On November 25, 2020, the European Commission published its Proposal for a Regulation on European Data Governance (the “Data Governance Act”). The Data Governance Act is part of a set of measures announced in the 2020 European Strategy for Data, which is aimed at putting the EU at the forefront of the data empowered society. The European Commission also released a Questions & Answers document and a Factsheet on European data governance.
The Data Governance Act is aimed at fostering the availability of data by increasing trust in data intermediaries and strengthening data sharing across the EU and between sectors. “Data” under the Data Governance Act means any digital representation of acts, facts or information and any compilation of the same, including in the form of sound, visual or audiovisual recording.
The Data Governance Act outlines (1) the conditions for re-use of certain categories of data held by public sector bodies in the EU; (2) a notification and supervisory framework for the provision of data sharing services; and (3) a framework for voluntary registration of entities that collect and process data made available for altruistic purposes. It is intended to create a network of trusted and neutral data intermediaries and an oversight regime comprised of national supervisory authorities as well as a pan-EU coordinating body.
Below are some key takeaways from the draft Data Governance Act:
Re-Use of Protected Data by Public Sector Authorities
The Data Governance Act creates a framework for re-using certain categories of public sector data, including data protected on the grounds of (1) commercial or statistical confidentiality; (2) protection of intellectual property rights; or (3) protection of personal data. It also ensures that data can be widely re-used by including a general prohibition on agreements that create (or aim to create) exclusive rights for re-use, except under specific conditions when justified and necessary for the provision of a service of general interest.
Public sector bodies may set conditions around the re-use of data that must be non-discriminatory, proportionate and objectively justified. Conditions may include, amongst others, the obligation to re-use anonymized or pseudonymized data only, or to delete commercially confidential information, including trade secrets, when re-using data. The Data Governance Act also provides the European Commission with the right to impose further conditions regarding the re-use of highly sensitive non-personal data (such as certain datasets held by public health system actors), in particular with regard to the transfer of such data to third countries. “Non-personal data” means data that does not qualify as personal data under the EU General Data Protection Regulation (“GDPR”).
The Data Governance Act requires the designation of one or more competent bodies, which may be sectoral, by the EU Member States to support public sector bodies granting access to the re-use of data.
Data Sharing Services
The Data Governance Act also sets out a framework for data sharing service providers (i.e., intermediaries between data “holders”, also known as data subjects, and data users). In particular, it imposes a prior notification obligation on data sharing service providers. In addition, the provision of data sharing services is subject to specific conditions including: (1) restrictions on the purposes for which data can be re-used and the use of metadata collected from the data sharing service; (2) conditions for access to the data sharing services; (3) the obligation to ensure the interoperability of the data; (4) the obligation to prevent fraudulent or abusive practices in relation to data access; (5) continuity obligations for the data sharing services; and (6) security obligations to prevent unlawful transfer or access to non-personal data and to ensure a high level of security for the storage and transmission of the data.
Data sharing service providers that are not established in the EU but offer those services in the EU are required to appoint a legal representative in one of the Member States in which the services are offered.
Each Member State must designate one or more authorities competent to monitor both notifications and compliance with the requirements applicable to data sharing service providers. Data sharing service providers must share with the competent authorities any information necessary to verify compliance with their requirements under the Data Governance Act. The designated competent authorities should cooperate with the data protection authorities, national competition authorities, authorities in charge of cybersecurity and other relevant sectoral authorities to exchange the information necessary for the exercise of their tasks in relation to data sharing service providers.
Data Altruism
The Data Governance Act aims to facilitate data altruism by creating a framework for voluntary registration of entities that collect and process data made available for altruistic purposes. “Data altruism” means “the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services.” It provides the possibility for data holders to make their data available for free or for a charge.
In order to qualify for registration, a data altruism organization must meet certain criteria, including being a non-profit organization established to meet objectives of general interest. Similar to data sharing service providers, data altruism organizations that are not established in the EU must appoint a legal representative in the EU. This representative must be located in the country where the organization intends to collect data. Additionally, data altruism organizations must register with the competent supervisory authority of the Member State where they (or their representative, if appropriate) are established. Each Member State must designate one or more authorities competent to maintain the register of data altruism organizations and monitor compliance with the requirements applicable to data altruism organizations.
Registered data altruism organizations must keep full and accurate records regarding (1) the natural or legal persons processing data held by that entity; (2) the date and duration of the processing and the processing purpose; and (3) the fees paid by natural or legal persons processing the data, if any. Annual activity reports must be kept and provided to the competent national authority. The Data Governance Act also imposes specific requirements on registered data altruism organizations to safeguard the rights and interests of data subjects and legal entities with regard to their data, including transparency obligations and purpose limitation restrictions.
Further, the Data Governance Act foresees the development by the European Commission of a template European data altruism consent form to be used by data holders. The template consent form must take into account the consent requirements applicable under the GDPR where personal data is provided.
Additional Takeaways
- The Data Governance Act grants natural and legal persons the right to lodge a complaint with the relevant national competent authority against providers of data sharing services or data altruism organizations. It also provides a right to an effective judicial remedy.
- The Data Governance Act provides for the establishment by the European Commission of a European Data Innovation Board in the form of an Expert Group consisting of representatives of the Member States, the European Data Protection Board (“EDPB”) and representatives of relevant data spaces and specific sectors. The European Data Innovation Board will have several tasks, including advising and assisting the European Commission in developing consistent practice and cross-sector standards, enhancing the interoperability of data and data sharing services between different sectors and domains and facilitating the cooperation between the national competent authorities.
- The Data Governance Act also lays down the rules applicable in the event of a request by an administrative authority in a third country to gain access to or have non-personal data held in the EU transferred. In that case, the relevant entity must take all reasonable technical, legal and organizational measures to prevent the transfer of or access to non-personal data held in the EU where it would create a conflict with EU or Member State law, unless such transfer is required by a court judgment or decision of an administrative authority. The Data Governance Act provides additional conditions and safeguards in the event of such request, including a transparency obligation vis-à-vis the data holder and the obligation for the relevant entity to provide the minimum amount of data permissible.
Next Steps
The draft Data Governance Act will now be sent to both the European Parliament and the Council of Ministers to be negotiated and voted on. The European Commission also plans to publish proposals for a Digital Markets Act and a Digital Services Act, which are part of the 2020 European Strategy for Data.
Read the European Commission Press Release.