The EU Data Governance Act: what privacy professionals need to know

By Joaquin Muñoz Rodriguez  and Ruth Boardman of Bird & Bird

Last December, political agreement was reached on the Data Governance Act. The remaining (largely) procedural steps are likely to be completed by March 2022 and the Act will become applicable 15 months after the date of its entry into force – i.e. Summer of 2023. The Data Governance Act applies to “data” – “any digital representation of acts, facts or information…” – in general, not just to personal data. It is the first of the European Union’s new initiatives on “data” to get to the legislative finishing line. In this article, we highlight the provisions of most relevance to privacy professionals. For those wanting a quick read, the key points are listed below. The full article contains an overall summary of the Act and longer analysis on the impact for privacy professionals.

  • The Act encourages wider re-use of data held by the public sector bodies, including personal data. This is to be achieved by making use of secure processing environments and anonymisation techniques such as differential privacy and creation of synthetic data. This part of the Act may drive more development of, and guidance on, use of such techniques which may be of wider use, beyond the immediate goal of re-use of public sector data.
  • A licensing regime is set up for “data intermediaries”. These are organisations which set up commercial arrangements between data holders and data users, but which do not themselves add extra value to the data. Data intermediaries will need to meet licence conditions designed to ensure their independence and restrict their re-use of data and metadata. The requirements will affect those offering data marketplaces and (possibly) consent management platforms. Ad-tech companies should take careful note.
  • Data altruism is to be encouraged. Those wanting wider access to data – in particular for scientific research – may find that this facilitates access to more data. Those operating on a not-for-profit basis for general interest purposes may want to consider becoming a recognised data altruism organisation.
  • The Act contains the first steps towards restriction of transfers of non-personal data. Data intermediaries and recognised data altruism providers will need to consider if third countries offer appropriate protections for non-personal data and will need to resist attempts by public authorities in third countries to access EU originating non-personal data. There are additional restrictions applicable to those involved in re-use of public sector data, as well as mechanisms for the Commission to recognise countries as offering adequate protection and to adopt model contractual clauses for transfer of non-personal data.

RAPUNZEL: SPINNING DIFFICULT DATA INTO GOLD

Chapter II of the Act aims to unlock more value in data held by the public sector, by opening up this data for re-use. Recital 5 explains the objective well:

“The idea that data that has been generated or collected by public sector bodies or other entities at the expense of public budgets should benefit society has been part of Union policy for a long time [via the Open Data Directive] … However, certain categories of data (commercially confidential data, data subject to statistical confidentiality, data protected by intellectual property rights of third parties, including trade secrets and personal data) in public databases is often not made available.. not even for research or innovative activities in the public interest…”.

Chapter II aims to promote use of these “difficult” types of data. The provisions apply to public sector bodies and aim to facilitate “re-use” of the data – that is, use for commercial, or non-commercial purposes, other than the initial public task for which the data were produced. There are exclusions – for example, the Act does not cover data held by public undertakings (owned by public bodies), broadcasters, cultural establishments, data which are protected for reasons of national security, defence or public security.

Like the Open Data Directive, the Act does not oblige public sector bodies to allow re-use of data, but where data are made available for re-use then it requires that access arrangements must be non-discriminatory, transparent, proportionate, objective and may not restrict competition. Exclusive access arrangements are restricted. There are also restrictions on fees payable for access.

Public sector bodies who do provide access must ensure that they preserve the protected nature of the data. By way of example, this could mean only releasing data in anonymous form. Or it could mean using secure processing environments – physical or virtual environments which allow access to data, whilst ensuring compliance with other laws and preserving the protected nature of the data. Recital 6 specifically calls put the potential for use of differential privacy and synthetic data as ways of allowing exploitation of data. Those who wish to re-use the data, must agree to continue to respect the protected nature of the data; where data has been released that was originally personal, then this would include agreeing not to attempt to re-identify data subjects.

If a public sector body receives a request to release data, but cannot do so in a compliant way, even by using the techniques above, then it has an obligation to use best efforts to seek consent to re-use from the data subject/ affected person, unless this would involve disproportionate effort.

Allowing re-use of data which is personal, confidential, or otherwise protected by IPRs, whilst simultaneously not prejudicing those same interests, will be difficult. To assist in this, the Commission requires each member state to have a competent body to support public authorities in these tasks. To facilitate re-users of the data, the member state must also ensure that there is a single point, to which requests for re-use can be directed. This must also list all datasets available for re-use. The Commission will also create an EU wide single access point.

RELEVANCE TO PRIVACY PROFESSIONALS

The re-use provisions will be relevant to privacy professionals working for organisations which make use, or would like to make use, of public sector data comprising personal data. There could be opportunities for new data sources.

They will also be highly relevant to organisations offering consultancy services on privacy preserving techniques such as differential privacy and synthetic data.

Outside of these two groups, the provisions do not have immediate and direct relevance for privacy professionals. However, they do throw a spotlight onto anonymisation and privacy enhancing techniques – and possible developments in this area will be wider relevance to privacy professionals.

In its Opinion 05/2014 on Anonymisation Techniques, the Article 29 Working Party stated:

“… ‘the means likely reasonably to be used to determine whether a person is identifiable’ are those to be used ‘by the controller or by any other person’. Thus, it is critical to understand that when a data controller does not delete the original (identifiable) data at event-level, and the data controller hands over part of this dataset (for example after removal or masking of identifiable data), the resulting dataset is still personal data. Only if the data controller would aggregate the data to a level where the individual events are no longer identifiable, the resulting dataset can be qualified as anonymous.”

The Opinion seems to foreclose the possibility of the release of any individual level anonymous dataset, whilst the source data set remains in existence. This approach would restrict the ways in which public sector bodies could make data available under the Act.

The European Data Protection Board stated in its Work Programme 2021/2022 that it is working on new guidance on anonymisation and pseudonymisation. This is needed. The Opinion above dates from 2014. In particular, it predates the 2016 CJEU decision in Breyer (Case C 582/14), where the CJEU held that:

“a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data …, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person” (emphasis added).

The CJEU also referred approvingly to the Opinion of the Advocate General, noting that data would not be personal if the “risk of identification appears in reality to be insignificant” which would be the case “if the identification of the data subject was prohibited by law or practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power”.

In Breyer, the fact that the ISP would always be able to identify the website visitor did not mean that the dynamic IP address would always be personal data in the hands of other parties. Instead, the CJEU considered the likelihood of the fully identifying information being used to identify the website visitor – taking into account legal constraints on the party processing the data whose status was at issue. The Act requires that public sector bodies impose legal constraints (through access conditions) on parties wishing to re-use data, which include a prohibition on attempted re-identification. Following Breyer, this approach – combined with technical measures in a secure processing environment – should allow anonymous access to data, which remains personal in the hands of the public sector body.

INTERMEDIATION: DATA-AS-A (NEUTRAL) SERVICE

Chapter III of the Act aims to encourage a new market in neutral data intermediation services. This is on the basis that, “specialised data intermediation services that are independent from data subjects and data holders [person with a right to license data], and from data users [person with a right to use data], could have a facilitating role in the emergence of new data-driven ecosystems…”. The Chapter seeks to achieve this by imposing a licensing regime on data intermediation services, where the licence conditions are designed to ensure independence.

Data intermediation services are services which aim to establish commercial relationships, for the purpose of data sharing, between an indeterminate number of data holders (or data subjects) and data users. These commercial relationships could be established through technical, legal or other means. The concept is limited to pure facilitation of data sharing – accordingly, providers who enrich data or otherwise add value to it are not included. Providers who intermediate copyright protected content; closed group arrangements; and arrangements by a single data holder to allow exploitation of its own data are all excluded, as are intermediation services provided by public sector bodies without “aiming to establish commercial relationships for purpose of data sharing”. Browsers and email service providers and account information service providers under the PSD2 Directive are also excluded. However, data marketplaces are specifically mentioned as a type of intermediation service.

Intermediation services could also include services set up to intermediate between data subjects who want to make their personal data available, and data users who want to use such personal data. Here, the Act notes the risk of “misaligned incentives”. Any intermediation service provider offering services to data subjects must “act in their best interests” when facilitating the exercise of their rights, in particular in providing information about the intended uses of data (and any uses of consented data outside the EU). The Act also anticipates the creation of specialised forms of data intermediaries, “data co-operatives”, which are – in effect – owned by the data subjects they represent and whose principal objective is to support data subjects in exercising their rights.

The Act sets up a two-tier licensing structure. All intermediation service providers must notify (i.e. complete a filing with) the relevant competent authority and must meet specified conditions. Intermediation service providers may also (but are not required to) ask the competent authority to confirm if the provider meets these conditions. If the competent authority issues this confirmation, the provider is then able to use a to-be-developed Commission logo and to use the legend “provider of data intermediation services recognised in the Union” in communications. The competent authority for a service provider is the authority in the member state where the service provider has its main establishment and service providers with no EU presence must appoint a legal representative in the EU – all concepts familiar from the GDPR.

Those offering intermediation services must meet conditions set out in Art.11, all designed to ensure independence. These conditions include the following: intermediation services have to be offered by a separate legal person (i.e. not offering other services); separate use of the data is prohibited; pricing cannot be linked to take up of other services; metadata about service use cannot be used for other purposes (but prevention of fraud/ cyber risk and service development is acceptable); data must be provided in the format received; it can only be converted if this is to enhance interoperability and the provider must allow an opt-out from this; the provider can offer tools to facilitate exchange of data – but must have approval of the data holder/ data subject to do this; licences must be on FRAND type terms; the provider must ensure availability and interoperability with other intermediation services; must put in place technical, organisational and legal measures to prevent transfer or access to non-personal data that would be unlawful & must notify the data holder of any unauthorised access/ use of non-personal data that has been shared and appropriate security measures must be maintained (in other words, GDPR style protections are introduced for non-personal data which is shared via an intermediation service) and, lastly, logs of all intermediation activity must be maintained.

The recitals to the Act give the impression that data intermediation services will be new types of services, tied to yet-to-exist developments in the data economy. However, it seems possible that many existing organisations may be offering data intermediation services. The provisions seem to be particularly applicable in the ad-tech space. For example:

  • Those offering data marketplaces; and
  • (possibly) consent management platforms

could well be in-scope.

Organisations offering services which facilitate access to personal data should, therefore, review the provisions in Chapter III carefully. If in scope, they have 24 months from the date the Act becomes applicable to meet the requirements in the Act.

DATA ALTRUISM

The Act defines “data altruism” as “the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward that goes beyond a compensation related to the costs they incur making their data available, for purposes of general interest, …, such as healthcare, combating climate change, improving mobility, facilitating the establishment of official statistics, improving public services, public policy making or scientific research purposes in the general interest”.

The provisions in the Act on data altruism are relatively light touch. The Act notes that Member States may wish to promote altruism (including by allowing individuals to make personal data held by public sector bodies more widely available), but there is no obligation to do so. Likewise, the Act sets out a registration scheme for data altruism organisations, but – unlikely data intermediaries – registration is voluntary. Member states must designate a competent authority to manage the registration process and, as with data intermediaries, there are arrangements for organisations operating in multiple member states to register via their main establishment and for those with no EU establishment to nominate a representative.

Organisations who do register will then be able to promote themselves in this way, by using a Commission developed logo and the legend “data altruism organisation recognised in the Union”, the rationale presumably being that this imprimatur will give individuals and data holders the confidence make data available to registered organisations.

Recognised data altruism organisations must meet specified conditions. In particular, they must be not for profit bodies and must be established to meet objectives of general interest. The European Data Protection Board had criticised the Act for not imposing sufficiently detailed requirements on recognised data altruism organisations. To meet this, there is a mechanism for the Commission to introduce a more detailed rulebook, which such organisations will need to follow.

Under the Act, the lawful basis for altruistic use of a data subject’s data is consent given by the data subject. The Commission is to develop an European consent form for the altruistic transfer of data, in order to reduce the costs involved in obtaining consent and to facilitate data portability (when the data to be transferred are not in the possession of the data subject).The form is to be modular, allowing for customisation for sector-specific consent templates. Some sector-specific working groups have already been working along these lines in order to explore this concept of data altruism, e.g. in the area of health and scientific research. Particularly relevant for this purpose is the project “Towards European Health Data Space” which develops European principles for the secondary use of health data and has recently produced a first set of data altruism definitions, use cases and conclusions that can be taken as a reference document when establishing a methodology for carrying out impact assessments aimed at mitigating possible risks that may arise.

The term altruism seems to imply that data should be given without expectation of anything in return, and to suggest that the provisions are of relevance solely to not-for-profit organisations, but this is not necessarily the case. Many public bodies will probably participate in this data exchange without receiving anything in return in the first instance, but with the intention of being rewarded in the future with a much larger and more diverse set of information than they currently handle, which will likely bring them some kind of benefit. On the other side are projects that seek to directly benefit society and that seek to make a profit. In the era of Big Data, some projects are not entirely effective due to the lack of a truly large volume of information that allows for reliable data analysis. Being able to access wider sources of information will be a benefit. Such projects would not be able to become recognised data altruism organisations but could potentially still benefit from wider data altruism initiatives, facilitated by data subject consent and portability initiatives. These altruistic exchanges share certain features with free distribution systems regarding copyrighted works, such as Creative Commons or Copyleft licensing schemes. In both cases, the proliferation of information is based on the principles of altruism, collaboration, and the removal of restrictions for access to resources.

Under the GDPR, an informed consent form must be express and specific. It seems that this Act may allow a more generic consent that opens the door to broader, future, purposes. It is worthy of note that a similar provision already exists in Recital 33 of the GDPR, which recognises that it may not be possible to fully identify the purpose of particular scientific research purposes at the time of data collection and which allows consent to be given more broadly, to certain areas of scientific research, in line with recognised ethical standards.

DATA TRANSFER

The Act starts to extend restrictions on transfers of data into non-personal data. Privacy professionals are likely to be the people in any organisation who have most experience of navigating these restrictions. Accordingly, while the restrictions do not apply to personal data (because the GDPR already contains similar, or more extensive, restrictions), they may still be of relevance.

Most restrictions are introduced into re-use of public sector body data. If a re-user intends to transfer non-personal data to a third country, then it has to notify the public sector body of this at the time that it requests re-use of the data. The public sector body, in turn, must notify the parties who may be affected by this – and may only grant the re-use request if those parties give permission for the transfer. It is unclear if the use of secure processing environments may – of themselves – allow an argument to be made that no other parties will be affected by the transfer. Such an argument would seem plausible if the effective of such facilities was to provide effective protection for those parties’ interests.

Where transfers are permitted, then the re-user must give contractual assurances to comply with IPR & confidentiality requirements post transfer and to accept the jurisdiction of the courts of the Member State where the public sector body is based. The Act also introduces a possibility for the Commission to adopt model contractual clauses and to declare certain countries to offer adequate protection for non-personal data, or to introduce additional restrictions for certain categories of non-personal data which pose a high risk. The recitals to the Act set out the types of factors which the Commission must consider when assessing the adequacy of the level of protection offered – these will be familiar from Schrems II.

So far, the non-personal data transfer restrictions may sound of limited relevance: primarily affecting public sector bodies, or those receiving data form such bodies. However, Art.30 extends these restrictions. This introduces a general obligation on public sector bodies, those allowed data for re-use, as well as data intermediation and data altruism organisations to take all reasonable measures to prevent international transfers of or government access to non-personal data held in the Union, where this would conflict with EU or Member State law.

The Act also contains a provision equivalent to GDPR Art.48 – noting that third country judgments or decisions requiring access to data are only recognised in the EU if based on an international treaty. Further, any re-user of public sector data, an intermediation service provider and any recognised data altruism organisation who receives a third country request for non-personal data that would conflict with EU or Member State law must provide the minimum possible data in response to such a request and may only co-operate with it, where either the request is recognised under an international treaty etc. or where conditions set out in the Act (addressing proportionality; court authorisation; and recognition of interests protected under EU or Member State law) are met. The provider must also notify data holder of request – unless request is for law enforcement purposes (not national security) and where this is necessary to preserve effectiveness of the law enforcement activity. Providers of intermediation services, or data altruism services, which relate to non-personal data will, therefore, have to use transfer risk assessments and processes for dealing with public authority requests to access data.

CREATION OF A EUROPEAN DATA INNOVATION BOARD, COMPLIANCE AND ENFORCEMENT

The Act requires an European Data Innovation Board, made up of a group of experts in the field, to be created. The Board should consist of representatives of the Member States, the Commission and relevant data spaces and specific sectors (such as health, agriculture, transport and statistics). The European Data Protection Board should be invited to appoint a representative.

Member States must designate one or more competent authorities to administer the register of data altruism organisations and of data intermediaries and to enforce the legislation. These designated competent authorities must coordinate with other authorities that may have an interest, such as data protection authorities, national competition authorities, cybersecurity authorities and other relevant sectoral authorities.

Article 31 of the Act states that fines are to be set and implemented by each Member State. Unlike the GDPR, the Act does not prescribe the specific amounts and weighting factors applicable to the corresponding monetary sanctions. However, similarly to Article 83 GDPR, the Act provides that Member States must ensure that the decided penalties are “effective, proportionate and dissuasive”.