Three and a half years after the entry into force of the GDPR, the European Commission releases a new ambitious legal framework about data, the Data Governance Act. It aims to encourage the sharing and re-use of data across sectors while protecting the economic interests of Europe and the privacy of its citizens. As Roberto Viola points out, “Global data volume will grow from 33ZB to 175ZB in 2025. We need to make the best use of this data”.
The Data Governance Act released today is the creature of the EU Commissioner for Internal Market Thierry Breton, and it follows a series of “bras de fers” between the Commissioner and American Big Tech, the latest one with Sundar Pichai, Google CEO. For Breton’s own admission, the Act is a mean for Europe to not lose the run on non-personal data, after losing to the US the one on personal data. This approach is tricky, as it legitimates assigning an economic value to personal data.
Today’s piece of legislation goes hand in hand with the Digital Services Act and Digital Markets Act, whose release has been pushed back a week to 09/12. In 2021, the Data Act will enforce the right to portability.
The Act is structured along four pillars:
1) Re-use of public sector data
The creation of a mechanism to re-use public sector data beyond the original public purpose for which the data was collected. The re-use can go both towards commercial and non-commercial exploitation. It is worth noting that public sector bodies allowing re-use “should have in place the technical means necessary to ensure the protection of rights and interests of third parties”, which is not for tomorrow.
2) Data sharing services providers as “trusted intermediaries”
Providers will have an obligation to separate data sharing services from other commercial operations and not to monetise further the data. They stand as a guarantee of independence for new data-driven ecosystems. A special category of data intermediaries will work only with personal data. As an extra guarantee, for the Act, “it could be desirable to collate actual data within a personal data storage space, or ‘personal data space’ so that processing can happen within that space”.
3) Data Altruism
Individuals and companies now have a framework to make their data available for the common good, without a reward. It entails an authorisation framework and a standard consent form. This part of the Act will likely lead to an explosion of data cooperatives and data unions. Entities will be able to sign up into a public register as a “data altruism organisation” — provided they have a not-for-profit character;
4) European Data Innovation Board
The Board will help streamline approaches across the Member States, oversee the data sharing services providers and advise the Commission on cross-sector standardisation.
A leaked version of the Act was highly criticised for infringing international regulation when excluding foreign companies to access the European data processing market from abroad. Namely, the World Trade Organisation rules, which prevent its members from forcing a foreign business to establish a siege to trade there. “Not even China goes that far. China discriminates on the basis of the licence alone”, pointed out Hosuk Lee-Makiyama from the European Centre for International Political Economy.
For Access Now, the Digital Rights charity, concerns were more addressed at the human rights side. By implying that data are a product to trade, the Act undermines the right to data protection, which is intrinsically out of any commercial considerations and promotes an approach that Access Now depicts as a step backwards from the GDPR.
The Finnish MEP Miapetra Kumpula-Natri stressed instead that without last generation connectivity infrastructures, Europe would not be able to harvest the benefits of a well-functioning data economy.
What to keep an eye on
The Act is a good step towards European data sovereignty since it provides a framework for a regulated exchange and re-use of data. Like GDPR, it will probably keep attracting criticisms and be labelled as just another Brussels’ kafkaesque exploit, and like GDPR it will be copied and adapted elsewhere (even in China).
Whether the WTO (and the new Washington administration) will be fine with its obligation for commercial intermediaries to have a legal representation in the EU is a matter to be defined. While the explicit data localisation requirements present in leaked drafts have been removed, restrictions on transferring commercially sensitive data to non-EU countries are maintained. I’d be more worried by the fact that the requirement causes an unequal competition, since only big companies will be able to afford a foot on the European ground: the market of non-EU intermediaries risks to be quickly monopolised.
The social impact of the Act
Despite the strategic economic need of leveraging industrial data, the Act formulation stresses benefits for citizens, such as personalised medicine and the Green Deal. It also launches reassuring messages on personal data usage, although, as noted above, putting them in the same pot of industrial ones could be counterproductive for human rights.
Increasing collaboration among States on topics of public interest can only benefit the original European plan, and providing citizens with a lever to engage directly in the “data economy for good’ (whatever) can increase their awareness about how the digital world works. It can also create a new strain of activism around data led by data cooperatives, or even better by data trusts and MyData Operators, which could be vital in providing a voice to underrepresented groups like precarious gig workers.