Back in February 2020, the European Commission communicated its European strategy for data, with the aim of establishing EU leadership in our data-driven society by creating a single market for data and encouraging data sharing. To make this strategy concrete, it came up with two legislative proposals: the Data Governance Act (DGA) and the Data Act (DA). The final version of the DGA was published on 3 June 2022 and will be applicable from September 2023. The DA is currently still at proposal stage.
Together, the DGA and DA are intended to (i) give individuals, research institutions, public authorities and companies – and, in particular, small and medium-sized enterprises – access to certain data; and (ii) harmonize the framework for data use and re-use.
In a series of blog posts, we will examine the contours of these new data regulations and take a look at some of their data sharing aspects.
The impetus behind these legislative initiatives was the undisputed importance of data in today’s digital economy. The Internet of Things (i.e., connected objects such as fitness trackers, windmills or electric vehicles) is producing tremendous quantities of data, which are useful to the person or company producing the data, but also to service providers and public authorities.
Also important to bear in mind is that the DGA and DA cannot be read without reference to European ambitions in the field of artificial intelligence (AI) – notably the attempt to start regulating AI through the proposed AI Act – and the promise that AI technologies hold for solving important challenges in important sectors such as health care, mobility and energy. For example, allowing EU-wide access to hospital and research data to researchers working on rare diseases could significantly enhance their ability to find appropriate AI solutions where their Member State data is insufficient. It would also help streamline public investment.
For the first time, the concept of “data” is defined in a legislative act: data means “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.” (Art. 2(1) DGA and Art. 2(1) DA).
This definition is broad: it covers both personal and non-personal data generated in the public or private sector, regardless of the data’s meaning, content or function. Telecom-carried communications and audio-visual productions viewed through a streaming service are “data” within the meaning of this definition.
Complex Legislative Landscape
Importantly, the DGA and the DA are not all-encompassing regulations: other regulations, such as those concerning personal data protection or intellectual property, will continue to apply. This creates a complex legislative landscape, which is likely to be difficult to navigate for undertakings, public sector bodies and individuals alike.
In order to determine which rules are applicable you will first need to classify the information under consideration as (i) containing personal data, (ii) containing non-personal data or (iii) containing a mixed dataset. You will also have to decide whether it is public sector information or private sector information. Depending on this classification, the access to and re-use of the data will be governed by different legal instruments, as the following figure shows:
Moreover, there may be additional restrictions because of the data’s protection under intellectual property rights (such as copyright, database rights or other related rights) or trade secrets.
The DGA and the DA are thus the latest additions to a regulation-heavy field, and it remains to be seen whether they will make it easier for companies, individuals and public sector bodies to understand their rights and obligations as “data subjects”, “data holders” or “data users”, and whether they will provide sufficient legal certainty to incentivize the sharing of data.
Part 2 in this series of blog posts, which will be released next week, will look in more detail at how the EU proposes to harmonize the rules on data sharing.