Key lessons from the EU Data Act proposal
This is the fourth in a series of posts on data-sharing between public and private sectors. Last summer, we wrote about how governments can gain access to data from phone companies, the identity crisis of Mobile Network Operators, and the European debate on public sector access to privately held data.
From “clear public interest” to “exceptional need”
A breakthrough in government's access to privately-held data happened last month in Europe with the publication of the long awaited Data Act proposal. This represents the first large-scale attempt to establish cross-sectoral legislation granting public sector access rights to data collected and held by private companies. The rules contain provisions aimed at giving users more control over the data they generate and unlocking access to such data for the benefit of society.
I wrote last summer that, to formulate this proposal, the European Commission needed first to clarify and define the notion of “clear public interest,” which at the time was the key justification for establishing these new access rights. Since then, the debate has evolved considerably as a result of governments’ need to access privately-held data during the pandemic.
The COVID-19 crisis highlighted the public sector’s need to rapidly access private sector datasets for emergency response. Before the pandemic, “emergencies and crisis management” was only one of many possible cases for establishing compulsory business-to-government data sharing; the other cases concerned policy domains in which there is generally less sense of urgency and which are not triggered by exceptional circumstances. The open consultation on the Data Act, for instance, showed stakeholders’ support for establishing public sector access rights in areas considered “business as usual” by governments, such as environmental protection and production of official statistics. However, the European Commission decided to put the concept of “exceptionality” at the core of its new Data Act proposal. The final text establishes that “a (private) data holder shall make data available to a public sector body or to a Union institution, agency or body demonstrating an exceptional need to use the data requested.” According to the Data Act, the notion of exceptional need refers to three specific situations:
- Public emergency response (i.e. public health emergencies or major natural or human-induced disasters);
- Public emergency prevention or recovery;
- Situations involving an “exceptional need” in which lack of data prevents the public sector from fulfilling a specific task in the public interest, and the necessary data cannot be purchased on the market or would otherwise require a burdensome process to access.
The newest proposal treats these three situations differently. Data to respond to a public emergency shall be provided for free. In the other two cases, compensation for the data holder is limited to the marginal cost of providing the data. By differentiating among these scenarios, the Data Act acknowledges that there is a balance to be drawn between public and private interests and that governments should distinguish between 'must have' and 'nice to have' datasets.
While the Data Act is only at the proposal stage, all eyes are on this text as private data holders anticipate the consequences on business operations and public sector authorities look forward to exercising these new data access rights.
Stakeholders from outside Europe are also following these developments with interest; as with the General Data Protection Regulation (GDPR), other governments are likely to emulate the EU approach. At this stage, four key aspects of the Data Act are relevant to the global debate:
- In situations in which the private sector can charge to provide data under the Data Act, the proposal establishes that the price should not exceed the costs incurred by businesses to comply with their requests (i.e. costs for cleaning datasets, anonymizing data). Furthermore, companies must be able to explain their prices. This means that companies that receive requests from the public sector which fall under the Data Act (that is to say, are justified in terms of the standard of exceptional need), their ability to set prices for access to their datasets will be externally constrained and necessarily transparent.
- In limited situations, private data holders can reject requests to share data with the public sector. This applies specifically in situations in which the requested data is unavailable or has already been shared with another public sector body. In the latter case, government agencies must coordinate to share data with each other instead of multiplying requests to data holders.
- The public sector must ensure that data requests are necessary, legitimate, and proportionate. Importantly, the public body making the request must specify what data is needed, why there is an exceptional need, how the data will be used, for how long, etc. Furthermore, the public sector should limit its requests for non personal data, i.e. "any information that relates to an identified or identifiable living individual,” according to categories established by the EU’s General Data Protection Regulation (GDPR) These safeguards are intended to prevent the public sector from abusing this new data access right.
- Data obtained by the public sector through the Data Act can be shared with research institutions and national statistical offices for broader research and analytics activities—as long as they are compatible with the purpose for which the data was originally requested. Through the Data Act, these actors therefore gain new direct (through data requests) and indirect (through secondary data sharing) avenues for accessing privately held data.
Potential consequences of the Data Act
In fact, most private data holders already provide datasets for free for emergency response. Mobile Network Operators, for example, reached such agreements with governments during COVID-19. But other cases, such as the production of official statistics, are still seen as business opportunities for selling data. The suggested rules on pricing will affect the revenue data holders generate and change their relationships with governments from a business to a compliance approach.
On the government side, the requirement that public authorities ask for specific datasets only once will likely strengthen internal collaboration and rules and approaches for internal data sharing across agencies and institutions. Enhanced collaboration may lead to the emergence of public sector data stewards in charge of managing relationships with private sector data providers and through whom requests can be channeled.
The following months will show the extent to which legislators within the European Parliament and Council see eye-to-eye with the European Commission on how to govern public sector access to privately held data. They could still substantially modify this proposal and suggest alternative approaches. Surely, the private sector will intensively lobby these legislators to modify the provisions on pricing and lighten the obligations on them. The European debate around public sector access to privately held data is therefore far from being closed. Interesting negotiations are about to start.