MyData Global response to Data Governance Act, Feb 8th 2021
We congratulate the European Commission teams who have been working hard on the Data Governance Act proposal. It is not an easy task to bring forward a groundbreaking regulation. We welcome the regulation as a needed common ground for clarifying the role of data intermediaries, building trust in these intermediaries and setting the direction for data governance, similar to what GDPR did for data protection. We believe that the Data Governance Act can influence global norms on sustainable data governance in the same way as the GDPR pushed the data protection norms beyond the EU.
MyData is a human-centric approach to personal data that combines industry needs for data with digital human rights. The European Data Strategy recognises MyData as one of the movements that ‘promise significant benefits to individuals, including to their health and wellness, better personal finances, reduced environmental footprint, hassle-free access to public and private services and greater oversight and transparency over their personal data’.
MyData Global operates a self-regulatory process for intermediary services focusing on human-centric personal data. In 2020, 27 organisations providing intermediary services from 15 countries were awarded the status of MyData operator. In our interpretation, MyData operators are within the scope of the Chapter iii requirements applicable to data sharing services, and operators can also provide infrastructure for the data altruism organisations.
We comment on the Data Governance Act primarily from the perspective of MyData operators. Many members of MyData participated in open deliberation to draft this commentary. Still, it should not be considered comprehensively representative. Several MyData operators and other stakeholders in the MyData community may have also submitted their comments.
MyData Global focuses on personal data, but we welcome the approach that looks at personal data and non-personal data side-by-side. We consider it fundamentally important to embrace a deep understanding of personal data and non-personal data when developing common European data spaces and the related regulatory frameworks and governance structures.
Personal and non-personal data have many similarities, and in practice, most organisations need to manage both. One principle level similarity is that both people and organisations should have the capability of being self-determining (sovereign) concerning data about them. In the case of people and personal data, we advocate that the individuals must have the possibility of being active participants in data transactions and have real agency in determining how their data is used. We also strongly recommend that data should be managed in the same way across sectors to ensure cross-sectorial fertilisation and standardisation of data practices.
We look forward to the final regulation to be firm in setting the direction towards human-centricity and interoperability while at the same time leaving space for innovation around how different stakeholders implement these objectives.
Our top picks for potential improvements are:
- Explicitly include individuals as active participants in the definitions: define the key roles in data sharing (Art. 2 Definitions) so that data rights holders (data subject) and technical data holders (controller or processor) can be separated and acknowledge the type of data sharing where individuals are active participants in the transactions
- Clear and comprehensive scope: clarify the scope of the data sharing services (Art. 9 (2)) and extend it to include services that empower the data subject beyond compliance
- Moderate requirements: set the obligations placed on intermediaries at a level that maximises overall impact and encourages growth and innovation
- Interoperability between the data sharing services: address explicitly in the regulation the interconnectivity of the data sharing services
We comment on these in more detail and suggest specific amendments in the attached position paper.
1. Explicitly include individuals as active participants in the definitions
There seems to be no differentiation between the individual and organisation as a data holder, and there is no differentiation of technical data holder (data guardian) and the data rights holder. Data sharing is defined as a transaction between two primary parties: data holder and data user. In many cases, three or more primary parties are involved in the transaction:
- An organisation that technically holds the data and may also hold some rights over the data (technical data holder),
- Individual(s) that hold personal data rights,
- A data using service which receives the personal data and gains the rights required to process the data (data access is granted for specific purposes).
The Data Governance Act must acknowledge the type of data sharing, where individuals are active participants. If that is not the case, the regulation may unintentionally exclude some existing data sharing services and discourage further development of solutions where people are active participants in data sharing transactions between data sources and data users.
There is a precedence of challenges following the regulation that does not explicitly recognise the active role of the individuals in data sharing:
The Australian Government has introduced a consumer data right (CDR) to give consumers greater access to and control over their data. It also recognises only data holders and data users with no mechanism for individuals to exercise participation directly. Since the introduction of CDR, the Australian regulators have realised that there needs to be a mechanism for citizens to be included. They have now commissioned a new body of work for a policy or regulation around consent.
Data holder (Art. 2 (5))
The definition of ‘data holder’ reads ‘a legal person or data subject who, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal or non-personal data under its control’.
This definition has two issues:
- Data rights are not naturally always held by one entity only. Typically, the technical data holder has some rights over the data and individual(s) have other (personal) data rights over the same data.
- Data rights holders do not always have the actual control over the data, and the right to grant access to data might be held by more than one entity. In the case of personal data, the data subject holds personal data rights and is the principal actor in the data sharing transactions. Still, typically the technical data holder has the technical means to control the data flow and is also a necessary participant in the data transactions.
‘Data holder’ as currently in the draft would probably be more precise as the ‘data rights holder‘, especially considering the statement in Art 2 (8) that data access ”does not necessarily imply the transfer or download of such data”.
In addition to the ‘data rights holder’, the role of the ‘technical data holder’ should be made explicit with a definition in Article 2.
Data sharing (Art. 2 (7))
One of the most significant sources of confusion is that the regulation uses all of the following seemingly similar terms without defining any one of them precisely:
data sharing providers, data-sharing service providers, data sharing services, data intermediaries, personal data-sharing intermediary, data sharing intermediaries, trusted data intermediaries, intermediation services
Only the act of ‘data sharing’ is defined in Art 2. It seems that data sharing is a broader concept, while the critical part of the regulation in Art 9 only focuses on data sharing that happens via intermediation services (which are a subset of data sharing services?). We strongly recommend to harmonise terminology and define remaining terms explicitly in Art 2.
The definition of ‘data sharing’ reads: “the provision by a data holder of data to a data user for the purpose of joint or individual use of the shared data, based on voluntary agreements, directly or through an intermediary”.
(7) ‘data sharing’ means the provision of data by data rights holders and technical data holders to a data user for the purpose of joint or individual use of the shared data, based on voluntary agreements, directly or through an intermediary;
Add a new definition for data intermediary and data sharing service provider
2. Clear and comprehensive scope
The impact assessment section explains that the mandatory notification procedure for the data sharing services that the EU commission proposes is an intermediate solution between voluntary labelling (lower intensity regulatory intervention) and compulsory certification (higher intensity intervention). We fully support the intermediate approach that has the advantages of a compulsory regime, while limiting the market players’ regulatory burden.
We are pondering the status of data intermediaries not falling under Art 9(1). Are they henceforth ‘prohibited’ by the regulation or simply not subject to the notification procedure and compliance requirements? Under the second interpretation, intermediaries outside that framework are likely to be considered ‘less trustworthy’. Assuming the second interpretation as most likely, this may affect two markets developing in parallel under different legal frameworks. Too narrow scoping might inadvertently weaken the competitive position of those ‘more trustworthy’ data sharing services that the regulation is supposed to be helping. The regulation may also become a ‘paper tiger’ if most of the actual data sharing services fall outside its scope.
The scope of the regulation should capture the relevant existing and foreseen data sharing services. Comprehensive coverage creates a level playing field for different types of data sharing services. Under this new regulation, a critical mass of services would be needed to shift the European data economy to the state where transparent, interoperable and ethical data practices are the norm.
In our view, the definition of data sharing services in the regulation scope should be exact, and the possible scope-limiting exemptions should be minimised and clearly defined in the articles instead of the recitals. Furthermore, as the notification procedure is compulsory, then the enforcement and sanctioning should be made clear also in cases data sharing service does not submit a notification.
Providers of data sharing services (Art 9. (1))
Article 9 (1) defines the data sharing services subject to a notification procedure. The clause describes three classes of such services and, as written, makes no clear distinction between personal and non-personal data.
The clause relies on non-defined terms ‘data sharing service’ and ‘intermediation service’ and uses the problematic definition of data holder from Article 2. Therefore, it’s close to impossible to interpret when it comes to typical personal data transactions where three parties are involved: 1) a person, 2) original data controller and 3) new potential data using service.
In the definition of the first class of services (a), natural persons are excluded and may be interpreted that this class would not cover at all personal data. Part of the challenge with 9.1.a is that it focuses on bi-party transactions involving an organisation (legal person) on the data providing side – this is viable for non-personal data, but not for personal data. When working with personal data, the GDPR gives rights to individuals – these are not currently captured in 9.1.a if it used to transact personal data. This problem loops back to the Art 2 definitions that are missing the role of individuals in the data transactions.
If the intention is to exclude personal data from the first class of services, it should be made explicit in the text to avoid confusion. Similar functionalities described by 9.1.a would also be needed for personal data; therefore, a new class for personal data should be defined. This class would cover intermediation services that support data subjects to make personal data available to potential data users.
The definition of services in the class (b) is very narrow as it is tied only to the cases where the data subject exercises rights provided by the GDPR. The definition should be expanded to include services that empower the data subject beyond GDPR compliance. It must be clear that where the individual can select a data sharing service, they have a real choice and that ‘technical data holders’ recognise them as the legitimate representative of the individual.
While there may be risks of expanding these definitions, the idea that there could be data sharing services outside the regulation because they do not include GDPR compliance is undoubtedly a much greater risk.
Art 9 (1) (a) should be made explicit to non-personal data over which a legal person has exclusive rights
Art 9 (1) (b) intermediation services between data subjects that seek to make their personal data available and potential data users, including making available the technical or other means to enable such services, including in the exercise of the rights provided in Regulation (EU) 2016/679 and in coordinating other personal data services;
An additional class to be added to Art 9 (1):
intermediation services aimed at supporting data subjects to make available personal data, stored by one or multiple technical data holders, to potential data users, and the establishment of specific infrastructure for the interconnection of data rights holders, technical data holders and data users.
Exemptions from the scope (Recital 22)
Recital 22 currently contains numerous exemptions that are defined widely and vaguely. The actual articles do not reflect the exemptions mentioned in the recital. Out of the many suggested exemptions in recital 22, the following three in their current formulation are most problematic:
… only cover providers of data sharing services that have as a main objective the establishment of a business, a legal and potentially also technical relation between …
- The formulation of ‘only cover’ creates ambiguity in interpretation — it would be better to define the scope by precise characteristics and then set exemptions of particular activities if needed.
- It is hard for the authorities to define ‘main objective’ and very easy for the data sharing services to claim that their main objective is something else.
… only cover services aiming at intermediating between an indefinite number of data holders and data users, excluding data sharing services that are meant to be used by a closed group of data holders and users.
- ‘only cover’ → see above.
- It is hard for the authorities to define ‘indefinite number’ and very easy for the data sharing services to claim that their target customer group is not indefinite (for example offering services only particular region)
- The latter part of the sentence suffices if the closed groups of data holders must be excluded from the scope.
Providers of cloud services should be excluded …
- Most of the modern web services, including the data sharing services, are cloud-based.
We recommend re-writing recital 22 in a way that only justifies why some forms of data sharing are exempt from this regulation. The exemptions should be limited in number and scope and clearly specified in Art. 9 so that they become normative.
Monitoring of compliance (Art 13.)
Art 9. reads ‘The provision of the following data sharing services shall be subject to a notification procedure’. We understand that the Commission intends to make the regulation compulsory to all services in the scope. However, the intent falls short as there is no mention of enforcement mechanisms nor sanctions in the case if a data sharing service does not submit a notification.
Modify the paragraph (2)) of Art 13 so that it also addresses the cases where the provider of a data sharing service does not submit a notification. Suggested modifications are with red text below:
Art (13) (2) The competent authority shall have the power to request from providers of data sharing services all the information that is necessary to verify if the service falls in the scope of Article 9 and to verify compliance with the requirements laid down in Articles 10 and 11. Any request for information shall be proportionate to the performance of the task and shall be reasoned.
3. Moderate requirements
While we support the broad scope and mandatory nature of the regulation, we also ask to consider carefully what compliance requirements to include. The Data Governance Act will be regulating a market that is in its very early stages, with many cycles of innovation to come. Thus, the regulation will have a strong influence on the nascent market. It can help the market formation if it builds a framework for trustworthiness as intended. Still, there is also a significant risk of unintended consequences – for example, setting in law specific structures may inhibit innovation in the development of alternatives.
In their responses to this consultation, many stakeholders generally seem to support the new regulation. Still, they suggest that the type of data sharing activity they are involved with should be excluded from the scope. This tendency to wish for exclusion is understandable as often regulation causes more costs than benefits for regulated. We see this differently and believe that the Data Governance Act’s scope and compliance requirements could be formulated so that it is beneficial for the data sharing services to be governed by a common regulation.
We have paid attention to the questions of permissible business models, structural separation of functions (Art 11 (1)) and the legal implications of being a ‘fiduciary’ (Recital 26). Coupled with compliance measures in Art. 13 and exposure to private lawsuits, the framework would lay a severe burden on the service providers. While MyData Global is not arguing against fiduciaries duties or the neutrality of the intermediaries, we call for balancing the regulatory constraints in the proposals and the incentives for the data sharing services. The motivations for the data sharing services come through the level playing field, fair competition and sizable market; all these are related to the scope of the regulation discussed above. For instance, it would be beneficial that the Commission guarantees that all EU data spaces will be implemented according to the rata Governance Act’s rules. It is crucial to have the scope of the regulation wide enough, and in our view, the compliance requirements could be negotiated to a more moderate level if that justifies broader scope.
Structural separation (Art 11 (1))
Art 11(1) reads: ‘the provider may not use the data for which it provides services for other purposes than to put them at the disposal of data users and data sharing services shall be placed in a separate legal entity’.
That seemingly prohibits an original (primary purpose) controller and data holder from providing a data sharing service under the same entity. For example, a Member State or a municipality could not establish a data sharing service (enabling re-use of original personal data collected under 2016/679 legal basis of public interest) for its citizens but would have to organise such data sharing via a third party or other separate legal entity.
Art 11(1) would also prohibit the intermediary from doing any sort of data quality improvements or other processing on behalf of and by the data rights holder’s request. Intermediaries need to have room to innovate to serve better both data rights holders and data users.
Consider the pros and cons of the requirement of structural separation and potential alternatives in reaching the objectives of transparency, neutrality and common trustworthy governance. Whichever means are chosen it is elemental to guarantee that the scope of the regulation is broad enough so that intermediation services outside of the scope of this regulation can not unfairly compete and stifle the development of the market of trustworthy intermediation services under this regulation.
Fiduciary duty (Recital 26)
In the MyData Operators white paper, we proposed that it would suffice that the operators carry a duty of care, which is a lower threshold than the requirement for data sharing services to operate as fiduciaries. The legal concept of a fiduciary has a different scope and meaning in different legal systems.
The fiduciary requirement mentioned in recital 26 is at the strong end of the responsibility between the intermediary service and person. This impacts any self-regulatory and optional governance schemes below the legislation, and it may significantly limit the potential scope of these.
The fiduciary requirement would also impact the viable business models for organisations working as intermediaries. This requirement raises the cost of delivering the service, and it is hard to see what options there will be for pure intermediator-only services – they will need to be paid by the services they support or offer their own, separated services.
Consider the pros and cons of fiduciary duty and duty of care requirements on data sharing services. Whichever option is chosen make sure to set measures to compensate for the downsides of the selected option.
4. Interoperability between the data sharing services
We would like to highlight the absolute necessity of including interoperability between the data sharing services as a foundational principle in the Data Governance Act. The aim should be that the data intermediaries will form over time a network instead of isolated silos.
The interoperability between the data sharing services means, for example; the standard contractual framework between the data sharing services (operational interoperability); data model for agreements between organisations and individuals (semantic interoperability); standardised interfaces for transaction logs; encryption algorithms and file formats that shall be supported by the agents (technical interoperability); etc.
Such interoperability between the data sharing service enablessubstitutability and allows individuals and organisations to choose the best service providers. It fosters market innovation and prevents the market of data sharing services from evolving to a winner-takes-all situation. Interoperability will also create network effects and speed up the adoption of intermediary services. In an ecosystem with multiple mutually interoperable intermediary services, value is created from network effects and diminishing costs through collaboration, risk sharing and standardisation. If each intermediary makes their connections to data holders, data sources, and data users access to a shared ecosystem; these intermediaries collectively can then more quickly create functional markets (data spaces) with wide connectivity.
None of the details mentioned above can be defined at the level of technology-neutral general regulation. Instead of the details, we suggest that the regulation sets up clear direction and progressively evolving minimum requirements for data sharing services’ interoperability. We acknowledge the challenges of codifying in the law such minimum criteria for interoperability in a way that would not be prohibitively restrictive in the early stages of developing data sharing services.
Different ways to organise data sharing infrastructures exist and some of them are more aligned with the European data strategy than others. It is easy to imagine at least four different high-level scenarios for organising data sharing. These are not to be considered mutually exclusive, as co-existence and hybrids are possible.
- Fragmented: Markets where many small data sharing services compete to build small-scale use cases without interoperability between them.
- Monopolistic data platforms: A few platforms provide connectivity and data sharing inside their ecosystems with little competition and no incentives for interoperability between the platforms.
- Fully decentralised: A peer-to-peer world where standardised technical infrastructure and protocols enable data connections without any specific intermediary services.
- Competition-based interoperable network of intermediation services: Similar to the current network of telecom operators, energy providers, or banks where many mutually competing providers are interoperable and together provide global-level connectivity through shared standards and roaming arrangements.
The competition-based network should be enabled by setting mandatory minimum interoperability requirements. This would be the most crucial regulatory intervention as it is doubtful if such interconnectivity would emerge otherwise. Interoperability of data is also necessary, but we see that it will be developed voluntarily by market actors and use cases without any regulatory intervention.
Interoperability and standards are mentioned as important objectives in the foreground, but they are incorporated only very lightly in the actual articles. Only mentions of ‘standards’ are in the Art 27 Tasks of the Board:
(c) to advise the Commission on the prioritisation of cross-sector standards to be used and developed for data use and cross-sector data sharing, cross-sectoral comparison and exchange of best practices with regards to sectoral requirements for security, access procedures, while taking into account sector-specific standardisations activities;
(d) to assist the Commission in enhancing the interoperability of data as well as data sharing services between different sectors and domains, building on existing European, international or national standards;
This is a very weak mention as neither the Data Innovation Board nor Commission would have any power to mandate interoperability requirements.
Chapter VI of the Data Governance Act mentions the establishment of a Data Innovation Board that will assist and advise the Commission on the strategic matters in data governance, such as enhancing interoperability and developing the actual requirements applicable to data sharing providers.
In our view, the Data Innovation Board – with its strategic focus – should be complemented by another governance body focusing on the more tactical and operational aspects of enabling data sharing and interoperability between the data sharing services in practice. This combination of strategic guidance and operational efficiency would ensure accomplishment of the real aims: to create trust in data sharing, and to co-create, organise and stimulate adoption of decentralised access to and exchange of data while maintaining transparency, security and interoperability.
MyData Global supports the proposal of setting up an operational governance body: Data Exchange Board. It should be tasked with agreeing upon the initial requirements for the data sharing services and updating the requirements going forward, driven by the needs of people, markets and public-sector use cases. We recommend building upon the existing science, research and practical experience from interoperable data sharing (e.g. IHAN, IDSA, Data Sharing Coalition, iSHARE and MyData Operators, to name but a few) and merging best practices to organise this on a pan-European scale.
The Data Exchange Board would create the living link between the aims of the regulation and the means and best practices emerging in the real-life use cases. We believe that this connection will be essential to drive large-scale adoption of the data sharing services in the coming decade.
Figure 1 – The relationship between the strategic Data Innovation Board and the proposed operational Data Exchange Board, with the European Commission on one side and the practitioners on the other.
Our recommendation is to add a new clause in the Art 11 Conditions for providing data sharing services:
Art 11 (12) the provider shall implement in due time the measures for interoperability between the data sharing services set out by the data innovation board.
5. Other notes
Notification of data sharing service providers (Art 10)
Article 10 specifies the required information to be notified for the competent authorities. The class (as defined in Article 9 (1)) for which a service is authorised is necessary information for transparency and the assessment of trustworthiness – this should be explicit in the service providers notification. We suggest that information about the class or classes for which a data using service provider has notified should be mandated. Furthermore, we recommend using semantic data governance standards and controls such as W3C Data Privacy Control Vocabulary in the implementation of the notification process.
Article 10 (5f) should be expanded to: “a description of the service the provider intends to provide including the class or classes of those services as described in Article 9 (1).
Definition of personal data spaces (addition to Art 1)
The term ‘personal data spaces’ should be defined as it is used in the regulation and other communications.
Personal data spaces should be understood as the data spaces over which individuals have physical or logical control. Each individual should have their own logical personal data space independent of what data is in it, where the data is held physically, and what technology or service provider is used to run the personal data space. These personal data spaces are horizontal and cross-cutting with the other data spaces, but we should not speak about a personal data space in singular. The individual should be supported to integrate data from multiple sources into their logical personal data spaces.
The definition of ‘personal data spaces’ should be made explicit in Article 2, making it clear that personal data spaces are personal to the individual.
Delegation of data related rights (Recital 24)
The recital 24 about the data cooperatives, states: In this context it is important to acknowledge that the rights under Regulation (EU) 2016/679 can only be exercised by each individual and cannot be conferred or delegated to a data cooperative.
We understand that this statement is an interpretation of the GDPR and a blanket transfer of data rights is not acceptable. However, the individuals’ possibility to defer some well-specified data rights would be necessary for the data cooperative model to work in practice. Otherwise, the citizens would have to separately give their consent for every operation of the data cooperative*.
It is outside of this regulation’s scope, but we would recommend developing the GDPR interpretation regarding the delegation of data rights between individuals and trusted intermediaries, including the data cooperatives. Individuals should be allowed to delegate some of their rights under well-specified circumstances, in the form of a standard contract. Such a standard contract needs to be reviewed and approved by an ethical board and EU DPA. The importance of delegation for data trusts is well-documented and analysed in literature** ***.
Remove the GDPR interpretation statement [In this context…] or if it can not be removed then amend the last part of the sentence into “cannot be conferred or delegated to a data cooperative without a contractual agreement, where terms and conditions are approved by the national DPA“.
* This is even more important in the context of a crisis like the COVID19 where time and volume of data are of utmost importance. To address this, WHO issued a recommendation that allows authorities to access personal data WITHOUT individual consent under the condition that this is approved by an independent ethical committee (section 4.3.2) A contractual agreement between the data cooperative and the individuals – approved by an independent ethical committee – would reach the same effect and be more respectful of data privacy rights.