The importance of data in today's society and economy is no longer in doubt. Data is now present in virtually every aspect of our lives. This is why more and more countries have been incorporating specific data-related regulations into their policies, whether these relate to personal, business or government data, or regulate issues such as who can access the data, where it can be stored, how it should be protected, and so on.
However, when these policies are examined more closely, significant differences can be observed between them, depending on the main objectives that each country sets when implementing its data policies. Thus, all countries recognise the social and economic value of data, but the policies they implement to maximise that value can vary widely. For some, data is primarily an economic asset, for others it can be a means of innovation and modernisation, and for others a tool for development. In the following, we will review the main features of their data policies, focusing mainly on those aspects related to fostering innovation through the use of data.
A recent report by the Centre for Innovation through Data compares the general policies applicable in several countries that have been selected precisely because of differences in their vision of how data should be managed: China, India, Singapore, the United Kingdom and the European Union.
CHINA
Its efforts are focused on building a strong domestic data economy to strengthen national competitiveness and maintain government control through the collection and use of data. It has two agencies from which data policy is directed: the Cyberspace Administration (CAC) and the National Data Administration (NDA).
The main policies governing data in the country are:
- The five-year national informatisation plan, published by the end of 2021 to increase data collection in the national industry.
- The Data Security Law (DSL), effective from September 2021, which gives special protection to all data considered to have an impact on national security.
- The Cybersecurity Law (CSL), effective since June 2017, which prohibits online anonymisation and also grants government access to data when required for security purposes.
- The Personal Information Protection Act (PIPL), effective from November 2021, which establishes the obligation to keep data on national territory.
INDIA
Its main objective is to use data policy to unlock a new economic resource and drive the modernisation and development of the country. The Ministry of Electronics and Information Technology (MEITy) governs and oversees data policies in the country, which we summarise below:
- The Digital Personal Data Protection Act of 2023, which aims to enable the processing of personal data in a way that recognises both the right of individuals to protect their data and the need to process it for legitimate purposes.
- The data protection and empowerment architecture (DEPA), which was launched in 2020 and gives citizens greater control over their personal data by establishing intermediaries between information users and providers, as well as providing consent to companies based on a set of permissions established by the user.
- The non-personal data governance framework also adopted in 2020, which states that the benefits of data should also accrue to the community, not just to the companies that collect the data. It also indicates that high-value data and data related to the public interest (e.g. energy, transport, geospatial or health data) should be shared.
SINGAPORE
It aims to use data as a vehicle to attract new companies to operate within the country. The Infocomm Media Development Authority (IMDA) is the entity in charge of managing the data policies in this case, which includes the control of the Personal Data Protection Commission (PDPC).
Among the most relevant regulations in this case we can find:
- The Personal Data Protection Act (PDPA), which was last updated in 2021 and is based on consent, but also provides for some exceptions for legitimate public interest.
- The Trust Framework for Data Sharing, published in 2019, which sets out standards for data sharing between companies (including templates for establishing legal sharing agreements), albeit with certain protections for trade secrecy.
- The Data Portability Obligation (DPO), which will soon be incorporated into the PDPA to establish the right to transmit personal data to another service (provided it is based in the country) in a standard format that facilitates the exchange.
UNITED KINGDOM
It wants to boost the country's economic competitiveness while protecting the privacy of its citizens' data. The Information Commissioner's Office (ICO) is the body in charge of data protection and data sharing guidelines.
In the case of the United Kingdom, the legislative framework is very broad:
- The core privacy principles, such as data portability or conditions of access to personal data, are covered by the General Data Protection Regulation (GDPR) of 2016, the Data Protection Act (DPA) of 2018, the Electronic Communications Privacy Regulation of 2013 and the proposed Digital Data and Information Protection Act still under discussion.
- The law on Digital Economy established in 2017, which defines the rules for sharing data between public administrations for the development of public services.
- The Data Sharing Code which came into force in October 2021 and sets out good practices to guide companies when sharing data.
- The Payment Services Directive (PSD2), which initially came into force in 2018 requiring banks to share their data in standardised formats to encourage the development of new services.
EUROPEAN UNION
It uses a human rights-based approach to data protection. The aim is to prioritise the creation of a single market that facilitates the free flow of data between member states. The European Data Protection Board (EDPB) and the European Data Protection and Innovation through Data Board are the main bodies responsible for supervising data protection in the Union.
Again, the applicable rules are very broad and have continued to expand recently:
- The General Data Protection Regulation (GDPR), which has become the most comprehensive and descriptive regulation in the world, and is based on the principles of legality, fairness, transparency, containment, minimisation, accuracy, storage, integrity, confidentiality and accountability.
- The programme for the Digital Decade, to promote a single, interoperable, interconnected and secure digital market.
- The Declaration on Digital Rights and Principles, which expands on the digital and data rights already existing in the standard of protection.
- The Data Act and the Data Governance Regulation, which facilitate accessibility to data horizontally, i.e. across and within sectors, following EU principles. The Data Law drives harmonised rules on fair access to and use of data, clarifying who can create value from data and under what conditions. The Data Governance Regulation regulates the secure exchange of data sets held by public bodies over which third party rights concur, as well as data brokering services and the altruistic transfer of data for the benefit of society.
The keys to promoting innovation
In general, we could conclude that those data policies that adopt a more innovation-oriented approach are characterised by the following:
- Data protection based on different levels of risk, prioritising the protection of the most sensitive personal data, such as medical or financial information, while reducing regulatory costs for less sensitive data.
- Sharing frameworks for personal and non-personal data, encouraging data sharing by default in both the public and private sector and removing barriers to voluntary data sharing.
- Facilitating the flow of data, supporting an open and competitive digital economy.
- Proactive data production policies, encouraging the use of data as a factor of production by collecting data in various sectors and avoiding data gaps.
As we have seen, data policies have become a strategic issue for many countries, not only helping to reinforce their goals and priorities as a nation, but also sending signals about what their priorities and interests are on the international stage. Striking the right balance between data protection and fostering innovation is one of the key challenges. Before addressing their own policies, countries are advised to invest time in analysing and understanding the various existing approaches, including their strengths and weaknesses, and then take the most appropriate specific steps in designing their own strategies.
Content prepared by Carlos Iglesias, Open data Researcher and consultant, World Wide Web Foundation. The contents and views expressed in this publication are the sole responsibility of the author.
The adoption of the Regulation (EU) of the European Parliament and of the Council of 13 December 2023 on harmonised rules for fair access to and use of data (Data Law) is an important step forward in the regulation of the European Union to facilitate data accessibility. This is an initiative already included in the European Data Strategy, the main aims of which are:
- Regulate the provision of data to public entities in exceptional situations.
- Promote the development of interoperability criteria for data spaces, data processing services and smart contracts.
- And, from the perspective that interests us now, to promote the provision of the data generated by connected products and services, either to those who use them or to the third parties they indicate.
In this respect, in view of users' difficulties in accessing data, the Regulation seeks to facilitate their free choice of providers of repair and other services, as it has been found that in many areas manufacturers try to reserve their use on an exclusive basis. Among other issues, it is intended to promote the user's right to decide for what purposes and by whom the data may be used, without prejudice to the existence of a series of limitations and conditions that are provided for in the Regulation itself.
A major shift in regulatory focus
While the Open Data and Re-use of Public Sector Information Directive and the Data Governance Regulation focus on establishing rules and safeguards to promote access to data held by public bodies, the new regulation pays special attention to relations between private parties. In other words, it allows public bodies to demand data from certain private subjects under exceptional conditions and for reasons of public interest.
One of the main objectives of the Data Regulation is to encourage not only "the development of new and innovative connected products or related services and to stimulate innovation in the aftermarkets, but also to stimulate the development of entirely new services using the data in question, including those based on data from a variety of connected products or related services".
To this end, it has been considered essential to establish clear and precise obligations for manufacturers of connected products, suppliers of connected products and related service providers to share the data generated with users.
What obligations are in place?
Prior to contracting the products and services, the owner of the data - i.e. the supplier of the product or service, which may also be the manufacturer - shall provide the user with information on:
- The amount and conditions of the data that can be generated
- How this data can be accessed
- How they can be suppressed
In this respect, the design of products and services is required to take appropriate measures to ensure that, by default, data are accessible, free of charge and directly, in particular in a structured, machine-readable format.
However, this right is subject to certain conditions and limitations in order to ensure that other legal rights and interests are not affected:
- The data subject may not make it difficult for the user to access his or her data, but may require the user to identify himself or herself, even if he or she is prohibited from keeping the information generated indefinitely.
- It may establish restrictions in the contract when, as a result of the user's access to the data, there is a risk to the functioning of the product that may affect the health or safety of persons.
- Under no circumstances may you use the data obtained during the use of the product or the provision of the service to make them available to a third party, unless it is strictly essential for the fulfilment of the contract.
- It is also expressly forbidden to use the data to make enquiries about the user's circumstances and activity, such as, for example, the user's financial situation.
For his part, the user is also subject to a number of obligations specifically aimed at ensuring the good faith of his legal relationship with the holder:
- You are not allowed to use the data to compete with the latter, either directly or through a third party to whom you may provide it.
- You may not use access to them to make enquiries about the activity of the manufacturer of the product or, where applicable, of the data subject.
- In addition to these obligations, you have the right to share the data with a third party, who may only use it for the purposes for which you authorise them to do so. In particular, it may not create profiles unless this is necessary to provide the service, make them available to another party or develop a product that competes with the one from which the data originally originated.
In any case, the regulation establishes an important limitation to be taken into account by users, as micro and small enterprises are excluded from this regime. With one exception: when they have been commissioned to develop the product or provide the service by a subject that falls within the scope of the Regulation.
What safeguards are in place to ensure the effectiveness of this regulation?
As is generally the case in any area, the user may bring the matter before a judicial body to enforce his or her rights. In addition, the new regulation establishes the possibility of approaching the designated authority at State level to ensure the application and enforcement of the provisions of the Regulation. If the problem concerns the processing of personal data, you may also exercise your rights before the competent authority in this area.
In this respect, the European Commission will have to make public a list of the relevant authorities on the basis of the information provided by the States. They may designate more than one authority, indicating which one has the coordinating role. These authorities shall have sufficient means: their members shall have the expertise required for the performance of their duties and their impartiality shall be guaranteed, so that they may not receive instructions from other entities.
Apart from this channel, the data subject and the user - or, where appropriate, the third party to whom the user permits the use of the data - may voluntarily agree to submit to a certified dispute resolution body, whose decision must be taken within a maximum of 90 days. Such a body shall be accredited to the State where it is established. To this end, it must justify its impartiality, capacity and independence. It must also demonstrate that it has adequate procedural rules and that it is easily accessible by electronic means.
In short, the new Data Law has not only established a regulatory framework that reinforces users' access to the data generated by the connected products they acquire and the related services they enjoy, but it has also enshrined a series of guarantees specifically aimed at ensuring effective compliance.
Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec). The contents and points of view reflected in this publication are the sole responsibility of its author.
Updated 02/29/24
At the end of 2021, an agreement was reached between the European Parliament and Member States to push forward the proposed Data Governance Act. The aim was to create processes and structures to facilitate the exchange of data between all relevant actors.
Shortly thereafter, it was followed by another new regulatory initiative launched by the European Commission: the so-called Data Act. It is a new regulation that aims to promote harmonised rules on access and fair use of data within the framework of the European Strategy. Once the appropriate public consultation has been completed and, in view of the conclusions of the corresponding impact analysis, this proposal has been formulated, which is set to profoundly transform the European regulatory framework on data.
What are the objectives of the new regulation?
The initiative is based on a basic premise: despite the progress made, there is still a general problem regarding the insufficient availability of data in the European Union as a whole. In this sense, it has been noted that this is not simply a problem specific to the national sphere, so that it has seemed necessary to promote a new European regulation whose main objectives are:
- To increase legal certainty with regard to rights relating to access to and use of data, especially in a technological environment of interconnected objects.
- To address imbalances in contractual relations between companies whose subject matter concerns the availability of data.
- Establish the conditions under which private entities should provide data to public bodies in exceptional situations.
- Promote a framework for efficient interoperability of data from a cross-sectoral perspective.
- Establish minimum guarantees for users of data processing services when they change provider.
Let us look at each of these points in detail.
Boosting access to and use of data
One of the main novelties of the Regulation concerns the adoption of measures to facilitate access to data generated by connected objects (IoT). In particular, it has been identified that there are insufficient incentives for data owners to make data available to the users of the objects and services, who are ultimately the ones who generate the data when they use or enjoy them. In this respect, the lack of adequate regulation means that there is clear uncertainty about the rights and obligations that correspond to each of the parties, i.e. manufacturers of the objects, persons using them and, where appropriate, third parties providing services.
The approach is to oblige manufacturers of the objects to share, under appropriate conditions, data generated during the use of products or services - which may even include reasonable compensation - with the users themselves and even with third parties, in particular for the purpose of facilitating after-sales and maintenance services. As a result, rights of access and use are assigned, as opposed to the recognition of exclusive rights arising from the greater ability to control that would initially be vested in manufacturers and designers.
Moreover, specific measures are laid down to strengthen the legal position of those who use the objects, in particular with regard to data generated during the enjoyment of the related products or services. In this respect, the right to information prior to purchase is reinforced, and the user must be informed of the nature and volume of the data to be generated, how he can access the data and how it will be generated, or, inter alia, who will use the data or how to request that it be shared with third parties. Moreover, the manufacturer of the object or service provider is required to guarantee the user access to the data generated, without being able to require any additional information from the user beyond what is strictly necessary to verify the user's status as a user.
Contractual imbalances between companies
As regards business-to-business relations, the Regulation has established measures aimed at ensuring that there is a reasonable balance and, in particular, at avoiding unfair impositions in business-to-business contracts when negotiating conditions relating to access to and use of data. Thus, on the one hand, the cases in which a clause is considered unfair for a micro/small/medium-sized enterprise are specified, as would be the case, for example, when it would be prevented from making a copy of the data it has itself generated or when undue restrictions are imposed on the means of redress in the event of non-compliance. Moreover, it is specified in which circumstances the conditions have been unilaterally imposed in an undue manner, with the onus being on the company that proposed the clause to prove that there has been no such imposition. The mandatory nature of these measures is reinforced by the express prohibition to ignore them even if there is an agreement to that effect between the two parties.
Provision of data to public entities
With regard to relations between companies and public bodies, the Regulation envisages the mandatory provision of certain data to meet exceptional needs linked to emergencies or even situations where the public interest so requires. This is a measure that would not be applicable to smaller companies and that, in any case, would be subject to a series of limits and conditions, among which the following stand out:
- The requirement to demonstrate the exceptional need that justifies making the data available, specifying the purpose of the use and its duration.
- The regulations on open data and re-use of public sector information shall not apply to the data provided.
- If the purpose of the provision relates to personal data, reasonable measures for pseudonymisation shall be required, provided that this is not incompatible with the intended purpose.
- Where the purpose of making the data available is the performance of a task of public interest, the existence of a legal provision is required, and it must be shown that the data could not have been obtained by any other means, including their purchase on the market.
In any case, this regulation does not affect cases in which the provision of data by companies takes place in the framework of the fulfilment of legal obligations derived from the exercise of surveillance or verification functions, as would be the case, in particular, with the performance of inspection tasks by public authorities.
A strong commitment to interoperability
One of the main problems that the new Regulation seeks to address is the high level of fragmentation of data, in particular due to the existence of "silos" that prevent their interconnection in the absence of effective rules on interoperability. In this respect, an obligation is laid down for data space operators to comply with a number of minimum requirements to facilitate interoperability, in particular as regards the specification of technical and legal conditions allowing automated data processing. Specific conditions are also laid down for smart contracts, i.e. software that executes and settles transactions on the basis of pre-determined conditions from the perspective of data provision, including a European declaration of conformity system and even the establishment of standardisation criteria.
Interoperability requirements may be general in scope or, where appropriate, sector-specific, for which a broad legal approach will be essential, taking into account the requirements of the respective regulatory frameworks applicable in each case. To this end, the definitive boost to European data spaces can undoubtedly be of great importance in order to specify the scope of regulation in some areas of great strategic relevance and of unquestionable public interest.
Safeguards against switching providers
Another of the main novelties of the proposal consists of recognising minimum rights for users of data processing services when they change provider, so as to extend their ability to choose and ensure that they can dispose of their data, applications and other digital assets without unjustified restrictions. It also establishes certain minimum contents that must be included in the corresponding contract with providers, including the obligation to facilitate and actively collaborate in the migration process, the exhaustive identification of the categories of exportable data and applications or, among other aspects, the establishment of a minimum period for the recovery of data once the contract is terminated.
Although all these aspects may represent significant improvements in terms of facilitating access to data, the fact is that the proposal has raised some doubts, especially with regard to the mandatory nature of their transfer in B2B and B2G environments, the possible increase in costs that the new data processing conditions would entail or, among other aspects, the possible contradiction with the principle of minimisation in force in the area of personal data protection and, in general, the coherence with the rest of the European regulatory framework. These are undoubtedly important challenges whose regulation will have to take shape in the coming months during the long and intense process that is now beginning.
Content prepared by Julián Valero, professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec). Contents and points of view expressed in this publication are the exclusive responsibility of its author.