The European Strategy for Data announced two main legislative initiatives to realize its ambitions for the European data economy of the future: the Data Act (DA) and the Data Governance Act (DGA). Both files aim at enhancing data sharing and reuse of data while safeguarding the privacy and data protection rights of EU citizens. However, in some aspects, they showcase significant inconsistencies, which might ultimately hinder the objectives laying beneath the strategy.
In this document, we assess the interconnectedness of the GDPR respectively with the DGA and DA. We particularly shed light on the different inconsistencies that risk hindering the overarching objective at the core of the European strategy for data, namely for the EU to:
“become a leading role model for a society empowered by data to make better decisions – in business and the public sector” (p. 1).
In total, we identified four areas of inconsistencies which relate to:
Article 5 of GDPR codifies data minimization as a core principle of EU data protection law by making clear that “personal data shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (’data minimization’).” Recital 78 provides more direction for data controllers by highlighting that
“(…) in order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data (…)”.
In this light, the GDPR is focused on protecting personal data when such data is processed. To appropriately safeguard data subjects’ position, data minimization involves the minimalistic approach – ‘the less personal data, the better’ – where processing can only be pursued to the extent necessary to achieve a legitimate purpose, based on users’ explicit and informed consent.
However, when looking at the DGA and the DA, this principle seems to collide with the regulatory intention underpinning the two acts. Both the DGA and the DA strive for more sharing and reuse of data – ‘the more data, the better’ – which equally applies to personal and non-personal data.
The DGA aims to create a new blueprint for the European data economy in the years to come. Recital 2 of the Act makes it clear that the core regulatory goal is to create “a Single Market for data in which data could be used irrespective of its physical location of storage in the Union in compliance with applicable law (p. 1)”. In this light, a crucial role will be played by new intermediating bodies – data intermediation services – to facilitate data sharing of both personal and non-personal data between data subjects and data holders, on the one hand, and data reusers, on the other hand.
Equally, the DA aims to “unlock such potential by providing opportunities for the reuse of data, as well as by removing barriers to the development of the European data economy” (p. 1). Here, the main objective is to provide new harmonized rules on fair access and use of data, both for personal and non-personal data. In this light, the data minimization principle particularly collides with business-to-government data sharing rules, which could involve significant transfers of users’ personal data from the private to the public sector.
These legislative ambitions introduced by the DGA and DA create substantial tensions at the policy level with the GDPR principle of data minimization. These need to be addressed by the European legislator to mitigate potential friction between the two acts and EU rules for personal data protection.
The GDPR embeds a special conception of personal data based on a “dignitarian approach” to information protection, where personal data is considered an extension of a data subject’s selfhood. In the EU acquis, a right to data protection is thus linked to the user’s exercise of individual autonomy and self-determination in the online sphere.
With the DGA and DA, the Commission is moving towards a different approach as both measures are “data-agnostic”: meaning that they regulate both personal and non-personal data with the core objective of fostering data availability and reuse. Although the two acts do not question the primacy of GDPR, they do not follow its rigorous approach to personal data protection since data agnosticism does not fully contemplate such a fundamental difference between personal and non-personal data. In other words, personal data is assumed to be sufficiently protected since it is subject to the GDPR’s specific rules and can therefore be safely shared and reused by a variety of actors.
Yet, this can be problematic. As first observed by Valentina Pavel at the Ada Lovelace Institute, the Commission’s approach assumes “no tension between the different types of data regimes (personal data, non-personal data, open data), or that this tension can be easily resolved.” This stance is questionable as current practice does not sustain such a special conception of personal data vis-à-vis non-personal data. This is because such a theoretical distinction omits a fundamental characteristic of personal information that it is a constantly dynamic and evolving concept. Such omission can severely impact personal data protection in policy practice, especially in data-agnostic regulations such as the DGA and DA. This danger is particularly evident in light of technological developments that have allowed for the identification of individuals from anonymized datasets through reverse engineering techniques.
This tension is also confirmed in the proposed definitions of ‘data’ in the DGA and DA. These are “highly contextual definitions”, in the sense that they clearly exemplify a data-agnostic approach while holding that such a theoretical distinction between personal and non-personal data can be easily held to be valid at the practical level. In both regulations, data is defined as:
“any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording” (article 2).
Given the DGA’s and DA’s objectives, such a theoretical distinction between personal and non-personal data is not so straightforward when applied in practice. This means that it will be hard for the Commission to bridge the specific GDPR-based regime for personal data protection with data-agnostic regulations at the core of the European strategy for data. In practice, this will lead to a substantial tension between personal and non-personal data processing and will therefore limit both DA’s and DGA’s ability to deliver on their policy objectives.
Across the GDPR, DGA, and DA, we notice three different conceptualizations of data: as a commodity (GDPR & DGA), a common-pool resource (DGA), and as a non-rivalrous resource (DA).
In the GDPR, a dignitarian approach to personal data protection is made operational with an “endowment of data ownership” where data subjects can determine the extent of third parties’ processing prerogatives. This takes place via a conceptualization of data as a ‘commodity with dignitarian connotations’: the personal agency is enhanced by treating personal data as one’s user capital of production.
A similar approach is present within the DGA, but not fully. On the one hand, the DGA’s main goal is to enable the broadest possible reuse of and access to information, both for personal and non-personal data. Here, data commodification is particularly evident given the function of data intermediation services. As we previously discussed, this new framework seems to foster a scenario tilted in favor of data monetization where data becomes an object of the transaction to obtain a service or compensation in return.
On the other hand, the DGA includes provisions that treat data as a common-pool-based resource. This conceptualization is more aligned with a reading of data as a freely available and accessible resource. In the DGA, this approach is evident in the design of data altruism organizations – information repositories of data donated by data users and holders in the general interest – which have as their main objective that of facilitating access to data that is voluntarily made available for the common good.
Finally, the DA embeds a conceptualization that is more aligned with an understanding of data as a non-rivalrous resource that generates economic benefits through widespread use. This is clear in recital 6 of the measure, which states that:
“In order to realize the important economic benefits of data as a non-rival good for the economy and society, a general approach to assigning access and usage rights on data is preferable to awarding exclusive rights of access and use”.
Non-rivalry is aligned with a “functionalist understanding” of data as a welfare-enhancing good: access rights are linked to the fulfillment of a variety of other users’ rights, such as freedom of expression, information, services, and competition. Specifically, this reading is present in the memorandum of the Act in the context of the review of the 1996 sui generis Database Directive. Here, the Commission states that:
“There is a need to balance the policy objectives of IP protection of such databases in the context of the data economy, where the exclusivity of data as a non-rival good is in general considered an impediment to innovation” (page 9).
Given these three different approaches underpinning the conceptualization of data across the GDPR, DGA, and DA, it will be important to provide the conditions for effective alignment between these policy initiatives. This will be crucial to realizing data sharing goals at the heart of the European strategy for data.
Finally, we notice that one of the key underlying concepts of the European strategy for data – common European data spaces – remains undeveloped across the DGA and DA. Neither the DA nor the DGA provides enough clarity: the term is left undefined across both measures as well as in the supporting documentation. Both the Digital Europe Working Programme for 2021-2022 and the Commission Staff Working Document on common European data spaces do not provide a definition, despite laying the groundwork for the funding and governance of common data spaces. The same lack of conceptual clarity is also observable for “operators of data space”: a new concept introduced by the DA to enhance interoperability between sectoral data spaces, but left undefined once again.
In addition, there is an apparent lack of alignment between the two acts, even when the same terminology is used. This is clear in the definition of ‘data holders’, central to achieving data sharing goals both in the DA and DGA, but differently defined across both measures, although they should advance the same objectives of the European strategy for data.
Last but not least, such a lack of coherence is also reflected in concepts that are introduced in one measure but not leveraged in the other, though they advance similar objectives. This is particularly striking for data intermediation services and the European Data Innovation Board (EDIB) – a new body tasked with advising the Commission on the governance of data spaces and on their interoperability requirements. Both are introduced in the DGA but not leveraged in the DA, although there are clear venues to apply them in the context of the mechanisms introduced by the DA. If not resolved, these will undermine the ambitions at the core of the European strategy for data while creating uncertainty and friction between the two acts.