Legislación y justicia

For some time now we have been hearing about high-value dataset, those datasets whose re-use is associated with considerable benefits for society, the environment and the economy. They were announced in Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information, and subsequently defined in Commission Implementing Regulation (EU) 2023/138 of 21 December 2022 establishing a list of specific high-value datasets and modalities for publication and re-use.

In particular, six categories of dataset are concerned: geospatial, Earth observation and environment, meteorology, statistics, companies and company ownership, and mobility. The detail of these categories and how these datasets should be opened is summarised in the following infographic:

Click on the image or here to expand and access the accessible version

For years, even before the publication of Directive (EU) 2019/1024,Spanish organisations have been working to make this type of datasets available to developers, companies and any citizen who wants to use them, with technical characteristics that facilitate their reuse. However, the Regulation has laid down a number of specific requirements to be met.  Below is a summary of the progress made in each category.

Geospatial data

For geospatial data, the implementing regulation (EU) 2023/138 takes into account the categories indicated in Directive 2007/2/EC of the European Parliament and of the Council of 14 March 2007 establishing an Infrastructure for Spatial Information in the European Community (INSPIRE), with the exception of agricultural and reference parcels, for which Regulation (EU) 2021/2116 of the European Parliament and of the Council of 2 December 2021applies.

Spain has complied with the INSPIRE Directive for years, thanks to the  Law 14/2010 of 5 July 2010 on geographic information infrastructures and services in Spain (LISIGE), which transposes the Directive. Citizens have at their disposal the Official Catalogue of INSPIRE Data and Services of Spain, as well as the catalogues of the Spatial Data Infrastructures of the Autonomous Communities. This has resulted in comprehensive geographical coverage, with exhaustive metadata, which complies with European requirements.

• You can see the dataset currently published by our country in this category on the INSPIRE Geoportal. You can read more about it in this post.

Earth observation and environmental data

For the category of Earth observation and environment data, both the environmental and climate datasets listed in the annexes of the INSPIRE Directive and those produced in the context of a number of legal acts known as priority data, detailed in the Implementing Regulation, are taken into account.

As with the previous category, the fact of having the LISIGE law, which develops INSPIRE and goes further in the obligations set out, has meant that many of these datasets were already available prior to the Implementing Regulation.

• You can see the dataset currently published by Spain in this category in the INSPIRE Geoportal and read more about its publication in Spain here.

Meteorological data

The meteorological thematic category encompasses collections of data on observations measured by various elements, such as weather stations, radars, etc.

In Spain, the State Meteorological Agency (AEMET) has a portal, AEMET OpenData, which was a pioneer in Europe in terms of the availability of open meteorological data. In this portal we find that most of the high-value datasets are already available, grouped in the 14 categories of AEMET OpenData. Work is ongoing to expand the available datasets, their granularity and other technical aspects to further enhance their usability.

• You can see a more detailed review of the current status of the publication status of the datasets in this category in this post.

Statistical data

High statistical value data are covered by a number of legal acts detailed in the Annex to the Implementing Regulation. This category is based on the  European Statistical System, which ensures quality and interoperability between states.

In line with this system, Spain has the National Statistical Plan. This plan is developed and implemented through specific annual programmes detailing statistical operations, their objectives, bodies involved and budget appropriations, many of which are aligned with the statistical packages detailed in the Implementing Regulation.

• You can see the detail of the equivalence between the high value data and the datasets published as the result of the National Statistical Plan in this article. You can also see the details of the data published by the National Statistics Institute (INE) here.

Company data and company ownership

Company and company ownership data refer to datasets containing basic company information, including company documents and accounts.

In Spain, information from the Official Gazette of the Mercantile Registry (BORME in Spanish acronyms) is offered openly, with temporal coverage since 2009. However, work continues on opening up more datasets in this category.

Mobility data

The mobility category includes datasets falling under the domain "Transport Networks", included in Annex I of the INSPIRE Directive, together with those referred to in Directive 2005/44/EC of the European Parliament and of the Council of 7 September 2005 on harmonised River Information Services (RIS) on inland waterways in the Community.

As was the case for other categories where high value dataset were already covered by the INSPIRE Directive, Spain has a large amount of dataset available on the Geoportal of the Spatial Data Infrastructure of Spain (IDEE) and the infrastructures of the Autonomous Communities and the infrastructures of the Autonomous Communities.

• You can see the dataset published in the INSPIRE Geoportal and the details of the current situation in this content.

The large amount of dataset published reflects our country's continued commitment to transparency and access to high-value dataset. This is an ongoing effort, the result of the collaboration and involvement of various organisations. Work continues to provide the public with as much quality data as possible.

The European Union has devised a fundamental strategy to ensure accessible and reusable data for research, innovation and entrepreneurship. Strategic decisions have been made both in a regulatory and in a material sense to build spaces for data sharing and to foster the emergence of intermediaries with the capacity to process information.

European policies give rise to a very diverse ecosystem that should be differentiated. On the one hand, there is a deepening of open data reuse policies. On the other hand, the aim is to cover a space that has been inaccessible until now. We are referring to data that, due to the guarantee of the fundamental right to data protection, intellectual property or business secrecy, was inaccessible. Today, anonymization technologies, as well as data intermediation technologies, make it possible to process them with due guarantees. Finally, the aim is to provide resources through the promotion of data spaces, initiatives that propose federative models, such as Gaia X, or the European digital infrastructures (EDIC) promoted by the European Commission and the Digital Innovation Hubs aimed at promoting business and government in this field.  This scenario will boost different types of use in research, invocation and entrepreneurship.

This article focuses on the agreement signed by the National Statistics Institute (INE), the State Tax Administration Agency (AEAT), different Social Security bodies, the State Public Employment Service (SEPE) and the Bank of Spain to boost access to data, which is part of this EU strategy whose principles, rules and conditions must be explained in order to place it in context, underline its importance and understand the implications of the agreement.    

Competing by guaranteeing our rights

The EU competes at a structural disadvantage vis-à-vis the US or the People's Republic of China. On the North American side, the development processes of disruptive technologies in the context of the Internet and, particularly, the deployment of search engines, social networks and mobile applications have favoured the birth of a data broking market in which a few companies have an almost monopolistic power over data. The great champions of the digital world manage information on practically all sectors of activity, thanks to a business model based on the capitalisation or commoditisation of our privacy and their entry into sectors such as health or activity bracelets. Every time a user did a search, sent an email, commented on a social network or dictated a message to a mobile phone, it fuelled that position of dominance and underpinned the development of large language models in artificial intelligence or the deployment of algorithmic tools linked to neuroemotional marketing.

On the Chinese side, there is a closed internet model under state control, with a position of participation and surveillance over the large local multinationals in the sector and a global dominance over 5G network traffic. It is a vigilant state that has become the first power in the deployment of artificial intelligence through video surveillance and facial recognition and has a very clear state policy on the deployment of artificial intelligence (AI), creating advantages to compete in this race.

The EU starts from an apparently disadvantageous position. It is not at all a question of lack of talent or high abilities. Much of the Internet and IT ecosystem has been developed in Europe or by European talent. However, our market has not been able to generate conditions that would allow the emergence of major technological champions capable of supporting the entire value chain, from cloud infrastructures to the availability of large volumes of data that feed this ecosystem. Moreover, the EU adopted an ethical, political and legal commitment to freedoms, equity and democracy. This position, which has operated as a kind of barrier in terms of costs and processes, integrates within it the essential requirements for a democratic, inclusive and liberty-guaranteeing digital transformation.

The Data Governance Act

The legal substratum of data sharing is integrated by a complex modular structure integrating the General Data Protection Regulation (GDPR), the Open Data and Re-use of Public Sector Information Directive, the Data Governance Act (DGA), the Data Act (DA) and, in the immediate future, the artificial Intelligence Act and the European Health Data Space Regulation (EHDS). The rules should facilitate the re-use of data, including those under the scope of data protection, intellectual property and business secrecy. Several factors must operate to make this possible, which are set out below:

1. Data sharing from government should grow exponentially and generate a data market that is currently monopolised by foreign companies.
2. Digital sovereignty in legal terms will also be a growth driver insofar as it defines market rules based on the philosophy of the European Union centred on the guarantee of fundamental rights. This should have an immediate consequence when defining processes aimed at producing safe and reliable products.
3. Digital sovereignty will in turn have important technological consequences. Public data spaces, whether promoted from digital hubs or federations of nodes, such as Gaia X, should make data available to the individual researcher or start-up, including application dashboards and technical support.
4. The result of the regulation is to accelerate and increase the possibilities for freeing and sharing data. The EU and the convention under discussion seek to release data subject to trade secrecy, intellectual property or, in particular, the protection of personal data, in a secure manner through intermediation processes in secure data environments. This matter has occupied, among others, the Spanish Data Protection Agency and the European Cybersecurity Agency (ENISA). This implies a commitment to anonymisation and/or quasi-anonymisation environments through technologies such as differential privacy, homomorphic encryption and homomorphic encryption or multi-party computing.

All of this is based on the guarantee of fundamental rights and the empowerment of people. GDPR, DGA, DA and EHDS should make it possible to achieve the dual objective of creating a European market for the free movement and re-use of protected data. This ensures that individuals and organisations can exercise their rights of control and, at the same time, share these rights, while also encouraging data altruism. Moreover, the GDPR, DGA, EHDS and the artificial Intelligence Act define precise limits through prohibitions on use, regulated access conditions and ethically and legally sound design procedures. With an idea that should be considered central, there is a dimension of public or common interest that, beyond the epic battles of COVID, reaches the small but essential aspirations of the individual researcher, the disruptive entrepreneur, the SME trying to improve its value chain or the Administration innovating processes at the service of people.

Spain commits to the digital transformation of data spaces

The 2025 Plan, the Artificial Intelligence Strategy, the efforts of the Next Generation funds through its Strategic Projects for Economic Recovery and Transformation (PERTES in Spanish), the AI Missions and the Digital Bill of Rights exemplify Spain's alignment and leadership in this field. To make these strategies viable, secure data and process environments are essential. Now, the National Health Data Space has been joined by the agreement between the INE, the AEAT, different Social Security bodies, the SEPE and the Bank of Spain. As its explanatory memorandum states, it constitutes a first and encouraging step towards the deployment of DGA in our country.

They understand not only the scientific and business value of the statistical information they handle, but also the significant growth in demand and need for it. On the other hand, they take on a qualitatively relevant issue: the interest derived from the interconnection of datasets from the point of view of the value they bring. They therefore declare their willingness to maximise the added value of their data by allowing cross-referencing or integration when research is carried out for scientific purposes in the public interest.

The keys to the agreement to provide statistical data to researchers for scientific purposes in the public interest

Some of the questions that may arise with regard to this agreement are answered below.

• How can the data be accessed?

Access to data goes through a cross-information access request that must be individually accepted by each institution. This takes into account certain assessment criteria regarding the nature of the data and the interest of the proposal.

Facilitating this access implies for the signatory institutions an effort of de-identification and cross-checking carried out by each of them directly or through trusted third parties. The result, "depending on the security level of the resulting file", will entail:

• A direct and autonomous access.
• A processing of the data in one of the secure rooms or centres made available by the signatory entities.

Some of the rooms currently available are:

• INE
• Social Security (SS)
• Bank of Spain (BE)

Also noteworthy is the creation of ES_DataLab, which facilitates access to microdata in an environment that guarantees the confidentiality of the information. It allows cross-referencing data from different participating institutions, such as the INE, the AEAT, the Secretary of State for Social Security and Pensions, the Social Security General Treasury (TGSS), the National Social Security Institute (INSS), the Social Marine Institute (ISM), the Social Security IT Management (GISS), the State Public Employment Service and the Bank of Spain.

In implementation of the DGA 's plans, the Single National Information Point" (NSIP), managed by the General Directorate of Data, has been set up, from where citizens, business people or researchers can locate information on protected public sector data. This item is available at datos.gob.es.

• What data is shared?

The volume and typologies of data they handle are truly significant. The press release presenting the agreement stated that it would be possible to access "the microdata bases owned by the INE, the AEAT, the SS and the BE, with the necessary guarantees of security, statistical secrecy, personal data protection and compliance with current legislation. In addition to statistical databases from its surveys, INE may also provide access to administrative registers, both those compiled or coordinated by INE and those under other ownership but which INE uses to compile its statistics (in the latter case consulting all requests for access to the holders of the corresponding registers)".

• Who can access the data?

In order to grant access to the data, the confidentiality regime applicable to the data requested and its legal framework, the social interest of the results to be obtained in the research, the profile, trajectory and scientific publications of the principal investigator and associated researchers or the history of research projects of the entity backing the project, among other aspects, shall be taken into account.

One of the issues envisaged by the DGA in this area consists of establishing economic considerations that ensure the sustainability of the system. In any case, the third clause of the agreement provides for the possibility of receiving financial consideration from applicants for the services of preparing and making available the data contained in the databases owned by them, in accordance with the provisions of statistical legislation (Article 21.3 of the Law 12/1989 of 9 May 1989 on the Public Statistical Function - LFEP) and in the regulations governing each institution.

• What challenges do data access requesters and signatories face?

Regardless of the scientific conditions of the research proposal, it is essential to appeal to the deploying institutions to significantly increase the quality of their data protection and information security compliance processes. But this will not be enough, the deployment of artificial intelligence requires the incorporation of additional processes that we can find in the document of the Conference of Rectors of Spanish Universities CRUE ICT 360º, addressed in 2023 for the assumption of the university. While it is true that the artificial Intelligence Act proposes a scenario of less regulation in basic research, it also requires a high level of ethical deployment. And to do so, it will be essential to apply principles of artificial intelligence ethics, with the model ALTAI (Assessment List for Trustworthy Artificial Intelligence) or an alternative model, and to the Fundamental Rights Impact Analysis (FRAIA). This is without neglecting the high legal requirements for the development of market-oriented systems. Beyond the formal declarations of the Convention, the lessons learned from European projects affirm the need for a procedural framework of evidence-based legal and ethical verification of research projects and the capacities of institutions requesting access to data.

From the point of view of the signatory institutions, in addition to the challenge of the economic sustainability of the model, foreseen and regulated in the agreement, the need for a regulatory investment strategy seems evident. We have no doubt that each data repository and the processes underpinning them have been subject to a data protection impact assessment and security methodologies linked to the National Scheme. Data protection by design and by default or compliance with the recommendations on anonymisation and data space management mentioned above will be further elements considered. This translates into processes, but also into people - chief data officers, data analysts, other mediators such as data protection officers, etc. - together with a high level of security requirements. On the other hand, the duty of transparency vis-à-vis citizens will require efficient channels and a very precise risk management model in the event of a possible mass exercise of a right to object to processing, without prejudice to its feasibility.

Finally, the Spanish Data Protection Agency should approach this process in a proactive and promotional way without renouncing its role as guarantor of fundamental rights, but contributing to the development of functional solutions. This is not just any agreement but an essential test bed for the future of data research in Spain.

In our opinion, the most exciting statement of these institutions consists of understanding the agreement "as the embryo of the future System of access to data for research for scientific purposes of public interest, which must be in accordance with the Spanish and European strategy on data and the legislation on its governance, within a framework of development of public sector data spaces, and respecting in any case the autonomy and the legal regime applicable to the Banco de España".

Content prepared by Ricard Martínez, Director of the Chair of Privacy and Digital Transformation. Professor, Department of Constitutional Law, Universitat de València. The contents and points of view reflected in this publication are the sole responsibility of its author.

The recent Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules for fair access to and use of data (Data Act) introduces important new developments in European legislation to facilitate access to data generated by connected products and related services. In addition to establishing measures to boost interoperability in data spaces, data processing services and smart contracts, the new regulation also incorporates an important novelty by regulating data sharing with public entities in exceptional situations.

A new orientation in European regulation?

The main aim of the regulation on the re-use of public sector information was to facilitate access to data generated by public sector entities in order to foster the development of value-added services based on technological innovation. In fact, as expressly stated in the 2019 Directive, the reform it carried out was largely justified by the need to update the applicable regulatory framework to the new challenges posed by digital technology and, in particular, Artificial Intelligence or the Internet of Things.

Subsequently, under the European Data Strategy, a regulation on governance was approved, data spaces have been promoted and the Data Act was published only a few months ago. The latter implies an important shift from the point of view of the subjects concerned since, unlike the previous regulations focused on the obligations of public sector entities, on the one hand, it disciplines relations between private parties and, on the other hand, it establishes an important measure aimed at private entities providing data to public bodies under certain singular conditions.

In which situations should data be provided?

First of all, it is necessary to emphasise that the Data Act is not intended to extend the cases in which private entities have to hand over data to public bodies in compliance with their supervisory and enforcement powers, such as in the case of prevention, investigation and imposition of criminal or administrative sanctions. Thus, it does not affect the obligations that private parties already have to fulfil in order that, on the basis of the data requested, public bodies may carry out their usual activities in the exercise of a public service mission such as those indicated.

On the other hand, it is a regulation intended to deal with exceptional, unforeseeable and time-limited situations that may arise:

• or to the need to obtain data to respond to a public emergency that are not available by alternative means under equivalent conditions, such as the provision of data in existing environments and platforms that have already been deployed for another purpose (e.g. provision of a service, implementation of a collaborative project...);
• or, as the case may be, the impossibility for the public body to dispose of specific data in order to fulfil a task assigned by law and performed in the public interest when all other means at its disposal have been exhausted, such as the purchase of non-personal data on the market by the public body, the consultation of a public database or their collection on the basis of previously existing obligations for private subjects.

In the latter case, i.e. when the need for the data is not justified by the requirement to respond to emergency situations, the subject of the request may not refer to personal data unless, by the very nature of the request, it is essential to be able to know at some point in time the identity of the data subject. In this case, pseudonymisation will be necessary. Consequently, given that the data would not be anonymised, the guarantees established by data protection regulations must be taken into account. Specifically:

• Data must be separated from the data subject so that the data subject cannot be identified by another unauthorised person
• Technical and organisational measures must be taken to prevent the re-identification of the data subject, except by those entitled to do so where necessary.

For which purposes may the data not be used?

Unless expressly authorised by the private entity providing the data, public bodies may not use the data for a purpose other than that for which they were made available. However, in the field of official statistics or when it is necessary to carry out scientific research or analytical activities which cannot be carried out by the public bodies requesting the data themselves, it is permitted that the data may be transferred to other bodies for the purpose of carrying out such activities. However, there are important limitations to this possibility, as such activities must be compatible with the purposes for which the data were obtained, which would prevent for example using the data to train algorithms that can then be used for the exercise of other functions or competences of the public body not related to research or analysis. Furthermore, the data may only be made available to non-profit or public interest entities such as universities and public research organisations.

Nor may the data be used to develop or improve products and services related to the entity providing the data, or shared with third parties for such purposes. This would prevent, for example, the use of the data to train Artificial Intelligence systems by the public entity or one of its contractors that would negatively affect the object of the normal business of the entity that provided the data.

Finally, the data obtained in application of this regulation cannot be made available to other subjects under the open data and public sector re-use regulation, so its application is expressly excluded.

what safeguards are provided for the data subject obliged to hand over the data?

The request for the data must be made by the public body by means of a formal request in which it is necessary to identify the data needed and to justify why it is addressed to the entity receiving the request. In addition, it will be essential to explain the exceptional reasons supporting the request and, in particular, why it is not possible to obtain the data by other means.

As a general rule, the data subject has the right to lodge a complaint against the request for the data, which must be addressed to the competent authority designated by each State to ensure the application of the Regulation and which will be included in the register to be set up by the European Commission.

Finally, in certain cases, the data subject has the right to request reasonable compensation for the costs and a reasonable margin necessary to make the data available to the public entity, although the latter may challenge the requested compensation before the authority referred to above. However, where the request for access to the data is justified by the need to respond to public emergencies or the safeguarding of a significant public interest, no compensation to data subjects is envisaged. This would be the case of an event of natural origin (earthquakes, floods, etc.) or unforeseen and serious situations affecting the normal functioning of society in essential areas such as health or public order.

In short, the obligation of private parties to provide data to public entities in these cases goes beyond the objective of promoting a single market for data at the level of the European Union, a goal that had largely underpinned the progress in data regulation in recent years. However, the seriousness of the situation generated as a result of COVID-19 has highlighted the need to establish a general regulatory framework to ensure that public entities can have the necessary data at their disposal to deal with exceptional situations in the public interest. In any case, the effectiveness of these measures can only be verified as of September 2025, when they are expected to be effectively implemented.

Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec). The contents and points of view reflected in this publication are the sole responsibility of its author.

Building the European Health Data Space is one of the challenges of our generation. The COVID 19 pandemic put us in front of the mirror and brought back at least two images. The first was none other than the result of the application of formalistic, bureaucratised and old-fashioned models of data management. Second, the enormous potential offered by data sharing, collaboration of interdisciplinary teams and the use of health information for the common good. The European Union is clearly committed to the second strategy. This article examines the challenges of building a National Health Data Space as an instrument to enhance the reuse of health data for secondary uses from a variety of perspectives.

The error of focusing on formalist visions

The data processing and sharing scenario prior to the deployment of the European data strategy and its commitment to data spaces produced not only counter-intuitive, but also counter-factual effects. The framework of the General Data Protection Regulation (GDPR) instead of favouring processing operated as a barrier.  Strict enforcement was chosen, based on the prevalence of privacy. Instead of seeking to manage risk through legal and technical solutions, the decision was made not to process data or to use technically complex anonymisations that are unfeasible in practice.

This model is not sustainable. Technological acceleration forces a shift in the centre of gravity from prohibition to risk management and data governance. And this is what Regulation of the European Parliament and of the Council on the European Health Data Space (EHDS) is committed to: finding solutions and defining guarantees to protect people. And this transformation finds Spain's healthcare sector in an unbeatable situation from any point of view, although it is not without risks.

Spain, a pioneer in the change of approach

Our country did its homework with the seventeenth additional provision on the processing of health data in Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD, in Spanish acronyms). The regulation circumvented most of the problems affecting the secondary use of health data and did so with the methodology derived from the GDPR and the jurisprudence of the Constitutional Court. To this end, he opted for:

• A clear systematisation and normative predetermination of use cases.
• A precise definition of treatment entitlements.
• Procedural, contractual and security guarantees.

The Provision was five years ahead of the EHDS in terms of its aims, objectives and safeguards. Not only that, it puts our healthcare system at a competitive advantage from a legal and material point of view.

From this point of view, the National Health Data Space as the backbone is a project that is as essential as it is unpostponable, as reflected in the National Health System's Digital Health strategy and the Recovery, Transformation and Resilience Plan. However, this assertion cannot be based on uncritical enthusiasm. Much work remains to be done.

Lessons learned and challenges to overcome

European research projects managed by the ecosystem of health foundations at the Carlos Tercero Institute, university and business, provide interesting lessons. In our country we are working on precision medicine, on the construction of data lakes, on mobile applications, on high capacities of pseudonymisation and anonymisation, on medical imaging, on predictive artificial intelligence..., and we could go on. This ecosystem needs a layer of governance innovation. Part of it will be provided directly by the EHDS. Data access bodies, the supervisory authority and cross-border access structures shall ensure the lifecycle from the formation of catalogued and reliable datasets to their actual processing. These governance infrastructures require an organisational and human deployment to support them. Previous experience helps to anticipate the risks that a stress test may pose for the whole value chain:

1. The training of human resources in crucial aspects of data protection, information security and new ethical requirements is not always adequate in terms of format, volume and profile segmentation. Not 100% of the workforce is trained, while voluntary continuing education for health professionals is of a high legal standard, causing an effect that is as counterproductive as it is perverse: curtailing the capacity to innovate. If instead of empowering and engaging, we offer an endless list of GDPR obligations, research staff end up self-censoring their ability to imagine. The content and the training target are confused. High-level training should focus on project managers and technical and legal support staff. And in these, data protection officer plays a vehicular role, as it is the person who must provide non-binary advice - of the legal or non-legal type - and cannot transfer all the responsibility to the research team.
2. Governance of treatment resources and processes needs to be improved. In certain research areas, and universities are the best example of this, information systems are segmented and managed at the smallest project or research team level. These are insufficient resources, with little control over risk management and security monitoring, including support for the management and maintenance of the treatment environment. Moreover, data access procedures are based on rigid models, anchored in the case study or clinical trial. Thus, more often than not, we handle datasets in very specific environments outside the main data processing centres. This multiplies the risk, and the costs, in areas such as data protection impact assessments or the deployment of security measures.

Lack of expertise can pose systemic risks. To begin with, Ethics Committees are confronted with issues of data protection and artificial intelligence ethics that overwhelm their habits, customs and knowledge, and mothball their processes. On the other hand, what we commonly refer to as big data is not something that happens by magic. Pseudonymisation or anonymisation, annotation, enrichment and validation of the dataset and the processes implemented on it require highly skilled professionals. 

Effects of EHDS

We should reflect on whether our leading position in digitisation could also be our Achilles' heel. Few countries have a high degree of digitisation of every level of healthcare, from primary to hospital. Virtually none have regulated the use of pseudonymised data without consent, nor the broad consent model of our LOPDGDD. In this sense, under the umbrella of the EHDS there could be two effects that we need to manage:

• New opportunities in research projects. Firstly, as soon as Spanish health institutions publish their data catalogues at European level, requests for access from other countries could multiply. And, therefore, the opportunities to participate in research projects as information providers, data holders, or as data users.
• Boosting the ecosystem of innovative companies. Moreover, the wide range of secondary uses foreseen by the EHDS will broaden the profile of actors submitting data access requests. This points to the possibility of a unique ecosystem of innovative companies for the deployment of health solutions from wellness to artificial intelligence-assisted medical diagnostics. 

This forces those responsible for the public health system to ask themselves a rather simple question: what level of availability, process capability, security and interoperability can the available information systems offer? Let us not forget that many trans-European research projects, or the deployment of Artificial Intelligence tools in the health sector, are backed by budgets running into millions.  This presents enormous opportunities to deepen the deployment of new models of health service delivery that also feed back into research, innovation and entrepreneurship. But there is also the risk of not being able to take advantage of the available resources due to shortcomings in the design of repositories and their processing capabilities.

What data space model are we pursuing?

The answer to this question can be found very clearly both in the European Union's data space strategy and in the Spanish Government's own strategy. The task that the EHDS attributes to data access bodies, beyond the mere granting of an access permit, is to support and assist in the development of the processing. This requires a National Health Data Space to ensure service level, anonymisation or pseudonymisation standards, interoperability and information security.

In this context, individual researchers in non-health settings, but especially small and medium-sized innovative companies, do not possess the necessary muscle and expertise to meet ethical and regulatory requirements. Therefore, the need to provide them with support in terms of the design of regulatory and ethical compliance models should not be neglected, if they are not to act as a barrier to entry or exclusion. 

This does not exclude or preclude regional efforts, those of foundations or reference hospitals, or nascent data infrastructures in the field of medical imaging of cancer or genomics. It is precisely the idea of a federation of data spaces that inspires European legislation that can bear fruit of the highest quality here. The Ministry of Health and public health departments should move in this direction, with the support of the new Ministry of Digital Transformation and Public Administration. The autonomous communities reflect and act on the development of governable models and participate, together with the Ministry of Health, in the governance model that should govern the national framework. Regulators such as the Spanish Data Protection Agency are providing viable frameworks for the development of data spaces. Entire hospitals design, implement and deploy information systems that seek to integrate hundreds of data sources and generate data lakes for research. Data infrastructures such as EUCAIM lead the way and generate high-quality know-how in highly specialised areas.

The work on the roll-out of a National Health Data Space, and each and every one of the unique initiatives underway, show us a way forward in which the federation of effort, solidarity and data sharing ensure that our privileged position in health digitisation stimulates leadership in research, innovation and digital entrepreneurship. The National Health Data Space will be able to offer differential value to stakeholders. It will provide data quality and volume, support advanced compute-intensive data analytics and AI tools and can provide security in software brokering processes for the processing of pseudonymised data with high requirements.

It is necessary to recall a core value for the European Union: the guarantee of fundamental rights and the human-centred approach. The Charter of Digital Rights promoted by the Spanish government proposes successively the right of access to data for scientific research, innovation and development purposes, as well as the right to the protection of health in the digital environment. The National Health Data Space is called to be the indispensable instrument to achieve a sustainable, inclusive digital health at the service of the common good, which at the same time boosts this dimension of the data economy, promoting research and entrepreneurship in our country. 

Content prepared by Ricard Martínez, Director of the Chair of Privacy and Digital Transformation. Professor, Department of Constitutional Law, Universitat de València. The contents and points of view reflected in this publication are the sole responsibility of its author.

The Council of Ministers approved in February this year the Sustainable Mobility Bill (PL), a commitment to a digital and innovative transport system in which open mobility data will play a key role.

Inaddition to regulating innovative solutions such as on-demand transport, car sharing or temporary use of vehicles, the regulation will encourage the promotion ofopen data by administrations, infrastructure managers and public and private operators. All this, as stated in Chapter III Title V of the Draft Law "will bring enormous benefits to citizens, e.g. for new mobility and their contribution to the European Green Pact".

This Bill is aligned with the European Data Strategy, which has among its objectives to create a single market for data that ensures Europe' s global competitiveness and data sovereignty through the creation of common European data spaces common European data spaces in nine strategic sectors. In particular, it foresees the creation and development of a common European mobility data space to put Europe at the forefront of the development of a smart transport system, including connected cars and other modes of transport. Along these lines, the European Commission presented its Sustainable and Intelligent Mobility Strategywhich includes an action dedicated to innovation, data and artificial intelligence for smarter mobility. Following in Europe's footsteps, Spain has launched this Sustainable Mobility Bill.

In this post we look at the benefits that the use of open data can bring to the sector, the obligations that the PL will place on data, and the next steps in building the Integrated Mobility Data Space.

Benefits of using open data on sustainable mobility

The Ministry of Transport and Sustainable Mobility, in the web section created for the Law, identifies some of the benefits that access to and use of open transport and mobility data can offer both to the business community and to public administrations and citizens in general:

• Encourage the development of applications that enable citizens to make decisions on the planning of their journeys and during the course of their journeys.
• Improve the conditions of service provision and the travel experience .
• Incentivise research, create new developments and businesses from the data generated in the transport and mobility ecosystem.
• Enable public administrations to have a better understanding of the transport and mobility system in order to improve the definition of public policies and the management of the system.
• Encourage the use of this data for other public interest purposes that may arise.

Ensuring access to open mobility data

In order to make good use of these data and thus take advantage of all the benefits they offer, the Draft Law determines a strategy to ensure the availability of open data in the field of transport and mobility. This strategy concerns:

•  transport companies and infrastructure managers, which must drive digitalisation and provide a significant part of the data, with specific characteristics and functionalities.
• administrations and public entities were already obliged to ensure the openness of their data by design, as well as its re-use on the basis of the already existing

In short, the guidelines for re-use already defined in Law 37/2007 for the public sector are respected, and the need to regulate access to this information and the way in which this data is used by third parties, i.e. companies in the sector, is also included.

Integrated Mobility Data Space

In line with the European Data Strategy mentioned at the beginning of the post, the PL determines the obligation to create the Integrated Mobility Data Space (EDIM) under the direction of the Ministry of Transport and Sustainable Mobility, in coordination with the Secretary of State for Digitalisation and Artificial Intelligence. In the EDIM, the aforementioned transport companies, infrastructure managers and administrations will share their data, which will optimise the decision making of all actors when planning the implementation of new infrastructures and the launch of new services. 

The Draft Law defines some characteristics of the Integrated Mobility Data Space such as the modular structure, which will include information in a systematic way on different areas of urban, metropolitan and interurban mobility, both for people and goods.

Specifically, the EDIM, according to Article 14, would collect data "in digital form in a free, non-discriminatory and up-to-date manner" on:

• Supply and demand of the different modes of transport and mobility, information on public transport services and mobility services under the responsibility of the administrations
• Financial situation and costs of providing services for all modes of public transport, investments in transport infrastructure, inventory of transport infrastructure and terminals, conditions and degree of accessibility.
• Other data to be agreed at the Sectoral Conference on Transport.

It identifies examples of this type of data and information on the responsibility for its provision, format, frequency of updating and other characteristics.

As referred to in the CP, the data and information managed by the EDIM will provide an integrated vision to analyse and facilitate mobility management, improving the design of sustainable and efficient solutions, and transparency in the design of public transport and mobility policies. In addition, the Law will promote the creation of a sandbox or test environment to serve as an incubator for innovative mobility projects. The outcome of the tests will allow both the developer and the administration to learn by observing the market in a controlled environment.

National Bimodal Transport Access Point

On the other hand, the Bill also provides for the creation of a National Bimodal Transport Access Point that will collect the information communicated to the Ministry of Transport and Sustainable Mobility in the framework of the priority action "Provision of information services on multimodal journeys throughout the Union" of Directive 2010/40/EU which refers to the transport of goods and/or persons by more than one means of transport.

This information will be freely accessible and will also serve to feed the EDIM in the area related to the characterisation of transport and mobility of persons, as well as the National Catalogue of Public Information maintained by the General State Administration.

The Bill defines that the provision of services to citizens using transport and mobility data from the National Multimodal Transport Access Point must be done in a fair, neutral, impartial, non-discriminatory and transparent manner. It adds that the Ministry of Transport and Sustainable Mobility will propose rules for the use of such data within 12 months after the entry into force of this law.

The Sustainable Mobility Bill is currently in parliamentary procedure, as it has been sent to the Spanish Parliament for urgent processing and approval in 2024.

The process of technological modernisation in the Administration of Justice in Spain began, to a large extent, in 2011. That year, the first regulation specifically aimed at promoting the use of information and communication technologies was approved. The aim of this regulation was to establish the conditions for recognising the validity of the use of electronic means in judicial proceedings and, above all, to provide legal certainty for procedural processing and acts of communication, including the filing of pleadings and the receipt of notifications of decisions. In this sense, the legislation established a basic legal status for those dealing with the administration of justice, especially for professionals. Likewise, the Internet presence of the Administration of Justice was given legal status, mainly with the appearance of electronic offices and access points, expressly admitting the possibility that the proceedings could be carried out in an automated manner.

However, as with the 2015 legal regulation of the common administrative procedure and the legal regime of the public sector, the management model it was inspired by was substantially oriented towards the generation, preservation and archiving of documents and records. Although a timid consideration of data was already apparent, it was largely too general in the scope of the regulation, as it was limited to recognising and ensuring security, interoperability and confidentiality.

In this context, the approval of Royal Decree-Law 6/2023 of 19 December has been a very important milestone in this process, as it incorporates important measures that aim to go beyond mere technological modernisation. Among other issues, it seeks to lay the foundations for an effective digital transformation in this area.

Towards a data-driven management orientation 

Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec). The contents and points of view reflected in this publication are the sole responsibility of its author.

The adoption of the Regulation (EU) of the European Parliament and of the Council of 13 December 2023 on harmonised rules for fair access to and use of data (Data Law) is an important step forward in the regulation of the European Union to facilitate data accessibility. This is an initiative already included in the European Data Strategy , the main aims of which are:

• Regulate the provision of data topublic entities in exceptional situations.
• Promote the development of interoperability criteria for data spaces, data processing services and smart contracts.
• And, from the perspective that interests us now, to promote the provision of the data generated by connected products and services, either to those who use them or to the third parties they indicate.

In this respect, in view of users' difficulties in accessing data, the Regulation seeks to facilitate their free choice of providers of repair and other services, as it has been found that in many areas manufacturers try to reserve their use on an exclusive basis. Among other issues, it is intended to promote the user's right to decide for what purposes and by whom the data may be used, without prejudice to the existence of a series of limitations and conditions that are provided for in the Regulation itself.

A major shift in regulatory focus

While the Open Data and Re-use of Public Sector Information Directive and the Data Governance Regulation focus on establishing rules and safeguards to promote access to data held by public bodies, the new regulation pays special attention to relations between private parties. In other words, it allows public bodies to demand data from certain private subjects under exceptional conditions and for reasons of public interest.

One of the main objectives of the Data Regulation is to encourage not only "the development of new and innovative connected products or related services and to stimulate innovation in the aftermarkets, but also to stimulate the development of entirely new services using the data inquestion, including those based on data from a variety of connected products or related services".

To this end, it has been considered essential to establish clear and precise obligations  for manufacturers of connected products, suppliers of connected products and related service providers to share the data generated with users.

What obligations are in place?

Prior to contracting the products and services, the owner of the data - i.e. the supplier of the product or service, which may also be the manufacturer -‑‑, shall provide the user with information on:

• The amount and conditions of the data that can be generated
• How this data can be accessed 
• How they can be suppressed

In this respect, the design of products and services is required to take appropriate measures to ensure that, by default, data are accessible, free of charge and directly, in particular in a structured, machine-readable format.

However, this right is subject to certain conditions and limitations in order to ensure that other legal interests and interests are not affected:

• The data subject may not make it difficult for the user to access his or her data, but may require the user to identify himself or herself, even if he or she is prohibited from keeping the information generated indefinitely.
• It may establish restrictions in the contract when, as a result of the user's access to the data, there is a risk to the functioning of the product that may affect the health or safetyof persons.
• Under no circumstances may you use the data obtained during the use of the product or the provision of the service to make them available to a third party, unless it is strictly essential for the fulfilment of the contract.
• It is also expressly forbidden to use the data to make enquiries about the user's circumstances and activity, such as, for example, the user's financial situation.

For his part, the user is also subject to a number of obligations specifically aimed at ensuring the good faith of his legal relationship with the holder:

• You are not allowed to use the data to compete with the latter, either directly or through a third party to whom you may provide it,
• You may not use access to them to make enquiries about the activity of the manufacturer of the product or, where applicable, of the data subject.
• In addition to these obligations, you have the right to share the data with a third party, who may only use it for the purposes for which you authorise them to do so. In particular, it may not create profiles unless this is necessary to provide the service, make them available to another party or develop a product that competes with the one from which the data originally originated.

In any case, the regulation establishes an important limitation to be taken into account by users, as micro and small enterprises are excluded from this regime. With one exception: they have been commissioned to develop the product or provide the service by a subject that falls within the scope of the Regulation.

what safeguards are in place to ensure the effectiveness of this regulation?

As is generally the case in any area, the user may bring the matter before a judicial body to enforce his or her rights. In addition, the new regulation establishes the possibility of approaching the designated authority at State level to ensure the application and enforcement of the provisions of the Regulation. If the problem concerns the processing of personal data, you may also exercise your rights before the competent authority in this area.

In this respect, the European Commission will have to make public a list of the relevant authorities on the basis of the information provided by the States. They may designate more than one authority, indicating which one has the coordinating role. These authorities shall have sufficient means: their members shall have the expertise required for the performance of their duties and their impartiality shall be guaranteed, so that they may not receive instructions from other entities.

Apart from this channel, the data subject and the user - or, where appropriate, the third party to whom the user permits the use of the data - may voluntarily agree to submit to a certified dispute resolution body, whose decision must be taken within a maximum of 90 days. Such a body shall be accredited to the State where it is established. To this end, he or she must justify his or her impartiality, capacity and independence. It must also demonstrate that it has adequate procedural rules and that it is easily accessible by electronic means.

In short, the new Data Law has not only established a regulatory framework that reinforces users' access to the data generated by the connected products they acquire and the related services they enjoy, but it has also enshrined a series of guarantees specifically aimed at ensuring effective compliance.

Download the infographic in PDF here

This infographic is also available in two pages

Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec). The contents and points of view reflected in this publication are the sole responsibility of its author.

The concept of High-Value data (High-Value datasets) was introduced by the European Parliament and the Council of the European Union 4 years ago, in Directive (EU) 2019/1024. In it, they were defined as a series of datasets with a high potential to generate "benefits for society, the environment and the economy". Therefore, member states were to push for their openness for free, in machine-readable formats, via APIs, in the form of bulk download and comprehensively described by metadata. 

Initially, the directive proposed in its annex six thematic categories to be considered as high value: geospatial, earth observation and environmental, meteorological, statistical, business records and transport network data. These categories were subsequently detailed in an implementing regulation published in December 2022. In addition, to facilitate their openness, a document with guidelines on how to use DCAT-AP for publication was published in June 2023. 

New categories of data to be considered of high value  

These initial categories were always open to extension. In this sense, the European Commission has just published the report "Identification of data themes for the extensions of public sector High-Value Datasets" which includes seven new categories to be considered as high-value data  

•  Climate loss: This refers to data related to approaches and actions needed to avoid, minimize and address damages associated with climate change. Examples of datasets in this category are economic and non-economic losses from extreme weather events or slow-onset changes such as sea level rise or desertification. It also includes data related to early warning systems for natural disasters, the impact of mitigation measures, or research data on the attribution of extreme events to climate change. 

• Energy: This category includes comprehensive statistics on the production, transport, trade and final consumption of primary and secondary energy sources, both renewable and non-renewable. Examples of data sets to consider are price and consumption indicators or information on energy security.   

• Finance: This is information on the situation of private companies and public administrations, which can be used to assess business performance or economic sustainability, as well as to define spending and investment strategies. It includes datasets on company registers, financial statements, mergers and acquisitions, as well as annual financial reports.  

• Government and public administration: This theme includes data that public services and companies collect to inform and improve the governance and administration of a specific territorial unit, be it a state, a region or a municipality. It includes data relating to government (e.g. minutes of meetings), citizens (census or registration in public services) and government infrastructures. These data are then reused to inform policy development, deliver public services, optimize resources and budget allocation, and provide actionable and transparent information to citizens and businesses. 

• Health: This concept identifies data sets covering the physical and mental well-being of the population, referring to both objective and subjective aspects of people's health. It also includes key indicators on the functioning of health care systems and occupational safety. Examples include data relating to Covid-19, health equity or the list of services provided by health centers.  

• Justice and legal affairs: Identifies datasets to strengthen the responsiveness, accountability and interoperability of EU justice systems, covering areas such as the application of justice, the legal system or public security, i.e. that which ensures the protection of citizens. The data sets on justice and legal matters include documentation of national or international jurisprudence, decisions of courts and prosecutors general, as well as legal acts and their content. 

• Linguistic data: Refers to written or spoken expressions that are at the basis of artificial intelligence, natural language processing and the development of related services. The Commission provides a fairly broad definition of this category of data, all of which are grouped under the term "multimodal linguistic data". They may include repositories of text collections, corpora of spoken languages, audio resources, or video recordings.  

To make this selection, the authors of the report conducted desk research as well as consultations with public administrations, data experts and private companies through a series of workshops and surveys. In addition to this assessment, the study team mapped and analyzed the regulatory ecosystem around each category, as well as policy initiatives related to their harmonization and sharing, especially in relation to the creation of European Common Data Spaces. 

Potential for SMEs and digital platforms   

In addition to defining these categories, the study also provides a high-level estimate of the impact of the new categories on small and medium-sized companies, as well as on large digital platforms. One of the conclusions of the study is that the cost-benefit ratio of data openness is similar across all new topics, with those relating to the categories "Finance" and "Government and public administration" standing out in particular. 

Based on the publicly available datasets, an estimate was also made of the current degree of maturity of the data belonging to the new categories, according to their territorial coverage and their degree of openness (taking into account whether they were open in machine-readable formats, with adequate metadata, etc.). To maximize the overall cost-benefit ratio, the study suggests selecting a different approach for each thematic category: based on their level of maturity, it is recommended to indicate a higher or lower number of mandatory criteria for publication, thus ensuring to avoid overlaps between new topics and existing high-value data.  

You can read the full study at this link. 

Since 24 September last year, the Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022, on European Data Governance (Data Governance Regulation) has been applicable throughout the European Union. Since it is a Regulation, its provisions are directly effective without the need for transposing State legislation, as is the case with directives. However, with regard to the application of its regulation to Public Administrations, the Spanish legislator has considered it appropriate to make some amendments to the Law 37/2007, of 16 November 2007, on the re-use of public sector information. Specifically:

• A specific sanctioning regime has been incorporated within the scope of the General State Administration for cases of non-compliance with its provisions by re-users, as will be explained in detail below;
• Specific criteria have been established on the calculation of the fees that may be charged by public administrations and public sector entities that are not of an industrial or commercial nature;
• And finally, some singularities have been established in relation to the administrative procedure for requesting re-use, in particular a maximum period of two months is established for notifying the corresponding resolution -which may be extended to a maximum of thirty days due to the length or complexity of the request-, after which the request will be deemed to have been rejected.

What is the scope of this new regulation?

As is the case with the Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the reuse of public sector informationthis Regulation applies to data generated in the course of the "public service remit" in order to facilitate its re-use. However, the former did not contemplate the re-use of those data protected by the concurrence of certain legal assets, such as confidentiality, trade secrets, the intellectual property or, singularly, the protection of personal data.

You can see a summary of the regulations in this infographic.

Indeed, one of the main objectives of the Regulation is to facilitate the re-use of this type of data held by administrations and other public sector entities for research, innovation and statistical purposes, by providing for enhanced safeguards for this purpose. It is therefore a matter of establishing the legal conditions that allow access to the data and their further use without affecting other rights and legal interests of third parties. Consequently, the Regulation does not establish new obligations for public bodies to allow access to and re-use of information, which remains a competence reserved for Member States. It simply incorporates a number of novel mechanisms aimed at making access to information compatible, as far as possible, with respect for the confidentiality requirements mentioned above. In fact, it is expressly warned that, in the event of a conflict with the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), the latter shall in any case prevail (GDPR), the latter shall in any case prevail.

Apart from the regulation referring to the public sector, to which we will refer below, the Regulation incorporates specific provisions for certain types of services which, although they could also be provided by public entities in some cases, will normally be assumed by private entities. Specifically, intermediation services and the altruistic transfer of data are regulated, establishing a specific legal regime for both cases. The Ministry of Economic Affairs and Digital Transformation will be in charge of overseeing this process in Spain

As regards, in particular, the impact of the Regulation on the public sector, its provisions do not apply to public undertakings , i.e. those in which there is a dominant influence of a public sector body, to broadcasting activities and, inter alia, to cultural and educational establishments. Nor to data which, although generated in the performance of a public service mission, are protected for reasons of public security, defence or national security.

Under what conditions can information be re-used?

In general, the conditions under which re-use is authorised must preserve the protected nature of the information. For this reason, as a general rule, access will be to data that are anonymised or, where appropriate, aggregated, modified or subject to prior processing to meet this requirement. In this respect, public bodies are authorised to charge fees which, among other criteria, are to be calculated on the basis of the costs necessary for the anonymisation of personal data or the adaptation of data subject to confidentiality.

It is also expressly foreseen that access and re-use take place in a secure environment controlled by the public body itself, be it a physical or virtual environment.  In this way, direct supervision can be carried out, which could consist not only in verifying the activity of the re-user, but also in prohibiting the results of processing operations that jeopardise the rights and interests of third parties whose integrity must be guaranteed. Precisely, the cost for the maintenance of these spaces is included among the criteria that can be taken into account when calculating the corresponding fee that can be charged by the public body.

In the case of personal data, the Regulation does not add a new legal basis to legitimise the re-use of personal data other than those already established by the general rules on re-use. Public bodies are therefore encouraged to provide assistance to re-usersin such cases to help them obtain permission from stakeholders. However, this is a support measure that can in no way place disproportionate burdens on the agencies. In this respect, the possibility to re-use pseudonymised data should be covered by some of the cases provided for in the GDPR. Furthermore, as an additional guarantee, the purpose for which the data are intended to be re-used must be compatible with the purpose for which the data were originally intended justified the processing of the data by the public body in the exercise of its main activity, and appropriate safeguards must be adopted.

A practical example of great interest concerns the re-use of health data for biomedical research purposes reuse of health data for biomedical research purposes, which the Spanish legislator which has been established by the Spanish legislator under the provisions of the latter precept. Specifically, the 17th additional provision of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rightsallows the reuse of pseudonymised data in this area when certain specific guarantees are established, which could be reinforced with the use of the aforementioned secure environments in the case of the use of particularly incisive technologies, such as artificial intelligence. This is without prejudice to compliance with other obligations which must be taken into account depending on the conditions of the data processing, in particular the carrying out of impact assessments.

What instruments are foreseen to ensure effective implementation?

From an organisational perspective, States need to ensure thatinformation is easily accessible through a single point. In the case of Spain, this point is available through the platform enabled through the platform datos.gob.esplatform, although there may also be other access points for specific sectors and different territorial levels, in which case they must be linked. Re-users may contact this point in order to make enquiries and requests, which shall be forwarded to thethese will be forwarded to the competent body or entity for processing and response.

The following must also be designated and notified to the notify to the European Commission one or more specialised entities with the appropriate technical and human resources, which could be some of the existing ones, that perform the function of assisting public bodies in granting or refusing re-use. However, if foreseen by European or national regulations, these bodies could assume decision-making functions and not only mere assistance. In any case, it is foreseen that the administrations and, where appropriate, the entities of the institutional public sector, according to the ‑‑according to the terminology of article 2 of Law 27/2007‑‑who make this designation and communicate it to the Ministry of Economic Affairs and Digital Transformationwhich, for its part, will be responsible for the corresponding notification at European level.

Finally, as indicated at the beginning, the following have been classified as specific infringements for the scope of the General Administration of the State certain conducts of re-users which are punishable by fines ranging from 10,001 to 100,000 euros. Specifically, it concerns conduct that, either deliberately or negligently, involves a breach of the main guarantees provided for in European legislation: in particular, failure to comply with the conditions for access to data or to secure areas, re-identification or failure to report security problems.

In short, as pointed out in the European Data Strategyif the European Union wants to play a leading role in the data economy , it is essential, among other measures, to improve governance structures and increase repositories of quality data , which are often affected by significant legal obstacles. With the Data Governance Regulation an important step has been taken at the regulatory level, but it now remains to be seen whether public bodies are able to take a proactive stance to facilitate the implementation of its measures, which ultimately imply important challenges in the digital transformation of their document management.

Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the "Innovation, Law and Technology" Research Group (iDerTec).

The contents and points of view reflected in this publication are the sole responsibility of the author.

Data activism is an increasingly significant citizen practice in the platform era for its growing contribution to democracy, social justice and rights. It is an activism that uses data and data analysis to generate evidence and visualisations with the aim of revealing injustices, improving people's lives and promoting social change. 

In the face of the massive use of surveillance data by certain corporations, data activism is exercised by citizens and non-governmental organisations. For example, the organisation Forensic Architecture (FA)a centre at Goldsmiths under the University of London, investigates human rights violations, including state violence, using public, citizen and satellite data, and methodologies such as open source intelligence (known as OSINT). The analysis of data and metadata, the synchronisation of video footage taken by witnesses or journalists, as well as official recordings and documents, allows for the reconstruction of facts and the generation of an alternative narrative about events and crises.

Data activism has attracted the interest of research centres and non-governmental organisations, generating a line of work within the discipline of critical studies. This has allowed us to reflect on the effect of data, platforms and their algorithms on our lives, as well as on the empowerment that is generated when citizens exercise their right to data and use it for the common good. 

Image 1: Ecocide in Indonesia (2015)

Source: Forensic Architecture (https://forensic-architecture.org/investigation/ecocide-in-indonesia)

Research centres such as Datactive o Data + Feminism Lab have created theory and debates on the practice of data activism. Likewise, organisations such as Algorights -a collaborative network that encourages civil society participation in the field of aI technologies- y AlgorithmWatch -a human rights organisation - generate knowledge, networks and arguments to fight for a world in which algorithms and artificial Intelligence (AI) contribute to justice, democracy and sustainability, rather than undermine them. 

This article reviews how data activism emerged, what interest it has sparked in social science, and its relevance in the age of platforms. 

History of a practice

The production of maps using citizen data could be one of the first manifestations of data activism as it is now known. A seminal map in the history of data activism was generated by victims and activists with data from the 2010 Haiti earthquakeon the Kenyan platform Ushahidi ("testimony" in Swahili). A community of digital humanitarianscreated the map from other countries and called on victims and their families and acquaintances to share data on what was happening in real time. Within hours, the data was verified and visualised on an interactive map that continued to be updated with more data and was instrumental in assisting the victims on the ground. Today, such mapsare generated whenever a crisis arises, and are enriched with citizen, satellite and camera-equipped drone data to clarify events and generate evidence.

Emerging from movements known as cypherpunk and technopositivism or technoptimism (based on the belief that technology is the answer to humanity's challenges), data activism has evolved as a practice to adopt more critical stances towards technology and the power asymmetries that arise between those who originate and hand over their data, and those who capture and analyse it.

Today, for example, the Ushahidi community map production platform has been used to create data on gender-based violence in Egypt and Syria, and on trusted gynaecologists in India, for example. Today, the invisibilisation and silencing of women is the reason why some organisations are fighting for recognition and a policy of visibility, something that became evident with the #MeToo movement. Feminist data practices seek visibility and critical interpretations of datification(or the transformation of all human and non-human action into measurable data that can be transformed into value). For example, Datos Contra el Feminicidio or Feminicidio.net offer maps and data analysis on femicide in various parts of the world. 

The potential for algorithmic empowerment offered by these projects removes barriers to equality by improving the conditions conditions that enable women to solve problems, determine how data is collected and used, and exercise power.

Birth and evolution of a concept

In 2015, Citizen Media Meets Big Data: The Rise of Data Activismwas published, in which, for the first time, data activism was coined and defined as a concept based on practices observed in activists who engage politically with data infrastructure. Data infrastructure includes the data, software, hardware and processes needed to turn data into value. Later, Data activism and social change (London, Palgrave) and Data activism  and social change. Alliances, maps, platforms and action for a better world (Madrid: Dykinson) develop analytical frameworks based on real cases that offer ways to analyse other cases.

Accompanying the varied practices that exist within data activism, its study is creating spaces for feminist and post-colonialist research on the consequences of datification. Whereas the chroniclers of history (mainly male sources) defined technology in relation to the value of their productsfeminist data studies consider women as users and designers of technology as users and designers of algorithmic systems and seek to use data for equality, and to move away from capitalist exploitation and its structures of domination.

Data activism is now an established concept in social science. For example, Google Scholar offers more than 2,000 results on "data activism". Several researchers use it as a perspective to analyse various issues. For example, Rajão and Jarke explore environmental activism in Brazil; Gezgin studies critical citizenship and its use of data infrastructure; Lehtiniemi and Haapoja explore data agency and citizen participation; and Scott examines the need for platform users to develop digital surveillance and care for their personal data.

At the heart of these concerns is the concept of data agency, which refers to people not only being aware of the value of their data, but also exercising control over it, determining how it is used and shared. It could be defined as actions and practices related to data infrastructure based on individual and collective reflection and interest. That is, while liking a post would not be considered an action with a high degree of data agency, participating in a hackathon - a collective event in which a computer programme is improved or created - would be. Data agency is based on data literacy, or the degree of knowledge, access to data and data tools, and opportunities for data literacy that people have. Data activism is not possible without a data agency.

In the rapidly evolving landscape of the platform economy, the convergence of data activism, digital rights and data agency has become crucial. Data activism, driven by a growing awareness of the potential misuse of personal data, encourages individuals and collectives to use digital technology for social change, as well as to advocate for greater transparency and accountability on the part of tech giants. As more and more data generation and the use of algorithms shape our lives in areas such as education, employment, social services and health, data activism emerges as a necessity and a right, rather than an option.

____________________________________________________________________

Content prepared by Miren Gutiérrez, PhD and researcher at the University of Deusto, expert in data activism, data justice, data literacy and gender disinformation.

The contents and views reflected in this publication are the sole responsibility of its author.