In this policy brief, we present five issues related to the proposal for the Data Governance Act (DGA) that are crucial to achieving the policy goal of building Data Commons in the European Union.
The Proposal for a Regulation on European Data Governance – the DGA – was released by the European Commission last November. Since then, a consultation round has been held in February (you can find our submission here). Currently, the proposal is making its way through the European Parliament where the ITRE committee, with Angelika Niebler as rapporteur, is in charge of the file. Meanwhile, the LIBE committee released its opinion on 11 May.
Another notable event also took place recently: on the 25th of May, the GDPR officially turned three years old. While this may initially seem unrelated to the DGA, there are two important considerations to be made. First, the two measures are extremely interconnected, as the GDPR specifies users’ rights in the current data economy while the DGA lays down the regulatory infrastructure for data sharing. Second, according to the Commission, the DGA potentially bears the same transformative capacity as the GDPR since it can serve as a global model for trusted data sharing across intermediaries.
As such, open movement activists and civil society organizations involved in digital regulation should definitely keep the DGA on their radars. Although the political focus has so far been mainly centered on the Digital Services Act and the Digital Markets Act, the DGA constitutes a crucial legislative development because it opens important opportunities for the formulation of policies rooted in the concept of Data Commons. The rules established by a new European data governance framework, and encoded in the proposed DGA, should empower public institutions in the online sphere, strengthen the role of Open Access Commons (OAC) in the current data economy, and unleash the society-wide benefits derived from open data.
A main point of discussion concerns the relationship between the GDPR and the DGA. Specifically, there is a risk that data protection rules enshrined in the former might be undermined by the legislative framing of the latter if its scope is not sufficiently narrowed down. Recently, MEP Axel Voss has called for a revision of the GDPR to facilitate “Europe’s digital transformation and reduce compliance costs.” In this light, the DGA might be used as a scapegoat to silently advance Europe’s economic interests in the current data economy to the detriment of users’ data protection and privacy rights. This is highly problematic since EU data protection rules have provided much-needed data subjects’ rights and obligations for controllers and processors, thus constituting the gold standard for data protection worldwide. For this reason, it is fundamental to clarify the relationship between the two measures by establishing the primacy and centrality of the GDPR.
Similarly, another major issue concerns the inclusion/exclusion of personal data in the scope of the proposal. This is highly contentious as the potential presence of personal data might once again constitute a threat to the GDPR, with its framing of data so closely tied to fundamental rights. Likewise, concerning other categories of data that presumably fall into the scope of the proposal, there emerges an overall lack of consistency with the GDPR language, especially for the definition of metadata and highly sensitive data.
On these issues, the comments submitted by Access Now and EDRi perfectly encapsulate the problem at stake and suggest improvements to restrict the scope of the proposal in light of existing GDPR rules.
At the same time, it is important to ensure that the provisions do not introduce any new intellectual property rights in data. Instead, as explained in the previous section, the proposed DGA must be built on the data subject rights established by the GDPR. So far, one of the underpinning principles of the proposal is that GDPR provisions take precedence over the rules that would be introduced by the DGA. Consequently, the data subject rights codified by the GDPR provide an important baseline and must not be altered by the provisions of the DGA.
Still, it is equally important that the DGA does not introduce any new intellectual property rights. In this context, the use of language and terminology that could imply the existence of sui generis data rights must be removed. Some amendments put forward by the S&D group contain references to “data rights” where they are referring to data subject rights. To avoid the impression that there are ownership rights in data, this language should be made more precise.
Chapter IV of the Regulation introduces a new concept: data altruism. This refers to situations in which data is voluntarily made available (donated) by individuals or companies for the common good. According to the proposed rules, this is to take place through common European data altruism consent forms to facilitate the collection of users’ consent and the portability of their data. In exchange, they are to be registered as ‘Data Altruism Organizations recognized in the EU.’
However, at this stage, it remains unclear what data altruism really means. This is because the act does not clearly delineate the activities related to data altruism and in defining the concept refers to a vague category of “general interest.” The latter is described as purposes related to healthcare, combating climate change, improving mobility, facilitating the establishment of official statistics and improving public services.
In this light, it is not clear whether the proposed data altruism framework will constitute more than a bureaucratic burden to data sharing. This becomes even more evident in light of proposed amendments as all political groups demand higher technical requirements, spanning from cybersecurity to data protection. This raises the question of incentives for individuals and organizations to voluntarily make data available in the first place.
In addition, data altruism is subject to different interpretations running across partisan lines. Here, what catches the eye is the S&D and Greens’ objective to tie data altruism to the concept of public interest. In the original proposal, this is worded as general interest, but lacks sufficient definitional clarity as it opens room for interpretation – for example, does research undertaken by private entities qualify as such? The inclusion of a reference to the public interest – a concept much clearer than that of general interest – could be an important step to providing legal certainty. Otherwise, the purpose and scope of general interest activities need to be precisely defined.
Finally, an important issue is the lack of consideration of existing forms of voluntary data sharing, such as Open Access Commons (OAC) resources. This is problematic because existing initiatives, such as Wikipedia and Europeana, are inherently incompatible with rules pertaining to data altruism. Article 18 indeed requires data altruism organizations to monitor users and uses of data made available by OAC initiatives. However, the core tenet of OAC data sharing rests on the acceptance of pre-defined licensing terms but does away with direct transactional relationships between the stewards (data holders) and users of the commons-based resources.
Amendments proposed by the S&D and the Left would clarify this by specifying that the DGA is without prejudice to the ability of non-profit organizations to make data and content available to the public under open licenses. Including such language in the final act would be an important protection for existing Open Access Commons initiatives.
Another important concept, though largely overlooked by all political groups so far, is the notion of data cooperatives. The cooperative model has a high transformative capacity for data governance and can be leveraged across various use cases. Cooperatives empower individuals to make informed choices about their data and are a way for collective data rights to emerge. The Mozilla Data Futures Lab defines data cooperatives as constructs that “aim to facilitate the collaborative pooling of data by individuals or organizations for the economic, social, or cultural benefit of the group.”
In the DGA, this definition seems to apply, first, to collectives that seek to strengthen the position of data subjects vis-à-vis processors in exercising their rights under GDPR. Second, to those organizations that leverage the position of one-person companies, micro, small and medium-sized enterprises in terms of data sharing knowledge. In this light, services of data cooperatives would negotiate terms and conditions for data processing in users’ interest before they consent, thus guiding them in making informed choices.
This concept should be better developed as it bears potential for users’ empowerment in the online sphere. Existing initiatives, such as FairBnB, Driver’s Seat, and Resonate, have already demonstrated their impact in safeguarding the position of certain groups of data subjects vis-à-vis controllers. Therefore, amendments clarifying the scope of data cooperatives, such as those submitted by the Greens and the Renew group, are important steps in the right direction.
Interoperability is an important principle that will ensure that data sharing is possible for a greater exchange, and conducted in a standardized way. It is a principle that supports innovation and competition. The proposal to introduce interoperability, in particular to data intermediaries defined in Chapter III, is made by the S&D group. Interoperability is one of the key components of the FAIR data principles, which are referred to in the European Data Strategy.
Related to this is the concept of common sectoral data spaces, which are also defined in the Strategy as key components of the European data governance framework. These spaces have been missing from the original DGA proposal. The amendments proposed by the S&D group, which outline a new Chapter V by defining data spaces together with design principles for their creation, would substantially improve the proposed Regulation by providing greater definitional clarity.
On a similar note, Chapter VI deals with the creation of a governance body of the DGA: the Data Innovation Board. The original proposal, in Article 26, foresees the creation of an Expert group consisting of the representatives of competent authorities from all Member States, the European Data Protection Board, the Commission and key sectors. The Board would advise the Commission on increasing data sharing in the Union. So far, the submitted amendments reflect different political stances on the powers assigned to the Board, its competencies, and governance structure. Most notably, these include diverging opinions on the setting of the Board as an expert group or as a stakeholders’ body. Two proposals for an ancillary body to the Board are currently on the table: a “Data Exchange Board” and a “Data Innovation Advisory Council”. Although this difference seems insignificant at first glance, these two terms embed different regulatory preferences. The Data Exchange Board would consist of an expert group aimed at supporting the emergence of European data spaces and interoperability across intermediaries. The Data Innovation Advisory Council would in turn be concerned with broader advice on innovative data practices. The creation of a dedicated ancillary body responsible for data interoperability would be an important addition to the proposal. In this context, it will be crucial that broad, society-wide representation is ensured in all DGA governance bodies – especially from academia, civil society, and public institutions. This is necessary to avoid the capture of the European data governance process by particular private interests.
In addition to these new rules for data sharing, the DGA also contains provisions that further modify the data sharing regime for public sector bodies in the EU. Chapter II addresses some of the questions that have been left out by previous regulatory interventions in this area, most recently by the 2019 Open Data Directive. In this light, two main issues emerge.
First is the issue of which categories of data, used by public sector bodies, fall under the scope of the Regulation. On this point, the Left group is proposing changes that would remove personal data from the scope of the proposal, together with data processed in the context of employment. The Greens and S&D propose to exclude data held by cultural and educational establishments when protected by fundamental rights provisions or third-party intellectual property rights. Such attempts to limit the obligations imposed on public institutions are understandable, but it is important that they are well-defined. Specifically, the exclusion of data protected by intellectual property rights must be limited to situations where such rights are held by third parties and not by institutions themselves. Otherwise, the existence of (highly problematic) database rights might render the provisions introduced by the proposed DGA ineffective from the start, which would result in a substantial weakening of policies aimed at increasing access to culture or educational resources.
Secondly, there is considerable discussion on the issue of data transfer by public sector bodies to third countries. The Left group, in line with its overall interpretation of the Schrems II ruling, aims not to enable data transfers to third countries lacking an adequacy decision by the Commission. The EPP and Renew are in favor of keeping dataflows as open as possible provided that, as stipulated in art. 5(10), confidential information is not disclosed and the re-user accepts the jurisdiction of the Courts of the Member State of the public sector body concerned in the case of a dispute. Finally, the Greens take a middle stance as they aim to halt the transfer of personal data while keeping non-personal dataflows open if the two above-mentioned conditions are met.
The controversy around this issue is once again linked to the Schrems II ruling that significantly altered dataflows in the global economy. To shed more light on this issue, it is fundamental to strike a fair balance between data protection and economic interests, provided that such a compromise is sufficiently applicable. In the absence of a new EU-US deal on data exchanges, an important contribution is offered by the LIBE draft opinion which contains important additions to the empowerment of public bodies in evaluating the legality of data transfers toward third countries. Accordingly, reusers would not be granted the prerogative of transferring data unless they are compliant with the above-mentioned conditions spelled out in article 5. This would provide at least temporary clarity for the transfer of users’ data to third countries.
The discussions around these five themes are likely to endure for quite some time during the next legislative phases. As highlighted throughout the text, the DGA is an important legislative cornerstone for Europe’s pursuit of strategic autonomy and digital sovereignty. As such, it is highly interconnected with parallel legislative initiatives, most notably the Artificial Intelligence Act, the ePrivacy reform, and the Data Act. The Data Act, in particular, will be at the center of our attention as the measure is set to supplement the DGA on the use of privately-held data by the public sector, Business-to-Business data access, competition in the cloud computing market, and the sharing of non-personal data to third countries. As the Data Act proposal matures, we will analyze how it can contribute to strengthening the Data Commons in Europe.