Legislators within the European Union have presented a significant new legislative initiative today aimed at promoting the wider utilization of industrial data throughout the Single Market. This involves establishing a uniform set of reliable methods and instruments to guarantee “safe and privacy-respecting circumstances” for data exchange.

A network of impartial and trustworthy data intermediaries, alongside a supervisory system consisting of national authorities and a Europe-wide coordinating organization, are central elements of this proposal.

This development builds upon the European Commission’s data strategy unveiled in February, which outlined plans to increase data reuse to facilitate a new wave of data-focused services driven by data-intensive artificial intelligence. It also supports the concept of leveraging “technology for positive impact” by enabling “greater quantities of high-quality data” to stimulate innovation for the benefit of all, such as improved medical diagnoses, and enhance public sector operations.

It’s important to note that the reuse of personal data is already governed by existing regulations within the bloc (like the General Data Protection Regulation; GDPR), which places restrictions on its application. Furthermore, commercial factors can often limit the extent to which industrial data is shared.

The EU’s governing body contends that standardized requirements, addressing both technical and legal aspects of data reuse, are essential to cultivate confidence and legal clarity—achieved through a framework designed to uphold existing rights and safeguards, thereby encouraging more effective data utilization.

The Commission anticipates substantial commercial advantages resulting from the suggested data governance structure. According to a press statement, “Companies, regardless of size, will experience new commercial prospects, as well as reduced expenses related to data acquisition, integration, and processing, decreased obstacles to market entry, and faster development cycles for innovative products and services.”

Additional data-related proposals are scheduled for release in 2021, complementing a comprehensive set of digital services legislation planned for introduction next month—all as part of a broader revitalization of industrial policy that prioritizes digital transformation and a sustainable green agenda.

To become law, all legislative aspects of this strategy require approval from both the European Council and the parliament, indicating a lengthy process before full implementation can be achieved.

Data Governance Act

Legislators within the European Union frequently refer to the data strategy as a means of promoting the exchange and utilization of “industrial data,” though the Data Governance Act (DGA) revealed today encompasses a broader scope.

The Commission intends for this framework to facilitate the sharing of data covered by data protection regulations—including personal data—where privacy concerns might currently limit its reuse. It also includes industrial data protected by intellectual property rights, or data containing trade secrets or other sensitive commercial information, which is not typically shared by its originators for direct commercial gain. 

During a press conference regarding the data governance proposals, Thierry Breton, the internal market commissioner, introduced the concept of “data altruism.” He explained that the Commission aims to establish a structured method for individuals to voluntarily share their personal data for the benefit of the wider community, such as supporting research into uncommon illnesses or assisting cities in monitoring air quality through mobility mapping.

“Personal data spaces, representing innovative personal information management tools and services, will empower Europeans with greater control over their data, allowing them to precisely determine who accesses it and for what purposes,” the Commission states in a question-and-answer document accompanying the proposal.

The Commission plans to establish a public registry where organizations can register as “data altruism organizations,” provided they operate on a non-profit basis, adhere to transparency standards, and implement safeguards to “protect the rights and interests of both citizens and businesses,” with the goal of maximizing confidence while minimizing administrative processes.

The DGA anticipates different tools, techniques, and requirements for data sharing between public sector entities and private companies.

Public sector bodies may face technical requirements—like encryption or anonymization—related to the data itself, or limitations on further processing, such as requiring it to occur within “dedicated infrastructures operated and overseen by the public sector.” They will also be required to sign legally binding confidentiality agreements with data reusers.

“Whenever data is transferred to a reuser, mechanisms will be in place to ensure adherence to the GDPR and to maintain the commercial confidentiality of the data,” according to the Commission’s press release.

To incentivize businesses to participate in data pooling—with the expectation of collective economic benefits from accessing larger combined datasets—the plan involves regulated data intermediaries or marketplaces offering “neutral” data-sharing services, acting as a “trusted” intermediary or repository to enable data flow between businesses.

“To guarantee this neutrality, the data-sharing intermediary is prohibited from using the data for its own benefit—such as selling it to another company or developing its own products based on it—and must comply with stringent requirements to ensure this neutrality,” the Commission explains.

Compliance with data handling requirements for these intermediaries would be overseen by national public authorities.

The Commission is also proposing the creation of a new EU-wide body, the European Data Innovation Board, to harmonize best practices across Member States—mirroring the coordinating role of the European Data Protection Board, which connects the EU’s network of data protection authorities.

“These data brokers or intermediaries that will provide for data sharing will do so in a way that your rights are protected and that you have choices,” stated Margrethe Vestager, Executive Vice President leading the bloc’s digital strategy, during the press conference.

“So that you can also have personal data spaces where your data is managed. Because, initially, when you ask people they say well actually we do want to share but we don’t really know how to do it. And this is not only the technicalities — it’s also the legal certainty that’s missing. And this proposal will provide that,” she added.

Data Localization: A Requirement or Not?

Commissioners addressed several inquiries concerning the complex topic of international data transfers.

Breton was questioned regarding whether the Data Governance Act (DGA) would incorporate any stipulations for data localization. His response indicated that the regulations will establish a set of criteria that, based on the specific data and its intended destination, could necessitate storing and processing the data within the EU as the only practical solution.

“Regarding data localization, our approach mirrors that of the GDPR, utilizing adequacy decisions and standard contractual clauses specifically for sensitive data. This involves a tiered system of conditions to permit international transfers while fully upholding the data’s protected status. That is the core principle guiding this effort,” Breton explained. “And naturally, for exceptionally sensitive data – for example, information within the public health sector – it will be essential to implement additional conditions based on the level of sensitivity; otherwise, Member States may be unwilling to share it.”

“For example, it might be feasible to restrict the reuse of this data to secure, public infrastructures, allowing companies to utilize the data without retaining it. It could also involve limiting access from third countries, restricting further data transfers, and, if necessary, prohibiting transfers altogether,” he continued, emphasizing that these conditions would be “fully consistent” with the EU’s commitments under the World Trade Organization (WTO).

In its Q&A section addressing data localization requirements, the Commission cautiously navigated the question, stating: “There is no requirement to store and process data within the EU. No one will be prevented from working with their preferred partners. However, the EU must guarantee that any access to the personal data of EU citizens, and to certain sensitive data, complies with its values and legal framework.”

During the press conference, Breton also highlighted that organizations seeking access to EU data available for reuse will be required to have legal representation within the region. “This is crucial to ensure the enforceability of the rules we are establishing,” he stated. “It is of significant importance to us – perhaps more so than to other continents – to maintain full compliance.”

The commissioners also responded to questions about the enforcement of the proposed data reuse regulations, particularly in light of ongoing criticism regarding the inconsistent and sometimes lax enforcement of Europe’s data protection regulations, the GDPR.

“Rules are ineffective without enforcement,” Vestager affirmed. “Our proposal is that if a data-sharing service provider self-declares, the responsible authority with whom they have registered will then be tasked with monitoring and overseeing compliance with the obligations necessary to protect legitimate interests – such as business confidentiality or intellectual property rights.”

“This is an area we will continue to develop in future proposals, including the Digital Services Act and the Digital Markets Act. However, this initiative serves as a preliminary step, requiring Member States receiving notifications to also supervise and ensure that everything is in order.”

Breton also addressed the enforcement aspect, suggesting that it would be integrated from the outset, for instance, through stringent control over who could qualify as a data reuse broker.

“[First] we are introducing common and harmonized regulations… We are establishing a substantial internal market for data. Second, we are requesting Member States to establish dedicated authorities for monitoring. Third, we will ensure consistency and enforcement through the European Data Innovation Board,” he explained. “To illustrate, enforcement is built-in. To operate as a data broker, certain obligations must be met; fulfilling these obligations allows one to be a neutral data broker – failing to do so disqualifies them. This will simplify application.”

In addition to the DGA, the Commission also unveiled an Intellectual Property Action Plan.

Vestager explained that this plan aims to build upon the EU’s existing IP framework through a series of supporting measures – including financial assistance for Small and Medium-sized Enterprises (SMEs) participating in the Horizon Europe Research and Development program to file patents.

The Commission is also evaluating potential reforms to the framework governing the filing of standards essential patents. However, in the near term, Vestager stated that the focus would be on encouraging industry participation in forums designed to reduce litigation.

“As one possibility, the Commission could establish an independent system for third-party essentiality checks to enhance legal certainty and lower litigation costs,” she added, noting that protecting IP is a vital component of the bloc’s industrial strategy.