Privacy & Information Security Law Blog

On February 5, 2020, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the European Commission’s (the “Commission’s”) public consultation on the Commission’s Proposal for a Regulation on European Data Governance (the “Data Governance Act,” or “DGA”). This proposal is the first set of initiatives announced under the broader European Data Strategy.

The Commission first released a draft of the DGA on November 25, 2020. The proposed regulation aims to increase trust in the data sharing ecosystem and promote data availability. The three primary objectives are to (1) promote the re-use of certain categories of public sector data; (2) create requirements applicable to data sharing services; and (3) create a framework for data altruism organizations. The proposal also would create a new expert group, the European Data Innovation Board (“EDIB”), which would work with the European Data Protection Board (“EDPB”) on a number of tasks, including promoting best practices in data sharing.

CIPL welcomed the opportunity to respond to the proposed regulation and agrees with the goals of the DGA, as data availability and data sharing are foundational to a data-driven economy. CIPL’s response to the Consultation includes specific comments regarding the DGA, as well as broadly applicable comments for future proposals on European data spaces, high-value datasets or the future Data Act. The DGA and upcoming initiatives provide an important opportunity to further promote a principles-driven, risk-based and accountable approach to data sharing and related initiatives.

CIPL’s key recommendations to the Commission are to:

• Include organizational accountability as a building block of the DGA and upcoming initiatives of the European data strategy, supported by a light-touch, principles-based and agile regulatory approach to data sharing;
• Integrate a risk-based approach to data sharing to properly balance benefits, risks and reticence risks to data sharing and to apply the relevant mitigations;
• Enable trust across the entire data sharing ecosystem, including data providers, intermediaries and recipients, whether public or private entities;
• Enable the co-design by regulators and industry of a consistent governance framework for accountable data sharing;
• Promote regulatory sandboxes to enable responsible data sharing and innovation through experimentation in consultation with regulators;
• Clarify the relationship between the DGA and the GDPR and provide that Data Protection Authorities (DPAs) are the sole regulators responsible for matters regarding personal data;
• Avoid overreliance on consent to the detriment of other available legal bases and the statistical and research exemptions under the GDPR;
• Ensure a simple, agile and harmonized approach to request access to datasets and sharing processes across EU Member States;
• Clarify the international data transfer toolkit for non-personal data, giving consideration to the GDPR experience for personal data transfers to third countries;
• Enable the use of cloud services to promote data sharing while still providing a secure processing environment;

• Create a level playing field within and beyond the different mechanisms and approaches to data sharing to enable both new players and incumbents to innovate and compete; and
• Recognize and support the already-existing mechanisms in place that enable organizations to share data in an accountable way for socially beneficial purposes and in the public interest.

Download CIPL’s full response to the Consultation.