The European Union (EU) is a global regulatory powerhouse in the data rights space, with the General Data Protection Regulation (GDPR) being the most well known example. The upcoming Data Governance Act may be the next globally influential, data-related regulation benefiting citizens at home and abroad. In this blog, MyData Chair, Antti “Jogi” Poikola explains the EU Data Governance Act and how it supports achieving the goals in the MyData Declaration.
Since MyData Global’s creation three years ago, it has expanded rapidly with 30 hubs established globally. The EU has been an important forum for putting into practice a human-centric, ethical approach to personal data. The development of the Data Governance Act (DGA) is exciting for MyData because it shows a clear link to the MyData Operators white paper, which describes the operations and functions of what the EU terms as “data intermediaries”. Data intermediaries are organisations that facilitate the flow of personal data across services in such a way that the individuals stay in the driver’s seat. Seeing this come to fruition through legislation is a significant step, but implementation of the DGA will be the key test.
By defining data intermediaries, the DGA shapes the underlying structures of the data economy to be more human-centric. With regulated data intermediaries, the use of personal data will become more transparent and more ethical. The regulation also ensures a level playing field for data intermediaries by requiring them to all follow the same rules and practices. The DGA aligns with the MyData Declaration by facilitating people to benefit from the data about them. Furthermore, it encourages interoperability between companies, thereby unlocking the full potential of personal data to revolutionise the services and products that we all rely on.
The DGA goes beyond existing EU regulations and laws by making sure all stakeholders – from small to large companies, governments, citizens, and other organisations – benefit from the flow of personal data. Whilst the law itself is robust, as ever, implementation will be the real test. The DGA requires each country to assign or set up a competent authority by 2023 to oversee the implementation of the legislation. There is a risk that by the time national authorities start implementing the legislation, common guidelines for interpreting the requirements nationally as well as between member states may not yet be harmonised.
A bigger question remains around whether and how the authorities will actually monitor the compliance whilst the common guidelines are being developed. Companies will be “validated” once by competent authorities, but not monitored thereafter – this opens the door to companies changing their policies once they have been through the validation process. There is also the risk that authorities could change their monitoring practices once the interpretation guidelines are in place, which could create regulatory uncertainty for the data intermediaries. Assessments should be ongoing and continuous as intermediaries are a nascent area for both technology and the law, but at the same time the interpretation rules should be transparent and predictable, and any changes should be communicated well in advance.
As with most new legislation, there are costs involved and the regulation allows authorities to charge for registering data intermediaries. These fees may vary between countries. There is a risk that, with a lack of guidance, some national authorities may put in place overly heavy processes, and the costs may become too burdensome for small- or medium-sized companies, undermining the goal of creating a level playing field. The existing unregulated system had costs, too, of course, by giving an implicit advantage to established companies as well as non-financial costs associated with unethical data practices. Moving forward, companies that are data intermediaries and data users will now have to split their operations into separate companies, and they will need to be clear on how their operations cross the line between these two functions.
Whilst the EU sphere is key for the reasons stated above, data intermediaries exist in all jurisdictions and there are probably similar regulations coming into force elsewhere. For example, in Japan there is already soft regulation for information banks. MyData Global has a role to play in helping businesses understand, meet, and exceed legislation. We can help companies stay competitive and ahead of the curve by defining best practice. We are already doing this through the MyData Operator Awardees, which are data intermediaries that come from around the world.
If you want to keep up to date with MyData Global’s thoughts on the EU DGA and MyData Operators you can join the Slack channel. For more information on MyData Operators, view the factsheet and the white paper. The 2021 My Data Operator Awards will be announced in November in Amsterdam.