The tide is turning: personal data protection has become yesterday’s news. The EU is now looking into the regulation of data sharing. The General Data Protection Regulation (GDPR), which became applicable in May 2018, is arguably the most influential legal instrument governing our digital lives. The Regulation has provided individuals with new and enhanced protection of informational privacy. By requiring companies and public authorities alike to process data according to specific rules and principles, it has had a major impact on digital markets as well as governmental practices. Enhanced by the case law of the European Court of Justice, the Regulation has also become effective in practice.
However, the EU has recently started to explore new ways of regulating data. The focus is now shifting towards opening up data flows to ensure a functioning digital market. Innovation is key and data is the material from which it is forged. The EU aims to compete on the global digital market by regulating how data can be used and re-used. These new endeavours are not easy to reconcile with data protection rules in the GDPR, which seek to protect fundamental rights to privacy in digital economies.
The Commission has been busy. In February 2020, it announced its European Data Strategy, according to which the EU wants to become a leading data-driven society. The purpose is to create a single market for data for the benefit of businesses, researchers and public administrations. In addition, the digital solutions are meant as one tool in the fight against climate change.
Data sharing in the EU: limited regulation so far
What has been done so far in terms of tangible legislation, however, is rather limited. The EU has adopted a directive on open data and a regulation on the free flow of non-personal data. Neither has received very much attention in public or academic debate. This is understandable because compared to the GDPR, both of these instruments play a minor role in shaping our digital environment.
The Open Data Directive has been in force since 2019. The main aim is to allow free re-use of data that is held by national public sector bodies. This is meant foster the emergence of new businesses that offer digital products and services. The Directive aims at increased transparency in public sector data agreements. According to Article 1, it establishes a set of minimum rules governing the re-use and the practical arrangements for facilitating the re-use of: (a) existing documents held by public sector bodies of the Member States; (b) existing documents held by certain public undertakings; and (c) certain types of research data. According to Article 12, it also limits the possibilities of the public sector bodies to enter into exclusive re-use agreements with private partners. The scope of the Directive is, however, rather limited. It allows for the Member States to legislate on exceptions and does not apply at all to documents for which third parties hold intellectual property rights. Most importantly, the Open Data Directive does not override the GDPR, according to Article 1, paragraph 4 of the Directive. It therefore only applies to data that is not personal. Therefore, the strong protection of personal data is still very much intact even after the Open Data Directive came into force.
There is, nevertheless, a trend emerging. The Open Data Directive may be a small step on the path towards opening up data, but there are other similar steps already taken. The Regulation on the free flow of non-personal data entered into force at the end of 2018. According to Article 1, this Regulation aims to ensure the free flow of data other than personal data. Article 4 prohibits the Member States from imposing data localisation requirements. Data shall move freely, just like goods, capital, services and labour. However, as Article 4 of the GDPR famously stipulates that ‘personal data’ means any information relating to an identified or identifiable natural person, the definition of personal data is very broad. Almost any data can potentially become personal data, and this means that the Regulation on free flow has rather marginal application.
The Commission’s proposed Data Governance Act and its compatibility with the GDPR
These instruments have obviously not been enough to enable the free flow of data. In November 2020, the Commission put forward a proposal for a Data Governance Act. The Act would facilitate data flows by regulating, among other things, the data sharing intermediaries that are used in different data spaces. The proposal states on several occasions it is “without prejudice” to the application of the GDPR. However, it is noteworthy that according to proposed Article 3, certain provisions on re-use of data would apply not to personal data but also to data protected by intellectual property rights.
The proposed Data Governance Act causes headache for lawyers because it is difficult to see how it would interact with existing legislation on EU as well as national level. It is safe to say, however, that the biggest obstacle in opening up data sharing is the GDPR. In order to make data sharing compatible with data protection, there needs to be leeway within the GDPR. After all, it seems highly unlikely that anybody would like to start amending the GDPR after all the hard work that went into it the last time around.
The GDPR, interpreted in systematic and teleological fashion, is an instrument that limits the processing of data. A key provision is Article 5 on the principles of processing. According to the purpose limitation principle, data can only be collected for specified, explicit and legitimate purposes. As a rule, data cannot be further processed in a manner that is incompatible with the original purposes it has been collected for. In addition, the data minimisation principle limits processing to data that is adequate, relevant and limited to what is necessary in relation to the purposes for processing.
These data protection principles are not easy to reconcile with the idea of data sharing or open data flows. In addition to the many individuals’ rights stipulated in the GDPR, such as the right to access data in Article 15, the right to rectification in Article 16 and the right to erasure in Article 17, the data protection rules form a complicated but very strong framework that protects individuals’ control of their data.
As yet, the exact meaning and scope of the Data Governance Act is unclear. What relationship it will have with the GDPR will need clarification. It seems, however, that the Commission aims at opening up the digital market in a more tangible fashion than has been achieved with the Open Data Directive or the Regulation on the free flow of non-personal data so far.
A nuanced interpretation of the GDPR would be one way to reconcile data protection with current open data aims. As is well known, the GDPR explicitly states two purposes in Article 1. One is informational privacy, i.e. the protection of natural persons’ data and the other is the free movement of data. The former has been the most important one so far, which is clearly visible in the judgments on data protection from the Court of Justice of the European Union. Cases such as Schrems II, Planet49 and Fashion ID are recent examples of this. However, the GDPR also stipulates that “The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data” (Article 1). It seems that the time has come to put this statement to the test.