Technology | The New Data Governance Act to Ban Certain Data Sharing Practices Starting September 2023
In 2020 the European Commission (“Commission”) launched its European strategy for data, which aim is creating a single market for data in Europe. The Commission believes that the data economy in the EU will increase from 301 billion euro in 2018 to 829 billion euro within 2025. According to the Commission, this will happen by using data as a catalyst for economic growth, competitiveness, innovation, job creation and societal progress in general. This will in turn improve health care, create safer and cleaner transport systems, generate new products and services, reduce the costs of public services, and improve sustainability and energy efficiency. In its strategy, the Commission proposed several initiatives and regulations meant to ensure data sharing in line with European values and rights:
- The set-up and development of European data spaces, involving both private and public bodies, in sectors such as health environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills.
- The Data Act which intends to regulate and promote data sharing between businesses in the private sector, and between private businesses and public authorities.
- The Artificial Intelligence Act which introduces a risk-based approach to use of artificial intelligence (AI), where the requirements for use increase in proportion with the risk present, as well as a ban on the use of certain types of AI.
- The Data Governance Act (the “DGA”) that aims to create a market for sharing non-personal data (industrial data) in line with the EU’s principles and values, including privacy, consumer protection, IP-rights, and competition rules.
How will the DGA work in practice?
The public sector holds vast amounts of protected data (e.g., personal data and commercially confidential data) that cannot be re-used as open data but that could be re-used under specific EU or national legislation. By boosting data sharing through the regulation of data intermediaries, encouraging the sharing of data for altruistic purposes and by implementing rules and safeguards. The Commission aims to make a lot more publicly/held, protected data, available for re-use. It is important to note that the DGA includes a broad definition of data, defining it as “any digital representation of acts, facts or information and any compilation of such”. This means that the DGA will affect a large number of public and private bodies.
Single Information Point and Competent Bodies
The DGA will force member states to establish a single information point for data, where re-users can find relevant information on what data is held by which public authorities. Given that only 10% of public data is available in Norway today, the public authorities will be forced to step up its efforts in making more data available if the DGA comes into force in the EEA. Under the DGA, member states can establish competent bodies which will support public sector bodies granting access to data, for example by providing the latter with a secure processing environment and by advising them on how to best structure and store data to make it easily accessible.
Many companies currently fear that sharing their data would result in a loss of competitive advantage and represent a risk of misuse. The DGA defines a set of rules for providers of data intermediation services (so-called data intermediaries, such as data marketplaces) to ensure that they will function as trustworthy organisers of data sharing or pooling within the European data spaces.
In practice, data intermediaries will function as neutral third parties that connect an undetermined number of data subjects and data holders on the one hand and data users on the other hand. They cannot monetise the data (e.g., by selling it to another company or using it to develop their own product based on this data) and will have to comply with strict requirements to ensure this neutrality and avoid conflicts of interest. However, data intermediaries will be able to charge for their services. Under the DGA, data intermediaries will be required to notify a competent authority of their intention to provide such services.
In addition to supervising the notification procedure and granting data intermediaries that fulfil the requirements a right to act as a data intermediary in the EU, the competent authority will supervise compliance with the DGA’s regulations. This includes data intermediation services, but also extends to for example the probation of certain types of exclusive data sharing agreements and cross-border transfer of non-personal data.
The DGA will have a large impact on European and global businesses. The DGA will add several layers to the regulation of data protection. Given that it also regulates personal data, it must be read together with the General Data Protection Regulation (“GDPR”). This will surely result in an increased difficulty in staying compliant with applicable regulations. Additionally, the requirements in the DGA will create a new ecosystem of, public and private actors, giving rise to new economic possibilities. We believe that those who position themselves correctly will be able to take advantage of these possibilities. While others, will be heavily restricted and suffer losses due to the impact on certain business models.
The European data strategy signals a shift from an almost single-minded focus on personal data, to a now, broader focus on data in general. Where private actors were largely left unattended before, the DGA now heavily restricts certain types of data sharing and use. The other proposed regulations, the Data Act, and the Artificial Intelligence Act, will also further affect the access to share and use data.
The DGA entered into force in the EU on 23 June 2022 and will be applicable from September 2023. The proposal is currently being assessed in Norway and in the EEA/EFTA countries.