This is Part 3 in a series of blog posts on recent developments in the EU’s data strategy, which aims to establish EU leadership in our data-driven society by creating a single market for data and encouraging data sharing. The series looks in particular at the recently adopted Data Governance Act (DGA) and the proposed Data Act (DA). (See also Part 1 and Part 2).
In this post we will consider business to government (B2G and G2B) relations and examine how the European legislature intends to facilitate data sharing here.
As a general rule, data holders are free to decide whether to share their data with public authorities – except where specific legal obligations require the legal or natural person to provide information to tax, administrative or public prosecution authorities.
The DA and the DGA add to this path and contain provisions making it possible for public authorities to gain access to data held by private entities in case of “exceptional need”, and by allowing certain data to become available to third parties (such as researchers) even when the Open Data Directive does not apply.
B2G data sharing in case of “exceptional need”
The DA imposes a new obligation upon data holders (except SMEs) to make data available if public sector bodies or EU institutions, agencies or bodies have an “exceptional need” for the data. The data may also be re-used for non-commercial research or statistical purposes in this context.
Such “exceptional need” may exist in case of a “public emergency”, defined as an “exceptional situation negatively affecting the population of the Union, a Member State or part of it, with a risk of serious and lasting repercussions on living conditions or economic stability, or the substantial degradation of economic assets in the Union or the relevant Member State(s).” A pandemic or a war may qualify as a “public emergency”.
More broadly, an “exceptional need” may exist where a public authority does not have the data it needs to fulfil a specific task in the public interest, despite having tried to obtain such data in accordance with market conditions or by virtue of other legal provisions. Although data made available in response to a public emergency must be provided free of charge, compensation can be claimed for data provided in other cases of exception need.
To take a concrete example, during an emergency like the COVID 19 pandemic, a government agency competent for public health would be able to collect aggregated telecom data if these data were necessary in order to respond to or recover from the epidemic (e.g., to predict or analyse its development). What’s more, the public authority would be able to share such data with researchers working on an urgent vaccine who needed access to medical data – provided that this data re-use remained within the purposes for which the public authority had requested the data.
The DA sets out an elaborate procedure by which public authorities must request data, and data holders must comply, decline or modify such requests.
Once a public authority has gained access to the requested data, the data may be used for the stated purposes (this principle is similar to the purpose limitation principle contained in the GDPR). Public authorities may not use the DA data sharing obligations to gain access to or re-use data in the context of criminal, customs or tax proceedings. Moreover, the acquired data may not be made available to the public as “open data”, although its re-use for non-commercial research or statistical purposes is permitted in the context of exceptional need. Public authorities must take all necessary measures to protect personal data and trade secrets, and they must destroy data after use (this is analogous to the “storage limitation” principle in the GDPR).
G2B – access to public sector data
It has long been acknowledged that public sector information must be accessible to the public, citizens and undertakings alike. Not only does such access safeguard the transparency of public administrations and governments, information obtained through the investment of public means can also be a considerable asset to the private sector.
The 2019 Open Data Directive (which replaced the 2003 Directive on the re-use of public sector information) requires Member States to promote the use of open data and stimulate innovation in products and services by establishing minimum rules for the re-use of public sector information. As a result, a national meteorological institution, for example, if financed by public means, may be under an obligation to make “high value” sets of weather data available to the public in a machine-readable form, via an application programming interface, and, where possible, for download. However, the Open Data Directive contains important exceptions covering, for example, information protected under intellectual property rights and trade secrets, and personal data: public authorities in the Member States are under no obligation to make such information accessible to the public.
Although the DGA does not oblige Member State public authorities to allow the re-use of information that is outside the Open Data Directive, it does create a legal framework for the re-use of “data” in general (which includes data protected on grounds of commercial or statistical confidentiality, third-party intellectual property or personal data).
Where a public sector body (PSB) agrees to make such data available for re-use, the data should normally be made available to all third parties, without restrictions or exclusivity. Only if the exclusivity is required for the provision of a service or product in the general interest may the PSB consider granting an exclusive right – which should in any event be limited to a maximum of 12 months.
The PSB may impose conditions for the re-use of data upon the re-user (e.g., fees, measures to protect personal data or creations subject to intellectual property rights or trade secrets) but there must be transparency, and the PSB must make sure that the conditions, which must be fair, non-discriminatory, proportionate and objectively justified, are publicly accessible.
A re-user who agrees to such conditions will be held by a confidentiality obligation, must comply with intellectual property rights, and may not identify data subjects. Importantly, a re-user who intends to make international data transfers must notify the PSB (even if no personal data are involved).
The DA and DGA thus acknowledge both the importance of data for the public sector and the secondary use of public sector data by the private sector, while attempting to safeguard third party rights. This could result in a complex web of legal and contractual restrictions, which could make it difficult for both the PSB and the data acquirer to understand which use is permitted and under which conditions. Much will depend on the whether the PSBs can adapt to their new role: to clear all third-party rights and to formulate such rights and interests in clear contractual conditions (and warranties) for the data users.
Part 4 in this series of blog posts will look at the role of the newly defined data intermediaries that are intended to facilitate data sharing.