I. Re-use of data held by public sector bodies
The proposed Regulation addresses the re-use of public sector data that is subject to rights of others, and hence falls outside the scope of the Open Data Directive. The Regulation therefore applies to data held by public sector bodies which are protected on grounds of:
-commercial confidentiality;
-statistical confidentiality;
-protection of intellectual property rights of third parties;
-protection of personal data.
It is worth noting that the Regulation does not oblige public sector bodies to allow re-use of data. However, where a public sector body does allow re-use, this must be done without exclusivity or discrimination. For instance, the text prohibits the conclusion of exclusive arrangements between public sector bodies and entities re-using the data.
Conditions for re-use:
-Public sector bodies may impose obligations to re-use only pre-processed data where such pre-processing aims to anonymise or pseudonymise personal data or delete commercially confidential information, including trade secrets.
-Public sector bodies can also lay down obligations for the re-use of data to take place within a secure processing environment provided and controlled by the public sector.
-When anonymisation or secure processing is not possible, and where it is feasible, the public sector bodies shall support re-users in seeking consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected.
Conditions for transfer to third countries
The Commission may adopt implementing acts declaring that the legal, supervisory and enforcement arrangements of a third country:
(a) ensure protection of intellectual property and trade secrets in a way that is essentially equivalent to the protection ensured under EU law;
(b) are being effectively applied and enforced;
(c) provide effective judicial redress.
In case a third country does not comply with these requirements, and if confidential data or intellectual property rights are involved, the re-user needs to:
-guarantee confidentiality even after the data is transferred to the third country;
-accept the jurisdiction of the courts of the Member State of the public sector body concerned.
In case of highly sensitive non-personal data, the Commission is empowered to adopt delegated acts to lay down special conditions for transfers to third countries. In exceptional cases, this might take the shape of restrictions as regards transfers to third countries.
In all cases of data transfers to third countries, the public sector body shall inform the data holder about the transfer of data to that third country.
Single point of contact
A single point of information is created in the Member States. This single information point receives all requests for the re-use of data and transmits them to the competent public sector bodies.
II. Framework for data sharing services
The proposed Regulation creates an obligation of notification for the provision of data sharing services.
The text applies to three types of services:
-intermediation services between data holders which are legal persons and potential data users, including making available the technical or other means to enable such services; those services may include bilateral or multilateral exchanges of data or the creation of platforms or databases enabling the exchange or joint exploitation of data, as well as the establishment of a specific infrastructure for the interconnection of data holders and data users;
-intermediation services between data subjects that seek to make their personal data available and potential data users, including making available the technical or other means to enable such services, in the exercise of the rights provided in Regulation (EU) 2016/679;
-services of data cooperatives, that is to say services supporting data subjects or one-person companies or micro, small and medium-sized enterprises, who are members of the cooperative or who confer the power to the cooperative to negotiate terms and conditions for data processing before they consent, in making informed choices before consenting to data processing, and allowing for mechanisms to exchange views on data processing purposes and conditions that would best represent the interests of data subjects or legal persons.
Obligation of notification
In case a provider of data sharing services intends to provide these services, it shall submit a notification to the competent authority. This can be the competent authority of the Member State where it is established or, for a provider not established in the EU, the Member State where it has its appointed legal representative (and where it provides services).
The notification entitles the provider to operate in all Member States. Each notification is forwarded to all the other Member States and the Commission.
Requirements for data sharing services
Such services need to comply with a set of requirements, including:
-separation of data intermediation services from any other added-value services. The provider may not use the data for which it provides services for other purposes than to put them at the disposal of data users and data sharing services;
-the provider shall have procedures in place to prevent fraudulent or abusive practices in relation to access to data;
-the provider shall take measures to ensure a high level of security for the storage and transmission of non-personal data;
-the provider shall put in place adequate technical, legal and organisational measures to prevent transfer or access to non-personal data that is unlawful under EU law;
-where a provider provides tools for obtaining consent from data subjects or permissions to process data, it shall specify the jurisdiction or jurisdictions in which the data use is intended to take place;
-when it comes to personal data, GDPR applies.
Competent authorities shall monitor and supervise compliance with the Regulation.
III. Data altruism
The Regulation facilitates data altruism whereby data is voluntarily made available by individuals or companies for the common good.
Each Member State shall keep a register of recognised data altruism organisations.
Entities can register as such if they:
-are legal entities constituted to meet objectives of general interest;
-operate on a not-for-profit basis and are independent from any entity operating on a for-profit basis;
-perform the activities related to data altruism through a legally independent structure.
Entities which are not established in the EU must appoint a legal representative in one of the Member States where they intend to collect data based on data altruism.
Once completed, registration is valid in all Member States.
The Regulation also sets a list of requirements for the processing of data on altruistic grounds.
IV. Creation of a European Data Innovation Board
The Commission plans to create a formal Expert Group called “European Data Innovation Board”. This Expert Group will ensure harmonisation of practices in the implementation of the Regulation.
It will also advise the Commission on the prioritisation of cross-sector standards to be used and developed for data use and cross-sector data sharing.
The Expert Group will be composed of Member States’ representatives, the European Data Protection Board, the Commission, relevant data spaces and other representatives of competent authorities in specific sectors. Stakeholders and relevant third parties may be invited to attend meetings of the Board and to participate in its work.
V. International access (Article 30)
The public sector body, the natural or legal person re-using public sector data, the data sharing provider or the altruistic entity shall take all technical, legal and organisational measures to prevent transfer or access to non-personal data held in the EU where such transfer or access would create a conflict with EU or national law.
If an authority from a third country orders transfer of or access to data, such an order can only be valid if it is based on an international agreement (e.g. mutual legal assistance treaty). Alternatively, the addressee of the order can ask the opinion of the relevant EU competent bodies or authorities to determine whether the conditions for transfer/access are met.
Next Steps:
-Q1 2021: A Data Act will clarify the use rights of data in B2B and B2G contexts.
-More dedicated proposals on data spaces are also expected to follow in 2021.
-Q1 2021: Legislative follow up to the White Paper on AI: mandatory requirements and certification for high-risk AI applications / voluntary labelling for other applications.
If you have any questions, please do not hesitate to contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com