Updated guidance on EU data governance law

0

On May 30, 2022, the Parliament of the European Union (EU) adopted the revised European Data Governance Act (DGA), which builds on the previous Regulation (EU) 2018/1724, which aimed to establish a single digital portal to provide access to information (1). The DGA entered into force on 23 June 2022 and, after a grace period of 15 months, will be applicable to all Member States from September 2023. It is part of the wider framework of the action plan of the European Commission (EC) to ensure Europe’s digital transition. sovereignty by 2030 and is complementary to the European strategy on artificial intelligence (AI). The aim of the law is to create a single European data market, while seeking to increase trust in the sharing of data by companies, individuals and the public sector, as well as to strengthen the mechanisms aimed at increasing the data availability and overcoming technical barriers to data reuse.

The DGA applies to data defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of a sound, visual or audiovisual recording held by the sector audience “. organizations that are not subject to the Open Data Directive but are subject to the rights of others” (2). This may include personal data, including special categories of data, such as health data, statistically confidential data, trade secrets and data subject to intellectual property rights.

DGA

The DGA aims to ensure a better distribution of the value derived from the use of personal and non-personal data between players in the data economy, particularly in relation to the use of connected objects and the development of the Internet. objects (IoT) (3). The proposed DGA therefore aims to:

  • facilitate the sharing of data between companies (B2B) and with consumers (B2C)
  • reuse public sector data subject to the rights of others
  • facilitate the change of data processing services (cloud and edge computing)
  • provide for the development of interoperability standards for data and its reuse in all sectors
  • implement safeguards against illegal access to non-personal data in the cloud by third-country governments.

The DGA also supports the establishment and development of common European data spaces in strategic areas involving both private and public actors, in sectors such as health, environment, energy, agriculture, mobility, finance, industry, public administration and skills.

In the context of healthcare, a paper published by the EC finds that data-driven innovation will benefit businesses and individuals by creating efficiencies by “improving personalized treatments, delivering better health and helping to cure rare or chronic diseases… while ensuring efficiency gains”. in health data will save around €120 billion per year in the EU health sector” (4).

Member States will have to set up a single information point to help researchers and companies identify the appropriate data, while the EC will establish a European single access point consisting of a searchable electronic register of all data available in each of the National Single Information Points.

Reusing public sector data subject to the rights of others

This re-use of data concerns commercially confidential data (such as trade secrets), statistically confidential data, data with intellectual property rights and personal data protected by the General Data Protection Regulation (GDPR) ( 5). If public sector bodies choose to share their data, it is on the condition that they introduce harmonized basic conditions which will promote this re-use. Technical measures to ensure data protection, confidentiality and confidentiality, by anonymizing or pseudonymizing data before sharing and re-use, must also be taken. It is also the responsibility of public sector bodies to verify the results of the data processed by the re-user, and they have the power to prohibit the use of the results if they believe that the rights and interests of third parties are threatened (5 ). Under the terms of the DGA, exclusivities are prohibited, although derogations of a maximum duration of 12 months are possible under certain conditions.

Data intermediation services

The DGA has also defined a new economic model for data intermediation services. These are services that act as a data hosting marketplace platform that enables data sharing but does not process or use the data. These intermediaries will be required to notify supervisory authorities of their intention to provide these services, and a license will be required to provide these services. To achieve this, an authorization regime will be put in place by the supervisory authorities to ensure that the intermediary service is sufficiently independent and has appropriate security measures in place to protect privacy and confidentiality (2). Once a license has been obtained, the data intermediary will be allowed to use a common logo which signifies that it complies with DGA regulations and is a trusted entity. These intermediaries are authorized to charge a reasonable fee for the provision of the data intermediation service, but are in no way authorized to use the stored data for their own purposes or for their benefit.

Data altruism

The third model of data sharing is altruism, which refers to the “voluntary sharing of data based on the consent of the data subject or the authorization of the data holder, without asking for any compensation, for the common good” (5 ). In this case, all types of data are covered. Organizations wishing to engage in data altruism can register voluntarily to increase trust in their operations, after which they will receive a specific EU logo. For those wishing to submit data, the DGA is implementing a common European data altruism consent form to obtain (or withdraw) consent or authorisation. It is hoped that data altruism will greatly support scientific research as it will promote the sharing of otherwise confidential data for the greater good.

The question of third countries like the United Kingdom

While the new law directly affects public sector bodies, it is important that other organizations and individuals, as well as any natural or legal person in Europe who wishes to benefit from this data, are aware of the changes made by the DGA. These changes take on particular importance when they are interpreted in the context of DGA data transfers outside Europe. Data intermediaries and recognized providers of data altruism will therefore need to consider whether third countries provide adequate protections for non-personal data (6). To this end, it is believed that the UK will follow in Europe’s footsteps and introduce a similar concept of data trusts to improve data sharing in the UK in line with GDPR. An adequacy decision will be required before DGA data that is not personal data (as personal data will be regulated by the GDPR) can be transferred to a third country (5).

Implications of the DGA for the pharmaceutical sector

The GDPR defines many key concepts, such as health data as a special category of personal data as well as genetic and biometric data, all of which require special protection (Table I) (seven). A specificity in the field of health is that the Member States have a margin to maintain or introduce additional conditions with regard to the processing of health, genetic or biometric data.

This unique nature of health data does not diminish the need for cross-sector use of health data, but underscores the need to implement specific safeguards. However, simply complying with data protection rules is not enough to guarantee the success of data sharing programs. Rather, the need to address all the essential elements of a strong data governance framework is what is needed, in particular the tools and means for individuals to maintain control over how their data is used. and shared in a transparent environment (8).

References

1. CE, Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Law), COM/2020/767 final, 25 Nov 2020.
2. Simmons & Simmons, “European Parliament Approves Data Governance Bill,” April 13, 2022.
3. CNIL, “European data strategy: the CNIL and its counterparts comment on the law on data governance and the law on data”, July 13, 2022.
4. CE, European Data Governance Law. Shaping Europe’s digital future Available from ec.europa.eu [last updated 13 July 2022].
5. A. Van de Meulebroucke and L. Deschuyteneer, “The new rules of the data governance law will apply from September 24, 2023”, Eubelius, June 7, 2022.
6. R. Boardman and JM Rodriguez, “EU Data Governance Law: What Privacy Professionals Need to Know.” International Association of Privacy Professionals (IAPP)”, iapp.orgFebruary 10, 2022.
7. Towards European Health Data Space (TEDHS), Why Health is a Special Case for Data Governance, Milestone Document, tehdas.euJune 23, 2021.
8. Mr Shabani, Mol. System Biol. 17(3)e10229 (2021).

About the Author

Bianca Piachaud-Moustakis is Senior Writer at Pharmavision, Pharmavision.fr.

Item details

Pharmaceutical Technology Europe
Flight. 34, No. 11
November 2022
Pages: 8–9

Quote

When referring to this article, please cite it as B. Piachaud-Moustakis, “Updated Guidance to the European Data Governance Act,” Pharmaceutical Technology Europe 34 (11) 2022.

Share.

Comments are closed.