The European Commission has decided against imposing geographical restrictions on the establishment of so-called “data sharing services” as part of ambitious new plans laid out in the executive’s landmark Data Governance Act, presented on Wednesday (25 November).
As a means to facilitate greater sharing of non-personal and industrial data across the bloc, the European Commission believes that such data-sharing processes should be set up as a means to act as a go-between for exchanges between data producers and acquirers.
Previous drafts of the new regulation, which was finally published on Wednesday (25 November), had laid down the obligation that new data sharing services acting as intermediaries between data holders and secondary users would have to be established in the EU.
Yet the final version stipulated that any such data sharing services should either have a place of establishment in the EU, or at least “designate a representative” in Europe.
On Wednesday, the European Commission’s executive vice-president for digital, Margrethe Vestager, disclosed more details on the operation of such data intermediaries, which the executive hopes will prove instrumental in helping Europe achieve a certain sense of data sovereignty and independence from third-country service providers.
“The principle behind the intermediaries is to boost voluntary data sharing whilst preserving control over the data from companies and individuals. This will only work if those intermediaries are fully trusted,” Vestager said, adding that such organisations will be subject to certain criteria that verifies their ‘trustworthiness’ on the market.
“Intermediaries are required to notify the competent public authority of their intention to provide data-sharing services. They will ensure the protection of sensitive and confidential data. And they will have to comply with strict requirements to ensure their neutrality,” Vestager added.
In practice, the Commission believes that demonstrating such neutrality is only possible by way of a clear “structural separation” between the eventual data acquirer and the data intermediary.
“It is, therefore, necessary that data sharing service providers act only as intermediaries in the transactions, and do not use the data exchanged for any other purpose,” the draft regulation states.
“This will also require structural separation between the data-sharing service and any other services provided, so as to avoid issues of conflict of interest,” it adds.
Certain services that have been excluded from becoming new data intermediaries as part of the regulation include cloud service providers and data advertising brokers, data consultancies, or providers of data products.
However, some in Brussels believe that unintended consequences in the operation of data intermediaries needed to be looked at more carefully by the Commission.
“I like the idea to label safe actors, but there are a few questions that still remain at this stage,” said Miapetra Kumpula-Natri, a socialist MEP from Finland who is rapporteur for the data strategy in the European Parliament’s industry committee.
“How do we avoid that new ecosystems will not fall into a hand of few big actors?” Kumpula-Natri asked. “What are the incentives or motivation for companies, organisations, or persons to provide their data for intermediaries to further share the data?”
“Usually, consent is given in exchange for some service,” she pointed out.
While the Commission seems to have watered down previous attempts at ringfencing European industrial data to the bloc, Wednesday’s text still establishes requirements for transfers to third-countries.
“In order to build trust in re-use mechanisms, it may be necessary to attach stricter conditions for certain types of non-personal data that have been identified as highly sensitive, as regards the transfer to third countries,” the text notes.
“The conditions attached to the transfer of such data to third countries should be laid down in delegated acts,” the document adds, citing also the plans to establish a European Health Data Space, which will further classify such highly sensitive datasets.
This triggered mixed reactions from US tech lobby groups, which accused the EU executive of adopting too much of a protectionist approach, despite having taken a step back on localising data in the EU.
“While the Commission has removed the explicit data localisation requirements found in earlier drafts, it still maintains restrictions on transferring commercially sensitive data to non-EU countries and would require commercial data intermediaries to establish legal representation in the EU,” said Eline Chivot from the Center for Data Innovation, a US-based think tank.
Elsewhere as part of the Data Governance Act, the Commission would like to encourage the concept of “data altruism” in order to encourage businesses and public sector organisations to foster data sharing for the “common good”. This may go some way in helping the bloc remain resilient in certain crisis situations such as COVID-19, where rapid and efficient sharing of health data is paramount.
Moreover, the Commission would also like to establish an expert group in the form of a European Data Innovation Board, which will offer advice on best practices for data sharing methodologies. The Board will consist of Member States representatives, the Commission and representatives of relevant data spaces, and certain sectors. The EU’s umbrella data protection organisation, the European Data Protection Board, will also be invited to appoint a representative.
The noises coming out of the European Parliament were broadly positive on Wednesday, in response to the general direction of travel for greater industrial data liberalisation that the new Data Governance Act aims to put in place.
“The Commission’s proposal for industrial data is a step in the right direction: data intermediaries and the promotion of data altruism can increase our data resources and exchange,” said Axel Voss, a German MEP from the centre-right European People’s Party (EPP).
“Pooling high-quality data for research – for example as a contribution to a common European Health Data Space – with the respective safeguards for sensitive data is also a big step forward,” he added, however lamenting that he would have liked to see the executive make more on the added value of cross-border interoperability for data exchanges between member states.
[Edited by Frédéric Simon]