The Data Governance Act: New rules for international transfers of non-personal data held by the public sector
In November 2020, the European Commission (EC) published its proposal for a Data Governance Act (DGA proposal). Among other aspects, the DGA proposal sets out a legal framework for the re-use of public sector data which are covered by third parties’ rights, namely data covered by intellectual property (IP) rights and confidential data of non-personal nature as well as personal data. This legal framework aims to unlock the re-use of public sector data that falls outside the scope of the Open Data Directive. While the General Data Protection Regulation (GDPR) regulates international transfers of personal data, the DGA proposal includes rules regulating international transfers of non-personal data by a re-user that was granted access to such data by the public sector. After presenting these rules, this blogpost assesses their potential effects on international data transfers and, accordingly, cross-border trade regarding data processing activities. It also analyses whether these rules may have a broader impact going beyond their scope, in particular on business-to-business (B2B) data sharing and on third countries’ intellectual property (IP) and trade secrets regimes.
Proposed rules for international transfers of protected data held by the public sector
The public sector collects large volumes of data at the expense of public budgets. The European Commission considers these data should benefit society and be made available for re-use, in particular by companies for commercial purposes but also by the scientific community for research purposes.
However, data that are subject to third parties’ rights cannot be made available for re-use as open data. Before such data can be made available, certain technical and legal requirements must be met in order to protect third parties’ rights. This concerns personal data (information on individuals) and non-personal data that are covered by IP rights or that are confidential (e.g., information on companies). For now, the re-use of these data is only regulated by national legislation. However, most Member States do not have the structures and processes in place to allow the re-use of such protected data. As a result, these valuable data are often not made available.
Against this background, the DGA proposal aims, inter alia, to unlock the re-use of data held by the public sector that are subject to third parties’ rights. In that respect, the DGA proposal does not create a right to re-use protected data held by the public sector but lays down conditions under which the re-use of such data may be allowed.
Under these conditions, the public sector may grant the right to re-use personal data, confidential data and data protected by IP rights to a natural or legal person (the re-user) for commercial or non-commercial purposes, provided that such re-use takes place in a manner that respects the rights and interests of businesses (non-personal data) and data subjects (personal data). The re-user may only transfer these data to non-EU countries under strict conditions. While international transfer of personal data is subject to the GDPR, the DGA proposal introduces rules for international transfers of confidential data and data covered by IP rights.
According to the proposed rules, and in a similar way to what exists under the GDPR, confidential data and data covered by IP rights may be transferred to third countries under an adequacy system. International transfer of such data may take place only provided that the relevant third country offers a level of IP and trade secrets protection which is essentially equivalent to that provided by Union or national laws. In the absence of an adequacy decision adopted by the EC with regard to the relevant country, the transfer may then only take place under an accountability system, under which the re-user undertakes obligations in the interest of protecting the data (Article 5(9)-(11) DGA proposal).
In addition, the DGA proposal establishes specific conditions applying to international transfers of certain categories of non-personal data, identified as ‘highly sensitive’ (Article 11 and Recital 19 DGA proposal). Such ‘highly sensitive’ non-personal data will be identified by Union law, for instance in the context of the European Health Data Space (e.g. certain datasets held by public hospitals could be identified as highly sensitive health data) or other sectoral legislation. International transfers of such data may be subject to even stricter conditions, in the event that it could jeopardise public policy objectives (such as public health, public order, privacy and personal data protection). The conditions attached to the transfer of these data – which will be laid down in delegated acts to be adopted by the European Commission – should correspond to the risks identified in relation to the sensitivity of the data, including in terms of the risk of re-identification of individuals.
The rationale for introducing these rules restricting international transfers of protected non-personal data held by the public sector is allegedly the protection of sensitive and valuable data from unlawful access in third countries that may lead to IP theft or industrial espionage or the endangerment of public policy objectives (Recitals 15 and 19 DGA proposal).
Towards a ban on international transfers?
While the DGA proposal intends to regulate international transfers of protected data held the public sector, in practice it may however render such transfers impossible. In that respect, adequacy systems have significant drawbacks, such as the length of the process to assess the legal and judicial systems of a country and the influence of political factors. These drawbacks may translate into a very limited implementation of the system that would significantly affect international data transfers. This has been proven to be the case for international transfers of personal data, where the ill-fated EC’s decisions on the adequacy of protection provided by the US Safe Harbour and later the EU-US Privacy Shield were both invalidated by the Court of Justice (Schrems I and II case-law, C-362/14 and C-311/18, see C. Kuner). This situation has led to legal uncertainty to the detriment of companies dealing with EU-US data transfers that may result in soft data localization. While the DGA proposal provides for a fallback solution with the accountability system, the commitment to protect such data even after the transfer is done is particularly burdensome for the re-user and may in practice have a chilling effect on any intention to transfer data outside of the EU (see T. Christakis).
In addition, the conditions attached to the transfer of ‘highly sensitive’ data may include limitations – or even restrictions – to the re-use of data in third countries or categories of persons that are entitled to transfer such data in order to protect the public interest (Article 5(11) DGA proposal). While it is not clear from the text of the DGA proposal whether conditions applying to international transfers of ‘highly sensitive’ data could include an outright ban, it is however likely that in practice such transfers would be rendered significantly difficult.
A possible conflict with EU trade commitments?
While the conditions governing international transfers of protected non-personal data held by the public sector aim to protect the rights and interests of EU businesses, they may be trade restrictive. Just as it may be the case in relation to personal data (see S. Yakovleva; F. Velli; C. Kuner), restricting (or de facto banning) international transfers of protected non-personal data held by the public sector may be in conflict with EU trade commitments under the General Agreement on Trade in Services (GATS), that aims at liberalizing cross-border flow of services, including digital services. Under its GATS Schedule of specific commitments, the EU committed without restriction to ensure market access and national treatment with respect to data processing services for all modes of supply, including cross-border trade. Thus, limiting or banning international transfers would be in breach of the market access obligation (Article XVI GATS) as it would hinder cross-border trade with regard to data processing services. In addition, foreign data processing operators might have to invest in facilities located in the EU to access the market, which may be financially impossible for foreign SMEs. As the conditions of competition between EU and foreign data processing services suppliers may be modified to the detriment of the latter, foreign operators would be subject to a less favourable treatment. This would constitute a breach of the national treatment obligation, which prohibits discrimination between foreign services suppliers, on the one hand, and like domestic services suppliers, on the other hand (Article XVII GATS).
One could wonder whether, if adopted, the DGA provisions on international data transfers could end up getting challenged in the WTO dispute settlement system. Taking the GDPR that establishes a similar regime as an example, the EU trade policy has undertaken a successful campaign of promotion, circumventing the multilateral WTO channel and unilaterally imposing its data protection regulation as a standard. This has been shown through the negotiation of bilateral trade and investment agreements including horizontal provisions regulating cross-border data flows and recognizing the right to data protection as a fundamental right. It also manifested with foreign governments aligning their data protection domestic regulation to the EU standard (the de jure Brussels Effect). As a result, the GDPR has not been challenged and will probably not be, as it becomes widely accepted (see also the status of Council of Europe Convention 108 + that aims at creating an international standard protection of the right to data protection and is largely inspired by the GDPR).
Coming back to the DGA proposal, it has to be noted that IP and trade secrets are subject to a minimum standard international protection under the WTO Agreement on Trade-Related Aspects of Intellectual Property Rights. This proves that the necessity to protect IP and trade secrets is already widely accepted and is a common concern to the WTO members. However, in practice the implementation of the protection highly varies from a country to another, in particular with regard to enforcement and effective legal remedies. It may thus seem legitimate to condition international data flows to an ‘essentially equivalent’ level of protection of IP and trade secrets. Hence, the chances for the future DGA to be challenged before the WTO might be limited.
Possible impact on B2B data sharing as well as third countries’ IP and trade secret regimes?
With these new rules conditioning international data flows the EU seeks to ensure protection of rights and interests of EU companies. However, one could wonder whether these new rules may have further impact, notably on B2B data sharing at international level. B2B data sharing is governed by private contracts which thus do not offer tools to fight misappropriation and misuse by third parties. The fact that a non-EU country is recognized as ensuring an appropriate level of protection of IP and trade secrets could thus provide some incentives for EU businesses to share their valuable data with new partners established in that country, hence bringing about wider trust in international B2B data sharing.
Another consideration could be the possible impact of the DGA international data flow rules on third countries’ IP and trade secrets regimes. In particular, it might push certain third countries to strengthen their IP and trade secrets protections to the levels similar to those in the EU, in order to open up the market for data services with the EU.
It goes without saying that any such effects are difficult to predict at this stage, as they will depend on various factors, including the EU’s political willingness to actually implement the adequacy system on a broad scale and the extent to which the public sector will make use of this (quite cumbersome) mechanism under which it may grant the right to re-use data (see conditions for re-use under Article 5 DGA proposal) thus enabling the market to scale up.