On 31 March 2021 the third webinar of the TRUSTS webinar series was held together with Safe-DEED. This time, Lidia Dutkiewicz (TRUSTS) and Alessandro Bruni (Safe-DEED) from KU Leuven discussed legal aspects of data sharing platforms and answered frequently asked questions.

Interactive Survey

To get an insight into the knowledge of the participants, the webinar started with an interactive poll. Due to the limited amount of time given in the event, the speakers could not have collected data in a structural and empirically accepted manner. Consequently, data collected in the interactive survey do not allows to develop any academically accepted theory. Still, the information gathered provide a snapshot of factors influencing consumers to assess their data value:

  • The participants have demonstrated to have a clear understanding of the notion of personal data, providing an extensive definition of these data. Nevertheless, it is challenging for them to provide a clear cut differentiation between personal and non-personal data.
  • A clear understanding of how to differentiate between personal and personal data contributes to affect information asymmetries between providers and customers in the online environment.
  • In the opinion of the workshop’s addresses, the usability and possibility of using data in more than a context are crucial criteria for assessing the value of personal data. Additional criteria used to assess the value of data comes from a qualitative assessment of data. Interestingly, context, which is crucial for carrying out an assessment, does not represent, according to respondents, a primary criterion to assess value to data.
  • Addresses of our survey believe a valuation of data value should always combine economic and non-economic considerations. Assessments that also considers the social, ethical, and psychological implications of a specific processing activity involving personal data should be implemented moving from the DPIA scheme.
  • Participants have stressed that besides the economic opportunities generated by processing personal data, governments should increasingly use the opportunities offered by such a processing activity to provide support and valuable solution to citizens (e.g. in the public administration).

Is it personal data?

Legal constraints of data sharing

In the second part of the workshop, the speakers described a few legal constraints of data sharing based on our Deliverable 6.2 Legal and Ethical Requirements in TRUSTS project and in Safe-DEED project Deliverable 3.2.

Lack of clarity

A lack of legal clarity on data processing have been identified by the European Commission’s Data Strategy as crucial obstacles to enhance data sharing between companies across the EU. Besides, the EU legal framework applying to data is a patchwork of different rules, and their applicability depends, among others things, on the ‘type’ of data, i.e. whether data is personal, non-personal, copyright-protected, financial etc.

Thinking of data as a tradable “good” (a commodity) is rather new. There is no “ownership right” on data in the EU law due to its specific nature of these data. Most legal scholars also consider that such an ownership right should not be set up.

Data Governance Act

With the Data Governance Act (DGA) Proposal, the EC aims to create an EU wide regulatory framework that sets out harmonized requirements for data sharing services. One of them is the “neutrality” requirement which means that the data-sharing intermediary cannot exchange the data for its own interest (e.g. selling them to another company or using same data to develop its own products). The data and metadata acquired can be used only to improve the data-sharing service. According to this Proposal, the data-sharing activity will also be strictly separated from other data services (in a separate legal entity).

Articles 10 and 11 of the DGA Proposal provides a long list of notification duties and conditions with which data sharing services need to comply with providing data sharing services across the EU. Our future work in TRUSTS will include an analysis of what these requirements mean for the data marketplaces.

FAQ – Legal Aspects of Data Sharing Platforms

From the business perspective, do you have an idea on the incentives for businesses to pursue these data sharing activities, given the obligation of neutrality and all the conditions to respect?

According to the Data Governance Act (DGA) Proposal, chapter III (requirements applicable to data sharing services) aims to increase trust in sharing personal and non-personal data and lower transaction costs linked to B2B and C2B data sharing. In the DGA Proposal own words, “a key element to bring trust and more control for data holder and data users in data sharing services is the neutrality of data sharing service providers as regards the data exchanged between data holders and data users“. (Rec. 26)

Lidia Dutkiewicz spoke of potential ‘data cooperatives’ in the future. Any idea about what such cooperatives would/might entail? Are these a sort of ‘data unions’ that represent collective data rights?

Article 9 (c) of the DGA Proposal lists “data cooperatives” among data sharing services providers. The Proposal Recital 24 sees “data cooperatives” as services which seek to strengthen the position of individuals in making informed choices before consenting to data use, influencing the terms and conditions attached to data use or potentially solving disputes on how data can be used.  There is some confusion regarding the definition and scope of these services. For example, as the EDPB-EDPS Joint Opinion 03/2021 on the DGA points out, the fact that  data cooperatives will have powers to “negotiate terms and conditions for data processing before they consent” is unclear at least, if not directly contradictory. Such “terms and conditions” for personal data processing are enshrined in the GDPR and cannot be amended by means of a contract or other type of private arrangements.

Public sector bodies may impose an obligation to re-use only pre-processed data where such pre-processing aims to anonymize or pseudonymise personal data or delete commercially confidential information, including trade secrets. How should this definition be understood? In particular “aims”?

This provision raises a few interpretation issues, and I do not have a clear-cut answer to this question. The EDPB-EDPS Joint Opinion 03/2021 on the DGA also questions this provision. In particular the EU regulatory bodies point out that public sector bodies (PSBs) “may” impose an obligation to re-use only prior anonymized or pseudonymised personal data. “This means that public sector bodies are not obliged to pre-process personal data so that to make available to re- users only prior anonymized or pseudonymised personal data.”

Did you also take into account DSA in regards of content provider platforms?

Intermediary liability for data sharing platforms is a very important legal challenge. In that context, the Digital Services Act (DSA) proposal is a crucial legislative initiative. We follow up closely interinstitutional negotiations on the DSA and will assess its relevance for the TRUSTS and SAFE-Deed projects.

Can you give us examples of standardisation organisations?

Nowadays, there are multiple national and international organisation developing standards. Sometimes these standards cover one field, while in other situation, they are horizontally applicable. The International Organization for Standardization (ISO) is probably the most important private standardisation organisation, whose standards cover multiple and overlapping domains. ISO has developed an international standard ISO 27701, which defines the management system and security requirements for personal data processing (Personally identifiable information (PII)). In Europe, there is e.g. the European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC).

What do you think of the European Data Protection Board (EDPB) comments on the DGA?

The EDPB-EDPS Joint Opinion 03/2021 on the DGA raises various very important points which should be taken into account by policymakers. The Opinion advocates for clarifications on terminology and necessary adjustments on the interplay between importantly on the DGA and other crucial legislation, particularly the GDPR. At this stage of the legislative developments, both claims seem fairly substantiated by the EU regulatory bodies. Still, to provide a substantial answer to this query, it would be necessary to wait till the end of the proposal’s regulatory process.

Do you agree there should be no new authority, but should DPAs take on this role?

At this stage, it is not possible to comment on this question due to the ongoing political debate on the proposal. Political evaluations are out of our sphere of competence.

If you have missed the webinar, just click on the picture below and watch it on YouTube.

You can also find the presentation slides here.

If you are interested in legal aspects of data sharing, take a look at our latest podcast with Yuliya Miadzvetskaya, Research Associate at the Center for IT & IP Law (KU Leuven), who talked about the legal aspects of TRUSTS and the challenges in the area of data sharing.