Data Governance Act - Analysis
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52020PC0767&from=EN

Compared with the GDPR and the ePrivacy regulation, the Data Governance Act proposal raises questions on several points:

Re-using data and neutral technology

The proposal must be read alongside existing European regulations, including the GDPR and ePrivacy. These instruments must be complementary, even though we can see relevant divergences.

For example, the Data Governance Act aims to facilitate the process of re-using simple and sensitive data (confidential business data, data covered by statistical or business secrecy, data protected by intellectual property rights held by third parties, and personal data).

However, as far as we know, particular attention is paid at the European level to sensitive data, so it is fundamental to have guarantees on their protection. As soon as large-scale processing of sensitive data is implemented, the process becomes more cumbersome, whatever the purpose is. Facilitating such a process would inevitably undermine the data protection provided by the GDPR.

Moreover, data protection measures must be guaranteed by techniques that ensure privacy protection (pseudonymization, anonymization, etc.) and secure IT environments. However, the Data Governance Act affirms that the entities "should take all reasonable measures" to prevent access to systems in which non-personal data is stored (data encryption and internal security policies), and highly sensitive data such as health data have special conditions.

We can note here that the applicable regulations must be technologically neutral (eIDAS regulation), meaning that a regulation cannot point to one particular technology but only to how the objective is to be reached. Even so, data security is at the heart of current issues. Does the reference to "reasonable" meet a minimum European standard? More specifically, what about respect for the principle of Privacy by Design, which refers to "all technical and organizational measures" to protect data?

Personal and non-personal data

The distinction between personal and non-personal data is interesting at this point. Indeed, there is a "conceptual problem" in recognizing them. The Data Governance Act adds difficulties with the distinction between non-personal and personal data used for public bodies.

Next to this, the GDPR defined personal data and then created a dichotomy between sensitive data and ordinary data. But in the Data Governance Act this difference is not underlined, which can create a lot of problems later on.

Data transfer

The Data Governance Act and the GDPR both have rules on data transfers outside the EU.

In this respect, the European Commission has already drawn up a list of countries that provide an adequate level of protection, and there are appropriate guarantees through contracts (BCR and SCC) to which the Data Governance Act does not refer.

Thus, the Data Governance Act should be more specific on that matter.

Data sharing services

About data sharing services, Peter argues that they will "protect the data controllers because the risk and burden that non-personal data become personal will be probably borne by the data sharing service provider. And not the data users receiving data from that sharing provider."

However, we can assume that the Data Governance Act indirectly reinforces the principle of neutrality of these intermediaries.

About these services, it is also interesting to note a long exclusion list in the Data Governance Act: "cloud service providers, service providers that obtain data from data holders, aggregate, enrich or transform data, and license the resulting data to data users, without establishing a direct relationship between data holders and data users, e.g., advertising or data brokers, data consulting firms, suppliers of data products resulting from the value added to the data by the service provider".

Therefore the Data Governance Act has a more specific list in comparison to the ePrivacy regulation.

It shows that the Data Governance Act wants to be more precise in order to gain efficiency.

Harmonization

The main point of the Data Governance Act is to create a European harmonization of what constitutes a reliable data sharing service.

The Data Governance Act underlines that providers must comply with the GDPR obligations "without prejudice". But is it possible?

In relation to the ePrivacy regulation, the idea is to be sure that the services provided by these intermediaries are well secured and that the consent of the users is collected. So we recommend that the Data Governance Act do the same by establishing reliability standards and well-targeted data governance as a vector of security.

Notification procedure

The Data Governance Act retains a notification procedure in order to declare the intention to be an intermediation service.

It is interesting to see that data governance within the European Union is based on trustworthy data exchange.

In the new logic of empowerment of digital actors, we think that it is a bad thing that the Data Governance Act encourages good will in this procedure, whereas it is an obligation in the GDPR and ePrivacy regulations. Relying on good will may not encourage this notification process, especially when large-scale processing is implemented.

Data altruism

The Data Governance Act promotes data altruism, but it does not respect the GDPR's strict consent conditions. Indeed, data altruism must be based on lawful informed consent. It is a complex notion at a time when regulations require data to be strictly limited and collected in relation to its purpose.

Data altruism should be made conditional on a full information obligation in the Data Governance Act.

The ePrivacy regulation was aimed at the fact that the information provided by online platforms is asymmetric.

Now these platforms are evolving and being regulated, and so this should also be the global dynamic of the Data Governance Act.
