The European Union has already enacted several directives to enable (or mandate) the ability for companies to access and reuse data held by EU public administrations within the European Union. However, in many cases, this access is still not authorized, as the data is protected by laws that prevent access by private entities. This is the case of personal data, data protected by certain intellectual property provisions or by specific trade secret laws, etc. which generally cannot be shared by public administrations. The future law on data governance (still in the legislative process) aims to provide new legal tools to enable the sharing of this data.
Background: the European data strategy
The institutions and bodies of the European Union (EU) are aware that data is an essential resource for economic growth, competitiveness, innovation, job creation and societal progress in general. In order to maximize the possibilities of using data, while protecting the rights of EU citizens, the European Commission has developed the European data strategy. The European Data Strategy aims to create a single data market that will ensure Europe’s global competitiveness and data sovereignty.
As part of this strategy, the EU intends, through new legal tools, to facilitate initiatives that would make data more widely available by opening up high-value public datasets across the EU. EU, allowing their reuse free of charge or at a proportionate cost. .
In the words of the European Commission,
“the Data Governance Act will increase trust in data sharing, strengthen mechanisms to increase data availability, and overcome technical barriers to data reuse” and “will also support the establishment and development of common European data spaces in strategic areas, involving both private and public actors: health, environment, energy, agriculture, mobility, finance, industry, public administration and skills“.
Current Weaknesses of the EU Open Data Directive
The EU has enacted several legal tools to enable society at large to access data held by public administrations. The main directive that has been promulgated in this regard is the Open Data Directive. The main objective of this directive is to enable the re-use of all data held by public administrations by anyone (including companies), by promoting standard, machine-readable, accessible, interoperable formats, etc., thanks to Well-designed APIs. The term “data” in the directive should be interpreted as having an extremely broad scope, to include all types of documents and dynamic data, for example environmental, traffic, satellite, weather and sensor-generated data.
However, the Open Data Directive has excluded from its scope data protected by different laws or provisions. For example:
Documents, such as sensitive data, which are excluded from access, including for reasons of commercial confidentiality (including business, professional or company secrets);
Data protected by the intellectual property rights of third parties; and
Documents containing personal data.
The problem here is that the exception for data access is so broad, that ultimately a large amount of data cannot be accessed and reused, which as stated in the Data Governance Act data,”has led to the underuse of this data“.
In the context of the aforementioned purposes, it is important to understand that certain categories of information will remain protected and outside the scope of the data governance law, such as data held by public companies, service providers public, data protected for reasons of national security, defense.
Open the reuse of “restricted” information via the Data Governance Act
In view of this under-use of data, the European Commission has drawn up its proposal for Data Governance Act. The key elements are:
- That each EU Member State will have to create one or more bodies with the aim of helping public administrations to enable the reuse of data, by providing technical and organizational support.
- That in principle, each public administration will have to make available to the public the conditions allowing the reuse of data, which must be non-discriminatory, proportionate and objectively justified. In this sense, there is a general prohibition of exclusive agreements aimed at restricting the availability of data for reuse (with some narrow and specific exceptions for reasons of public interest).
Data reuse conditions may include:
- The need to anonymize/pseudonymize information before sharing it;
- The need to access this information only in technical environments provided and controlled by the Administration (even in the physical premises in which the secure processing environment is located, if remote access is not possible).
- The public sector body must be able to verify the results of the data processing carried out by the re-user and reserves the right to prohibit the use of the results which contain information infringing the rights and interests of third parties.
- If under the GDPR there is no other legal basis to allow the sharing of personal data than the consent of the persons concerned, the public administration must help reusers to obtain the consent of the persons concerned and/or the authorization of the legal persons whose rights and interests may be affected by such reuse.
- The intellectual property right of the creator of a database as provided for in Article Directive 96/9 should not be exercised by public sector bodies in order to prevent the re-use of data.
Access may be subject to fees, but these fees must be proportionate, objectively justified, non-discriminatory and must not restrict free competition.
Potential bans on data transfer outside the EU
The EU is aware that the conditions of reuse imposed by the public administration may not be applicable in third countries, with the risk of “illegal access that may lead to intellectual property theft or industrial espionage“. Therefore, if the public administration has considered that the data available for reuse should be considered confidential or protected by intellectual property rights, it may prohibit the transfer of such data outside the EU.
There are a few exceptions to this prohibition:
- Countries that the European Commission has declared to offer an equivalent level of protection.
- In cases where the country has not been declared “safe”, the re-user will still be able to access the data if they accept contractual obligations to ensure data protection, such as a declaration of compliance with governance law data and accepting the jurisdiction of the courts of the EU in this regard.
Where data qualifies as “highly sensitive”, additional restrictions may be imposed to allow data transfer outside of the European Union.
Data Sharing Services
One of the main opportunities for companies under the Data Governance Act is the creation of data sharing service providers, which will act as intermediaries between public administrations and companies for the purpose of reuse. These data sharing services will be responsible for preparing the data to adapt them to the needs of the reuser, while ensuring compliance with the conditions of reuse imposed by the public administration.
There is a strict framework for data sharing services. For example, these service providers will be required to notify the relevant authorities under data governance law and will not be permitted to use the data for their own purposes.
The Data Governance Act will provide new opportunities for companies interested in data held by the public sector in the European Union. In this direction:
- The legislative process of the data governance law should be carefully monitored. Companies may be interested in lobbying as the final wording may change.
- Companies specializing in providing algorithms as a service to other companies or administrations must identify business opportunities to qualify as data sharing providers.
- Companies interested in data reuse should start identifying specific jurisdictions with “interesting” data, to be at the forefront of this opportunity.
- Companies should consider having in place all adequate measures to ensure that any resulting intangible assets are properly protected and to ensure compliance with applicable laws (in particular data protection laws).