. It provides that the provider offering services to data subjects shall act in the data subjects’ best interest when facilitating the exercise of their rights, in particular by advising data subjects on potential data uses and standard terms and conditions attached to such uses.  The duty might also include, for example, making due diligence checks on data users before allowing them to contact data subjects, in order to avoid fraudulent practices.

In certain situations, it could be desirable to collate actual data within a “personal data space” so that processing can happen within that space.

Data cooperatives

The DGR contains rules on data cooperatives, which would seek to strengthen the position of individuals consenting to data use, influencing the terms and conditions attached to data use or potentially solving disputes on how data can be used when such data pertain to several data subjects within that group.

What are the conditions applicable to providers of data sharing services?

To increase trust in data sharing services, the DGR creates an EU-level regulatory framework with highly harmonized requirements (called “conditions”) applicable to all three types of data sharing arrangements covered by the DGR (that is, intermediation services between data holders, intermediation services between data subjects, and data cooperatives).

Broadly speaking, the effect of the conditions is that:

  • Data sharing service providers would be required to be neutral as regards the data exchanged between data holders and data users, and could thus act only as intermediaries, without using the data exchanged for any other purpose.
  • Structural separation would be required between the data sharing service and any other services provided, so as to avoid conflicts of interest. Data sharing service providers should be separate legal entities that do not engage in other activities.
  • Data sharing service providers intermediating exchanges of personal data between individuals as data holders and legal persons should be subject to fiduciary duties towards those individuals (“the provider offering services to data subjects shall act in the data subjects’ best interest when facilitating the exercise of their rights”).

Encouraging data altruism

The DGR aims to tap the potential to increase the use of data made available voluntarily by individuals or companies for purposes of general interest, such as healthcare, combating climate change, improving mobility, compiling official statistics, improving public services and supporting scientific research. The legal framework established by the DGR would contribute to the formation of data pools with sufficient size to enable data analytics and machine learning.

Companies seeking to support purposes of general interest by making available relevant data based on data altruism at scale and which meet certain requirements would be able to register as “Data Altruism Organizations recognized in the Union.”

Registration would be valid across the EU, facilitating cross-border data use within the EU and the emergence of data pools covering several Member States.

Engendering trust

The voluntary compliance of such registered entities with a set of requirements should foster trust that data made available for altruistic purposes serves the general interest. Such trust should result in particular from:

  • A place of establishment within the EU.
  • The requirement that registered entities have a not-for-profit character.
  • Transparency requirements.
  • Specific safeguards in place to protect rights and interests of data subjects and companies.

Further safeguards should include offering data processing within a secure processing environment operated by the registered entity, oversight mechanisms such as ethics councils or boards to ensure that the data controller maintains high standards of scientific ethics, and the technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under the GDPR.

What are data altruism organizations permitted to do?

Recognized data altruism organizations would be able to collect relevant data directly from natural and legal persons or to process data collected by others.

Is consent required?

Typically, data altruism would rely on consent of data subjects in accordance with the GDPR.  Individuals and companies participating in these activities would consent to specific purposes of data processing, but could also consent to data processing in certain areas of research or parts of research projects.

For additional legal certainty, the DGR envisages that the EC will develop a European data altruism consent form to contribute additional confidence and transparency on how data subjects’ data will be accessed and used.

Use of the form could also streamline data altruism by companies and provide a mechanism allowing companies to withdraw their permission to use the data.

To take into account the specificities of individual sectors, including from a data protection perspective, there should be a possibility for sectoral adjustments of the European data altruism consent form.

Are there generally applicable localization requirements under the DGR?

Shielding: the DGR includes “shielding” provisions to limit EU citizens’ and companies’ obligation to provide data under the legal procedures of non-EU countries. In practical effect, these could result in some data being localized within the EU.

Non-personal data: a public sector body in relation to public sector data, the re-user of such data, a data sharing provider, and data altruism organizations, as the case may be, must take all reasonable technical, legal and organizational measures in order to prevent transfer or access to non-personal data held in the EU where such transfer or access would create a conflict with EU law or the law of the relevant Member State, unless the transfer or access falls within one of the following two exceptions:

  • International agreement permits it: any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring them to transfer from, or give access to, non-personal data in the EU may only be recognized or enforceable if based on an international agreement (such as a mutual legal assistance treaty) in force between the requesting third country and the EU, or any such agreement between the requesting third country and a Member State.
  • International judgment complying with minimum requirements: if they are directed by a decision of a court or of an administrative authority of a third country to transfer from, or give access to, non-personal data held in the EU, and compliance with that requirement risks conflict with EU or Member State law, the transfer or access shall take place only if: (1) the jurisdiction requires the reasons and proportionality to be set out, and the judgment or decision is sufficiently specific; (2) the objections of the addressee are subject to review by the foreign court; and (3) the foreign court is empowered to take into account the relevant legal interests of the provider of the data.

In either case, they must provide the minimum amount of data permissible in response to a request for transfer / access.

Are there localization requirements specific to public sector data?

There are additional localization requirements applicable to non-personal public sector data. To protect non-personal data that is covered by intellectual property rights or is otherwise confidential, special requirements would apply under the DGR to transfers of such data to non-EU countries:

  • The EC can declare that the legal, supervisory and enforcement arrangements of a third country: (1) ensure protection of intellectual property and trade secrets in a way that is essentially equivalent to the protection ensured under EU law; (2) are being effectively applied and enforced; and (3) provide effective judicial redress.
  • Public sector bodies may only transmit confidential data or data protected by intellectual property rights to a re-user which intends to transfer the data to a third country other than an EC approved country (see bullet above) if the re-user undertakes: (1) to comply with the obligations imposed by the DGR even after the data is transferred to the third country; and (2) to accept the jurisdiction of the courts of the Member State of the public sector body as regards any dispute.

Highly sensitive non-personal data

The DGR provides that public sector bodies may impose stricter conditions on transfers to non-EU countries of highly sensitive types of non-personal data, such as public health system data held by public hospitals.

To ensure harmonized practices across the EU, such highly sensitive data will be defined in EU measures – for example, in the context of the European Health Data Space or other sectoral legislation.

The DGR requires that the conditions:

  • Attached to the transfer of such data should be proportionate, non-discriminatory and necessary to protect legitimate public policy objectives, such as the protection of public health, public order, safety, the environment, public morals, consumer protection, privacy and personal data protection.
  • Should also correspond to the risks identified in relation to the sensitivity of such data, including in terms of the risk of the re-identification of individuals.
  • Could include terms applicable to the transfer or technical arrangements, such as using a secure processing environment, limitations as regards the re-use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or who can access the data in the third country. In exceptional cases, they could also include restrictions on transfer of the data to non-EU countries to protect public interests.

Of course, the GDPR continues to apply, with its restrictive approach to the international transfer of any personal data.