Spain: The new European Data Governance Act arrives

published on 15 June 2022 | reading time approx. 4 minutes

Over the last few years, the European Commission has been really focused to make the EU a “leading role model for a society empowered by data to make better decisions – in business and the public sector”. It is also no news that the fourth industrial revolution is in full swing with the development of technologies such as AI, Big Data, and other modalities that require the use and reuse of data. In its “Coordinated Plan on Artificial Intelligence”, the European Commission considers that the data generated by the public sector is often of very high quality, making it an important asset for innovation.

Indeed, the Commission has emphasised that creating “common European data spaces” is essential to facilitate the exchange of data held by the public and private sectors, and to make it available to benefit the general interest of Member States, in activities such as enabling AI on a scale that allows the development of new products and services. To this end, the EU Data Strategy has introduced the creation of Regulation (EU) 2022/868 (also known as Data Governance Act, hereinafter “DGA”) to establish a harmonised framework for these data exchanges and certain basic requirements and conditions for data governance, while facilitating cooperation between Member States.

Many companies are already benefiting from the convenient use of large amounts of data. Therefore, the aim of having a regulation that dictates “data governance”, in addition to enhance innovation and to reduce the digital gap, it is also to ensure a fair competition in data economy, i.e., that more companies compete on the quality of their services rather than on the amount of data they control. Likewise, it seeks to build trust among individuals and companies through greater transparency regarding the purpose of use of their data, the conditions under which companies store it, as well as the effective exercise of their rights and the compliance with cybersecurity requirements.

This Regulation essentially consists of establishing conditions for both public and private entities to access and use the data lawfully, in affinity to the provisions already established by Union law (i.e., GDPR and other applicable sectoral rules). The critical factor in this case is that the data economy is mostly developed for research, innovation and statistical purposes that require certain categories of data that could be identified as highly sensitive, thus a series of technical and legal requirements are crucial to guarantee the rights and protection of personal data and to avoid discrimination and other negative effects.

To this end, the DGA focuses on regulating three activities, setting out a regulatory framework consisting of: (i) the re-use, within the Union, of certain categories of data held by public sector bodies; (ii) the establishment of a notification and monitoring framework for the provision of data intermediation services; and (iii) a framework for the voluntary registration of entities that transfer data for altruistic purposes. Let’s take a closer look to each one of them:

Re-use of data: It is defined as the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than the initial basis for which they were generated. In these cases, the secure processing of data must be ensured, and exclusive arrangements are prohibited unless they are indispensable for the achievement of a purpose of general interest.

Both the control and the access or refusal of re-use shall be carried out by the public bodies themselves with the assistance of competent bodies designated by the Member States.
Data intermediation services^[1]: These services represent the business of exchanging personal and non-personal data for commercial purposes between data subjects and users (i.e., data marketplaces).

They will be subject to a notification procedure and, in addition, to conditions laid down in the Regulation, which will have to be carried out by the intermediation services providers. They must apply all necessary measures to prevent unlawful access or transfer of data and thus ensure security and fair competition in the data economy.

Relevant authorities for data intermediation services will be appointed by the Member States to monitor the compliance with all requirements for correct and lawful intermediation. In case of non-compliance, they will impose appropriate sanctions.
Altruistic transfer of data: This is to be understood as the voluntary provision of data for the “common good”.

To this end, the figure of data altruism organisations will be created, whose function will be to collect and transfer data for the sake of general interest. They will be registered in a Public National Register, as well as in the Public Register of the Union.

The EU’s objective in this matter is to provide a safe space that creates a trustworthy environment and, consequently, encourages individuals to donate their data based on well-founded trust. As a guarantee, States will also designate competent authorities to oversee compliance with the requirements for registration and, subsequently, for transparency and protection of data subjects.

This regulatory framework provides a basis for Member States to enable the development of these activities and the fulfilment of the conditions laid down in the DGA, with the advice of the European Data Innovation Board, an institution created by the Regulation to support Member States, competent authorities and the European Commission on this single data market journey that is only just beginning.

[1] Recital No. 28 of the Regulation indicates that this concept excludes “services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users. This would also exclude services that are exclusively used by one data holder in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things”.