The Data Act introduces a framework for business-to-government (B2G) data sharing, but limited to public emergencies and narrowly-defined situations of exceptional need. The proposal treats B2G data sharing as limited to ad-hoc requests, made in special situations. As such, it is a missed opportunity for a proactive policy that gives public bodies greater information power and allows them to work, in a systematic way, with commercial data needed to fulfill public interest goals.
Strengthening the ability of the public sector to use data, by providing access to data held by business entities (and that otherwise would not be available in the public sector) is a necessary component of a policy that ensures fair allocation of value in the data economy.
In Chapter V, the proposal provides new rules for B2G data sharing, but limits them to situations of “exceptional need to use data”. These are primarily understood as public emergencies or situations when “the public interest resulting from the use of the data will outweigh the interests of the data holders to dispose of the data they hold” (recital 57).
In article 2(10), public emergencies are defined as “exceptional situations negatively affecting the population of the Union, a Member State or part of it, with a risk of serious and lasting repercussions on living conditions or economic stability, or the substantial degradation of economic assets in the Union or the relevant Member State(s)”. As suggested by recital 57, the definition covers public health emergencies, emergencies resulting from environmental degradation and major natural disasters as well as human-induced major disasters, such as major cybersecurity incidents. In these situations, public bodies can request access to privately-owned data for free.
The second scheme concerns situations where business data is necessary for public bodies to “prevent a public emergency or to assist the recovery from a public emergency” and “where the lack of available data prevents the public sector body (…) from fulfilling a specific task in the public interest, that has been provided by law” (article 15). In these circumstances, the public body needs to demonstrate that there are no other available means to obtain such data (including existing obligations or purchasing the data on the market). It is unclear what specifically are these cases of exceptional need. As these are not related to emergencies, the proposal allows for compensation, at the level of incurred marginal costs, plus a “reasonable margin” (article 20).
In all cases covered by these provisions, there are common obligations for public authorities and private businesses when engaging in B2G data sharing. Public bodies, when requesting access, need to define the purpose, demonstrate exceptional need and make sure that the request is proportionate to the need. They cannot use the data for other purposes or make it available for reuse. Ultimately, the data needs to be destroyed. They also shall make efforts to preserve the confidentiality of information when accessing trade secrets or commercially confidential information. On the other hand, private businesses shall transmit as little personal data as possible, while public bodies are required to make reasonable efforts to pseudonymize the data. The article also includes provisions that guarantee transparency of the process and compliance procedures.
The proposal includes exceptions for small and micro enterprises in article 14 (less than 50 employees and annual turnover and/or balance of less than €10M). Likewise, article 16 stipulates that B2G data sharing obligations cannot be exercised for activities related to law enforcement.
Finally, the proposal includes a significant exception to the prohibition on the reuse of obtained data. Article 21 allows public bodies to make data available to individuals and organizations carrying out scientific research or to national statistical institutions and Eurostat. To be eligible, third parties “shall act on a not-for-profit basis or in the context of a public-interest mission recognized in Union or Member State law”.
The article also stipulates that organizations upon which commercial undertakings have a decisive influence, or that could have preferential access to the result of such research, do not qualify for the purpose of this article. However, this exception for scientific research does not relieve public bodies from their obligations to protect trade secrets with appropriate technical measures nor to erase the data after having addressed the exceptional need.
The proposed Data Act is a missed opportunity to create a systemic approach to B2G data sharing – one that allows public bodies to proactively obtain and use data in the public interest. The need for such an approach has been signaled since 2017, when the Commission initiated consultations on what was at that time termed ‘reverse Public Sector Information’. And such an approach, meeting the needs of a strong public interest data sharing framework, has been considered – and ultimately scrapped in favor of a weaker intervention.
A framework limited to public emergencies and exceptional cases will not serve this goal. Public bodies should have the mandate to proactively identify datasets or categories of data and obtain access to them, as long as they can prove that there is a public interest in play. During consultations of the inception impact assessment of the Data Act, public authorities declared a strong public interest mandate for the sharing of health and environmental data. Such an option was also on the table as the Act was being drafted.
To improve the proposal, the provisions of Chapter V should be amended to include sharing requirements in situations where there is a clearly defined public interest, replacing “exceptional need” language. These should occur for situations where data is needed for purposes related to health care, combating climate change, improving mobility, job creation, the compilation of national and European statistics, and policymaking.
In order to ensure that B2G sharing becomes systemic in character, there is a need to establish a “data steward” – a public body with competencies that allow it to oversee and support the flow of data from business to the public sector. The report of the High-level Expert Group on B2G Data sharing signaled the necessity of establishing such structures and functions. Most importantly, such bodies should be tasked with managing the obtained data as a public good.
The much-needed exception to the prohibition on reuse for research organizations and statistical bodies shows the challenges to a B2G framework that assumes a very narrow data use mandate, limited in purpose and scope. Such data will have value for research organizations working on issues compatible with the purpose for which the data was requested, beyond the scope envisioned by the proposal. Unless there are public interest reasons not to do so, the B2G data sharing framework should envision public interest reuse of the data. In addition, it should also establish a systemic – instead of an ad-hoc – approach to the sharing of data for the purpose of the contribution of research organizations or statistical bodies. Furthermore, the exception in article 21 for contributions of scientific research should be expanded so that data is more broadly available to entities operating in the public interest. This should include, for example, journalists and media organizations, or non-profit organizations like Wikipedia.
An overall prohibition on making B2G data available for further reuse constitutes an overly strict limitation on the reuse of public sector information. Building on rules for the contribution of data for scientific research (article 21), a data stewardship body should have the mandate to designate data as available for further reuse, and in specific cases even make obtained data publicly available. The obligation to erase data after having fulfilled the need should therefore also be deleted from the proposal.
Finally, the effectiveness of B2G data sharing will also be limited by the proposed remuneration model (for cases other than public emergencies), which includes not only marginal costs but also a “reasonable margin”, that is up to the business entity to define. Open Data initiatives show that remuneration at the level of just the marginal costs of data sharing should be introduced in many data sharing cases.