Since the entry into force of the European General Data Protection Regulation (EU GDPR) in 2018, strict rules apply to the processing and sharing of personal data within the Union and beyond. While the GDPR essentially intends to limit the number of actors handling personal data, access to massive amounts of data is immensely valuable for research and industrial development. To further the access and sharing of such data, the European Commission first presented its European Strategy for data in February 2020.
In this post, we will introduce the European Strategy for data and briefly outline its two most important legal instruments. Each of them will then be discussed in depth in a separate post.
The European Strategy for data (ESD) is based on the premise that data constitutes an essential resource for economic growth, competitiveness and innovation. As such, data should be more easily accessible for businesses and institutions engaging in innovation. One might for instance think about the big data sets that are required to effectively train an algorithm. The Commission strives to establish a single European market for data that ensures Europe’s global competitiveness and data sovereignty. This way, various sectors including health care, transport, product development etc. should benefit from easier access to important data. The strategy evolved as part of the Commission’s broader action plan to establish Europe’s digital sovereignty by 2030. At the same time, new rules and practices of data sharing shall not reduce the high level of data protection within the EU. The ESD is implemented in the Union primarily through two legal instruments: the Data Governance Act (DGA), which was adopted in May 2022, and the Data Act, which still awaits its final adoption.
The DGA will be applicable from September 2023 onwards. It creates the legal framework and processes to allow the sharing of industrial data within the European economy. For this, it establishes various mechanisms: Firstly, it attempts to facilitate the re-use of protected public sector data, which cannot just be made openly available otherwise. Here, one might think about confidential business information, intellectual property or personal data. Next, it paves the way for the establishment and growth of “data intermediation services”. These are entities that facilitate the data sharing process between the access-seeking and access-giving entities. The DGA establishes a mandatory certification process for these data intermediaries. Lastly, optional certifications are offered for organisations which voluntarily donate their data for the public good.
The EU Data Act (EDA) then contains the substantive data-sharing obligations mainly for manufacturers of connected products (Internet of Things devices, such as smart home technology), providers of cloud services and some other data holders. In essence, the EDA regulates which entity can access which data under what conditions. The Act requires IoT providers to design their products and services in a way that users can easily access the data generated through their use. Additionally, users have the right to be given access to generated data themselves or to grant such access to a determined third party. Some exceptions exist where the data concerned is protected by trade secrets or likely to be made available to competing businesses. Similarly, cloud service providers are subject to various requirements to facilitate switching between different providers. The EDA further regulates the terms and conditions which businesses can adopt to govern their data-sharing processes.
Both acts generally apply to the sharing of non-personal as well as personal data. In theory, at least, they stipulate that the rules on the protection of personal data enshrined in the EU GDPR prevail. Accordingly, personal data may only be shared if such processing of the data is lawful under the GDPR. Similarly, data intermediary services must fully comply with the GDPR when carrying out their services. However, potential practical problems have not been sufficiently addressed yet. Inevitably, so-called “mixed data sets” will be subject to the data-sharing obligations. These data sets comprise both personal and non-personal data. Where it is difficult to adequately separate the different data categories, companies will face increasing complexity. When confronted with overlapping requirements, they might fear being subjected to fines for non-compliance under one or the other regime.
Conflicts with data protection might further arise when it is not the data subject himself who requests access to personal data produced by a connected device. This could for instance be the case when the owner of a smart speaker or a smart car demands access to the data generated by his devices. If the data encompasses voice recordings of visitors or personal information of a driver who had occasionally borrowed the car, it would be challenging to obtain consent for the sharing of the personal data of each data subject. Provided that none of the other legal bases for the processing of personal data under the GDPR applies, businesses sharing the data nonetheless would act in breach of the GDPR. We will further explore the intersections of data sharing and data protection in the post on the EU Data Act and outline certain issues that demand clarification before the Act’s final adoption.