A new draft EU Regulation aims to encourage the sharing and re-use of data and foster a data-driven economy that shares the benefits of Big Data whilst respecting individuals’ rights in personal data and commercial rights in data. Innovative businesses, from AI to medical research, will welcome new opportunities to access data from which they can draw insights and develop technologies.
The European Commission cites that the volume of data produced globally is likely to grow from “33 zettabytes in 2018 to an expected 175 zettabytes in 2025”. Whilst the legislation is at an early stage and still needs to be approved by the European Parliament and the EU Council, the proposed Regulation, and the European data strategy more generally, show the EU’s desire to shift the legal framework to create a more open data culture in which this data is fully exploited rather than siloed.
The draft Regulation covers three key areas: (1) access to data held by public sector bodies, (2) regulation of data sharing services, and (3) encouraging ‘data altruism’ – donating data for the common good (e.g. for scientific research). The draft Regulation seeks to create mechanisms and markets to facilitate data sharing, rather than requiring data to be disclosed or watering down existing laws that protect data (such as confidentiality, intellectual property and the regulation of personal data).
A new draft EU Regulation aims to encourage the sharing and re-use of data. It forms part of the EU’s mission to foster a data-driven economy that shares the benefits of Big Data whilst respecting individuals’ rights in personal data and commercial rights in data. Innovative businesses, from AI to medical research, will welcome new opportunities to access data from which they can draw insights and develop technologies.
In early 2020, the European Commission published its European strategy for data setting out a vision for the sharing and exploitation of commercial and public data to drive economic growth and innovation. The strategy paper took aim at tech giants, highlighting that the concentration of data among a small number of Big Tech firms risked stifling the emergence of data-driven businesses in the EU. The measures in the strategy paper aim to increase the use of data and data-enabled products across all sectors of the EU economy. The paper mentions specifically the value that increased access to data could have in the fields of artificial intelligence, healthcare and medical research, amongst other key industries.
The European Commission has now published a draft Regulation (the Data Governance Act) to implement the goals of the strategy paper. This Regulation is envisaged to sit alongside further legislation, including sector-specific laws to establish common European ‘data spaces’ in strategic industries. For example, a legislative proposal for a European health ‘data space’ is anticipated in late 2021.
The draft Regulation covers three key areas: (1) access to data held by public sector bodies, (2) regulation of data sharing services, and (3) encouraging ‘data altruism’ – donating data for the common good (e.g. for scientific research).
The European Commission’s goals of increased data sharing and re-use sit alongside existing regimes that empower organisations and individuals to restrict the dissemination of data: confidentiality, data protection and intellectual property. The Regulation seeks to encourage broader access to data in a way that respects these private rights in data.
1. Unlocking public sector data
The European Commission sees public sector data as a resource with untapped commercial potential that should be publicly available. It aims to unlock data held by public sector bodies for re-use in the private sector.
The new Regulation will ban public bodies from granting private entities with exclusive access to data. The data must be made generally available on a non-discriminatory basis. This does not mean that the data must be freely available. Public sector bodies are required to comply with third parties’ rights in the data (e.g. rights under data protection law, IP rights and confidentiality) and they can therefore impose conditions on the use of the data. However, such conditions must be published and applied consistently, as well as being proportionate and justified. Conditions envisaged by the Regulation include (a) only allowing access to data that has been pre-processed (e.g. to anonymise data or remove trade secrets) or (b) only allowing access through a secure environment.
The new Regulation applies to data that cannot be made freely available because the data is subject to third party rights and will therefore complement the existing Open Data Directive, which provides similar rules in respect of other types of data.
2. Regulating data sharing services
The draft Regulation would introduce a regulatory framework for data brokers in order to foster greater trust in data sharing services and to encourage individuals and businesses to engage in data sharing. The services covered by the regime are: (a) acting as an intermediary between data holders and organisations seeking to use data, (b) intermediation services between individuals who seek to make their personal data available for use and potential data users, and (c) cooperatives who negotiate data sharing on behalf of data holders or data subjects.
Before providing data sharing services, organisations will need to register with a regulatory authority and (if based outside the EU) appoint a representative in the EU. In addition, the Regulation sets out various rules relating to the operation of the data sharing service, including:
- Data sharing service providers must not use the data for their own purposes (i.e. their use of the data must be limited to their role as an intermediary).
- If the provider offers a service to individuals to enable individuals to share their personal data, it will have a fiduciary duty to act in the best interests of these individuals when it comes to their rights under the GDPR.
- Procedures must be in place to prevent the services being used for fraudulent or abusive purposes.
- Access to the service must be fair, transparent and non-discriminatory.
- Adequate security measures must be in place to protect the data.
Regulatory authorities will have the power to impose ‘dissuasive’ financial penalties for breach of the rules.
3. Data Altruism
A public consultation on the European Data Strategy took place between February and May 2020, where 69.7% of respondents were in agreement that law and technology should facilitate data sharing for the public interest, such as for scientific research. ‘Data altruism’ is the term used by the European Commission to describe making data available voluntarily for the purposes of general interest (such as scientific research or improving public services).
Data altruism is likely to be of particular interest to organisations operating in the life sciences sector. The European Commission specifically refers to the benefits of increased data sharing to “develop personalised medicine or advanced research to find cures for specific diseases” and the ‘donation’ of information by pharmaceutical companies in the context of COVID-19. However, the European Commission wants data altruism to become more widespread (in addition to making the practice of data sharing in the life sciences sector more efficient).
The draft Regulation addresses data altruism by creating a voluntary registration procedure for not-for-profit organisations involved in collecting and sharing data that has been voluntarily provided for the common good. Those registering will be required to meet certain standards, including with respect to transparency and record-keeping. This will enable the non-profit to hold itself out as a ‘data altruism organisation recognised in the Union’. This moniker is intended, in turn, to provide reassurance to organisations using the not-for-profit’s data, as well as data holders and data subject who provide data to the not-for-profit.
Importantly, individuals do not relinquish their rights in ‘donated’ personal data, which will still need to be processed in accordance with the GDPR. The draft Regulation envisages that the European Commission may produce a ‘data altruism consent form’ to facilitate the collection and use of data, including personal data that is subject to the GDPR. Data subjects will retain the right to withdraw consent to the use of their personal data at any time. The not-for-profit’s platform will therefore need to be designed with data subjects’ rights in mind.
The European Commission cites that the volume of data produced globally is likely to grow from “33 zettabytes in 2018 to an expected 175 zettabytes in 2025.”1 Whilst the legislation is at an early stage and still needs to be approved by the European Parliament and the EU Council, the proposed Regulation, and the European data strategy more generally, show the EU’s desire to shift the legal framework to create a more open data culture in which this data is fully exploited rather than siloed. However, precedence is granted to confidentiality, intellectual property rights and individuals’ rights in their personal data. Therefore, the provisions in the draft Regulation seek to create mechanisms and markets to facilitate data sharing rather than requiring disclosure or watering down existing laws that protect data. For most players the regime is one of encouragement rather than compulsion. It will therefore likely be some time after the Regulation comes into force that its effectiveness can be judged. Incremental reform is unlikely to threaten Big Tech’s dominance in the short term.
1) A zettabyte is 1,000,000,000,000,000,000,000 bytes.