Proposed Regulation on European Data Governance


Statement

On the proposed regulation on European data governance (Data Governance Act) EU Transparency Register: 1771817758-48

Federation of German Industries

Status: February 1, 2021 01.2019


BDI Statement on the Data Governance Act

Preliminary note

BDI welcomes the European Commission's proposal for a regulation on European data governance to promote the increased reuse of data held by the public sector, support for voluntary data sharing by intermediaries, interoperability and standardization measures. In order to realize a smooth data flow through EU-wide and cross-sector value chains, a harmonized legal environment across Europe is needed. The Data Governance Act can help to take an important step towards harnessing the potential of data for the common good according to the principles of openness, participation and transparency. In this context, however, the draft regulation fails to create the necessary simplifications and reductions in complexity for the above-mentioned purposes. In particular, there is a lack of clarification regarding the handling of personal data. Right at the beginning of the proposed regulation, Art. 1(2) DGA makes it clear that the provisions of the GDPR remain unaffected. In this respect, the Data Governance Act imposes some new requirements on companies in addition to the processes already established in companies for data protection management. A reduction in complexity with regard to the requirements of data protection law - for example, through an exception for the area of data altruism, a separate legal basis for the permissibility of training artificial intelligence (AI) or clarifications with regard to the legal requirements for a change of purpose - is not included in the proposal despite its great practical importance. As stipulated in Regulation (EU) 2018/1807 ("Free Flow of non-personal Data"), the free flow of data within the EU should be guaranteed by default and only restricted in very rare and clearly defined exceptional cases. In order to protect existing and future investments, it must be ensured that companies have legal certainty when transferring non-personal data.
Here, the Commission is called upon to consider long-standing intergovernmental agreements, such as the Berne Convention or the TRIPs Agreement, which have brought together a number of like-minded countries to protect intellectual property. Against this background, it is at least questionable whether the positive approaches of the proposed regulation in the form of data intermediaries, data altruism and the further use of public data with third-party protection rights will actually achieve the hoped-for positive effect for the European data economy. Legal certainty and reduction of bureaucracy regarding data protection requirements while maintaining the level of protection continue to be of great importance in application practice.


Regarding Chapter II - Reuse of certain categories of protected data held by public sector bodies

According to Art. 3 DGA, this chapter applies to data held by public bodies and protected on the basis of commercial or statistical confidentiality, protection of intellectual property or personal data. Data held by public companies are not covered according to the Commission's intention.

De-personalisation of data

According to Art. 5 DGA proposal, the competent public bodies may impose the obligation that only processed data may be used further, provided that personal data is anonymized, pseudonymized or confidential business information and trade secrets are deleted as a result of this processing. To specify the technical requirements for such de-personalization, recital 11 states that, depending on the particular case, personal data should be completely anonymized before being transmitted so that it is definitely impossible to identify the data subjects. In BDI's view, complete anonymization in the sense of "absolute" anonymization of personal data would in many cases risk jeopardizing the actual purpose of the further use of such public data, e.g. for machine learning or AI. Furthermore, absolute anonymization is also not required by the GDPR. Recital 26 of the GDPR states that "in order to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments." This suggests that a relative notion of anonymization should be used in determining the effectiveness of anonymization. Article 5 (11) DGA proposal also refers to "re-identification of data subjects on the basis of anonymized data", which in turn suggests a relative understanding of anonymization. The BDI therefore suggests a clarification in recital 11 to the effect that the GDPR is also based on a relative concept of anonymization.

The above discussion on the concept of anonymization of personal data is an example of the great legal uncertainty under data protection law in practice when it comes to handling data. The GDPR does not contain any legally binding requirements, nor have any technical standards been recognized to date that provide companies with reliable and practical guidance on how to anonymize personal data in compliance with the GDPR. In this respect, it remains unclear, even with reference to Art. 5 (11) DGA, to what extent non-personal data are to be classified as "highly sensitive" or how it should be possible for companies to determine and assess the risks of re-identification at all.

In order to reduce the resulting legal uncertainty and at the same time to promote the reuse of public sector data, technical requirements should be defined and practical guidelines be established with the objective to provide concrete guidance on legally compliant data anonymization. Guidelines on the requirements for legally secure anonymization are indispensable, especially for constellations in which a plurality of data points is required, for example, in order to be able to recognize patterns through AI. It would be conceivable for potential users of data pools for AI purposes to subject themselves to legally binding, strict self-restrictions, i.e. to undertake not to use such data from data pools to be used for AI research purposes for the purpose of re-identifying individuals. To this end, such companies would take appropriate technical and organizational measures to protect such data from access by third parties, even if the users of such data were still acting within the scope of the lawful purpose limitation.

Regarding Chapter III - Requirements for data sharing services

BDI welcomes in principle that Chapter III sets out harmonized requirements for data sharing services in order to ensure data exchange between different players and in this way strengthen the trust of market players in data sharing. Especially in market constellations where mutual trust in data sharing is low, data intermediaries can provide real added value for the data economy as a whole. However, it is important to emphasize that there are already various well-functioning models of data exchange in many industrial sectors today, based on fair and privacy-autonomous contractual arrangements. Therefore, it is important that regulatory requirements support existing initiatives and create further incentives for data transfer. However, the proposed regulatory framework does not achieve this goal. It introduces a whole range of administrative and regulatory obligations for data sharing services and intermediaries (establishment of a separate legal entity, costs for monitoring and compliance, potential penalties, requirements for structural separation of services, etc.) without, however, providing any relief or incentives that could lead to greater scalability of existing services. A voluntary approach combined with a certification option and a public register would have been a viable way to make data trustee services more transparent and thus more attractive for B2B and B2C solutions. In view of the planned obligation to register, however, there are doubts as to whether untrustworthy intermediaries can be kept out of the market. In the present case, however, the proposed regulations could, contrary to the actual objective, even lead to a situation in which existing industry solutions can no longer be offered. For example, it is perfectly understandable that data collected by the trustee service should not be reused for other services, in order to avoid lock-in effects. On the other hand, it should still be possible for data trustees to offer additional services for shared use, such as data preparation services like quality, interoperability, commercial presentation (metadata), and statistical analysis. SMEs in particular, which often lack their own expertise, are often dependent on appropriate analysis tools to make their data attractive to other companies in the first place. Moreover, these additional offerings also represent a differentiation factor
that data sharing services can use in order to distinguish themselves from competitors in the market. If, on the other hand, the EU Commission's goal is to create pure data passthrough entities in Europe that are limited solely to data transmission, the added value of a binding legal framework for data intermediaries and sharing services must generally be questioned in the view of the BDI. In order to comply with these considerations in legislative terms as well, the scope of application of Chapter III DGA should generally be specified in order to avoid legal uncertainty and additional bureaucracy for industrial companies. It is also not sufficiently clear which companies would already be covered by the provisions of Chapter III DGA at present. This is due to the fact that, for example, the terms "providers of data sharing services" and "intermediaries" used in Art. 9-11 DGA are not defined and furthermore no clear distinction is made in recitals 22 and 23 either. It is true that recital 22 states by way of example that the regulation does not apply to objects and devices connected to the Internet of Things whose main objective is to ensure the functionalities of the connected object or device and to enable value-added services. In order to create legal certainty, a clear formulation of exceptions or a clear wording of the scope of Art. 9(1)(a) and (b) should therefore be made in the legal text itself and not merely in the recitals. Against this background, an additional paragraph or a definition of the term "intermediary" should be added to Art. 9 DGA, according to which Chapter III DGA does not apply to the sharing of data in such cases where the entity making data available is the data owner at the same time. This is particularly true in the context of industry agreements or service offerings that already provide a framework for data management. This would ensure that the exchange of data under bilateral contracts or industry agreements is not covered by the provisions of the legal framework. Finally, it must be taken into account that the use of a data intermediary always involves a certain cost factor and, in this respect, requires real added value.

Regarding Chapter IV - Data altruism

The BDI basically welcomes the initiative to create an efficient framework for data altruism by individuals and companies in Europe. Analogous to the provision of public data, there is great potential for value creation in the voluntary option of making personal data available to the general public. However, for this potential to actually unfold, companies need to be able to use the data provided in a way that is as legally secure as possible and at the same time unbureaucratic. In the view of the BDI, however, both aspects are inadequately guaranteed in the present proposed regulation.

Definition of "data altruism"

According to its definition, "data altruism" pursuant to Art. 2 No. 10 DGA is to be understood as consent or permission "for purposes of general interest,
such as scientific research purposes or improving public services". In this regard, we would like to note that this narrow limitation of the definition to scientific research alone falls short. In the same way, the research and development of commercial products and services of medical technology and industrial health management should also be included, especially since the formulation used does not exclude a narrow interpretation with regard to restriction to "non-profit" science and research conducted at universities. Not least, the current corona pandemic makes it clear that it is in the highest public interest to ensure the supply of the population with products and services developed and manufactured by the industrial health care industry, including the medical technology industry, and effectively distributed through its distribution channels. Art. 2 No. 10 DGA should be specified accordingly.

Administrative effort

Art. 15 DGA provides for a register of recognized data altruistic organizations to be maintained both at national level (para. 1) and at Union level (para. 2). However, in order to be eligible for registration and the associated possibility to call themselves a "data altruism organisation recognised in the Union" (para. 3), the organizations must meet extensive requirements pursuant to Art. 16 et seq. DGA. The proposed requirements impose a considerable (additional) administrative burden on organizations that already process large volumes of data for research projects and "only" comply with the demanding criteria of the GDPR. It is precisely those companies that do not want to expose themselves to these additional requirements that must fear being assessed as less trustworthy in the future. This in turn leads to difficulties in accessing data for their own research purposes.

Article 22 - Data protection / EU consent form

With regard to data protection requirements, the Data Governance Act creates additional requirements on top of the GDPR requirements without reducing the existing complexity elsewhere. Art. 22 DGA provides for a European data altruism consent form. This is a form to be defined by the EU Commission which, according to para. 2, is to have a modular structure so that it can be adapted to specific sectors and for different purposes. According to recital 39, this is intended to create more legal certainty regarding consent and its withdrawal, especially in connection with data provided on an altruistic basis for scientific research and statistical purposes. Such a form should contribute to more transparency for data subjects that their data will be accessed and used in accordance with their consent and in full compliance with data protection rules. BDI supports the approach of the EU Commission in Art. 22 (2) DGA, according to which the EU consent form should take sector-specific aspects and different purposes into account. Nevertheless, there are doubts as to whether
such a consent form will do justice to the practical application in a very dynamic and complex market. For example, very specific cases can also be distinguished within sectors and future purposes may not even be apparent at the time the EU Commission defines such a form. As recital 36 correctly indicates, it is already often not possible to fully determine the purpose of processing personal data for scientific research purposes at the time of data collection. Therefore, it is necessary that consent for certain areas of scientific research can be given in a more general form, if this is done in compliance with the recognized ethical standards of scientific research. Especially in the field of health, Big Data provides new approaches to research. The old principle of working hypothesis and focused investigation is being dissolved. The opportunity in the investigation of large and diverse data sets lies particularly in discovering previously unknown correlations. This is because it is often not possible to precisely determine a specific research purpose in advance of data use. In this context, we suggest a digital consent management system for storing health data that makes it possible to automatically allow access to certain data in accordance with an authorization concept. Such a concept has the advantage that the individual wishes of the person concerned can be taken into account. By giving the data subject access and choice, it is possible to change his or her option and revoke consent with effect for the future. In big data applications, automated consent management of this kind is a good way to ensure the best possible self-determination of the data subject as well as accessibility for evaluations. Furthermore, Art. 22 (3) DGA stipulates that a consent form must enable the data subject to revoke consent in accordance with the GDPR. 
We take this as an opportunity to point out conflicts with medical device regulations that arise when individuals revoke their consent to the use of data in the context of machine learning, thereby changing the data basis for AI systems applied in medical devices (Art. 10 (8) MDR obliges the manufacturer to keep the technical documentation for at least ten years after the last product covered by the declaration of conformity has been placed on the market). This would have to be resolved either by limiting the effects of revocation in certain cases or by creating a separate legal basis for such cases. In order to maintain the necessary flexibility for practical application, consideration should also be given to defining criteria for consent forms to be developed in-house in addition to the EU consent form, and to setting up corresponding certification procedures. This would take into account the complexity and also urgent needs for data collection and evaluation without restricting the high European level of data protection. In order to take sufficient account of the specific requirements of individual sectors, an EU consent form should in any case be developed in cooperation with sector-specific stakeholders.


Regarding Chapter VI - EU Data Innovation Board

BDI welcomes the planned establishment of an EU Data Innovation Board (EDIB) to harmonize the new responsibilities of public authorities associated with the Data Governance Act, including oversight of data exchange service providers, ensuring consistent practice in handling requests for public sector data, and advising the Commission on the governance of cross-sector standardization. In doing so, however, the mandate, competencies, and composition of this body should be further defined. From BDI's point of view, the EDIB can be an excellent opportunity to bring data experts with different backgrounds together and to actively include the experiences of industry representatives. It is important that the view of the application practice is clearly expressed within the EDIB, for example by establishing public-private-partnership collaborations within the EDIB. In addition, the involvement of stakeholders from the business community should be just as mandatory as the consultation of the European Data Protection Board and the EU Commission. In particular, the industry perspective must be ensured when setting cross-sector norms and standards. When addressing existing rules on interoperability, ongoing initiatives, such as GAIA-X, should also be considered in order to take a holistic approach to the European data economy. It therefore also seems sensible to provide the EDIB with competencies to monitor and enforce compliance with the defined standardization measures.


About the BDI

The BDI conveys the interests of German industry to the political leaders. In this way it supports companies in global competition. It has an extensive network in Germany and Europe, in all important markets and in international organisations. The BDI provides political support for international market development. And it offers information and economic policy advice on all industry-related topics. The BDI is the umbrella organisation of German industry and industry-related service providers. It speaks for 40 industry associations and more than 100,000 companies with around 8 million employees. Membership is voluntary. 15 state representatives represent the interests of industry at regional level.

Imprint

Federation of German Industries (BDI)
Breite Straße 29, 10178 Berlin
www.bdi.eu
T: +49 30 2028-0

Contact person

Dr. Michael Dose
Senior Manager, Department "Digitalisation and Innovation"
T: +49 30 2028 1560
M.Dose@bdi.eu

Stefanie Ellen Stündel
Senior Manager, Department "Digitalisation and Innovation"
T: +32 27921015
S.stuendel@bdi.eu

Ines Nitsche
Senior Manager, Department "Law, Competition and Consumer Policy"
T: +49 30 2028 1711
I.Nitsche@bdi.eu

Transparency register number: 1771817758-48

BDI document number: D 1319
