Unlocking Europe’s big data for good
Industry perspectives on proposed European data governance
New EU data act aims to balance regulation and innovation
A year like no other, 2020 has been seismic for the digital global economy.
2020 has illuminated so much including our deep dependence on technology and collective reliance on aggregated, quality data to power innovation, train AI models and uncover critical insights like never before.
Without ‘the data’ how can our advisors interpret the Coronavirus’ spread, coordinate supply chains through the crisis or design useful policy interventions in the wake of economic and societal aftershocks? While we all recognise the need for good data and its interplay with trust, many challenges in obtaining, sharing and transferring information safely, legally and with fair distributed value remain.
How do you unlock flows to enable important research whilst respecting people’s data and Intellectual Property Rights (IPR)? How do you ensure the end to end data supply chain is accountable, in a web of fast moving sub processing? How do you overcome interoperability challenges across a patchwork of systems and standards? Just some of the tough, but incredibly pertinent questions.
And yet the reward for cutting through the Gordian knot of safe data sharing and striking the right balance between governance and innovation is great. It can lead us towards improved disease diagnostics, public services, a supply chain built on systems of intelligence, and much more.
The new Data Governance Act
On 25th November, the European Commission (EC) published a proposal for a Regulation on European Data Governance also known as the Data Governance Act (DGA) aiming to address many of these huge but vital challenges and power good information flows.
The Act seeks to foster trusted reuse of industrial data with a clearer legal pathway to enable ‘good data sharing’, to the benefit of European citizens, its economies and societies.
“The economic and societal potential of data use is enormous: it can enable new products and services based on novel technologies, make production more efficient, and provide tools for combatting societal challenges. To realise this enormous potential, more data must be made available, shared with confidence and technically easy to reuse.” (European Commission)
7 Key features of the new Data Governance Act:
A European model for trusted data sharing
1. The DGA is the first implementation of Europe’s new strategy for data (published at the start of 2020, which seeks to create a single market for data and break Big Tech’s stranglehold and reduce the EU’s reliance on US or China for cloud services)
2. The DGA will govern data use and will take the form of a Regulation, directly applicable across EU member states once adopted. The DGA aims to facilitate safe access to data which would not otherwise have been shared due to protected characteristics (personal data, information subject to IPR etc.), provided ‘secure and privacy- compliant’ conditions are in place
3. It seeks to promote trusted data access with clear rules, structures and safeguards, to encourage more sharing of information
4. The Act offers us a broader definition of data, encompassing personal and non personal data (the Act is designed to comply with and sit alongside the GDPR). It also complements the Open Data Directive, addressing public data that cannot be made available as open data (e.g. private, confidential)
5. It introduces new rules on neutrality to allow data intermediaries to function as trustworthy organisers of data sharing. These EC registered intermediaries would aggregate data ‘neutrally to increase trust’; with this neutrality subject to strict compliance: the providers would be unable to use, sell or exchange data in its own interest
6. The Act will empower citizens, giving them greater control of how their data is used with ‘personal data spaces’ as new personal information management tools
7. Data altruism with oversight: the Act sets out a framework for entities who process data for ‘good’, intending to foster a network of trusted and data intermediaries, backed by a European oversight regime. A European Data Innovation Board will steer data governance and prioritise standards.
More data flows, with mechanisms and control
In summary, the proposed DGA seeks to encourage more data sharing based on trusted and accountable frameworks.
Economic impacts
The Commission has set out some of the potential benefits of the new governance (and relevant innovation) could bring to Europe across key areas like health, the environment and agriculture:
Industry perspectives in the UK
With Brexit talks at a critical stage (at time of writing), what do key industry voices think about the governance here in the UK? We sought out a handful of select thought leaders from the legal and tech space, largely based in the UK:
Paul McCormack, Lawyer and Founder of Kormoon, thinks the proposed regulation may create a ripple effect globally and down stream opportunities for privacy technologists:
“The EU’s Data Governance Act is an interesting policy benchmark in promoting and enabling the sharing, commercialisation and industrialisation of data. We’ve seen many countries around the world take the EU’s lead (following GDPR) introducing “EU-like” privacy laws and in many cases going further by introducing protectionist laws to keep data “on-shore” or within their oversight (i.e. data localisation requirements).
This new law may serve to open the door for other policy makers around the world to follow the EU’s lead once more. The EU’s introduction of “Providers of Data Sharing Services” may promote and build upon a growing data exchange market, presenting interesting business opportunities for enabling the sharing of data (including but not limited to personal data). This may also create down-stream opportunities for privacy-tech companies whose role will be ever more important to ensure compliance with privacy laws are considered and addressed.”
Morgan O’Neill Data Protection Director at Thornton’s Law, reflected on the controversial data localisation provision, which had appeared in leaked drafts, setting out that shared data should remain in the EU — which were criticised as protectionist. Morgan said:
“The news that data localisation requirements have been removed from the EU Data Governance Act will come as a relief for UK organisations already trying to prepare for the impact of the end of the Brexit transition period on EU to UK data flows.
However, UK organisations should be aware that the proposed regulation does contain restrictions around the transfer of sensitive data to non-EU countries. In the absence of an adequacy decision, UK data importers will be expected, like all other third countries, to demonstrate EU standards of data protection to ensure this data can flow without interruption.
David Goodbrand, Partner at Burness Paull Lawyer felt that the Act showed Europe’s intent towards a more open data culture:
“The legislation is at an early stage and will still need to be approved by the EU and the UK Government (if the UK decides to adopt similar legislation post-Brexit). However, it does show the EU’s desire to create a more open data culture in which data may be exploited rather than siloed.
The legislation is designed to complement the GDPR, although as personal data is very likely to be co-mingled with other data, the obligations set out in the GDPR to protect personal data will continue to impact and affect all data that is flowing.”
Finally, Graeme Johnston Lawyer and Founder of Juralio summed up the challenges typically still felt by organisations in the face of continued complexity in data regulations; he underlined the need for a proper process to decode this and remain on the front foot:
“Compliance in this area is ever more challenging — intensifying regulation and complex cross-border legal effects.
Having appropriate processes and tools for staying on top of it all is crucial.”
So what’s next for the Act?
Further plans for the 2020 European Strategy for Data include proposals for a Digital Markets Act and a Digital Services Act which will be published by the European Commission.
Before the proposed Data Governance Act is implemented, it will subject to negotiations and debate by the European Parliament and the Council of Ministers. We are therefore some time away from the implementation of the Act and challenges in practically how to reuse and share data whilst respecting privacy, assuring and data rights remain.
What’s next for the wider, global economy?
Making high quality data available to aggregate and fuel data science and data-driven decisions is vital for agendas of public health, the climate emergency, for governments and enterprises.
The importance of balancing tech-led innovation with responsible use of data, in the context of a more level playing field is not just limited to Europe: these are global issues. The imperative of protecting data usage rights and safeguarding information flows across the world is a complex issue, and it relies on corporations, law makers and on those who design processing technology and systems of governance making the right decisions, and indeed citizens must hold those entities to account toward responsible data sharing.
It is positive that the new Data Governance Act seeks to highlight and tackle a number of the macro themes and propose enablers in the European context; however, in practical terms the challenge of safeguarding but not inhibiting global data flows with agile and effective data governance remains complex for legal and data governance professionals working at the sharp end of building practical standards and protocols for good sharing.
This article was written by Sorcha Lorimer, on behalf of Trace with contributions from Privacy and Tech leaders, and is also available as a Trace paper for download on request.
