In February 2020, the European Commission (EC) published a Communication titled the European strategy for data where it outlined policy measures designed to create a single market for data in the European Union (EU) that would strengthen the EU's global competitiveness and data sovereignty. The strategy identified factors threatening to inhibit the development of the EU's data economy, namely regulatory fragmentation between Member States and the insufficient availability of data for innovative re-use, including for the development of artificial intelligence.1 Against this backdrop, in November 2020, the EC published a proposed Data Governance Act (DGA) which aims to foster a harmonized data ecosystem across Member States that facilitates and incentivizes voluntary data sharing by businesses, governments, and individuals. Following the conclusion of negotiations between the European Parliament and the European Council, the latest version of the DGA released in December 2021 focuses on three key aspects:

  • increasing availability of publicly held data for re-use by researchers and businesses;
  • establishing a legal framework to foster safe data sharing from consumers to businesses and between businesses via a service model coined as "data intermediation services" or "data intermediaries"; and
  • facilitating data altruism, i.e. the donation of data to non-profit organizations that serve the public good.

The DGA's primary focus is on creating new opportunities for competitive re-use of data, rather than on imposing obligations on existing entities. The rest of this blog will address in greater detail the first two aspects of the DGA and provide insights on how the new Regulation may be of relevance to Canadian businesses.

Conditions for the re-use of protected data held by public sector bodies

A long-standing EU policy is that data generated or collected by public sector bodies should benefit society.2 In line with this vision, the DGA seeks to create more opportunities for the re-use of publicly held data for commercial and non-commercial purposes. While the Open Data Directive already describes a wide array of publicly held data available for re-use, it specifically excluded several categories of data that are subject to the rights of others, notably personal data, data subject to commercial confidentiality (including business, professional or company secrets), data subject to statistical confidentiality, and data protected by intellectual property rights.3 The DGA complements the Directive by setting a legal framework for allowing re-use of such types of data in ways that protect third party rights. This would require that any data made available for re-use be void of personal or commercially confidential information, which will require the use of techniques such as anonymizing personal data and aggregating commercially sensitive data to prevent re-identification and misuse.4 Since this will require a secure processing environment and state-of-the-art privacy and confidentiality preserving methods, the DGA mandates Member States to designate competent bodies with adequate technical know-how to assist in making the new categories of data available.5

It is still difficult at this stage to assess which specific types of data sets will be made available and how useful they might be, due to the highly technical nature of data treatment processes. Moreover, the DGA does not create a positive right to re-use data, but only sets principles that Member States must respect when allowing re-use (e.g. providing reasons for denying requests and generally avoiding exclusive arrangements). Thus, the extent to which industrial data will be made available under the DGA will also depend on the decisions of competent bodies who will determine which data can be re-used without risking re-identification. With regards to personal data, the European strategy for data and the DGA have hinted at the possibility of opening up health data sets (albeit subject to strict controls due to the sensitivity of the data involved), an idea which has already been implemented in France through the Health Data Hub.6

The DGA also requires Member States to streamline access for re-use through a single information point that contains a searchable list with an overview of all available data resources and conditions for their re-use.7 A similar register will also be made available at the Union level and will provide information on how to request data via national information points.8 Recital 21 of the DGA hints at the possibility of using existing Open Data Portals to accomplish this.9 In brief, the DGA not only intends to unlock more types of publicly held data for commercial re-use, but also to minimize the costs associated with data access.

Transfer of non-personal data to third countries and impact on Canada

The DGA is without prejudice to existing Union and national law on the protection of personal data. Thus, all processing and transfer of personal data made available for re-use will still have to be done in accordance with the General Data Protection Regulation (GDPR).10 With regards to the transfer of publicly-held non-personal (industrial) data to third countries by re-users, the DGA creates safeguards which mirror those found in the GDPR in order to prevent unlawful use such as intellectual property theft or industrial espionage.11 Appropriate safeguards can be deemed implemented when a third country offers protection of non-personal data that is essentially equivalent to that offered by Union law, particularly with regards to the protection of trade secrets and intellectual property rights.12 Similarly to the adequacy mechanism under the GDPR, the DGA grants the EC authority to adopt implementing acts to declare specific third countries as having adequate safeguards.13 Absent an adequacy designation, transfers to third countries will still be possible through contractual commitments on behalf of the re-user to protect the transferred data, but it is unclear at this stage what such undertakings would entail and whether they would be something akin to the GDPR's Standard Contractual Clauses.14

As seen with the aftermath of the Schrems II decision regarding transfers of personal data under the GDPR, being able to perform data transfers under an adequacy designation is usually much more stable and economical. For GDPR purposes, few countries currently benefit from such a designation, with Canada being one of them. While it is impossible at this stage to predict which countries will be considered to offer safeguards that are up to EU standards in terms of protection of industrial data, Canada's track record with respect to EC designations makes it a promising candidate, even more so with the current updates to federal and provincial privacy laws.

For Canadian businesses, this could potentially mean being able to leverage personal and industrial data from EU public bodies at a lower cost than competitors from countries without an EC designation. On the other hand, the DGA could potentially bring new issues for Canadian businesses dealing with European public bodies, as they might have to consider the possibility of the re-use of the data they exchange with such bodies.

A framework to govern data intermediation services

The DGA also develops a harmonized legal framework to foster the emergence of data intermediation services (which were called "data sharing service providers" in the 2020 version of the DGA). Data intermediation service providers (data intermediaries) would provide a space for the voluntary aggregation and exchange of industrial and personal data. They would operate as separate legal entities that specialize in establishing "commercial relationships for the purpose of data sharing between an undetermined number of data subjects and data holders, on the one hand, and data users on the other hand".15 As neutral actors in charge of managing data spaces, they would ensure secure and transparent data exchange can take place. In order to prevent conflicts of interest, data intermediaries will be prohibited from using the exchanged data for any other purpose than to make them available to data users, along with many other restrictions regarding the scope of their services.16 Moreover, data intermediaries facilitating exchanges between businesses and individuals must act in the best interest of the latter.17 This specific type of data intermediary is meant to assist individuals in exercising their GDPR rights, such as consenting to data processing or exercising rights of erasure and data portability.18

The DGA lists several services which cannot be considered data intermediation services, notably cloud storage and data analytics that add value to data and relicense it for profit.19 For clarity, while these services do not qualify as data intermediaries under the DGA, they will still be able to operate under their existing business model. The central idea behind ensuring the neutrality of data intermediaries is to increase trust in data sharing, which should result in more data being available for re-use at a lower transaction cost. Currently, businesses looking to pool data for common use or exchange must themselves enter into bilateral or multilateral arrangements, which involves vast amounts of coordination, technical know-how, and legal resources. The DGA thus allows for trusted third parties to bridge the gap between players who might otherwise be dissuaded from collectively leveraging the data they individually hold. This is meant to create an alternative to the current digital economy where data re-use is primarily benefiting a small number of players with significant market power. The DGA provides the following as examples of data intermediation services that could emerge: "data marketplaces on which companies could make available data to others, orchestrators of data sharing ecosystems that are open to all interested parties, [...] as well as data pools established jointly by several legal or natural persons with the intention to license the use of such pool to all interested parties in a manner that all participants contributing to the pool would receive a reward for their contribution."20

Potential Inspiration for Canada

Canadian businesses that wish to operate as data intermediaries within the EU will be able to do so under the DGA, with the added requirement of appointing a legal representative in one of the Member States where the services are offered.21 In addition, just as EU entities, they will have to notify a competent authority about their intention to operate as data intermediaries.22 Upon notification, they will be allowed to start offering services, with compliance being monitored on an ongoing basis.23

More importantly, European efforts to facilitate the emergence of new data governance models might inspire the development of similar policies in Canada. The EU's influence over Canada with respect to novel data-related legislation can notably be seen in the context of the development of Canadian regulation of artificial intelligence. Moreover, while the term "data intermediaries" is rarely used in Canada, many Canadians are more familiar with the term "data trusts", in part due to the proposal by Google's subsidiary Sidewalk Labs to create an Urban Data Trust as part of its former involvement with the smart city Quayside project, in Toronto.

Although it is too soon to tell if Canada will follow the European example, in 2020 the Office of the Privacy Commissioner of Canada commissioned a study on emerging digital stewardship models. The study produced by the Canadian Internet Policy and Public Interest Clinic discussed the concept of "responsible data stewardship," which shares conceptual similarities with data intermediaries but also differs in other respects. It defined responsible data stewardship as requiring three essential design elements: "(i) independent stewardship, (ii) a fiduciary-like obligation, and (iii) a public purpose."24 Thus, independent stewardship is the main point in common between the two, requiring the intermediary or steward to avoid conflicts of interest with regards to the data that they mediate. In contrast, the DGA does not specifically require data intermediaries to assume fiduciary duties towards data holders, other than for individuals when intermediating the exchange of their data with legal persons, nor does the DGA require a public purpose to qualify as a data intermediary.25 Despite these differences, this study still shows domestic interest in the possibility of novel data governance models – interest that could be re-sparked, depending on whether the DGA succeeds at achieving its objectives.

Conclusion

Before it becomes law, the DGA will require formal approval from the European Council and the European Parliament. The impact the DGA may have in increasing voluntary sharing of both public and private data will depend on a variety of technical, legal, and economic factors. With regards to encouraging re-use of publicly held data, the DGA's impact on businesses will largely depend on the quality and commercial usefulness of the new categories of data made available. As for whether the DGA succeeds at promoting sharing through data intermediaries, that will ultimately depend on market uptake and the cost of complying with an already complex web of privacy legislations. There is also legal uncertainty regarding the legal liability that data intermediaries might face, which might hinder their ability to compete with less regulated players.26 Finally, success of the DGA in reshaping the digital economy will also depend on other upcoming legislative proposals, such as the Digital Markets Act, which aims at levelling the playing field by imposing new restrictions on large gatekeeping companies that operate digital platforms, as well as the Data Act which could possibly introduce contractual fairness tests to prevent unfair conditions for access and use of data, as well as measures to promote transparency over industrial data generated by connected products and equipment.

Footnotes

1. European strategy for data, page 6.

2. European strategy for data, page 7.

3. Open Data Directive, article 1(2); Proposed Digital Governance Act, article 3(1).

4. Proposed Digital Governance Act, article 5(3)(a).

5. Proposed Digital Governance Act, article 7.

6. European strategy for data, page 7; Proposed Digital Governance Act, recital 19.

7. Proposed Digital Governance Act, article 8. 

8. Proposed Digital Governance Act, article 8. 

9. For an example of an Open Data Portal at the Union level see: https://data.europa.eu/en

10. Proposed Digital Governance Act, recitals 3a and 6. 

11. Proposed Digital Governance Act, recital 15. 

12. Proposed Digital Governance Act, recital 16.

13. Proposed Digital Governance Act, article 5(10b) and recital 16.

14. Proposed Digital Governance Act, article 5(10); Briefing - EU Legislation in Progress: Data Governance Act, page 9, available at: (https://www.europarl.europa.eu/RegData/etudes/BRIE/2021/690674/EPRS_BRI(2021)690674_EN.pdf)

15. Proposed Digital Governance Act, article 2 (2c).

16. Proposed Digital Governance Act, article 11.

17. Proposed Digital Governance Act, recital 26.

18. Proposed Digital Governance Act, recital 23.

19. Proposed Digital Governance Act, recital 22.

20. Proposed Digital Governance Act, recital 22a.

21. Proposed Digital Governance Act, article 10(3).

22. Proposed Digital Governance Act, article 10(3).

23. Proposed Digital Governance Act, article 13.

24. The Price of Trust? An Analysis of Emerging Digital Stewardship Models, page 10, available at: (https://cippic.ca/sites/default/files/file/Data_Governance_Submission_Draft_31_March_2020.pdf)

25. Proposed Digital Governance Act, recital 26.

26. Briefing - EU Legislation in Progress: Data Governance Act, page 10.
