Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on European data governance (Data Governance Act) (Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee21,
Having regard to the opinion of the Committee of the Regions22,
Acting in accordance with the ordinary legislative procedure,
Whereas:
(1) The Treaty on the functioning of the European Union (‘TFEU’) provides for the establishment of an internal market and the institution of a system ensuring that competition in the internal market is not distorted. The establishment of common rules and practices in the Member States relating to the development of a framework for data governance should contribute to the achievement of those objectives.
(2) Over the last few years, digital technologies have transformed the economy and society, affecting all sectors of activity and daily life. Data is at the centre of this transformation: data-driven innovation will bring enormous benefits for citizens, for example through improved personalised medicine, new mobility, and its contribution to the European Green Deal23. In its Data Strategy24, the Commission described the vision of a common European data space, a Single Market for data in which data could be used irrespective of its physical location of storage in the Union in compliance with applicable law. It also called for the free and safe flow of data with third countries, subject to exceptions and restrictions for public security, public order and other legitimate public policy objectives of the European Union, in line with international obligations. In order to turn that vision into reality, it proposes to establish domain- specific common European data spaces, as the concrete arrangements in which data sharing and data pooling can happen. As foreseen in that strategy, such common European data spaces can cover areas such as health, mobility, manufacturing, financial services, energy, or agriculture or thematic areas, such as the European green deal or European data spaces for public administration or skills.
(3) It is necessary to improve the conditions for data sharing in the internal market, by creating a harmonised framework for data exchanges. Sector-specific legislation can develop, adapt and propose new and complementary elements, depending on the specificities of the sector, such as the envisaged legislation on the European health data space25 and on access to vehicle data. Moreover, certain sectors of the economy are already regulated by sector-specific Union law that include rules relating to cross- border or Union wide sharing or access to data26. This Regulation is therefore without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council (27), and in particular the implementation of this Regulation shall not prevent cross border transfers of data in accordance with Chapter V of Regulation (EU) 2016/679 from taking place, Directive (EU) 2016/680 of the European Parliament and of the Council (28), Directive (EU) 2016/943 of the European Parliament and of the Council (29), Regulation (EU) 2018/1807 of the European Parliament and of the Council (30), Regulation (EC) No 223/2009 of the European Parliament and of the Council (31), Directive 2000/31/EC of the European Parliament and of the Council (32), Directive 2001/29/EC of the European Parliament and of the Council (33), Directive (EU) 2019/790 of the European Parliament and of the Council (34), Directive 2004/48/EC of the European Parliament and of the Council (35), Directive (EU) 2019/1024 of the European Parliament and of the Council (36), as well as Regulation 2018/858/EU of the European Parliament and of the Council (37), Directive 2010/40/EU of the European Parliament and of the Council (38) and Delegated Regulations adopted on its basis, and any other sector-specific Union legislation that organises the access to and re-use of data. This Regulation should be without prejudice to the access and use of data for the purpose of international cooperation in the context of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. A horizontal regime for the re-use of certain categories of protected data held by public sector bodies, the provision of data sharing services and of services based on data altruism in the Union should be established. Specific characteristics of different sectors may require the design of sectoral data-based systems, while building on the requirements of this Regulation. Where a sector-specific Union legal act requires public sector bodies, providers of data sharing services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act should also apply.
(4) Action at Union level is necessary in order to address the barriers to a well-functioning data-driven economy and to create a Union-wide governance framework for data access and use, in particular regarding the re-use of certain types of data held by the public sector, the provision of services by data sharing providers to business users and to data subjects, as well as the collection and processing of data made available for altruistic purposes by natural and legal persons.
(5) The idea that data that has been generated at the expense of public budgets should benefit society has been part of Union policy for a long time. Directive (EU) 2019/1024 as well as sector-specific legislation ensure that the public sector makes more of the data it produces easily available for use and re-use. However, certain categories of data (commercially confidential data, data subject to statistical confidentiality, data protected by intellectual property rights of third parties, including trade secrets and personal data not accessible on the basis of specific national or Union legislation, such as Regulation (EU) 2016/679 and Directive (EU) 2016/680) in public databases is often not made available, not even for research or innovative activities. Due to the sensitivity of this data, certain technical and legal procedural requirements must be met before they are made available, in order to ensure the respect of rights others have over such data. Such requirements are usually time- and knowledge- intensive to fulfil. This has led to the underutilisation of such data. While some Member States are setting up structures, processes and sometimes legislate to facilitate this type of re-use, this is not the case across the Union.
(6) There are techniques enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression and randomisation. Application of these privacy- enhancing technologies, together with comprehensive data protection approaches should ensure the safe re-use of personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place and supervised by the public sector. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39). In general, insofar as personal data are concerned, the processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 of Regulation (EU) 2016/679.
(7) The categories of data held by public sector bodies which should be subject to re-use under this Regulation fall outside the scope of Directive (EU) 2019/1024 that excludes data which is not accessible due to commercial and statistical confidentiality and data for which third parties have intellectual property rights. Personal data fall outside the scope of Directive (EU) 2019/1024 insofar as the access regime excludes or restricts access to such data for reasons of data protection, privacy and the integrity of the individual, in particular in accordance with data protection rules. The re-use of data, which may contain trade secrets, should take place without prejudice to Directive (EU) 2016/94340, which sets the framework for the lawful acquisition, use or disclosure of trade secrets. This Regulation is without prejudice and complementary to more specific obligations on public sector bodies to allow re-use of data laid down in sector- specific Union or national law.
(8) The re-use regime provided for in this Regulation should apply to data the supply of which forms part of the public tasks of the public sector bodies concerned, as defined by law or by other binding rules in the Member States. In the absence of such rules the public tasks should be defined in accordance with common administrative practice in the Member States, provided that the scope of the public tasks is transparent and subject to review. The public tasks could be defined generally or on a case-by-case basis for individual public sector bodies. As public undertakings are not covered by the definition of public sector body, the data they hold should not be subject to this Regulation. Data held by cultural and educational establishments, for which intellectual property rights are not incidental, but which are predominantly contained in works and other documents protected by such intellectual property rights, are not covered by this Regulation.
(9) Public sector bodies should comply with competition law when establishing the principles for re-use of data they hold, avoiding as far as possible the conclusion of agreements, which might have as their objective or effect the creation of exclusive rights for the re-use of certain data. Such agreement should be only possible when justified and necessary for the provision of a service of general interest. This may be the case when exclusive use of the data is the only way to maximise the societal benefits of the data in question, for example where there is only one entity (which has specialised in the processing of a specific dataset) capable of delivering the service or the product which allows the public sector body to provide an advanced digital service in the general interest. Such arrangements should, however, be concluded in compliance with public procurement rules and be subject to regular review based on a market analysis in order to ascertain whether such exclusivity continues to be necessary. In addition, such arrangements should comply with the relevant State aid rules, as appropriate, and should be concluded for a limited period, which should not exceed three years. In order to ensure transparency, such exclusive agreements should be published online, regardless of a possible publication of an award of a public procurement contract.
(10) Prohibited exclusive agreements and other practices or arrangements between data holders and data re-users which do not expressly grant exclusive rights but which can reasonably be expected to restrict the availability of data for re-use that have been concluded or have been already in place before the entry into force of this Regulation should not be renewed after the expiration of their term. In the case of indefinite or longer-term agreements, they should be terminated within three years from the date of entry into force of this Regulation.
(11) Conditions for re-use of protected data that apply to public sector bodies competent under national law to allow re-use, and which should be without prejudice to rights or obligations concerning access to such data, should be laid down. Those conditions should be non-discriminatory, proportionate and objectively justified, while not restricting competition. In particular, public sector bodies allowing re-use should have in place the technical means necessary to ensure the protection of rights and interests of third parties. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of others in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re- user without leading to a disproportionate effort for the public sector. Depending on the case at hand, before its transmission, personal data should be fully anonymised, so as to definitively not allow the identification of the data subjects, or data containing commercially confidential information modified in such a way that no confidential information is disclosed. Where provision of anonymised or modified data would not respond to the needs of the re-user, on-premise or remote re-use of the data within a secure processing environment could be permitted. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of others. In particular, personal data should only be transmitted for re-use to a third party where a legal basis allows such transmission. The public sector body could make the use of such secure processing environment conditional on the signature by the re-user of a confidentiality agreement that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place. The public sector bodies, where relevant, should facilitate the re-use of data on the basis of consent of data subjects or permissions of legal persons on the re-use of data pertaining to them through adequate technical means. In this respect, the public sector body should support potential re-users in seeking such consent by establishing technical mechanisms that permit transmitting requests for consent from re-users, where practically feasible. No contact information should be given that allows re-users to contact data subjects or companies directly.
(12) The intellectual property rights of third parties should not be affected by this Regulation. This Regulation should neither affect the existence or ownership of intellectual property rights of public sector bodies, nor should it limit the exercise of these rights in any way beyond the boundaries set by this Regulation. The obligations imposed in accordance with this Regulation should apply only insofar as they are compatible with international agreements on the protection of intellectual property rights, in particular the Berne Convention for the Protection of Literary and Artistic Works (Berne Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement) and the WIPO Copyright Treaty (WCT). Public sector bodies should, however, exercise their copyright in a way that facilitates re-use.
(13) Data subject to intellectual property rights as well as trade secrets should only be transmitted to a third party where such transmission is lawful by virtue of Union or national law or with the agreement of the rightholder. Where public sector bodies are holders of the right provided for in Article 7(1) of Directive 96/9/EC of the European Parliament and of the Council (41) they should not exercise that right in order to prevent the re-use of data or to restrict re-use beyond the limits set by this Regulation.
(14) Companies and data subjects should be able to trust that the re-use of certain categories of protected data, which are held by the public sector, will take place in a manner that respects their rights and interests. Additional safeguards should thus be put in place for situations in which the re-use of such public sector data is taking place on the basis of a processing of the data outside the public sector. Such an additional safeguard could be found in the requirement that public sector bodies should take fully into account the rights and interests of natural and legal persons (in particular the protection of personal data, commercially sensitive data and the protection of intellectual property rights) in case such data is transferred to third countries.
(15) Furthermore, it is important to protect commercially sensitive data of non-personal nature, notably trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to IP theft or industrial espionage. In order to ensure the protection of fundamental rights or interests of data holders, non-personal data which is to be protected from unlawful or unauthorised access under Union or national law, and which is held by public sector bodies, should be transferred only to third-countries where appropriate safeguards for the use of data are provided. Such appropriate safeguards should be considered to exist when in that third-country there are equivalent measures in place which ensure that non-personal data benefits from a level of protection similar to that applicable by means of Union or national law in particular as regards the protection of trade secrets and the protection of intellectual property rights. To that end, the Commission may adopt implementing acts that declare that a third country provides a level of protection that is essentially equivalent to those provided by Union or national law. The assessment of the level of protection afforded in such third-country should, in particular, take into consideration the relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law concerning the access to and protection of non-personal data, any access by the public authorities of that third country to the data transferred, the existence and effective functioning of one or more independent supervisory authorities in the third country with responsibility for ensuring and enforcing compliance with the legal regime ensuring access to such data, or the third countries’ international commitments regarding the protection of data the third country concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems. The existence of effective legal remedies for data holders, public sector bodies or data sharing providers in the third country concerned is of particular importance in the context of the transfer of non- personal data to that third country. Such safeguards should therefore include the availability of enforceable rights and of effective legal remedies.
(16) In cases where there is no implementing act adopted by the Commission in relation to a third country declaring that it provides a level of protection, in particular as regards the protection of commercially sensitive data and the protection of intellectual property rights, which is essentially equivalent to that provided by Union or national law, the public sector body should only transmit protected data to a re-user, if the re- user undertakes obligations in the interest of the protection of the data. The re-user that intends to transfer the data to such third country should commit to comply with the obligations laid out in this Regulation even after the data has been transferred to the third country. To ensure the proper enforcement of such obligations, the re-user should also accept the jurisdiction of the Member State of the public sector body that allowed the re-use for the judicial settlement of disputes.
(17) Some third countries adopt laws, regulations and other legal acts which aim at directly transferring or providing access to non-personal data in the Union under the control of natural and legal persons under the jurisdiction of the Member States. Judgments of courts or tribunals or decisions of administrative authorities in third countries requiring such transfer or access to non-personal data should be enforceable when based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. In some cases, situations may arise where the obligation to transfer or provide access to non-personal data arising from a third country law conflicts with a competing obligation to protect such data under Union or national law, in particular as regards the protection of commercially sensitive data and the protection of intellectual property rights, and including its contractual undertakings regarding confidentiality in accordance with such law. In the absence of international agreements regulating such matters, transfer or access should only be allowed under certain conditions, in particular that the third- country system requires the reasons and proportionality of the decision to be set out, that the court order or the decision is specific in character, and the reasoned objection of the addressee is subject to a review by a competent court in the third country, which is empowered to take duly into account the relevant legal interests of the provider of such data.
(18) In order to prevent unlawful access to non-personal data, public sector bodies, natural or legal persons to which the right to re-use data was granted, data sharing providers and entities entered in the register of recognised data altruism organisations should take all reasonable measures to prevent access to the systems where non-personal data is stored, including encryption of data or corporate policies.
(19) In order to build trust in re-use mechanisms, it may be necessary to attach stricter conditions for certain types of non-personal data that have been identified as highly sensitive, as regards the transfer to third countries, if such transfer could jeopardise public policy objectives, in line with international commitments. For example, in the health domain, certain datasets held by actors in the public health system, such as public hospitals, could be identified as highly sensitive health data. In order to ensure harmonised practices across the Union, such types of highly sensitive non-personal public data should be defined by Union law, for example in the context of the European Health Data Space or other sectoral legislation. The conditions attached to the transfer of such data to third countries should be laid down in delegated acts. Conditions should be proportionate, non-discriminatory and necessary to protect legitimate public policy objectives identified, such as the protection of public health, public order, safety, the environment, public morals, consumer protection, privacy and personal data protection. The conditions should correspond to the risks identified in relation to the sensitivity of such data, including in terms of the risk of the re- identification of individuals. These conditions could include terms applicable for the transfer or technical arrangements, such as the requirement of using a secure processing environment, limitations as regards the re-use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or who can access the data in the third country. In exceptional cases they could also include restrictions on transfer of the data to third countries to protect the public interest.
(20) Public sector bodies should be able to charge fees for the re-use of data but should also be able to decide to make the data available at lower or no cost, for example for certain categories of re-uses such as non-commercial re-use, or re-use by small and medium- sized enterprises, so as to incentivise such re-use in order to stimulate research and innovation and support companies that are an important source of innovation and typically find it more difficult to collect relevant data themselves, in line with State aid rules. Such fees should be reasonable, transparent, published online and non- discriminatory.
(21) In order to incentivise the re-use of these categories of data, Member States should establish a single information point to act as the primary interface for re-users that seek to re-use such data held by the public sector bodies. It should have a cross-sector remit, and should complement, if necessary, arrangements at the sectoral level. In addition, Member States should designate, establish or facilitate the establishment of competent bodies to support the activities of public sector bodies allowing re-use of certain categories of protected data. Their tasks may include granting access to data, where mandated in sectoral Union or Member States legislation. Those competent bodies should provide support to public sector bodies with state-of-the-art techniques, including secure data processing environments, which allow data analysis in a manner that preserves the privacy of the information. Such support structure could support the data holders with management of the consent, including consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data processing should be performed under the responsibility of the public sector body responsible for the register containing the data, who remains a data controller in the sense of Regulation (EU) 2016/679 insofar as personal data are concerned. Member States may have in place one or several competent bodies, which could act in different sectors.
(22) Providers of data sharing services (data intermediaries) are expected to play a key role in the data economy, as a tool to facilitate the aggregation and exchange of substantial amounts of relevant data. Data intermediaries offering services that connect the different actors have the potential to contribute to the efficient pooling of data as well as to the facilitation of bilateral data sharing. Specialised data intermediaries that are independent from both data holders and data users can have a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power. This Regulation should only cover providers of data sharing services that have as a main objective the establishment of a business, a legal and potentially also technical relation between data holders, including data subjects, on the one hand, and potential users on the other hand, and assist both parties in a transaction of data assets between the two. It should only cover services aiming at intermediating between an indefinite number of data holders and data users, excluding data sharing services that are meant to be used by a closed group of data holders and users. Providers of cloud services should be excluded, as well as service providers that obtain data from data holders, aggregate, enrich or transform the data and licence the use of the resulting data to data users, without establishing a direct relationship between data holders and data users, for example advertisement or data brokers, data consultancies, providers of data products resulting from value added to the data by the service provider. At the same time, data sharing service providers should be allowed to make adaptations to the data exchanged, to the extent that this improves the usability of the data by the data user, where the data user desires this, such as to convert it into specific formats. In addition, services that focus on the intermediation of content, in particular on copyright-protected content, should not be covered by this Regulation. Data exchange platforms that are exclusively used by one data holder in order to enable the use of data they hold as well as platforms developed in the context of objects and devices connected to the Internet-of-Things that have as their main objective to ensure functionalities of the connected object or device and allow value added services, should not be covered by this Regulation. ‘Consolidated tape providers’ in the sense of Article 4 (1) point 53 of Directive 2014/65/EU of the European Parliament and of the Council 42 as well as ‘account information service providers’ in the sense of Article 4 point 19 of Directive (EU) 2015/2366 of the European Parliament and of the Council43 should not be considered as data sharing service providers for the purposes of this Regulation. Entities which restrict their activities to facilitating use of data made available on the basis of data altruism and that operate on a not-for-profit basis should not be covered by Chapter III of this Regulation, as this activity serves objectives of general interest by increasing the volume of data available for such purposes.
(23) A specific category of data intermediaries includes providers of data sharing services that offer their services to data subjects in the sense of Regulation (EU) 2016/679. Such providers focus exclusively on personal data and seek to enhance individual agency and the individuals’ control over the data pertaining to them. They would assist individuals in exercising their rights under Regulation (EU) 2016/679, in particular managing their consent to data processing, the right of access to their own data, the right to the rectification of inaccurate personal data, the right of erasure or right ‘to be forgotten’, the right to restrict processing and the data portability right, which allows data subjects to move their personal data from one controller to the other. In this context, it is important that their business model ensures that there are no misaligned incentives that encourage individuals to make more data available for processing than what is in the individuals’ own interest. This could include advising individuals on uses of their data they could allow and making due diligence checks on data users before allowing them to contact data subjects, in order to avoid fraudulent practices. In certain situations, it could be desirable to collate actual data within a personal data storage space, or ‘personal data space’ so that processing can happen within that space without personal data being transmitted to third parties in order to maximise the protection of personal data and privacy.
(24) Data cooperatives seek to strengthen the position of individuals in making informed choices before consenting to data use, influencing the terms and conditions of data user organisations attached to data use or potentially solving disputes between members of a group on how data can be used when such data pertain to several data subjects within that group. In this context it is important to acknowledge that the rights under Regulation (EU) 2016/679 can only be exercised by each individual and cannot be conferred or delegated to a data cooperative. Data cooperatives could also provide a useful means for one-person companies, micro, small and medium-sized enterprises that in terms of knowledge of data sharing, are often comparable to individuals.
(25) In order to increase trust in such data sharing services, in particular related to the use of data and the compliance with the conditions imposed by data holders, it is necessary to create a Union-level regulatory framework, which would set out highly harmonised requirements related to the trustworthy provision of such data sharing services. This will contribute to ensuring that data holders and data users have better control over the access to and use of their data, in accordance with Union law. Both in situations where data sharing occurs in a business-to-business context and where it occurs in a business-to-consumer context, data sharing providers should offer a novel, ‘European’ way of data governance, by providing a separation in the data economy between data provision, intermediation and use. Providers of data sharing services may also make available specific technical infrastructure for the interconnection of data holders and data users.
(26) A key element to bring trust and more control for data holder and data users in data sharing services is the neutrality of data sharing service providers as regards the data exchanged between data holders and data users. It is therefore necessary that data sharing service providers act only as intermediaries in the transactions, and do not use the data exchanged for any other purpose. This will also require structural separation between the data sharing service and any other services provided, so as to avoid issues of conflict of interest. This means that the data sharing service should be provided through a legal entity that is separate from the other activities of that data sharing provider. Data sharing providers that intermediate the exchange of data between individuals as data holders and legal persons should, in addition, bear fiduciary duty towards the individuals, to ensure that they act in the best interest of the data holders.
(27) In order to ensure the compliance of the providers of data sharing services with the conditions set out in this Regulation, such providers should have a place of establishment in the Union. Alternatively, where a provider of data sharing services not established in the Union offers services within the Union, it should designate a representative. Designation of a representative is necessary, given that such providers of data sharing services handle personal data as well as commercially confidential data, which necessitates the close monitoring of the compliance of such service providers with the conditions laid out in this Regulation. In order to determine whether such a provider of data sharing services is offering services within the Union, it should be ascertained whether it is apparent that the provider of data sharing services is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the website or of an email address and of other contact details of the provider of data sharing services, or the use of a language generally used in the third country where the provider of data sharing services is established, should be considered insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that other language, or the mentioning of users who are in the Union, may make it apparent that the provider of data sharing services is planning to offer services within the Union. The representative should act on behalf of the provider of data sharing services and it should be possible for competent authorities to contact the representative. The representative should be designated by a written mandate of the provider of data sharing services to act on the latter's behalf with regard to the latter's obligations under this Regulation.
(28) This Regulation should be without prejudice to the obligation of providers of data sharing services to comply with Regulation (EU) 2016/679 and the responsibility of supervisory authorities to ensure compliance with that Regulation. Where the data sharing service providers are data controllers or processors in the sense of Regulation (EU) 2016/679 they are bound by the rules of that Regulation. This Regulation should be also without prejudice to the application of competition law.
(29) Providers of data sharing services should also take measures to ensure compliance with competition law. Data sharing may generate various types of efficiencies but may also lead to restrictions of competition, in particular where it includes the sharing of competitively sensitive information. This applies in particular in situations where data sharing enables businesses to become aware of market strategies of their actual or potential competitors. Competitively sensitive information typically includes information on future prices, production costs, quantities, turnovers, sales or capacities.
(30) A notification procedure for data sharing services should be established in order to ensure a data governance within the Union based on trustworthy exchange of data. The benefits of a trustworthy environment would be best achieved by imposing a number of requirements for the provision of data sharing services, but without requiring any explicit decision or administrative act by the competent authority for the provision of such services.
(31) In order to support effective cross-border provision of services, the data sharing provider should be requested to send a notification only to the designated competent authority from the Member State where its main establishment is located or where its legal representative is located. Such a notification should not entail more than a mere declaration of the intention to provide such services and should be completed only by the information set out in this Regulation.
(32) The main establishment of a provider of data sharing services in the Union should be the Member State with the place of its central administration in the Union. The main establishment of a provider of data sharing services in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities.
(33) The competent authorities designated to monitor compliance of data sharing services with the requirements in this Regulation should be chosen on the basis of their capacity and expertise regarding horizontal or sectoral data sharing, and they should be independent as well as transparent and impartial in the exercise of their tasks. Member States should notify the Commission of the identity of the designated competent authorities.
(34) The notification framework laid down in this Regulation should be without prejudice to specific additional rules for the provision of data sharing services applicable by means of sector-specific legislation.
(35) There is a strong potential in the use of data made available voluntarily by data subjects based on their consent or, where it concerns non-personal data, made available by legal persons, for purposes of general interest. Such purposes would include healthcare, combating climate change, improving mobility, facilitating the establishment of official statistics or improving the provision of public services. Support to scientific research, including for example technological development and demonstration, fundamental research, applied research and privately funded research, should be considered as well purposes of general interest. This Regulation aims at contributing to the emergence of pools of data made available on the basis of data altruism that have a sufficient size in order to enable data analytics and machine learning, including across borders in the Union.
(36) Legal entities that seek to support purposes of general interest by making available relevant data based on data altruism at scale and meet certain requirements, should be able to register as ‘Data Altruism Organisations recognised in the Union’. This could lead to the establishment of data repositories. As registration in a Member State would be valid across the Union, and this should facilitate cross-border data use within the Union and the emergence of data pools covering several Member States. Data subjects in this respect would consent to specific purposes of data processing, but could also consent to data processing in certain areas of research or parts of research projects as it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Legal persons could give permission to the processing of their non-personal data for a range of purposes not defined at the moment of giving the permission. The voluntary compliance of such registered entities with a set of requirements should bring trust that the data made available on altruistic purposes is serving a general interest purpose. Such trust should result in particular from a place of establishment within the Union, as well as from the requirement that registered entities have a not-for-profit character, from transparency requirements and from specific safeguards in place to protect rights and interests of data subjects and companies. Further safeguards should include making it possible to process relevant data within a secure processing environment operated by the registered entity, oversight mechanisms such as ethics councils or boards to ensure that the data controller maintains high standards of scientific ethics, effective technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under Regulation (EU) 2016/679 as well as means for data subjects to stay informed about the use of data they made available.
(37) This Regulation is without prejudice to the establishment, organisation and functioning of entities that seek to engage in data altruism pursuant to national law. It builds on national law requirements to operate lawfully in a Member State as a not- for-profit organisation. Entities which meet the requirements in this Regulation should be able to use the title of ‘Data Altruism Organisations recognised in the Union’.
(38) Data Altruism Organisations recognised in the Union should be able to collect relevant data directly from natural and legal persons or to process data collected by others. Typically, data altruism would rely on consent of data subjects in the sense of Article 6(1)(a) and 9(2)(a) and in compliance with requirements for lawful consent in accordance with Article 7 of Regulation (EU) 2016/679. In accordance with Regulation (EU) 2016/679, scientific research purposes can be supported by consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research or only to certain areas of research or parts of research projects. Article 5(1)(b) of Regulation (EU) 2016/679 specifies that further processing for scientific or historical research purposes or statistical purposes should, in accordance with Article 89(1) of Regulation (EU) 2016/679, not be considered to be incompatible with the initial purposes.
(39) To bring additional legal certainty to granting and withdrawing of consent, in particular in the context of scientific research and statistical use of data made available on an altruistic basis, a European data altruism consent form should be developed and used in the context of altruistic data sharing. Such a form should contribute to additional transparency for data subjects that their data will be accessed and used in accordance with their consent and also in full compliance with the data protection rules. It could also be used to streamline data altruism performed by companies and provide a mechanism allowing such companies to withdraw their permission to use the data. In order to take into account the specificities of individual sectors, including from a data protection perspective, there should be a possibility for sectoral adjustments of the European data altruism consent form.
(40) In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group. The Board should consist of representatives of the Member States, the Commission and representatives of relevant data spaces and specific sectors (such as health, agriculture, transport and statistics). The European Data Protection Board should be invited to appoint a representative to the European Data Innovation Board. (41) The Board should support the Commission in coordinating national practices and policies on the topics covered by this Regulation, and in supporting cross-sector data use by adhering to the European Interoperability Framework (EIF) principles and through the utilisation of standards and specifications (such as the Core Vocabularies44 and the CEF Building Blocks45), without prejudice to standardisation work taking place in specific sectors or domains. Work on technical standardisation may include the identification of priorities for the development of standards and establishing and maintaining a set of technical and legal standards for transmitting data between two processing environments that allows data spaces to be organised without making recourse to an intermediary. The Board should cooperate with sectoral bodies, networks or expert groups, or other cross-sectoral organisations dealing with re-use of data. Regarding data altruism, the Board should assist the Commission in the development of the data altruism consent form, in consultation with the European Data Protection Board.
(42) In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to develop the European data altruism consent form. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council46.
(43) In order to take account of the specific nature of certain categories of data, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to lay down special conditions applicable for transfers to third-countries of certain non-personal data categories deemed to be highly sensitive in specific Union acts adopted though a legislative procedure. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
(44) This Regulation should not affect the application of the rules on competition, and in particular Articles 101 and 102 of the Treaty on the Functioning of the European Union. The measures provided for in this Regulation should not be used to restrict competition in a manner contrary to the Treaty on the Functioning of the European Union. This concerns in particular the rules on the exchange of competitively sensitive information between actual or potential competitors through data sharing services.
(45) The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (47)and delivered an opinion on [...].
(46) This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter, including the right to privacy, the protection of personal data, the freedom to conduct a business, the right to property and the integration of persons with disabilities,
HAVE ADOPTED THIS REGULATION: