13 Apr 2021

DIGITALEUROPE’s recommendations for the Data Governance Act

Key messages

The European data economy will be a key driver of the EU’s growth this decade. DIGITALEUROPE welcomes the Data Governance Act[1] as first major initiative under the 2020 Data strategy, to enable increased access to data, bring trust to data sharing and create the foundations to build the European data spaces upon.

To ensure that the Data Governance Act framework will effectively boost the EU’s data economy, we propose the following recommendations:

  • Prudently unlock re-use of sensitive data: While the benefits of re-using sensitive publicly-held data are immense, which kind of data is concerned needs to be carefully assessed. The re-use of personal data, IP-protected and commercially-confidential data presupposes the creation of a robust framework preventing any misuses (averting data breaches, etc.).

  • Safeguard existing data sharing initiatives: The proposed requirements for data intermediaries should not affect existing value-added B2B platforms and data partnerships, used for instance by companies to serve their customers or exchange data with suppliers. The proposal’s scope and requirements should be clarified accordingly and remain proportionate.

  • Leverage data altruism: The proposal should allow companies to access data donations if the data is collected for “general interest” goals (to support innovation for healthcare, smart mobility, etc.) and if consent is granted.

  • Keep the framework simple: Single information points should act as data sharing one-stop shops for stakeholders, to reduce uncertainty and raise awareness, particularly towards smaller businesses. The European Data Innovation Board should guide the work of competent authorities and information points, notably to ensure EU harmonisation and simplification.


Introduction

Europe has a strong data potential, but it remains untapped. As of 2020, the data economy is estimated to contribute only to 3% of the EU’s GDP[2]. We believe that this can change. As DIGITALEUROPE, we have been developing KPIs to set attainable objectives for the digital economy: Europe can, and must, grow its data economy to 6% of GDP by 2025[3].

Therefore, we welcome initiatives to increase data availability and improve access to, and re-use of public sector data, as well as helping facilitate greater private data sharing by increasing trust. Our members support the principles of voluntary, trustworthy and responsible data sharing and enhanced access to public sector data for European innovators, key principles which underpin the Data Governance Act proposal (hereafter “the Regulation”, or “DGA”). Such principles will encourage more trusted, responsible data sharing and the re-use of public sector data to address today’s societal challenges in relation to health, environment or mobility, and more generally to support Europe’s economic growth, global competitiveness, and the development of technologies such AI and high-performance computing.

We believe that digital ecosystems, based on European values, can help further promote data exchange across borders and sectors, and contribute to the competitiveness of EU industry and research. The DGA can be instrumental in driving an important paradigm shift towards embracing the potential of data for the common good along the principles of openness, participation, and transparency.

The benefits of data sharing and a more open, collaborative approach to data can arise across wide scenarios, with varying numbers and types of actors involved. In fact, successful collaboration models already exist across many of these different scenarios – and across projects on which DIGITALEUROPE members are already engaged in – that allow organisations to share more data while maintaining contractual freedom and driving important, valuable results and learnings.

We believe that data collaboration within and across Europe’s industries will be key to future innovation and economic growth. The DGA is a promising starting point which could provide an important foundation to the European Single Market for Data that the EU wishes to build.

We provide below key considerations and recommendations for policymakers to help ensure that the DGA achieves its objective of increasing data sharing in Europe.


Crosscutting aspects

Relationship with other rules and initiatives

The European data legislative framework is a set of growing initiatives addressing many different aspects of the data economy. Some pieces of legislation have been in force for some time, while others should be released in the coming years as part of the Commission’s Data strategy.

The DGA proposal should be fully integrated within this regulatory framework. Regarding personal data, avoiding any conflict with the General Data Protection Regulation (GDPR) is key to provide legal certainty to entities in scope. The DGA should be entirely consistent with the GDPR and rely on all the key legal bases provided for processing – i.e., not only consent. When it comes to sharing of publicly-held data, the DGA should leverage existing provisions from the recently revised PSI / Open Data Directive[4] to avoid discrepancies between publicly-held non-personal data (under PSI) and sensitive non-personal and personal data (under DGA).

The Regulation should also fit into the broader European data ecosystem, including initiatives such as the Common European data spaces. It is surprising to see so little references to the latter, given the fact that the DGA was initially supposed to be a “legislative framework on the governance of Common European data spaces”; and because the released proposal is still very much focused on the data spaces’ inception – without naming them – with provisions to build trust in the spaces and to ensure they would have access to wide ranges of data.

The European Data Innovation Board envisioned in the proposal should ensure proper coordination between the different initiatives within the EU data framework, whether legislative or not. It could act as forum for stakeholders to discuss data issues, monitor the implementation of the EU Data strategy and its initiatives, and improve the coherence of the overall framework. This is particularly important for activities such as developing interoperability and cross-sector standardisation, which are part of the Board’s mandate but would need input from representative of the different data spaces, industry initiatives such as GAIA-X, and standards developing organisations.

Our recommendations:

  • The relationship with the wider legal framework (GDPR, Open Data Directive, Free flow of non-personal data Regulation) needs to be further explained.
  • Related non-legislative initiatives should be taken into account (e.g. data spaces, GAIA-X).

EU harmonisation

Despite being a regulation and not a directive, the DGA offers considerable flexibility for Member States to implement the provisions as they see fit, through their designated competent authorities. This is particularly true on a number of provisions, from granting or refusing re-use of data under chapter 2 to defining applicable fees or penalties relative to infringement.

As DIGITALEUROPE, we believe that the European data economy can only prosper in a harmonised EU Single Market. Therefore, we call for the implementation of requirements to be unified. Without additional safeguards to ensure coordination and harmonisation among competent authorities, the integrity of the internal market on data could be compromised:

  • Competent authorities in one Member State may respond positively to data re-use requests more often than other countries, and with divergent re-use conditions. This may lead to companies having better access to data depending on where their operations are based and their capacity to request access in other countries.

  • Measures and penalties to be decided by competent authorities pursuant to the Regulation may be strict or lenient depending on each Member State. For data intermediaries in the scope, some Member States may charge administrative fees when handling the notification procedure and related compliance monitoring, according to article 10(10). This could lead to forum shopping, with legal representatives to be designated in countries more favourable by organisations in scope. This would undermine entities acting in good faith, particularly European ones as their country of main establishment would be the one notified under the DGA.

To avoid such situations, effective and consistent oversight from the Commission and the European Data Innovation Board is needed, combined with harmonised interpretation.

We believe that the Commission and the European Data Innovation Board should develop guidance and mechanisms to limit divergence in the application of the Regulation. When possible, binding rules to direct authorities’ actions could even be developed at EU level. This would support a level playing field for all companies, regardless of their country of origin.

We understand that in some cases, discrepancies between Member States may happen due to lack of resources or know-how. The Commission and the European Data Innovation Board should stand ready to support authorities in the efficient, proportionate and harmonised implementation of the DGA’s provisions.

Our recommendation:

  • To enhance the Single Market, a unified implementation of requirements at EU level is needed (including data access conditions, penalties, etc.).


      Definitions

      The DGA proposal is promising but a general lack of clarity may counter the positive impact expected from the Regulation. Finetuning of existing definitions and insertion of new ones may help address the uncertainty for data economy actors.

      Our recommendations:

      • Fine-tuning and insertion of new definitions in article 2 could help clarify the proposal’s scope, notably for chapters 3 and 4.

        • Including introducing a definition of ‘data sharing intermediary’.
        • More details in the dedicated section.
      • The definition of ‘data’ should also include non-digital data.

        • For instance, many hospitals have paper records not yet digitalised.
      • A new definition should be introduced to define the concept of ‘general interest’, extensively used for chapter 4. The definition should be wide and integrate the support to research and innovative uses, including the development of new services and products by companies.

       


      Access and re-use of sensitive publicly-held data

      Data potential

      The provisions outlined in chapter 2 of the Regulation proposal are a positive step towards increasing re-use of public sector data by addressing categories of data not covered by the Open Data Directive.

      This can be of high societal and economic benefit, for instance the re-use of medical records or genetic data in the health field could help develop personalised medicine and research cures for rare diseases. In the mobility field, the re-use of user and service provider transport data could support the establishment of multimodal passenger transport – allowing to buy tickets for different transport modes and from different operators in one payment – which could lead to increased public transport use over private personal vehicles use.

      DIGITALEUROPE is in favour of nurturing innovation and addressing societal challenges through the re-use of data, and the public sector data can play a vital role in such endeavours. We are committed to the further use of open government data beyond the Open Data Directive and welcome the steps taken by the DGA to make EU public authorities pioneers in supporting the re-use of sensitive data.

      The COVID-19 pandemic has demonstrated the collective efforts and collaboration required, including the re-use of data, to support public health management strategies across the EU. When aiming to foster such collaboration, the public sector should act as a role model in providing data access and ensure secondary use. To achieve such goal, DIGITALEUROPE recommends an Open-by-Default obligation with clear policy measures.

      In order to tap the greatest possible potential from open government data, close cooperation and networking among actors involved is required, i.e. between data providers and data users. Many relevant actors are not yet connected in a comprehensive and systematic way. An intensified exchange between open government data actors throughout Europe is necessary for making better use of existing offers and benefitting from untapped potential.

      Frameworks for the re-use of data must be based on strong principles which ensure a trustworthy environment for all stakeholders. The acceptance, understanding and motivation to use open government data needs to be promoted by increasing confidence in its responsible handling. The DGA can be an important step in this direction.

      Our recommendation:

      • Initiatives such as the Open Data Directive or the Data Governance Act need to become part of a larger EU and national open data ecosystem, supported by the European Data Innovation Board.


      Categories of data covered

      While the DGA’s provisions on sensitive data are very promising, the resulting regulatory framework needs to be perfectly secure given the sensitivity of the data to be re-used.

      The scope of the proposed provisions must be clear, and should not cover data which is licensed to government bodies by commercial actors and restrict choice of contracting terms. We believe that such measures would disincentivise collaboration between industry and public sector. Provisions for sensitive data held by the public sector should also ensure that personal data, trade secrets, confidential business information or IP rights and protections are not undermined. It is also unclear how businesses can be sure that the public sector body 1) accurately determines which data must be protected and 2) effectively removes any protected (commercially-confidential) information from the datasets it holds.

      If this cannot be assured, it would mean that data suppliers would have to factor in new costs of doing business with governments and the public sector. It would ultimately disincentivise corresponding industry collaboration, given the possibility of sensitive commercial information being made available to third parties (whether comprised by the data itself, proprietary data containers or formats, or insights into technology that the data may provide), and the risk that competitors could receive an unfair advantage by benefiting from significant investment made in generating, collecting and processing data.

      Additionally, in our view, ‘highly sensitive’ commercial data subject to the rights of others should not be re-used (nor, by definition, transferred) by determination of a public body, or delegated acts, as put forward in the draft proposal. In general, we believe that further clarity is needed on the concept of ‘highly sensitive’ data in the DGA. While recital 19 notes that such types of data should be defined in EU law, it only allows for future sectoral legislation to do so, which may create lasting uncertainty for Member States and stakeholders wishing to re-use sensitive publicly-held data.

      Our recommendations:

      • While allowing the re-use of data beyond the scope of the Open Data Directive is very promising, which kind of data is concerned needs to be carefully assessed.

      • Categories of publicly-held ‘protected data’ should be further defined, while considering the risks for citizens’ privacy and industry competitiveness with any ambiguity in the wording (cf. article 3) and on how such data can be used.

        • The concept of ‘highly sensitive’ data should also be defined and clarified in the Regulation.
      • The re-use of personal data and commercially-confidential data presupposes the creation of a robust framework preventing any misuses (averting data breaches, etc.).

      • It is crucial to ensure that companies’ data is not shared with competitors. The provisions should not cover data licensed to government bodies by commercial actors and restrict choice of contracting terms, as it would disincentivise public-private collaboration.


      Data processing and arrangements

      The DGA lacks clarity regarding the potential re-use obligations, for instance to process data in a secure environment or to pre-process sensitive data, whether to anonymise or pseudonymise its content, or remove the confidential information it contains. Language in article 5 paragraphs 3 and 4 notes that public sector bodies “may impose obligations” to re-use only pre-processed data or use a secure processing environment, allowing public institutions to decide not to define re-use conditions at all, or, on the contrary, to go beyond the provisions of article 5.

      We understand the need to provide different possibilities to protect the data before or during re-use, to ensure proportionality and reduce impact on re-users and/or the public sector, but also to provide additional safeguards when deemed necessary. However, to avoid fragmentation, application of such re-use conditions should be harmonised at EU level. This means that Member States, supported by the European Data Innovation Board, could for instance define categories of sensitive data for which some of the conditions laid down in article 5 may be used. This would ensure that a specific category of data would not undergo pre-processing in one Member State, real-time secure processing in another, additional rules in others, etc.

      In practice, the provisions set in paragraphs 3, 4 and 5 of article 5 may be complicated to implement as competent authorities are likely to lack the necessary expertise to oversee pre-processing or manage secure environment processing. Such activities would be costly for Member States, which would need appropriate resources (more details in the dedicated section). We believe it is important to avoid carrying over the inferred costs to the re-users as much as possible, to ensure fairness to all interested re-users, particularly smaller businesses. In any case, potential fees should be reasonable, proportionate to the re-use costs and should not exceed the marginal costs, as detailed in the Open Data Directive[5], particularly its recitals 36 and 40. The Commission and the European Data Innovation Board should support Member States in managing (pre-)processing activities and related tasks, such as defining marginal costs.

      Clear rules on accountability and liability should also be provided regarding the risk assessment and management between data holders and users, to avoid any legal uncertainty for re-users of sensitive data under the DGA framework. For example, a re-user should not be liable if information jeopardising the rights and interests of third parties is leaked due to a failure or malfunction of the secure processing environment provided and controlled by the public sector.

      We welcome the provisions in article 5(6) requesting the public sector to support re-users in seeking data subject consent and/or authorisation from the legal entities, when re-use could not be granted otherwise. The necessary actions to be taken by public bodies to complete such task should be defined by the European Data Innovation Board – in coordination with the European Data Protection Board when relevant – and should result in clear guidelines ensuring efficiency and compliance with EU law.

      Finally, we support the prohibition of exclusive arrangements as set in article 4 and believe that derogations should be restricted. However, such provisions should not be interpreted as preventing public sector bodies from agreeing to license in data on normal commercial terms. For instance, this should not affect public procurement contracts between companies and public bodies which contain restrictions on data for re-use on the basis of the companies’ IP rights in the data (e.g., data containing proprietary information about product design or maintenance data originating from the operation of a system that the public sector body holds).

      Our recommendations:

      • The language regarding data re-use conditions (such as pre-processing) should remain consistent in the whole text.

      • Re-use conditions of article 5 should be uniformly applied across Member States. The European Data Innovation Board should support and ensure harmonisation and coordination.

      • Fees for re-users should be reasonable and proportionate, and should not exceed marginal costs.

      • Clear rules on accountability and liability should be provided to re-users.

      • The European Data Innovation Board should develop guidelines on public bodies’ support to re-users seeking consent or authorisation for re-use.

      • The prohibition of exclusive arrangements should not prevent public sector bodies from contracting private companies.


      Good practices

      Currently, the multitude of (technical) possibilities for data provision leads to a very heterogeneous data offer as well as to different levels of data usability. To facilitate access and use of open government data, we need harmonised and standardised technical implementation – particularly regarding formats and systems used. Public administrations need to address relevant issues, such as the collection and processing of data, early on, when IT systems are procured. Developing usability and accessibility of data can be assisted by promoting the adoption of internationally recognised technical and security standards to format, structure and share data.

      We see the creation of single contact points for data access, such as Findata[6], as a fundamental measure to connect data sources and data re-users under clear, transparent and consistent conditions. Such central open government data competence centres can aggregate expertise at national level and help sectoral or local administration. This includes consulting and training on data anonymisation, implementation of quality assurance and uniform provision of such data.

      Single information points can act as first points of contact for the open government data community. They should make data available through a portal that includes a catalogue with standardised metadata (uniformly structured descriptions). The data itself remains decentralised, held by the data providers. National metadata catalogues should be compiled at EU level by a European single information point. For this framework to work, there should be harmonisation at EU level in the actions of the contact points, to avoid further fragmentation in accessing the data.

      Open government data should be easily retrievable and machine-readable. User-friendly provision of Open Data cannot be in restrictive or illegible formats, and to achieve maximum benefits, data should be provided via machine-readable interoperable formats and open interfaces (open APIs).

      Through open interfaces, previously invisible back-end systems can be made visible and usable for third-party developers. This fosters innovation and, for businesses, results in greater customer reach in external app and web markets, and increases sales of data provided via APIs. Therefore, the development of capabilities for planning, setting up and operating proper APIs is of high importance. Providing open interfaces for open government data requires a joint and institutionalised discourse between administration, business, science and civil society stakeholders.

      Our recommendations:

      • To foster data sharing, the public sector should support international and European standardisation efforts in identifying and defining interoperability protocols, APIs and semantics (common taxonomies, data formats, models, etc.).

      • Single contact points should be created in each Member State to act as one-stop shops for stakeholders regarding data access, re-use, sharing, etc.


      Data sharing intermediaries and activities

      Scope

      To foster trust in data sharing frameworks, greater clarity is needed on the scope of data sharing intermediaries impacted by the proposal. Removing any ambiguity would provide more legal certainty and less potential hurdles to encourage increased data sharing in Europe. It is still unclear which data flows between companies and which scenarios will be affected, and might therefore be subject to compulsory notification requirements, whose compliance will be monitored by national authorities in potentially 27 different ways.

      Greater clarity on the Regulation’s scope is found in the recitals, notably 22, which should be reflected in chapter 3, along with scope definitions.

      The DGA’s provisions, particularly article 9, are vague and could be interpreted as covering existing B2B platforms operating in Europe, already developed by private players, and through which data is collected from several types of stakeholders (clients, suppliers notably), centralised and processed to allow the provision of value-added services (predictive maintenance, for instance). If such platforms were included in the scope of the DGA, they would be made subject to very strict new obligations to authorities, such as notification (de facto authorisation) to authorities, requirement to comply with predefined data governance terms and conditions, obligation to unbundle the operation of the platform from the rest of the digital activities, the prohibition to use the data for other purposes than to put it at the disposal of data users, etc. (cf. article 11).

      Such existing platforms, developed by private players based on significant private investment, involving significant risk, and requiring massive convincing efforts, cannot be made subject to such severe obligations. This would de facto remove any incentive from the private side to innovate and further develop data platforms. Such platforms providing value-added services would have to consider drastic changes to their functioning and business models, potentially terminating their activities. This would be disastrous in a situation of scarcity of B2B platforms in the EU.

      The proposal itself seems to recognise the vagueness of its scope provisions, by setting a specific article with exceptions (article 14), to ensure that data altruism organisations would not fall under the requirements of chapter 3.

      Our recommendations:

      • Article 9 and recital 22 should be refined to ensure that the proposal would not apply to a wide range of data sharing services which would be negatively affected by the proposed measures. We understand the Commission’s intent was only to encompass a selected group of services.

        • Integrating into article 9 the notion of neutrality and independence developed in article 11 would clarify the scope and ensure that only platforms which purpose is to facilitate data sharing are covered. Article 9(1)(a) could for instance be amended as follows:

      “intermediation services which sole purpose is to facilitate data sharing between data holders which are legal persons and potential data users, including making available the technical or other means to enable such services”.

      Similar changes could be applied to points (b) and (c) of article 9(1).

      • The broad and vague concept of ‘data sharing service’ should be replaced in the context of chapter 3 (and its article 9) by the specific notions of ‘data intermediary’ or ‘data intermediation service’.

      • The proposed wording of article 9(1)(c) may create legal uncertainty as data cooperatives already exist, with business models different to the concept developed in the DGA. Replacing ‘data cooperative’ by ‘data intermediary’ in article 9(1)(c) would align provisions with points (a) and (b), bring certainty and avoid overlaps with existing cooperatives as defined in national law.


      Requirements

      Certain requirements, such as notification, unbundling and complete neutrality, go beyond what is legitimate, and depart from the Commission’s approach to promote voluntary data sharing. It would also contradict key competition law principles, which only apply such drastic approaches in situations where essential facilities are characterised, i.e. where the infrastructure/asset concerned is unique and can by no means be duplicated.

      For example, companies should not be required under article 11(1) to take on the administrative burden and cost of creating and operating a separate legal entity to provide data sharing services if companies can otherwise implement appropriate internal safeguards and controls according to industry standards. Even for the most powerful digital companies, the Commission considers that unbundling is not the right solution. It would be surprising that what is not considered legitimate with regards to major actors be regarded as appropriate for platforms of all types and sizes in the EU.

      Regarding specifically the notification procedure set in article 10, it is important to ensure that such process does not create any administrative burden and barriers to entry in the EU data intermediation market. To ensure fairness and consistency across the EU, no fee should be charged by Member States authorities in relation to the notification procedure and related monitoring of compliance and other market control activities: the provisions in article 10(10) should be deleted.

      It should also be made clearer how providers mentioned in article 9(1)(b) are expected to manage consent, and the proposed wording – “in the exercise of the rights provided in [the GDPR]” – is to be understood.

      Our recommendations:

      • The requirements set in article 11 should be carefully crafted to achieve the Regulation’s objectives while remaining proportionate.

      • To ensure a level playing field, the notification procedure should not create administrative burden and no fees should be charged.


      Diversity of sharing models

      The establishment of new forms of trusted data intermediaries alongside existing models is a promising aspect of a functioning data economy in certain fields of application in Europe. However, there are already existing well-functioning data sharing models in the B2B context in various sectors, where data exchange is not restricted by a lack of trust or technical limitations.

      In industrial contexts, huge volumes of IoT-generated data must often be processed and organised. This leads to significant challenges regarding the data layer architectures and the costs entailed by additional layer structures for a data trustee. In such cases, it is often more efficient to define data access and the purpose of data usage clearly and directly in contracts between the partners involved, and to offer independent audits of these contractual agreements.

      Data intermediaries in the DGA should therefore be designed and applied in regard to only specific sectors and scenarios. A data trustee could have a valuable role particularly in the area of health or GDPR-related data. In other areas, especially in an industrial context – in which huge volumes of machine data are transferred and processed, often directly at the edge – an intermediary is often not necessary and implies additional complexity and a decrease in efficiency.

      If the intention of this chapter of the DGA is to encourage the emergence of new specific European players, models and services, and not to restrict the activities of existing data sharing services, we believe this should come across more clearly in the corresponding articles.

      Data access and data sharing outside of the specific data-sharing models captured by the DGA should continue to be regulated according to existing rules (e.g. GDPR in the context of personal data) and the principles of companies’ freedom of contract and right to self-determination. Where there is no need for an intermediary and where additional layers in the B2B data-sharing would not reduce but rather increase transaction costs, access and use should be regulated between partners in fair contracts that take the interests of both sides into account in an appropriate manner. DIGITALEUROPE believes that such mutual contractual agreements, which already capture a large range of successful and growing data sharing activities, should remain out of scope.

      Our recommendations:

      • The data sharing models developed in the DGA must be carefully designed to ensure that they do not undermine existing data sharing models and contractual freedom.


      Data altruism

      DIGITALEUROPE supports the objective of creating a framework of registered data altruism organisations to encourage data holders to share their data for general interest purposes.

      General interest use

      The voluntary registration framework laid out in the DGA is only accessible to non-profit organisations and it is unclear how for-profit organisations can access the data collected by those organisations. We believe that the registration framework should explicitly allow data altruism organisations to collect data for companies, if donated data would be used for “general interest” purposes and if data holders originally gave consent to such transfers.

      The Regulation proposal does not contain any definition of “general interest” and only lists a few examples of general interest purposes in recital 35. While flexibility is useful, a definition would provide legal certainty to data altruism organisations and their potential partners.

      Because DIGITALEUROPE and its members believe that digitally transforming industries can help tackle global challenges, research and innovative uses undertaken by companies should be included in the definition of “general interest”. This should include the development of new services and products by companies, as long as they participate in general interest purposes. For instance, this could be the case for donated data used to make product or services more accessible for persons with disabilities and elderly people, data used to develop sensors reducing heat losses of buildings to reduce energy consumption, or data used to advance medicine by developing innovative therapies and medication.

      Our recommendations:

      • The proposed framework should make possible for companies to access data donations from citizens if the data is collected for “general interest” objectives and if consent was given.

      • A definition for the concept of “general interest” should be inserted, and include the support to research and innovative uses, including the development of new services and products by companies.


      Managing consent

      Relying on consent as basis of the data altruism model may be challenging depending on the uses projected for the donated data. For instance, as recital 36 notes, it is not always easy to outline in great details at the time of data collection why such data is needed for research purposes – this issue is also acknowledged by the GDPR. The DGA should find the right balance between ensuring enough information is provided for data collection to be allowed by data holders, while giving enough flexibility for data re-users. Clear and generic processing purposes categories would facilitate control for data holders but also enable data re-use. The competent authorities listed in the Regulation should support data users in seeking data holders’ consent.

      DIGITALEUROPE would also welcome more information regarding modification or withdrawal of consent from data holders. Consent withdrawal may create legal uncertainty for businesses which have obtained data through registered data altruism organisations. Accountability and liability of re-users may be at stake if they have not been notified by data altruism organisations or if information provided is insufficient to act.

      The Commission should therefore develop guidance regarding modification or withdrawal of consent under the data altruism framework. Such guidance should also detail the actions to undertake if consent is withdrawn (e.g. whether the data provided should no longer be used, but also be removed from the projects it was being used for).

      Our recommendations:

      • Data altruism organisations should provide clear and generic processing purposes categories, providing sufficient information on potential re-use to data holders while giving enough flexibility to re-users.

      • The Commission should provide guidance on consent withdrawal, including accountability and liability risks, and the actions to undertake to mitigate them.


      EU consent form

      We welcome the development of a harmonised consent form for data altruism, which would facilitate data donations collection and bring certainty to data donors. The form should be adapted to donations from all data holders (data subjects) but also companies (legal persons).

      Taking into account sector-specificities is essential but the possible deviations to the form should be channelled by criteria to be defined by the Commission. Otherwise, it is likely that important changes to the form in different sectors would counter the initial objective of bringing legal certainty to data altruism.

      Many stakeholders will be impacted by the publication of this form, which may become a prominent tool to collect data donations. Thus, relevant interested parties should be able to participate in the drafting of the consent form, via consultation and dialogue. Regular reviews of the form should be scheduled, including an assessment of its use and the need for a revision.

      Our recommendations:

      • The Commission should guide sectoral changes to the EU consent form, to avoid major divergence.

      • Relevant stakeholders should be consulted before and during the form’s drafting process.

       


      International data transfers

      Transfers and adequacy mechanisms

      DIGITALEUROPE supports the development of frameworks that encourage the cross-border flow of data, while protecting intellectual property (IP) rights and commercially-sensitive information. The importance of cross-border exchanges is particularly inherent to many of the goals and benefits of enhanced data sharing and collaboration.

      In its paragraphs 9 to 13, article 5 of the DGA imposes restrictions on international transfers of publicly-held non-personal data comparable to those applicable to personal data in chapter 5 of the GPDR. As written, and potentially interpreted differently across Member States, such requirements could potentially inhibit, rather than promote, greater European industrial data sharing and research collaboration and impact current well-functioning arrangements.

      Indeed, article 5, notably its paragraph 12, is not clear enough about which kind of personal data it refers to. Thus, we believe that the provisions in article 5 should be more consistent and better indicate which type of data for re-use is intended to be restricted from data transfers to third countries.

      Clarification is also needed regarding the process for determining adequacy of non-EU countries, given there is no such process in place for non-personal data, and on guidance for business on technical and non-technical measures. In addition, we welcome the introduction of equivalence tests to review IPR and trade secret frameworks of third countries and ensure the protection of sensitive non-personal data held by the public sector. Such equivalence assessments should be aligned with the EU’s international commitments.

      Our recommendation:

      • Further clarity is needed in paragraphs 9 to 13 of article 5 on the different provisions to avoid potential restrictions on international transfers of non-personal data (e.g. type of data to be restricted, process for determining adequacy of non-EU countries).


      Access requests

      The DGA, in its article 30 paragraph 3, sets provisions in case of a court or administrative decision from a third country to give access to non-personal data, when there is no international agreement applicable. Such provisions are similar to those of the eEvidence legislative proposal on cross-border access to electronic evidence[7].

      As the eEvidence Regulation is still being discussed in trilogue negotiations by the EU legislators, we ask policymakers to avoid any parallel work that would create legal uncertainty by leading to different provisions in those two separate frameworks. It should also be considered whether there is a need for such provisions under the DGA instead of a reference to the eEvidence Regulation.

      As part of the eEvidence negotiations, we believe that the resulting framework should be balanced and pragmatic. It should address conflicts with third country law by taking the needs of law enforcement into account while helping avoid untenable conflict-of-law situations for service providers. Ensuring proper notice to affected users is also key, with secrecy orders being the exception, rather than the rule – therefore service providers should be allowed to inform users when their data has been requested.

      One of the key provisions of the eEvidence framework looks to address situations that may arise with lawful requests to data that conflict with third country laws (Article 15 and 16). It is important that service providers be able to highlight any problematic requests that are in direct conflict with third country law. In addition, courts of third countries must be respected and if any conflicts arise, then such requests should be uplifted, preventing service providers from having to prioritise either EU or third country laws.

      Our recommendation:

      • As the provisions of article 30(3) are already being addressed and negotiated as part of the eEvidence Regulation framework, the DGA must avoid any duplication of the ongoing work, especially by ensuring alignment with the eEvidence provisions that would address the conflicts that may arise with third country laws.


      Competent authorities

      Framework simplification

      The legislative proposal allows Member States to designate various competent authorities for the different provisions set in the Regulation. While it brings flexibility to Member States, it may also lead to unnecessary complexity.

      DIGITALEUROPE calls for simplification of this framework of authorities. Existing authorities and institutions should be used to apply and implement the provisions set in the Regulation. On top of reducing conflicts of competences and ensuring economies of scale for Member States, such simplification and synergies would also make it easier for stakeholders to know which authority to contact regarding data issues.

      Leveraging single information points to encompass all data-related authorities would also provide clarity to stakeholders about their rights and obligations regarding data. If Member States decide to designate different authorities, single information points would act as one-stop shops to give access to resources and capacities provided by the various institutions, including a public catalogue of the data available for re-use. Ideally, there should be only one contact point for each Member State to provide practical advice on data with clear, simple and user-friendly guidance tools – particularly benefitting SMEs, which do not necessarily have the knowledge to profit from the data economy.

      A European single information point should be created to provide a public register of all data available for re-use under the DGA and the Open Data Directive, as well as information on how to request re-use and contact the national information points. Preferably, this role should be assumed by the European Data Innovation Board to avoid duplicating institutions with similar roles.

      Our recommendations:

      • The framework of competent authorities set in the proposal should be simplified.

      • The concept of single contact points should be extended and leveraged to create one-stop shops for stakeholders regarding data access, re-use, sharing, etc.

      • A European single contact point should provide information on national contact points, on the data available and how to request it for re-use.


      Resources

      Competent authorities need to receive sufficient support from Member States, including enough personnel, with the relevant skills. Otherwise, the competent authorities may not be able to carry the tasks assigned by Member States under the DGA.

      The case of sensitive data re-use requests

      A lack of support from Member States would be particularly problematic for the re-use of sensitive publicly-held data, as competent authorities granting or refusing access may quickly be overwhelmed by an important amount of data re-use requests. Ultimately, this could lead to major delays in granting or denying access if the proper resources are not provided.

      The Commission and the European Data Innovation Board could also work with Member States on guidance and templates to fast-track the approval of data re-use requests. A risk-based approached could be developed, allowing authorities to focus their resources on assessing complex requests while quickly granting access when the data would not be a risk.

      Decisions-making processes on whether to grant access to data should be fair and transparent. This would create certainty and ensure that companies can rely on data re-use to research innovative digital solutions or develop new business models.

      Member States should report to the Commission and the European Data Innovation Board on the allocation of resources to competent authorities and their plans to address potential and existing shortcomings.

      Even though the DGA provisions entail non-negligible costs for Member States, the proper implementation of the legislation would generate major benefits for the European data economy. Additionally, developing processes regarding sensitive data handling would also allow Member States to know better the data they possess and leverage benefits from its use, as happened with the creation of the Public sector information (PSI) Directive.

      Our recommendation:

      • Member States should allocate enough resources for competent authorities to carry their tasks properly, and report to the Commission and the European Data Innovation Board.


      European Data Innovation Board

      We welcome the creation of a European Data Innovation Board to advise the Commission in its implementation of the DGA, notably to ensure uniform practices by Member States.

      Representatives

      The DGA, in its article 26, only foresees the following participants to the Board: Member States’ competent authorities enforcing the different provisions of the Regulation (cf. chapter 5), the European Data Protection Board, and “relevant data spaces” and “other representatives of competent authorities in specific sectors”.

      Sectors should not be only represented by authorities, but also by the industry. We call for the digital technology industry to be amongst the specific sectors listed as Board representatives in recital 40. The ICT sector is now worth almost €500 billion in Europe, equivalent to nearly 3.7% of the EU’s GDP[8]. Its impact is actually greater as those figures do not fully comprise the data economy (3% of EU GDP[9]) and do not take into account the digitalisation of other fields enabled by the ICT sector. Manufacturing, for example, a sector undergoing a deep digital transformation, remains the backbone of the Europe’s economy and contributes to over 14% of the EU’s GDP[10].

      The proposal only allows for limited ad-hoc invitations to other stakeholders and interested parties. We believe that the Board would benefit from having relevant stakeholders providing input and supporting its activities under a regular and formal setting. This is particularly significant for tasks listed in points (c) and (d) of article 27, as industry players have unparalleled experience working on standardisation and interoperability at international and European levels.

      Our recommendations:

      • The structure of the Board should be representative of the diverse data economy ecosystem. The list of sectors in recital 40 should be expanded to include the digital industry.

      • Industry stakeholders should be able to regularly participate in a formal setting in the activities of the Board.


      Powers

      As defined in the DGA, the Board should only advise and assist the Commission in the different activities listed in article 27. However, ensuring consistent practices among Members States in implementing the Regulation is key. This not only means monitoring and reporting, but actual enforcement capabilities.

      Thus, we consider that the Board must enforce the harmonisation of practices at national level, either by itself or via the Commission. The Board should be able to develop:

      • Guidelines, recommendations, best practices to provide Member States with enough knowledge to ensure consistent practices.
      • Opinions on the status in given countries.
      • Binding decisions in the cases where some Member States would develop inconsistent practices that could lead to market fragmentation.

      The above competencies would ensure that the tasks mentioned in point (a) and (b) of article 27 can be effectively carried.

      We also propose that the Board plays a wider role in the development of the EU Data strategy’s initiatives, by advising the Commission and by acting as forum for stakeholders to discuss data economy issues and improve the coherence of the overall EU framework.

      Finally, the Board should also liaise with the Support Centre for Data Sharing[11] and possibly integrate the centre within its operations. The centre’s work to research and analyse data exchange practices and raise awareness on data sharing should be leveraged by the Board and by single information points, with the goal of creating national or transnational support centres.

      Our recommendations:

      • The responsibilities of the Board should be clearer and better defined.
      • The Board should have the capacity to draft binding decisions to tackle inconsistent implementation practices.
      • The Board should act as a forum to advise the Commission on its data economy initiatives.
      • The activities of the Support Centre for Data Sharing should be supported and potentially integrated within the Board.

      DIGITALEUROPE looks forward to discussing with EU policymakers how to best implement the recommendations outlined in this document.


      References:

      [1] European Commission, Proposal for a Regulation on European data governance (COM/2020/767), https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52020PC0767

      [2] EU Data Market study, 2020, https://datalandscape.eu/european-data-market-monitoring-tool-2018

      [3] DIGITALEUROPE, https://www.digitaleurope.org/key-indicators-for-a-stronger-digital-europe/

      [4] Directive 2019/1024 on open data and the re-use of public sector information, https://eur-lex.europa.eu/eli/dir/2019/1024/oj

      [5] Directive 2019/1024 on open data and the re-use of public sector information, https://eur-lex.europa.eu/eli/dir/2019/1024/oj

      [6] https://www.findata.fi/en/

      [7] Proposal for a regulation on European Production and Preservation Orders for electronic evidence in criminal matters https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2018:225:FIN 

      [8] Eurostat, 2018, https://ec.europa.eu/eurostat/statistics-explained/index.php?title=ICT_sector_-_value_added,_employment_and_R%26D

      [9] EU Data Market study, 2020, https://datalandscape.eu/european-data-market-monitoring-tool-2018

      [10] World Bank, 2019, https://data.worldbank.org/indicator/NV.IND.MANF.ZS?locations=EU

      [11] https://eudatasharing.eu/


      For more information, please contact
      Julien Chasserieau
      Associate Director for AI & Data Policy
      Back to Digital Health
      View the complete Policy Paper
      PDF
      Our resources on Digital Health
      26 Nov 2024 Publication & Brochure
      Winning the Tech Race. Cut-Simplify-Incentivise: Our three-step gameplan
      20 Nov 2024 Policy Paper
      Legitimate interest: One of six legal bases to process personal data
      20 Nov 2024 Policy Paper
      Copyright and AI: For effective implementation of existing rules
      Hit enter to search or ESC to close
      This website uses cookies
      We use cookies and similar techonologies to adjust your preferences, analyze traffic and measure the effectiveness of campaigns. You consent to the use of our cookies by continuing to browse this website.
      Decline
      Accept