Is the European proposal on data governance a step forward?

Fecha de la noticia: 22-12-2020

Data Governance Act

The proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act) was recently made public. This is an initiative that was already announced in the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions entitled "A European strategy for data", one of whose main objectives is to promote a single market for data that favours its rapid handling and, at the same time, is based on the principles and values of the EU.

The text of this proposal has been preceded by a public consultation process with wide participation, especially with regard to the data governance model (section 2.1) whit almost eight hundred contributions. Furthermore, as highlighted in the preamble of the proposal itself, the regulatory options finally adopted have considered the previous analysis in which the different possible alternatives for achieving the objectives sought were analysed.

Although this new initiative has initially been assessed positively, the truth is that it could raise doubts about its necessity, given that Directive (EU) 2019/1024, of 20 June 2019, on open data and the re-use of public sector information, was approved a little over a year ago.

Why then a new regulation now?

Firstly, the new proposal takes the form of a Regulation - not a new Directive - to establish a mandatory, directly applicable regime throughout the Union to harmonise the EU internal market, given the risk that unilateral regulation by States will end up fragmenting it if there is no minimum harmonisation to help boost cross-border digital services. However, the competence of the Member States with regard to the organisational measures to be taken is respected, as is their ability to legislate on access to public sector information, so that the Regulation will not affect existing state rules in this area.

Secondly, it should be noted that the regulation is complementary to the 2019 directive, given that the achievement of the objectives set out above requires an approach which goes beyond the limitations to which that party is subject. Specifically, it is a question of establishing new regulations for those sets of data on which third parties have rights that make their re-use difficult, as is the case in particular with the protection of personal data, intellectual property or, among other legal assets, statistical or commercial confidentiality. Indeed, the existence of these legal barriers may seriously hinder - and even prevent - the re-use of data of enormous value when it comes to implementing projects of great impact in the current social and technological context, such as those relating to research and those based on the innovation required by the digital transformation. The measures incorporated in the proposal for a Regulation are intended to offer solutions specifically aimed at addressing these obstacles, incorporating mechanisms that provide greater legal certainty and therefore strengthen the confidence of the holders of these rights and interests.

It is also intended to establish a number of identical mechanisms throughout the Union to encourage reuse, as is the case with:

  • The establishment of a reporting regime for data sharing providers, which will be neutral, i.e. they will not be able to use the data for purposes other than making it available to re-users. The services they provide must also be transparent and non-discriminatory.
  • The promotion of altruism in order to facilitate the use of data for the common good on a voluntary basis, including the implementation of a form at European level to facilitate the provision of consent for the transfer of data.
  • The obligation for States to establish a single point of information which, in addition, must have a register in which to submit requests for re-use so that, once received, they are sent to the corresponding bodies and entities for resolution within a maximum period of two months.
  • The creation at European level of a committee of experts with the aim of facilitating re-use, which will also have an advisory role for the Commission.

What are the main legal guarantees of the Regulation?

With these objectives in mind, the initiative aims to lay the foundations for building a model of European data governance based on transparency and neutrality as a counterweight to trends in other areas. Specifically, the aim is to establish a regulatory framework that reinforces the confidence of citizens, businesses and other organisations that their data will be reused in accordance with minimum legal standards, thus facilitating control over the uses made by third parties. Thus, among the main novelties of the proposal:

  • Public bodies that allow the re-use of this type of data affected by the rights and interests of third parties are obliged to adopt the technical, organisational and legal measures that guarantee their protection.
  • The possibility is established for public bodies to impose an obligation that data may be re-used only if it has been subject to "pre-processing", which consists in making it anonymous, pseudonymous or, where appropriate, deleting confidential information.
  • It is foreseen that re-use is only allowed in environments directly controlled by the public body if there is no other alternative that can meet the needs of the re-user.
  • Public bodies are recognised as having the power to prohibit the use of the results of data processing that contains information that endangers the rights and interests of third parties.
  • The collaboration of public bodies in the collection of consent from the data subjects is facilitated without the re-users having direct contact with them.
  • Effective conditions and guarantees are established for cases in which the processing of the data is to take place outside the European Union, including express acceptance of submission to the jurisdiction of the State in which the public sector body that facilitated the re-use is located.

As the European Commission emphasised in a recent Communication on the occasion of the review carried out after two years of application of the General Data Protection Regulation, its provisions " helps to  foster  trust-worthy innovation, notably through its risk-based approach and principles such as privacy by design  and  by  default ". This is precisely the approach of the new proposal: to establish the bases of a regulatory model based on the protection of the rights and interests affected, thus facilitating the optimal legal conditions that will allow the re-use of public sector information to be promoted with the appropriate guarantees.

Content prepared by Julián Valero, professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec).

Contents and points of view expressed in this publication are the exclusive responsibility of its author.