Regulating the data economy (Part II): how will the Data Act regulate government access to data?
by Angeliki Tsanta on 03 Feb 2022
As explained in our previous blog, the European Commission is working on a legislative proposal to ensure European businesses, consumers and governments fully benefit from the free flow of data and are empowered to make better-informed decisions. This initiative, known as the Data Act, will not only regulate data sharing among companies (business-to-business, B2B), but will also specify in which cases and under which conditions companies must share data with governments (business-to-government, B2G). This blog analyses the EU’s plans for the B2G data sharing and identifies outstanding issues for businesses.
In addition to its economic importance, data is crucial for effective policy-creation and informed decision-making by governments. The Covid-19 pandemic has provided a clear example of how data can be used for crisis management and prevention: anonymised health data relating to the number of Covid-19 cases, hospitalisations, deaths, and vaccinations guided governments’ response plans during the past two years. Other examples include urban traffic data which can be used to determine the appropriate number of buses per hour to best serve commuters along a given line, or the number of e-scooter providers getting a licence. Housing data can determine the caps placed on short-term rentals in a given neighbourhood.
With the Data Act, the Commission plans to facilitate data sharing in such cases; that is, to regulate business-to-government (B2G) data sharing for the public interest. The draft Act presented to the European Commission’s Regulatory Scrutiny Board in October 2021 failed to provide the necessary legal clarity to B2G data sharing. Unresolved issues included the definition of public interest, the specific conditions of access, as well as the method to calculate compensation. In the past three months, the Commission has worked to address these concerns, and in a recent leaked draft appears to have tried to limit mandatory B2G data sharing to cases in which an ‘exceptional need’ exists. Nonetheless, striking the right balance between the interests of public authorities and businesses remains a complex issue, as this blog will show.
What are the obstacles to B2G data sharing?
While businesses recognise the benefits to society of the data they produce and hold, they are often reluctant to share them with public authorities. This is because of the different rules in Member States, which lead the majority of respondents to the Data Act public consultation to note that the relevant legal framework is unclear. As a result, companies have to make significant investments to comply with all the different frameworks, and often to respond to multiple requests from different Member States covering the same datasets.
What is more, government requests often refer to data protected under other legislative frameworks – for example, personal data, trade secrets, or intellectual property (IP) rights. Businesses say that they are not always convinced that governments' requests appropriately balance the public interest against these competing interests, or that these requests include the appropriate safeguards to protect companies from liability. In that regard, further safeguards are needed to ensure that the data shared will be used only for the intended purposes.
Cost can impede B2G data sharing; without the appropriate infrastructure (such as interoperability standards for datasets, application programming interfaces (APIs) to facilitate data sharing processes, security standards to protect data from misuse or attacks) providing, processing, and storing the data requested are additional costs for businesses – often without any incentives to make up for these costs.
B2G requests may refer to datasets that businesses no longer hold, either because the data were irrelevant for business purposes and were never stored, or because they were stored and deleted after a time, or because storing them was too costly.
How can the Data Act offer solutions?
The Data Act aims to address these obstacles and facilitate B2G data sharing through a framework that would bring legal certainty for both businesses and public authorities. In addition to the elements identified in our previous blog, there are several issues specific to B2G data sharing that the Act will need to address.
Defining exceptional need: an obligation for B2G data sharing could either be based on a limited list of specific purposes relating to the public interest (such as environmental protection, emergencies and crisis management, crisis prevention and crisis resilience, and public health) or be mandated only in extraordinary circumstances. In the latest (leaked) draft of the law, the Commission seems to have opted for the latter, allowing public authorities to request data only in cases of ‘exceptional need’. The term refers to public emergencies and to situations where public sector bodies cannot obtain the data they need in a timely manner through enacting new legislation, by means of existing reporting obligations or by buying datasets on the market. Nonetheless, this option could create legal uncertainty for businesses, as it would be up to public authorities to determine when this exceptional need exists. Strict criteria or guidance from the Commission would help clarify this term.
Regular or occasional reporting: B2G data sharing can either take place on a regular basis through reporting obligations or upon request. By definition, in the context of a public emergency or an exceptional need, data sharing can only take place upon request. As such, the Data Act allows room for future sector-specific rules to clarify any obligations for a given sector (such as the long-awaited initiative addressing health data, mobility data spaces, and others), including how and for how long businesses should make their data available to public authorities.
Setting clear conditions of access: in addition to a clear legal basis for government access, the Data Act will put in place the necessary conditions and safeguards to ensure data sharing is proportionate and respects fundamental rights and competing interests. This should include a proportionality test to be applied when imposing an obligation to share data. As a result, businesses would be assured that the data shared is used only for the stated purposes and is protected – to the extent this is possible – from misuse or access by unauthorised third parties.
Striking the right balance: the framework is expected to put in place the necessary safeguards to ensure data privacy and security, as well as the protection of intellectual property rights and trade secrets. Specifically, the Data Act should consider the following rights:
- The role of the General Data Protection Regulation (GDPR) and the ePrivacy Directive should be considered when making requests for personal data. The (leaked) draft of the Act attempts to address this issue by mandating that government requests should focus ‘insofar as possible’ on personal data. This solution, however, might not be enough in itself to ensure the high standard of privacy protection required by the GDPR, as it leaves room for requests that refer to personal data. The Commission, as well as public authorities, will also have to consider the impact of the data minimisation principle which limits the personal data businesses can process and store, and the time they can hold these data. Moreover, as consumers have a right to object to further processing or even request that their data is deleted, data subjects’ rights often influence the data a company can make available to public authorities.
- The impact of the owner’s database rights as well as copyright and other IP rights would have to be reviewed in light of the public interest. It is not by accident after all, that the Data Act will also revise the Database Directive.
- Finally, necessary exceptions or safeguards to protect commercially sensitive information should be included in the framework regarding trade secrets. Additional limitations regarding how long public authorities may use or store the datasets could also alleviate some of these concerns.
Ensuring fair compensation: the EU aims to encourage businesses to share their data with public authorities by offering them monetary and non-monetary incentives. According to its Inception Impact Assessment (IIA), the Data Act could assist in that regard by offering tax incentives, setting up public funds to develop trusted technical tools and recognition schemes for data sharing or compensating businesses that share data with lower prices under a preferential treatment regime. Limiting the Act to cases of exceptional need, however, also limits businesses’ right to compensation. It is worth mentioning here that the Commission would like to exclude data requested in the context of public emergencies from any type of compensation. With regard to other data shared based on exceptional need business can only ask for the costs incurred to comply with the request.
The challenges identified in this blog will be key in the legislative process, as the answers offered by EU legislators will greatly impact how companies conduct business and what risks they face when complying with government access requests. The Commission is now due to publish its proposal by the end of February 2022, and Inline will be following it throughout the European legislative process.
If you have any questions about data policy, or are interested in an informal chat, please contact us at firstname.lastname@example.org
Written by Angeliki Tsanta
Angeliki provides policy analysis and monitoring for clients in the emerging technology sector on the regulation of online platforms, data protection and cybersecurity.