As part of my fellowship at the Datasphere Initiative, I attempt to explore the impact of legislative developments at the European level on the concept of the Datasphere — the complex system encompassing all types of data and their dynamic interactions with human groups and norms.¹ Specifically, in this blogpost, I am focusing on the recently approved European Union (EU) Data Governance Act and its extraterritorial impact on the emergence of global data governance regimes.
On November 30th, 2021, Brussels set the bar high once again for data governance legislation: the European Parliament and the Council of Ministers found provisional agreement on the final version of the Data Governance Act (DGA).² And this happened within only a year of the European Commission’s initial publication of the proposal, a remarkable achievement which once again confirms the EU’s trendsetting role in the field as well as its commitment to data regulation.
As the first stepping stone of the European strategy for data, the DGA provides “a novel European way of data governance” by developing a blueprint for public sector bodies and private companies to engage in data sharing, both for personal and non-personal data.³ Not only that, the measure is characterized by a strong extraterritorial focus as it introduces new safeguards against unlawful cross-border transfer — as discussed below — and government access to non-personal data.
As such, the DGA seems to posit “a tale of two cities” scenario for global data governance as it bears contrasting effects on the Datasphere — an inherent dualism which is reflected in the internal and external consequences sparked by the new Regulation. On the one hand, the measure introduces provisions that encourage internal data sharing to increase the value derived from society-wide access to data between Member States. On the other hand, the new rules pose significant challenges to the cross-border exchange of non-personal data with the rest of the world, therefore reducing third countries’ access to knowledge and information held in Europe.
Internal sharing within the EU
The main changes to internal sharing within the EU introduced by the DGA can be largely summarized around four points.
First, the DGA targets public sector bodies in making data available for wider reuse by society. By upgrading the 2019 Open Data Directive, the new rules apply to “sensible information” held by public bodies, which includes personal data as well as information protected by intellectual property and trade secrets.⁴ On this matter, the DGA relegates exclusive agreements between public and private bodies to situations where sharing fulfils a purpose of general interest, and for a maximum period of 12 months. In addition, public sector bodies can charge access fees at discounted rates or at no cost for small and medium enterprises (SMEs), civil society organizations and educational institutions acting for noncommercial and scientific purposes.
Second, the Regulation develops a new framework — “data intermediation services” — for companies and individuals to engage in data sharing in a secure environment. This framework, based on the creation of a trusted and independent intermediary, aims to facilitate data sharing between data subjects and data holders, on the one hand, and data users, on the other hand. To ensure that the shared data is not used by entities providing the intermediary services themselves, the measure introduces structural separation requirements, which oblige intermediaries to be structurally separated from any commercial activity other than offering intermediation services. On this point, the DGA also recognizes “data cooperatives” as a services intermediary, and thus empowers individuals and SMEs to choose whether to use intermediaries instead of allowing large corporations to access and use their data. By doing this, the DGA empowers users’ GDPR rights. In addition, with this blueprint, the DGA paves the way for the development of data stewardship models rooted in the collective exercise of users’ rights.
Third, the DGA introduces a new concept based on the idea of voluntary sharing for the common good by data subjects and data holders: “data altruism in the general interest”. This is applicable for interests related to health care, combating climate change, improving mobility, facilitating the establishment of official statistics, improving public services, public policy making, or scientific research in the general interest. Data altruism will be implemented through “data altruism organizations”, namely data pools administered by entities of not-for-profit nature which will be subject to transparency and structural separation requirements akin to those falling on data intermediation services. Data altruism organizations require the appointment of a legal representative in one of the Member States where data collection takes place, but need not necessarily be established in the EU.
Finally, with the new Act, the EU also defines the mandate of a new body: the European Data Innovation Board (EDIB). Accordingly, the EDIB will be tasked primarily with the monitoring of common data spaces in Europe, but will also advise the European Commission on a variety of areas covered by the DGA, including interoperability standards for data intermediation services, the protection of non-personal data, and higher cybersecurity standards for data sharing. The EDIB will take the configuration of a multistakeholder body, bringing together representatives from civil society, industry, national authorities as well as technical experts to support the uniformity of portability and interoperability standards.
External sharing with the EU
On the external dimension of data sharing, the DGA introduces new standards aimed at combating unlawful cross-border transfer and government access to non-personal data held by public sector authorities, data intermediation services, and data altruism organizations. Specifically, through a combination of implementing and delegated acts, the European Commission may declare the adequacy of third countries’ legal regimes vis-à-vis the EU in providing appropriate safeguards to non-personal data. Likewise, the European Commission is entitled to develop model contractual clauses to assist public sector bodies and re-users in the cross-border transfer of sensible non-personal data.
With these new rules, the DGA effectively aligns its international transfer regime of non-personal data with the one of personal data initially defined by the GDPR, and later complemented by the Schrems I⁵ & II jurisprudence.⁶ And this happened once again through Brussels’ preferred tool of external influence to project its geopolitical ambitions in the digital field: internal market regulation. By means of the Brussels Effect first described by Anu Bradford, the EU is with the DGA once more influencing markets’ and states’ conduct worldwide in the digital field. And it is doing so by implicitly translating its digital sovereignty ambitions into a new internal market structure for data which bears significant extraterritorial effects.⁷ And while there is nothing wrong with setting the bar high to regulate a free digital market which has recurrently caused significant harm to consumers, criticism can be raised in light of the external consequences of these policies. These in fact reveal a Janus-faced role of the EU in international data regulation debates.
On the one hand, the EU portrays itself as a normative and value-based multilateral actor which first and foremost aims at protecting at all costs its citizens’ data from outright exploitation by governments and companies worldwide. On the other hand, the new rules introduced by the DGA reflect a unilateral approach to international cooperation based on adequacy decisions where Brussels de facto owns a privileged channel to its non-personal “European data”. In other words, as Antonio Casilli puts it, “one country’s digital sovereignty is another country’s digital colonialism”.
Although Thierry Breton has so far been explicit about the EU’s ambition to become a global powerhouse in the digital field with industrial data, the EU is silently setting up another global gold standard of data protection by making sure that “European data will be used for European companies in priority, for us to create value in Europe”.⁸ And while O’Hara and Hall have described the “Brussels Bourgeois” vision of the Internet as rooted in the protection of individual liberty and civility through the anticipation and neutralization of harm, the DGA seems to suggest a new geoeconomic role for the EU in global data governance discussions.⁹ Namely, a position aimed at influencing global markets through a complex set of data protection standards which smartly camouflage its geopolitical ambitions in the field.
A second episode of the European tale?
With the rules newly adopted by Brussels in the digital field, Luciano Floridi has recently argued that the EU is slowly building up a “legislative square” of a digital constitutionalist nature.¹⁰ With the approval of the DGA, it is clear that this order will bear a strong extraterritorial impact, given the strong effect of the measure on non-personal data flows.
But this might not be the only legislative initiative in the field from Brussels. The EU has recently proposed another key measure as part of its European strategy for data — the Data Act — which will also bear a strong focus on the protection of non-personal data in cross-border situations.¹¹ This seems to suggest once again a tale of two cities scenario where the EU is, on the one hand, capitalizing on the economic value derived from internal data sharing while, on the other hand, it is leveraging its global position as a trendsetter in digital regulation. The following blogpost will indeed be dealing with the Data Act and its impact on the Datasphere and global data governance in general.
¹De La Chapelle, B. and L. Porciuncula (2021), “Hello Datasphere”, Datasphere Initiative Medium, https://medium.com/@thedatasphere/hello-datasphere-towards-a-systems-approach-to-data-governance-d602f96c9e1d
²Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52020PC0767
³European strategy for data (2020). https://digital-strategy.ec.europa.eu/en/policies/strategy-data
⁴Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information. https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1561563110433&uri=CELEX:32019L1024
⁵Judgment of the Court (Grand Chamber) of 6 October 2015 Maximillian Schrems v Data Protection Commissioner. C-362/14 — Schrems. https://curia.europa.eu/juris/liste.jsf?num=C-362/14
⁶Judgment of the Court (Grand Chamber) of 16 July 2020 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. C-311/18 — Facebook Ireland and Schrems. https://curia.europa.eu/juris/liste.jsf?num=C-311/18
⁷Bradford, A. (2020) The Brussels Effect: How the European Union Rules the World. New York: Oxford University Press. doi:10.1093/oso/9780190088583.001.0001.
⁸POLITICO (2020) ‘Thierry Breton: European companies must be ones profiting from European data’, POLITICO, 19 January. Available at: https://www.politico.eu/article/thierry-breton-european-companies-must-be-ones-profiting-from-european-data/ (Accessed: 28 March 2022).
⁹O’Hara, K. (2021) ‘The Second Internet: The Brussels Bourgeois Internet’, in Four Internets. New York: Oxford University Press. doi:10.1093/oso/9780197523681.003.0007.
¹⁰Floridi, L. (2021) The European Legislation on AI: A Brief Analysis of its Philosophical Approach. SSRN Scholarly Paper ID 3873273. Rochester, NY: Social Science Research Network. doi:10.2139/ssrn.3873273.
¹¹Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act). https://digital-strategy.ec.europa.eu/en/library/data-act-proposal-regulation-harmonised-rules-fair-access-and-use-data