Hoping to facilitate the creation of new products and services in the EU, the Commission has introduced the bill with an ‘aim to foster the availability of data by increasing trust in data intermediaries and by strengthening data sharing mechanisms across the EU.’
If adopted the Data Governance Act (DGA) will provide legal recourse for the companies to access public sector data and allow industries to share data among themselves through the introduction of various frameworks that will improve trust by creating safe spaces.
The DGA will, at the same time, be in accordance with the existing rules and regulations related to data processing and sharing. It will thus be applied in respect to the General Data Protection Regulation, any national laws, sector-specific guidelines, and any other data governance rules.
The DGA introduces several ideas in the form of rules and frameworks that will help them achieve the goal of increasing the use of data for products and services.
The public sector is using huge amounts of data in Europe, which even the authorities themselves are restricted from using. With an aim to make this data available for firms to use, the DGA will open up several categories of public sector data which can be used by companies for commercial and non-commercial purposes.
While the DGA will rely on national rules for companies’ to access this data, they will lay down certain ground rules for its use, including conditions that make the reuse nondiscriminatory, proportionate, and objectively justified and that they do not restrict competition.
Secondly, in the current situation, private companies do not share data with each other due to lack of trust, despite the awareness of several advantages of large datasets.
To address this issue, the government introduces a framework to create data sharing services, which can help improve this trust and create European Data Spaces. The DGA lays down several requirements for these data sharing services or data brokers, including notification of its services to the EU member state and fiduciary duty towards data subjects, among others.
Another form of data sharing is through data altruism that will encourage companies to gather data, personal and non-personal, for projects of general importance. But for such collection of data, the company needs to again satisfy several conditions.
This will need the company to be constituted to meet objectives of general interest, operate on a not-for-profit basis, and ensure the activities related to data altruism take place through a legally independent structure.
Is India Ready For Such An Act?
While India does not have a bill introduced yet that will encourage sharing of data; it introduced the Personal Data Protection Bill (PDP) in 2019, which is currently being reviewed by a Joint Parliamentary Committee. However, the inclusion and exclusion of sections that talk about data sharing have been largely criticised in both inside and outside the parliament.
The bill lets the government direct any data fiduciary or data processor to provide any personal data anonymised or other non-personal data and is not obligated to be transparent of how this data will be used or if the individual who the data belongs to will be compensated or not. Also studies highlight that the bill’s reliance on the consent-based mechanism for protecting personal data is not likely to be effective.
In general, the PDP does not put any restrictions on the transfer of personal data, except for ‘sensitive personal data’ which needs explicit consent from the individual.
A committee formed last September under MeitY, called for new data regulation that will allow the private sector to use non-personal data or anonymised personal data. It also calls for a data-sharing marketplace for Indian businesses and the government.
However, this report has been criticised by experts for leaving too many questions unanswered in terms of who could use that non-personal data and how it will ensure that the community that produces the data benefits them. Even if the data is non-personal, if used for two different purposes by two different communities, it could end up hurting the socio-economically weaker group.
A lack of an adequate framework in terms of data sharing might be indicative that we are not ready for such an act.
However, a dialogue in the direction of using data for the public good is very much relevant but needs to come in the picture after a robust legal language for privacy, rights, and community-led governance comes into place.