This is Part 4 in a series of blog posts on recent developments in the EU’s data strategy, which aims to establish EU leadership in our data-driven society by creating a single market for data and encouraging data sharing. The series looks in particular at the recently adopted Data Governance Act (DGA) and the proposed Data Act (DA). (See also Parts 1, 2, and 3).
The DGA introduces two new types of “intermediaries” – data intermediation service providers and data altruism organizations – to help with the legal and technical practicalities and facilitate data sharing between data holders and data users. These new intermediaries will be able to garner the necessary expertise to establish a contractual and technical framework that fosters trust among data holders, data subjects and users.
Both types of organization are intended to support data holders or data subjects in making their data available for re-use by third parties. However, data intermediation service providers may operate in a commercial context, while data altruism organizations are not-for-profit entities pursuing general interest objectives.
Although it is not yet entirely clear exactly what types of organizations may qualify as these intermediaries, which are new notions in the European legal order, the purpose and the contours of the regulation are becoming apparent. The DGA does provide a general description of the type of organization that will qualify as a “data intermediation service” or a “data altruism organization”. It also imposes some restrictions regarding the conditions for data re-use and, importantly, it introduces new regulatory mechanisms handled by national authorities.
Data intermediation services
Providers of data intermediation services help data subjects and data holders establish commercial relationships with data users for the purpose of “data sharing” (i.e., the provision of data for the purpose of joint or individual use, based on voluntary agreements or Union or national law, in this case through an intermediary, under commercial or open license terms).
The intermediation service may organize data pooling or the bilateral exchange of data. On the data provider side, the permitted number of data subjects or data holders is undetermined. Data cooperatives are covered but closed groups, such as consortia, are not. Only actual “intermediaries” are targeted: entities that aggregate, enrich, or otherwise add value to datasets in order to exploit the result for their own purposes, such as data brokers or consultancies, are not within the DGA’s scope. Similarly, providers of copyright protected content (such as streaming services) are not considered to be data intermediaries.
Data intermediation service providers will put in place the technical, legal or other means for the data holders/data subjects and the data users to enter into a commercial relationship. The DGA explicitly mentions the case of data subjects exercising their rights regarding their personal data through a data intermediation service: before the data subject gives consent to the data user, the intermediary should inform and even advise on the intended use of the data and the conditions of such use. It may then also provide tools to facilitate the giving and withdrawing of consent.
Because of their quality as intermediaries, providers of these services may not use the data for any purpose other than putting them at the disposal of data users. They may not use the data holders’/data subjects’ data for their own purposes, nor may they make the data intermediation service dependent on other services they may offer. Similarly, the meta-data relating to the use of their services may only be used for developing the data intermediation service. These restrictions are intended to foster a climate of trust, something that would be jeopardized were the trusted intermediary to be at the same time a data user.
Data intermediation service providers must offer access to their services on transparent, non-discriminatory terms (including price). Where the data contain personal data, the DGA explicitly provides that the intermediaries should pursue the data subjects’ best interests.
Data intermediation service providers also have a role to play on the technical level, in particular as concerns the data’s format and the tools available to the data holders and data subjects (e.g., conversion, curation, anonymization or pseudonymization).
As far as the data intermediation service itself is concerned, the providers must take sufficient security measures, ensure interoperability with other service providers (e.g., open standards) and ensure a continuity of service (and the possibility for the data subjects/data holders to retrieve their data, in case of insolvency).
Data intermediation service providers are subject to new regulatory obligations: they must notify the (new) national authority of their intent, according to a procedure set out in the DGA, before they are allowed to start offering their services. Although no permit or prior authorization is required, data intermediation service providers may obtain a declaration from the competent national authority confirming compliance with the notification obligations. Much like the GDPR, this notification procedure targets service providers with activities in several Member States and service providers established in third countries (which must then designate a representative in the EU).
Data Altruism Organizations
Immense quantities of data (including health data) are needed in order to advance research into technologies that can be used for the public good (such as AI-based health tech applications). At the same time, the GDPR imposes a strict framework for the processing of personal data, which complicates the use and especially the re-use of personal data (for secondary purposes), even if a data subject consents and even if the processing operations pursue non-commercial or public interest purposes.
For example, a data subject may agree to the re-use of their medical results in the context of non-commercial, scientific research, without knowing in advance for which precise research projects the data will be used. GDPR data processing principles, such as purpose limitation or data minimization, complicate such open-purpose processing.
To address this issue, the DGA has introduced data altruism organizations. These organizations may organize the sharing of personal or non-personal data, for general interest purposes (e.g., healthcare, climate change, mobility), scientific research or statistics, without financial compensation for the data subject or data holder (beyond compensation related to the costs that they incur). Importantly, the sharing of such data is voluntary and based on the consent of the data subject or the permission of the data holder.
However, the DGA does not specify how the data altruism organizations should collect the data from the data subjects and data holders, or which conditions must be met. It merely imposes some conditions and restrictions as to the use of the data in the general interest.
Data altruism organizations must comply with specific requirements to safeguard the rights and interests of both data subjects and data holders. They have certain information obligations (e.g., to provide information, before the data processing, concerning the purposes and location of the intended processing, and to inform data holders and data subjects about a data breach) and they may not use the data for objectives other than the general interest objectives for which the data processing is allowed. From a technical point of view, they must provide tools for obtaining and withdrawing consent, in addition to their security obligations.
The DGA imposes an obligation upon data altruism organizations to register with a Member State “competent authority”, which must verify whether the organization meets the requirements as to its activities, its legal persona and its general interest objectives, and the organization of its activities (in an independent, functionally separate entity from other activities). Like the GDPR, the DGA provides rules on the registration of data altruism organizations with activities in several Member States, or with an establishment outside the EU.
Data altruism organizations are subject to transparency obligations, meaning that they have to keep extensive records of the data users and the data use (date, period, purposes, fees), and draft an annual activity report.