It seems there’s no respite for the data community these days. The COVID-19 pandemic has put data in the spotlight as a key ingredient for effective public response amidst rising concerns around personal data access, protection and privacy. The public debate has rarely been so lively nor data practitioners so busy.
The European Commission’s recent launch of public consultations on the Data Act adds another heated topic to the current debates, with the possibility—among other provisions—of imposing binding rules to give governments access to private-sector data. The Data Act is a legislative proposal by the European Commission that “aims to create a fair data economy by ensuring access to and use of data for legitimate purposes, including in business-to-business and business-to-government [B2G] situations.” Building on the work of the Expert Group on B2G Data Sharing and its 2020 report, the public consultation articulates some of the fundamental questions around government access to business and privately-held data, including:
- In which cases or areas should B2G data-sharing be compulsory? The consultation establishes a long list of possible situations, areas and contexts including: (1) emergencies and crisis management, prevention and resilience, (2) production of official statistics, (3) protecting the environment, (4) promoting a healthier society, (5) providing better public education services, (6) fostering an inclusive society and (7) evidence-based public service delivery and policymaking. This list of use cases requires accessing data from a range of private sector players such as Mobile Network Operators for mobility data, retailers for consumer statistics, manufacturers for emissions data, companies for employment data, etc.
- Should the public sector have to pay to access privately-held data? And if so, how much? The proposal includes a range of cost model options to compensate the private sector for providing data to the public sector: (a) for free, (b) at market prices, (c) at marginal cost (corresponding to the cost of production and a cost-recovery model for the private sector), (d) at a preferential rate at or below market price or (e) at differing costs (including at no cost) depending on circumstances.
- Which safeguards should protect the private sector when sharing data? Safeguards might invoke special rules for commercially sensitive information, set criteria for proportionality and reasonableness of data-sharing requests, oblige public authorities to report transparently on the use of data, and limit public sector data usage and data sharing, among other options.
To European legislators, the notion of “clear public interest” is the cornerstone of B2G data-sharing and the justification for imposing obligations on businesses. This idea comes from the work of the Expert Group on B2G Data Sharing. However, the expert group has highlighted that, “while ‘public interest’ broadly refers to the welfare of individuals in society, its exact boundaries remain largely undefined, being heavily dependent on socioeconomic, cultural and historical factors.” Furthermore, as noted in recent legal research, “governments are free to define public interest and designate public tasks accordingly.” This is why it is extremely difficult to identify which use cases justify obliging businesses to share data. Balancing private and public interests in a rule of law context is the biggest challenge to establishing this legislation in Europe.
Takeaways for other countries
That the European Union is considering obliging businesses to share data with the public sector through legislation provides food for thought to other countries struggling to gain access to privately-held data. Paradoxically, it would be easier to adopt similar legislative measures in countries where the rule of law is weaker and where—in the relationship between public and private stakeholders—the public sector has the upper hand.
Because this example could lead other nations to adopt similar policies, it’s important to debate and learn from the European experience. The public consultation will be open until September, and the European Commission’s analysis of the responses and concrete policy options will follow later in the year. Nonetheless, it's not premature to identify a few takeaways and considerations of potential help to countries weighing similar decisions:
- Public vs. private interest trade-offs: As the notion of ‘public interest’ is the starting point for B2G regulatory initiative in Europe, its meaning will vary a lot across countries, situations and cultures. If not balanced against private interests, the concept of public interest can lead to regulations encompassing the vast majority of private-sector data. It is important for governments to draw a line between 'must have' and 'nice to have' datasets from a public interest perspective. Such definitions should include objective proportionality tests to determine whether data requests are valid. Civil society and non-governmental organizations can help governments to establish such boundaries and should be included in debates on the balance between public and private interests.
- Compensation for private companies: Compensation in exchange for access to private-sector datasets is not taboo. Reality is complex: While some situations might necessitate the free provision of data (i.e. for emergency response in the context of data for development) other use cases may call for access at marginal cost or even at market price. The level of compensation depends on the relevance of the datasets to the public interest, the public sector’s available resources, the urgency of the situation and the time horizon of the data-sharing initiative. For instance, one-off data-sharing for emergency response might be appropriate on a pro bono basis, but sustainable and regular data-sharing for the production of statistics might require a cost-neutral approach for businesses.
- Safeguards to prevent abuse: Safeguards must ensure that the public sector does not abuse its privileges of access to business data. Such safeguards are important not only for businesses but also for citizens and consumers. People may entrust their personal mobile data to telecommunications operators, but not—as the COVID-19 crisis has shown—to the public sector for a variety of reasons. Public sector use of private data should therefore be framed as a set of rules to allow both business and private citizens to appeal and defend their interests.
These takeaways provide initial food for thought to non-European Union countries and development practitioners working on public-private data-sharing agreements. The outcome of the public consultation and the release of the text of the Data Act will shed further light on where European legislators will land in imposing obligations on the private sector.
A balance in Europe between public and private interests may not fit the needs of low and middle-income countries. Nonetheless, the key concepts and guiding questions posed in the European debate will foster dialogue across regions and may lead to the emergence of a new General Data Protection Regulation situation in which a number of countries follow the European Union’s lead.