Hogan Lovells 2024 Election Impact and Congressional Outlook Report
In Europe, the current conditions for sharing data between companies are so complicated that the potential of the industry is not fully exploited. This results in the loss of competitiveness of the European industry compared to other jurisdictions where data sharing is much simpler. With the Data Governance Act, which shall apply from September 2023, the European Union has taken corrective actions by creating a legal framework for data sharing. One interesting option provided by this Act is the regulation of data pools.
The Data Governance Act (DGA) aims at creating an EU single market for data (personal or otherwise) including a new strategy for data sharing through data intermediation service providers. The latter should strengthen the reliability of European common data spaces and allow stakeholders to share data more easily through these intermediaries that could act as a “data marketplace” or trusted third parties. This new approach is based on neutrality and transparency while leaving companies and individuals in control of their own data.
Data pools are centralized spaces where commercial partners may share, obtain and/or maintain data, which may be useful within commercial relationships involving several companies feeding the same data pool with their own data (e.g. to reduce costs), for the same or other companies to access and make use of this information within predetermined conditions.
Undoubtedly, this new system offers many possibilities for industries - such as algorithm training, machine learning, process optimization, new product development, research and development initiatives, etc.
Participants of the data pool will be able to decide which data to share, who will be allowed to access the data and under which conditions, taking into account the rules and technical conditions of the data intermediation services (and other regulations, like competition laws). Sharing of data could be multilateral for data participants, or be opened for third parties wanting to access that data, for “the joint or individual use of such data”.
One of the goals of data pools under the DGA is promoting the sharing of information and the creation of European data spaces or data markets that will benefit industry and research. One option for these data pools is the open and available access by any interested party on equal terms (e.g. through licensing
Data pools shall not necessarily be accessed for free. Participants, through this mechanism, will be able to receive "royalties” or “compensation” for their contribution, which is an incentive for the creation of data spaces.
Other types of data pools that are not covered by the DGA are not necessarily prohibited but will not follow this new legal framework. Besides, data pools and data intermediation services, are different from cloud or analytics services, data sharing software, web browsers or email services, which are not under the umbrella of the DGA. Such services only provide technical tools for companies to share data with others and/or do not aim to establish a commercial relationship between data holders and data users.
What data can be shared in data pools? All data that companies have the right to communicate to third parties, with certain limited exceptions, such as copyrighted content. In other words, any non-personal data can feed the data pools provided it is not protected by sectorial laws (e.g., trade secrets, IP, etc.).
As for personal data, it can be shared as long as this sharing complies with the General Data Protection Regulation (“GDPR”). In this context, the use of anonymisation or pseudonymisation could make it easier to share personal data in pools in compliance with the GDPR. In any case, as long as data remains personal data, pools must allow data subjects to exercise their data protection rights.
Information shared in data pool should not be enriched or modified by the intermediation service provider. It should be offered as provided by the participants, with some format adaptation for harmonisation standards or improved interoperability.
Data pools must be managed by a new stakeholder defined in the DGA: the data intermediation service provider. Data intermediation service is defined as,
“a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other”.
This new role providing intermediation services for data sharing will bring business opportunities for technology companies. The data intermediation services allow the interconnection between the participants of the pool with the data users, and will need to ensure that data security and that the principles of DGA are observed.
Data intermediation service providers face a very strict regime and should comply with strict conditions. They must be neutral and consider the companies and entities using the pools in a fair and transparent manner, and ensure that prices are not discriminatory. Within the framework of their data intermediation activity, they may not be subject to a conflict of interest, nor use and process the pool data (not even the metadata collected in the framework of the provision of their services) for purposes other than that of offering the data to the companies that are users of the data pool. They may not use the pool data for their own purposes. In addition, they must ensure the security of their services and provide procedures to prevent fraudulent practices. Finally, the data intermediation services provider “shall maintain a log recording all data intermediation activity”.
Their activity is subject to prior notification to the competent authority appointed by each Member State. Such authority could either be created per se to that effect, or be managed by existing authorities such as the data protection authority, the competition authority or any other public authority. The appropriate authority will have to be chosen by September 24, 2023.
In any case, when several companies agree on the creation of a data pool, the governance and compliance model is key. Clear definition from the beginning of the project of the controls, who carries them out and how they are reviewed and updated is essential.
The DGA will apply as of September 24, 2023, so companies that want to take the lead in becoming intermediaries need to start planning without delay, as the conditions for activity reporting and the requirements for becoming an intermediary are quite arduous.
All in all, the fact that the rules for data pools are recognized in an EU regulation is a positive development. It provides legal certainty to companies wishing to provide or obtain data and the certainty that by complying with this regulation (and, as the case may be, others that could apply such as GDPR or competitions laws), this data exchange is legal. It will be interesting to see how this regulation interacts with other regulations that are already appearing on the horizon in certain sectors, such as the Regulation to create the European Health Data Space.
Authored by Juan Ramón Robles, Anais Ligot, Joanna Rozanska, Remy Schlich, Josephine Beaufour and Leanne Fortuna.