Explanatory Memorandum to COM(2020)767 - European data governance (Data Governance Act) - Main contents

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier	COM(2020)767 - European data governance (Data Governance Act).
source	COM(2020)767
date	25-11-2020

1. CONTEXTOFTHE PROPOSAL

• Reasons for and objectives of the proposal

This explanatory memorandum accompanies the proposal for a Regulation of the European Parliament and of the Council¹ on data governance. It is the first of a set of measures announced in the 2020 European strategy for data². The instrument aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU. The instrument would address the following situations:

- Making public sector data available for re-use, in situations where such data is subject to rights of others³.

- Sharing of data among businesses, against remuneration in any form.

- Allowing personal data to be used with the help of a ‘personal data-sharing intermediary’, designed to help individuals exercise their rights under the General Data Protection Regulation (GDPR).

- Allowing data use on altruistic grounds.

• Consistency with existing policy provisions in the policy area

The current initiative covers different types of data intermediaries, handling both personal and non-personal data. Therefore, the interplay with the legislation on personal data is particularly important. With the General Data Protection Regulation (GDPR)⁴ and ePrivacy Directive⁵, the EU has put in place a solid and trusted legal framework for the protection of personal data and a standard for the world.

The current proposal complements the Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (Open Data Directive)⁶. This proposal addresses data held by public sector bodies that is subject to rights of others and therefore falls outside the scope of this Directive. The proposal has logical and coherent links with the other initiatives announced in the European strategy for data. It aims at facilitating data sharing including by reinforcing trust in data sharing intermediaries that are expected to be used in the different data spaces. It does not aim to grant, amend or remove the substantial rights on access and use of data. This type of measures is envisaged for a potential Data Act (2021)⁷.

The instrument draws inspiration from the principles for data management and re-use developed for research data. The FAIR data principles⁸ stipulate that such data should, in principle, be findable, accessible, interoperable and re-usable.

¹ The final form of the legal act will be determined by the content of the instrument.

² COM/2020/66 final.

³ “Data the use of which is dependent on the rights of others” or “data subject to the rights of others” covers data that might be subject to data protection legislation, intellectual property, or contain trade secrets or other commercially sensitive information.

⁴ OJ L 119, 4.5.2016, p. 1-88.

⁵ OJ L 201, 31.7.2002, p. 37-47.

⁶ OJ L 172, 26.6.2019, p. 56–83.

⁷ See COM/2020/66 final.

⁸ www.force11.org/group/fairgroup/fairprinciples">https://www.force11.org/group/fairgroup/fairprinciples

Consistency with other Union

policies

Sector-specific legislation on data access is in place and/or under preparation to address identified market failures in fields such as the automotive industry⁹, payment service providers¹⁰, smart metering information¹¹, electricity network data¹², intelligent transport systems¹³, environmental information¹⁴, spatial information¹⁵, and the health sector¹⁶. The current proposal supports the use of data made available under existing rules without altering these rules or creating new sectoral obligations.

Similarly, the proposal is without prejudice to competition law, and it is designed in compliance with Articles 101 and 102 TFEU, and it is also without prejudice to the provisions of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market¹⁷.

2. LEGALBASIS, SUBSIDIARITYAND PROPORTIONALITY

• Legal basis

Article 114 of the Treaty on the Functioning of the European Union (TFEU) is identified as the relevant legal basis for this Regulation. Pursuant to this Article, the EU has to adopt measures for the approximation of the provisions laid down by law, regulation or administrative action in Member States which have as their object the establishment and functioning of the internal market in the EU. This initiative is part of the 2020 European strategy for data that aims to strengthen the single market for data. With a growing digitalisation of the economy and society, there is a risk that Member States will increasingly legislate data-related issues in an uncoordinated way, which would intensify fragmentation in the single market. Setting up the governance structures and mechanisms that will create a coordinated approach to using data across sectors and Member States would help stakeholders in the data economy to capitalise on the scale of the single market. It will contribute towards the establishment of the single market for data, by ensuring the emergence and cross-border functioning of novel services through a set of harmonised provisions.

Digital policies are a shared competence between the EU and its Member States. Article 4(2) and (3) of the TFEU specifies that, in the area of the single market and technological development, the EU can carry out specific activities, without prejudice to the Member States’ freedom to act in the same areas.

• Subsidiarity (for non-exclusive competence)

2. Businesses often need data from several Member States so they can develop EU-wide products and services, as data samples available in individual Member States often do not

9

10

11

12

13

14

15

16

OJ L 188 18.7.2009, p. 1 as amended by OJ L 151, 14.6.2018, p. 1. OJ L 337, 23.12.2015, p. 35-127.

OJ L 158, 14.6.2019, p. 125-199; OJ L 211, 14.8.2009, p. 94-136. OJ L 220, 25.8.2017, p. 1-120; OJ L 113, 1.5.2015, p. 13-26. OJ L 207, 6.8.2010, p. 1-13. OJ L 41, 14.2.2003, p. 26-32. OJ L 108, 25.4.2007, p. 1-14.

A legislative proposal for the European health data space is envisaged for the fourth quarter of 2021. https://eur-lex.europa.eu/resource.html?uri=cellar%3A91ce5c0f-12b6-11eb-9a54-01aa75ed71a1.0001.02/DOC_2&format=PDF OJ L 178, 17.7.2000, p. 1-16.

7

have the richness and diversity allowing ‘Big Data’ pattern detection or machine learning. In addition, data-based products and services developed in one Member State may need to be customised to suit the preferences of customers in another Member State, and this requires local data on the Member States’ level. As such, data needs to be able to flow easily through EU-wide and cross-sector value chains, for which a highly harmonised legislative environment is essential. Furthermore, only action at Union level can ensure that a European model of data sharing, with trusted data intermediaries for B2B data sharing and for personal data spaces, takes off, given the cross-border nature of data sharing and the importance of such data sharing.

A single market for data should ensure that data from the public sector, businesses and citizens can be accessed and used in the most effective and responsible manner possible, while businesses and citizens keep control of the data they generate and the investments made into their collection are safeguarded. Increased access to data would have as a result that companies and research organisations would advance representative scientific developments and market innovation in the EU as a whole, which is particularly important in situations where EU coordinated action is necessary, such as the COVID-19 crisis.

• Proportionality

The initiative is proportionate to the objectives sought. The proposed legislation creates an enabling framework that does not go beyond what is necessary to achieve the objectives. It harmonises a series of data-sharing practices, while respecting the Member States’ prerogative to organise their administration and legislate on access to public sector information. The notification framework for data intermediaries, as well as the mechanisms for data altruism serve to attain a higher level of trust in these services, without unnecessarily restricting these activities, and help develop an internal market for the exchange of such data. The initiative will also leave a significant amount of flexibility for application at sector-specific level, including for the future development of European data spaces.

The proposed Regulation will give rise to financial and administrative costs, which are to be borne mainly by national authorities, while some costs will also burden data users, and data sharing providers in order to ensure compliance with the obligations set in this Regulation. However, the exploration of different options and their expected costs and benefits led to a balanced design of the instrument. It will leave national authorities enough flexibility to decide on the level of financial investment and to consider possibilities to recover such costs through administrative charges or fees, while offering overall coordination at EU level. Similarly, the costs to data users and sharing providers will be counterbalanced by the value emanating from broader access and use of data, as well as the market uptake of novel services.

• Choice of the instrument

The choice of a regulation as the legal instrument is justified by the predominance of elements that require a uniform application that does not leave margins of implementation to the Member States and that creates a fully horizontal framework. These elements include the notification for data sharing service providers, the mechanisms for data altruism, the basic principles that apply to the re-use of public sector data that cannot be available as open data or are not subject to sector-specific EU legislation, and the set-up of coordination structures at European level. The direct applicability of the Regulation would avoid an implementation

period and process for the Member States, enabling at the same time the establishment of the common European data spaces in the near future, in line with the EU recovery plan.¹⁸

At the same time, the provisions of the Regulation are not overly prescriptive and leave room for different levels of Member State action for elements that do not undermine the objectives of the initiative, in particular the organisation of the competent bodies supporting public sector bodies with their tasks relating to the re-use of certain categories of public sector data.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER

Contents

CONSULTATIONS

Businesses often need data from several Member States so they can develop EU-wide products and services, as data samples available in individual Member States often do not

The approach is designed to ensure that data sharing services function in an open and collaborative manner, while empowering natural and legal persons by giving them a better

1.

CONSULTATIONS

ANDIMPACTASSESSMENTS

Stakeholder

consultations

An online public consultation was launched on 19 February 2020 on the day the European strategy for data¹⁹ was adopted, and was closed on 31 May 2020. The consultation explicitly indicated it was launched in order to prepare the current initiative, and it addressed the items covered in the initiative with relevant sections and questions. It targeted all types of stakeholders.

In total, the Commission received 806 contributions, of which 219 were from a company, 119 from a business association, 201 from EU citizens, 98 from academic / research institutions, and 57 from public authorities. Consumers’ voices were represented by 7 respondents, and 54 respondents were non-governmental organisations (including 2 environmental organisations). Among the 219 companies / business organisations, 43.4% were SMEs. Overall, 92.2% of the replies came from the EU-27. Very few respondents indicated whether their organisation had a local, regional, national or international scope.

230 position papers were submitted, either attached to questionnaire answers (210) or as stand-alone contributions (20). The papers provided different views on the topics covered by the online questionnaire, in particular in relation to the governance of common data spaces. They provided opinions on the key principles for those spaces, and expressed a high level of support for the prioritisation of standards as well as the data altruism concept. They also indicated the need for safeguards in developing measures related to data intermediaries.

• Collection and use of expertise

In order to explore with the relevant experts the framework conditions for creating common European data spaces in the identified sectors, a series of 10 workshops on common European data spaces took place in 2019 and an additional workshop was organised in May 2020. Gathering a total of more than 300 stakeholders, mainly from the private and public sectors, the workshops covered different sectors (agriculture, health, finance/banking, energy, transport, sustainability/environment, public services, smart manufacturing) and more cross-cutting aspects (data ethics, data market places). The Commission departments dealing with these areas participated in the workshops. The sectoral workshops helped to identify the common elements across the sectors, which need to be addressed by way of laying down a horizontal governance framework.

¹⁸ COM(2020) 456

¹⁹ COM/2020/66

final.

final.

• Impact assessment

An impact assessment was carried out for this proposal. On 9 September 2020, the Regulatory Scrutiny Board issued a negative opinion. On 5 October 2020 the Board delivered a positive opinion subject to reservations.

The impact assessment examines the baseline scenarios, policy options and their impacts for four intervention areas, namely (a) mechanisms for the enhanced use of public sector data that cannot be available as open data, (b) a certification or labelling framework for data intermediaries, (c) measures facilitating data altruism, and (d) mechanisms to coordinate and steer horizontal aspects of governance in the form of an EU-level structure.

For all intervention areas, policy option 1 of having coordination at EU level with soft regulatory measures was found to be insufficient, since it would not significantly change the situation compared to the baseline scenario. Thus, the main analysis concentrated on policy options 2 and 3, which involved a low and high intensity regulatory intervention respectively. The preferred option turned out to be a combination of regulatory interventions of lower and higher intensity, in the following manner:

Regarding mechanisms to enhance the use of certain public sector data, the use of which is subject to the rights of others, both the low and high intensity options would introduce EU-wide rules for re-using such information (in particular non-exclusivity). The low intensity regulatory intervention would require that individual public sector bodies allowing this type of re-use to be technically equipped to ensure that data protection, privacy and confidentiality are fully preserved. It would also contain an obligation for Member States to provide for at least a one-stop shop mechanism for the requests to access such data, without determining its exact institutional and administrative form. The high intensity option would have prescribed the establishment of one single data authorisation body per Member State. Given the costs and issues of feasibility related to the latter, the preferred option is the lower intensity regulatory intervention.

For the certification or labelling of trusted data intermediaries, a lower intensity regulatory intervention was envisaged to consist in a softer, voluntary labelling mechanism, where a fitness check of the compliance with the requirements for acquiring the label as well as awarding the label would be carried out by competent authorities designated by Member States (which can also be the one-stop shop mechanisms also established for the enhanced reuse of public sector data). The high intensity regulatory intervention consisted of a compulsory certification scheme managed by private conformity assessment bodies. As a compulsory scheme would generate higher costs, this could potentially have a prohibitive impact on SMEs and startups, and the market is not mature enough for a compulsory certification scheme; therefore the lower intensity regulatory intervention was identified as the preferred policy option. However, the higher intensity regulatory intervention in the form of a compulsory scheme was also identified as a feasible alternative, as it would bring significantly higher trust to the functioning of data intermediaries, and would establish clear rules for how these intermediaries are supposed to act in the European data market. After further discussions in the Commission, an intermediate solution was retained. It consists of a notification obligation with ex post monitoring of compliance with the requirements to exercise the activities by the competent authorities of the Member States. The solution has the advantages of a compulsory regime, while limiting the regulatory burden on the market players.

In the case of data altruism, the low intensity regulatory intervention consisted in a voluntary certification framework for organisations seeking to offer such services, while the high intensity regulatory intervention envisaged a compulsory authorisation framework. As the latter would ensure a higher level of trust in making data available, which could contribute to more data being made available by data subjects and companies and result in a higher level of development and research, while generating a similar amount of costs, it was flagged in the Impact Assessment as the preferred option for this intervention area. However, the further discussions within the Commission revealed additional concerns around the potential administrative burden on organisations engaging in data altruism, and the relation of the obligations with future sectoral initiatives on data altruism. For this reason an alternative solution was retained, giving organisations engaging in data altruism the possibility to register as a ‘Data Altruism Organisation recognised in the EU’. This voluntary mechanism will contribute to increase trust, while presenting a lower administrative burden than both a compulsory authorisation framework and a voluntary certification framework.

Finally, for the European horizontal governance mechanism, the low intensity regulatory intervention referred to the creation of an expert group, while the high intensity regulatory intervention consisted in the creation of an independent structure with legal personality (similar to the European Data Protection Board). Given the high costs and the low level of political feasibility surrounding the inception of the higher intensity option, the low intensity policy option was chosen.

The impact assessment support study²⁰ indicated that, while under the baseline scenario the data economy and the economic value of data sharing are expected to grow to an estimated EUR 533 to 510 billion (3.87% of the GDP), this would increase to between EUR 540.7 and EUR 544.4 billion (3.92% to 3.95% of the GDP) under the preferred, packaged option. These amounts take into account only in a limited way the downstream benefits, in terms of better products, higher productivity and new ways for tackling societal challenges (e.g. climate change). Indeed, these benefits are likely to be considerably higher than the direct benefits.

At the same time, this packaged policy option would make it possible to create a European model for data sharing that would offer an approach that is alternative to the current business model for integrated tech platforms through the emergence of neutral data intermediaries. This initiative can make the difference for the data economy by creating trust in data sharing and incentivising the development of common European data spaces, where natural and legal persons are in control of the data they generate.

• Fundamental rights

Since personal data falls within the scope of some elements of the Regulation, the measures are designed in a way that fully complies with the data protection legislation, and actually increases in practice the control that natural persons have over the data they generate.

Regarding the enhanced re-use of public sector data, both the fundamental rights of data protection, privacy and property (concerning proprietary rights in certain data, which is e.g. commercially confidential or protected by intellectual property rights) will be respected. Similarly, data sharing service providers offering services to data subjects will have to comply with the applicable data protection rules.

European Commission (2020, forthcoming). Support Study to this Impact Assessment, SMART 2019/0024, prepared by Deloitte.

20

The notification framework for data intermediaries would touch on the freedom to conduct a business, as it would place certain restrictions in the form of different requirements as a prerequisite for the functioning of such entities.

4. BUDGETARYIMPLICATIONS

This proposal will not have any budgetary implications.

5. OTHERELEMENTS

• Implementation plans and monitoring, evaluation and reporting arrangements

Due to the dynamic nature of the data economy, monitoring of the evolution of impacts constitutes a key part of the intervention in this domain. To ensure that the selected policy measures actually deliver the intended results and to inform possible future revisions, it is necessary to monitor and evaluate the implementation of this Regulation.

Monitoring the specific objectives and the regulatory obligations will be achieved through representative surveys of stakeholders, through the work of the Support Centre for Data Sharing, via records of the European Data Innovation Board on the different intervention areas reported by the dedicated national authorities and through an evaluation study to support the instrument’s review.

Detailed

explanation of the specific provisions of the proposal

Chapter I defines the subject matter of the regulation and sets out the definitions used throughout the instrument.

Chapter II creates a mechanism for re-using certain categories of protected public sector data which is conditional on the respect of the rights of others (notably on grounds of protection of personal data, but also protection of intellectual property rights and commercial confidentiality).This mechanism is without prejudice to sector-specific EU legislation on access to and the re-use of this data. The re-use of such data falls outside the scope of Directive (EU) 2019/1024 (Open Data Directive). Provisions under this Chapter do not create the right to re-use such data, but provide for a set of harmonized basic conditions under which the re-use of such data may be allowed (e.g. the requirement of non-exclusivity). Public sector bodies allowing this type of re-use would need to be technically equipped to ensure that data protection, privacy and confidentiality are fully preserved. Member States will have to set up a single contact point supporting researchers and innovative business in identifying suitable data, and are required to put structures in place to support public sector bodies with technical means and legal assistance.

Chapter III aims to increase trust in sharing personal and non-personal data and lower transaction costs linked to B2B and C2B data sharing by creating a notification regime for data sharing providers. These providers will have to comply with a number of requirements, in particular the requirement to remain neutral as regards the data exchanged. They cannot use such data for other purposes. In the case of providers of data sharing services offering services for natural persons, the additional criterion of assuming fiduciary duties towards the individuals using them will also have to be met.

3. The approach is designed to ensure that data sharing services function in an open and collaborative manner, while empowering natural and legal persons by giving them a better

overview of and control over their data. A competent authority designated by the Member States will be responsible for monitoring compliance with the requirements attached to the provision of such services.

Chapter IV facilitates data altruism (data voluntarily made available by individuals or companies for the common good). It establishes the possibility for organisations engaging in data altruism to register as a ‘Data Altruism Organisation recognised in the EU’ in order to increase trust in their operations. In addition, a common European data altruism consent form will be developed to lower the costs of collecting consent and to facilitate portability of the data (where the data to be made available is not held by the individual).

Chapter V sets out the requirements for the functioning of the competent authorities designated to monitor and implement the notification framework for data-sharing service providers and entities engaged in data altruism. It also contains provisions on the right to lodge complaints against the decisions of such bodies and on the means of judicial redress.

Chapter VI creates a formal expert group (the ‘European Data Innovation Board’) which will facilitate the emergence of best practices by Member States’ authorities in particular on processing requests for the re-use of data which is subject to the rights of others (under Chapter II), on ensuring a consistent practice regarding the notification framework for data sharing service providers (under Chapter III), and for data altruism (Chapter IV). In addition, the formal expert group will support and advise the Commission on the governance of cross-sectoral standardisation and the preparation of strategic cross-sector standardisation requests. This chapter establishes also the composition of the Board and organises its functioning.

Chapter VII allows the Commission to adopt implementing acts concerning the European data altruism consent form.

Chapter VIII contains transitional provisions for the functioning of general authorisation scheme for data sharing providers and provides for final provisions.