Legal Business Blogs

Sponsored briefing: Data Governance Law. Is Europe getting enough out of data?

When trying to coin a definition of today’s economy, many are inclined to refer to one driven by data (the data-driven economy). As a region, the European Union considers data to be an essential resource for its economic growth, competitiveness, innovation, job creation and the general progress of society. This begs the question: is Europe getting enough out of data?

The volume of data – both personal and non-personal – that citizens, private entities and public bodies generate and collect is enormous and continues to grow exponentially as emerging technologies continue to expand. The EU’s diagnosis, however, is that data’s potential – as an asset – is not exploited enough. Data could be used to innovate, research and make new technologies more efficient. To close this gap and boost Europe’s competitiveness and digital transformation, data must be exploited more efficiently and securely in a consistent way across the EU. To this end, data should be available to be exchanged and re-used for lawful purposes, such as research or innovation.

However, there are a number of obstacles to creating an ecosystem in which data can circulate and be exchanged easily at the European level. On the one hand, from a legal perspective, transferring specific types of data is restricted, such as where they are protected by third-party rights (intellectual property rights, data protection or commercial and statistical confidentiality, etc.). On the other hand, technical and operational constraints make sharing and interoperability more difficult. In addition, Europe has offered no incentives to counter the private economic benefits (of citizens or private entities) of retaining ‘title’ over the rights to exploit such data. These and other factors have led to the current situation where data is underused at the European level.

‘Market participants are already intermediating the exchange of data without a specific regulation.’ Leticia López-Lapuente Gutiérrez and Laia Reyes Rico, Uría Menéndez

The EU, having made this diagnosis, and with the aim of creating a standardised, transparent and neutral European data market (both personal and non-personal), has published – as part of the European Digital Strategy – a proposal for an EU Regulation on data governance (Data Governance Law). It is not the only attempt to regulate this matter, as there are already rules on the exchange and exploitation of data from public bodies, known as ‘open data’ regulation (ie, Directive (EU) 2019/1024 and Law 37/2007). However, the Regulation proposal aims to go a step further and set the basic parameters to promote data exchange and create a single market for data. The main developments the Data Governance Law would introduce can be divided into three sets of measures.

The first regulates the basic guidelines for public bodies to make data in their possession that are protected by third-party rights available to the market. The aim is for natural or legal persons to be able to re-use them even for commercial purposes. Among other strategies, this involves anonymising or pseudonymising personal data before sharing them in order to ensure data subjects are protected under the General Data Protection Regulation (EU).

Secondly, the Data Governance Law would designate data exchange service providers as intermediaries to speed up the exchange of data between private parties or from natural persons to private parties. The providers of such services will be subject to a set of reporting, monitoring and sanctioning rules to ensure entities and citizens trust these intermediaries and thus enable a single European data market to be created and then grow.

The third block of proposals contains a framework designed to enable the voluntary transfer of data for altruistic activities, for no profit and in the general interest (such as scientific research or improving public services). In order to encourage this type of transfer, the Data Governance Law would designate data management organisations to act as intermediaries in this type of data transfers for altruistic activities, establishing a public register, transparency and operational requirements and a supervisory regime. It also proposes a consent form for data subjects to consent to their data being used. Once again, the regulation aims to generate confidence for citizens and entities through a series of features and instruments that encourage data exchange including for altruistic activities.

While adopting the instruments described above will help to boost data flow (at least by public bodies), the Regulation proposal presents some practical challenges. Establishing formal requirements such as a notification, registration or supervisory regime will bring certainty and confidence to the market but may create obstacles for its own development if these requirements do not materialise in an appropriate way. The fact is that market participants are already intermediating the exchange of data without a specific regulation. What is clear is that with this proposal, the EU identifies and intends to address a challenge in which the whole region has much at stake: the efficient use of data as a driver of our future society and economy.

For more information, please contact:

Leticia López-Lapuente GutiérrezLaia Reyes Rico

Leticia López-Lapuente Gutiérrez (left) and Laia Reyes Rico
Lawyers at Uría Menéndez

C/ Príncipe de Vergara, 187, Plaza de Rodrigo Uría, 28002 Madrid . España.
T: +34 915 860 400
E: madrid@uria.com

www.uria.com