27 EU ambassadors adopted the general approach to the Data Governance Act on Friday (1 October), providing a mandate that forms the basis for negotiations with the EU Commission and Parliament.
The Data Governance Act (DGA) is a legislative proposal to establish a data governance framework for sharing industrial data. The initiative is intended to bring together the vast amount of data produced by Europe’s industrial base to provide the critical mass needed for big data analytics and artificial intelligence.
Most European companies, especially SMEs, are reluctant to share their data because they fear breaching privacy laws or confidentiality requirements. The DGA’s objective is to address this gap by setting up a governance structure for data sharing markets. This will include establishing common standards, interoperability, and reciprocity of access in the context of Common European Data Spaces.
“This law will not oblige anyone to share their data, but for those who want to make their data available for certain purposes, it creates a safe and easy way to do it and to stay in control,” said Boštjan Koritnik, Minister for Public Administration for Slovenia, the country holding the rotating presidency of the EU Council.
The positions of the co-legislators are not dissimilar; hence EU diplomatic sources close to the negotiations told EURACTIV they are expecting a final agreement to be reached shortly, with the first session between the European Parliament, Council, and Commission planned for 20 October.
“The good news is that there is not going to be a tug-of-war between the Parliament and the Council – we are pulling into the same direction, and I don’t see any substantial differences,” said Angelika Niebler, the lead negotiator on the Parliament’s side.
However, there are still some essential differences that need to be addressed.
In the data sharing markets, the DGA introduces the principle of neutrality for data intermediation service providers. Namely, they will not use the shared data for their own benefit or for any other service.
For member states, that definition means that “cloud infrastructure services cannot be considered as data intermediation services,” as stated in the general approach.
In contrast, Parliament did not consider the specification of excluding cloud services as redundant.
“There is work to be done to agree on the precise wording for the scope of the regulation,” Niebler noted.
The Parliament’s report proposes a European certification system based on an ex-ante compliance assessment by the relevant public authority for data intermediaries. The idea is that the pre-approval stamp would increase trust and lower the entry cost to data marketplaces, especially for smaller players.
The DGA also introduces the idea of data altruism, which relates to individuals and organisations that collect and share data on a not-for-profit basis for the public benefit, for example, in health research.
In the Commission’s initial proposal, these entities must be registered as a recognised data altruism organisation.
EU countries proposed the introduction of codes of conduct, to be developed by the European Commission in close cooperation with data altruism organisations. These would be adopted in the form of implementing acts. These self-regulatory codes should also include recommendations on interoperability standards.
“Both sides introduced some new concepts that I am eager to talk about,” Niebler stressed. “We will see if those ideas will fly.”
A more sensitive subject could be the reuse of certain types of data held by the public sector. This directly impacts national competencies and introduces obligations for the member states. A condition for public bodies to share this data will be ensuring that personal data protection and intellectual property rights are respected.
EU countries will have to designate one or more public bodies to support the public sector in sharing this data in an anonymised form.
They hope to “ensure that there is more flexibility for member states regarding their internal administrative setups for supporting the public sector bodies which grant access to the re-use of protected categories of data,” according to the general approach.
Member states also deleted references to the harmonisation of fees from the European Data Innovation Board (EDIB), the body responsible for overseeing the DGA implementation, because they violate EU laws. In their view, the Board should merely have a coordination role, while the penalties would remain at the discretion of the competent national authorities.
“It is in the nature of the Council to give member states a certain degree of discretion to implement those acts. Our goal for the trilogues is to avoid too much fragmentation. A European data economy will only work smoothly if we have common rules,” MEP Niebler added.
As for the transfer of public-sector data to third countries, the Council proposes that the Commission adopt model contractual clauses in the form of implementing acts and under advice from the EDIB. These provisions are intended to prevent unlawful data transfers on the model of GDPR’s data adequacy decisions.
[Edited by Alice Taylor]