Data Pools for Data Sharing Now Regulated – EU Data Governance Law | Hogan Lovells

[co-author: Joanna Rozanska]

In Europe, the current conditions for sharing data between companies are so complicated that the potential of the industry is not fully exploited. This results in a loss of competitiveness of European industry compared to other jurisdictions where data sharing is much simpler. With the Data Governance Act, which will apply from September 2023, the European Union has taken corrective action by creating a legal framework for data sharing. An interesting option offered by this law is the regulation of data pools.

Data Pools in Data Governance Law

The Data Governance Law (DGA) aims to create a single European market for data (personal or otherwise) including a new strategy for data sharing through data intermediation service providers. These should strengthen the reliability of common European data spaces and allow players to share data more easily via these intermediaries, which could play the role of “data market” or trusted third party. This new approach is based on neutrality and transparency while leaving companies and individuals in control of their own data.

Context of data pools under the DGA

Data pools are centralized spaces where trading partners can share, obtain and/or keep data, which can be useful in business relationships involving multiple companies feeding the same data pool with their own data (e.g. to reduce costs), for the same company or for others to access and use this information under predetermined conditions.

Undoubtedly, this new system offers many possibilities for industries – such as algorithm training, machine learning, process optimization, new product development, research and development initiatives, etc.

Participants in the data pool will be able to decide what data to share, who will be authorized to access the data and under what conditions, taking into account the rules and technical conditions of the data intermediation services (and other regulations, such as laws on competition). Data sharing could be multilateral for data participants, or be open to third parties wishing to access this data, for “the joint or individual use of this data”.

One of the objectives of the DGA’s data pools is to promote the sharing of information and the creation of European data spaces or data markets for the benefit of industry and research. One option for these data pools is open and available access by any interested party on an equal footing (e.g. through licensing

Data pools are not necessarily accessible free of charge. Participants, through this mechanism, will be able to receive “royalties” or “compensations” for their contribution, which is an incentive to create data spaces.

Other types of data pools not covered by the DGA are not necessarily prohibited but will not follow this new legal framework. Also, data pools and data intermediation services are different from cloud or analytics services, data sharing software, web browsers or email services, which fall outside the scope of the DGA. These services only provide technical tools allowing companies to share data with others and/or are not intended to establish a commercial relationship between data holders and data users.

Types of data that can feed the data pool

What data can be shared in data pools? All data that companies have the right to share with third parties, with certain limited exceptions, such as copyrighted content. In other words, any non-personal data can feed into the data pools provided it is not protected by industry laws (eg trade secrets, intellectual property, etc.).

As for personal data, it can be shared as long as this sharing complies with the General Data Protection Regulation (“GDPR”). In this context, the use of anonymization or pseudonymization could facilitate the sharing of personal data in GDPR-compliant pools. In any case, as long as the data remains personal data, the pools must allow data subjects to exercise their data protection rights.

The information shared in the data pool must not be enriched or modified by the intermediation service provider. It should be offered as provided by the participants, with some adaptation of the format for harmonization standards or improved interoperability.

Data Pool Management: Data Intermediation Service Providers

Data pools must be managed by a new actor defined in the DGA: the data intermediation service provider. The data intermediation service is defined as follows:

a service which aims to establish commercial relations for the purpose of sharing data between an indefinite number of data subjects and data holders on the one hand and data users on the other hand”.

This new role as a provider of intermediation services for data sharing will bring business opportunities to technology companies. The data intermediation services allow the interconnection between the participants of the pool with the data users, and will have to ensure that the security of the data and that the principles of the DGA are respected.

Data intermediation service providers are subject to a very strict regime and must comply with strict conditions. They must be neutral and consider the companies and entities using the pools fairly and transparently, and ensure that the prices are not discriminatory. As part of their data intermediation activity, they may not be subject to a conflict of interest, nor use and process the pool data (not even the metadata collected in the context of the provision of their services ) for purposes other than providing the data to corporate users of the data pool. They cannot use pool data for their own purposes. In addition, they must ensure the security of their services and provide procedures to prevent fraudulent practices. Finally, the data intermediation service provider “must maintain a log recording all data intermediation activities”.

Their activity is subject to prior notification to the competent authority designated by each Member State. This authority could either be created per se for this purpose or be managed by existing authorities such as the data protection authority, the competition authority or any other public authority. The competent authority must be chosen by September 24, 2023.

In any case, when several companies agree on the creation of a data pool, the governance and compliance model is paramount. A clear definition from the beginning of the project of the controls, who carries them out and how they are reviewed and updated is essential.

Date of application

The DGA will apply from 24 September 2023, so companies wishing to take the initiative to become intermediaries should start planning without delay, as the business reporting requirements and requirements to become an intermediary are quite onerous.

Overall, the fact that data pool rules are recognized in an EU regulation is a positive development. It provides legal certainty to companies wishing to provide or obtain data and the certainty that by complying with this regulation (and, where applicable, others that may apply such as the GDPR or competition laws) , this exchange of data is legal. It will be interesting to see how this regulation interacts with other regulations that are already on the horizon in certain sectors, such as the regulation creating the European Health Data Area.

Next steps

  • Determine if a data sharing space managed by an intermediation service could interest and benefit your company;
  • Data intermediation service providers should start preparing their business structures and policies now to prepare for notification to regulators;
  • Companies wishing to create a data pool must ensure that the data pool governance rules comply with the DGA;
  • When creating a data pool, other legislation must be taken into account, such as the GDPR or European competition laws.

[View source.]