CHAPTER I
General provisions (Articles 1 — 2)
CHAPTER II
Re-use of certain categories of protected data held by public sector bodies (Articles 3 — 9)
CHAPTER III
Requirements applicable to data intermediation services (Articles 10 — 15)
CHAPTER IV
Data altruism (Articles 16 — 25)
CHAPTER V
Competent authorities and procedural provisions (Articles 26 — 28)
CHAPTER VI
European Data Innovation Board (Articles 29 — 30)
CHAPTER VII
International access and transfer (Article 31)
CHAPTER VIII
Delegation and committee procedure (Articles 32 — 33)
CHAPTER IX
Final and transitional provisions (Articles 34 — 38)
1
The Treaty on the Functioning of the European Union (TFEU) provides for the establishment of an internal market and the institution of a system ensuring that competition in the internal market is not distorted. The establishment of common rules and practices in the Member States relating to the development of a framework for data governance should contribute to the achievement of those objectives, while fully respecting fundamental rights. It should also guarantee the strengthening of the open strategic autonomy of the Union while fostering international free flow of data.
2
Over the last decade, digital technologies have transformed the economy and society, affecting all sectors of activity and daily life. Data is at the centre of that transformation: data-driven innovation will bring enormous benefits to both Union citizens and the economy, for example by improving and personalising medicine, providing new mobility, and contributing to the communication of the Commission of 11 December 2019 on the European Green Deal. In order to make the data-driven economy inclusive for all Union citizens, particular attention must be paid to reducing the digital divide, boosting the participation of women in the data economy and fostering cutting-edge European expertise in the technology sector. The data economy has to be built in a way that enables undertakings, in particular micro, small and medium-sized enterprises (SMEs), as defined in the Annex to Commission Recommendation 2003/361/EC, and start-ups to thrive, ensuring data access neutrality and data portability and interoperability, and avoiding lock-in effects. In its communication of 19 February 2020 on a European strategy for data (the ‘European strategy for data’), the Commission described the vision of a common European data space, meaning an internal market for data in which data could be used irrespective of its physical storage location in the Union in compliance with applicable law, which, inter alia, could be pivotal for the rapid development of artificial intelligence technologies.
3
It is necessary to improve the conditions for data sharing in the internal market, by creating a harmonised framework for data exchanges and laying down certain basic requirements for data governance, paying specific attention to facilitating cooperation between Member States. This Regulation should aim to develop further the borderless digital internal market and a human-centric, trustworthy and secure data society and economy. Sector-specific Union law can develop, adapt and propose new and complementary elements, depending on the specificities of the sector, such as the Union law envisaged on the European health data space and on access to vehicle data. Moreover, certain sectors of the economy are already regulated by sector-specific Union law, which includes rules relating to the sharing of or access to data across borders or across the Union, for example Directive 2011/24/EU of the European Parliament and of the Council in the context of the European health data space, and relevant legislative acts in the field of transport, such as Regulations (EU) 2019/1239 and (EU) 2020/1056 and Directive 2010/40/EU of the European Parliament and of the Council in the context of the European mobility data space.
4
This Regulation should be without prejudice to Regulations (EU) 2016/679 and (EU) 2018/1725 of the European Parliament and of the Council and to Directives 2002/58/EC and (EU) 2016/680 of the European Parliament and of the Council and the corresponding provisions of national law, including where personal and non-personal data in a data set are inextricably linked. In particular, this Regulation should not be read as creating a new legal basis for the processing of personal data for any of the regulated activities, or as amending the information requirements laid down in Regulation (EU) 2016/679. The implementation of this Regulation should not prevent cross-border transfers of data in accordance with Chapter V of Regulation (EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data should prevail. It should be possible to consider data protection authorities to be competent authorities under this Regulation. Where other authorities function as competent authorities under this Regulation, they should do so without prejudice to the supervisory powers and competences of data protection authorities under Regulation (EU) 2016/679.
5
Action at Union level is necessary to increase trust in data sharing by establishing appropriate mechanisms for control by data subjects and data holders over data that relates to them, and in order to address other barriers to a well-functioning and competitive data-driven economy. That action should be without prejudice to obligations and commitments in the international trade agreements concluded by the Union. A Union-wide governance framework should have the objective of building trust among individuals and undertakings in relation to data access, control, sharing, use and re-use, in particular by establishing appropriate mechanisms for data subjects to know and meaningfully exercise their rights, as well as with regard to the re-use of certain types of data held by the public sector bodies, the provision of services by data intermediation services providers to data subjects, data holders and data users, as well as the collection and processing of data made available for altruistic purposes by natural and legal persons. In particular, more transparency regarding the purpose of data use and conditions under which data is stored by undertakings can help increase trust.
6
The idea that data that has been generated or collected by public sector bodies or other entities at the expense of public budgets should benefit society has been part of Union policy for a long time. Directive (EU) 2019/1024 and sector-specific Union law ensure that the public sector bodies make more of the data they produce easily available for use and re-use. However, certain categories of data, such as commercially confidential data, data that are subject to statistical confidentiality and data protected by intellectual property rights of third parties, including trade secrets and personal data, in public databases are often not made available, not even for research or innovative activities in the public interest, despite such availability being possible in accordance with the applicable Union law, in particular Regulation (EU) 2016/679 and Directives 2002/58/EC and (EU) 2016/680. Due to the sensitivity of such data, certain technical and legal procedural requirements must be met before they are made available, not least in order to ensure the respect of rights others have over such data or to limit the negative impact on fundamental rights, the principle of non-discrimination and data protection. The fulfilment of such requirements is usually time- and knowledge-intensive. This has led to the insufficient use of such data. While some Member States are establishing structures, processes or legislation to facilitate that type of re-use, this is not the case across the Union. In order to facilitate the use of data for European research and innovation by private and public entities, clear conditions for access to and use of such data are needed across the Union.
7
There are techniques enabling analyses on databases that contain personal data, such as anonymisation, differential privacy, generalisation, suppression and randomisation, the use of synthetic data or similar methods and other state-of-the-art privacy-preserving methods that could contribute to a more privacy-friendly processing of data. Member States should provide support to public sector bodies to make optimal use of such techniques, thus making as much data as possible available for sharing. The application of such techniques, together with comprehensive data protection impact assessments and other safeguards, can contribute to more safety in the use and re-use of personal data and should ensure the safe re-use of commercially confidential business data for research, innovation and statistical purposes. In many cases the application of such techniques, impact assessments and other safeguards implies that data can be used and re-used only in a secure processing environment that is provided or controlled by the public sector body. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) No 557/2013. In general, insofar as personal data are concerned, the processing of personal data should be based upon one or more of the legal bases for processing provided in Articles 6 and 9 of Regulation (EU) 2016/679.
8
In accordance with Regulation (EU) 2016/679, the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. Re-identification of data subjects from anonymised datasets should be prohibited. This should not prejudice the possibility to conduct research into anonymisation techniques, in particular for the purpose of ensuring information security, improving existing anonymisation techniques and contributing to the overall robustness of anonymisation, undertaken in accordance with Regulation (EU) 2016/679.
9
In order to facilitate the protection of personal data and confidential data and to speed up the process of making such data available for re-use under this Regulation, Member States should encourage public sector bodies to create and make available data in accordance with the principle of ‘open by design and by default’ referred to in Article 5(2) of Directive (EU) 2019/1024 and to promote the creation and the procurement of data in formats and structures that facilitate anonymisation in that regard.
10
The categories of data held by public sector bodies which should be subject to re-use under this Regulation fall outside the scope of Directive (EU) 2019/1024 that excludes data which is not accessible due to commercial and statistical confidentiality and data that is included in works or other subject matter over which third parties have intellectual property rights. Commercially confidential data includes data protected by trade secrets, protected know-how and any other information the undue disclosure of which would have an impact on the market position or financial health of the undertaking. This Regulation should apply to personal data that fall outside the scope of Directive (EU) 2019/1024 insofar as the access regime excludes or restricts access to such data for reasons of data protection, privacy and the integrity of the individual, in particular in accordance with data protection rules. The re-use of data, which may contain trade secrets, should take place without prejudice to Directive (EU) 2016/943, which sets out the framework for the lawful acquisition, use or disclosure of trade secrets.
11
This Regulation should not create an obligation to allow the re-use of data held by public sector bodies. In particular, each Member State should therefore be able to decide whether data is made accessible for re-use, also in terms of the purposes and scope of such access. This Regulation should complement and be without prejudice to more specific obligations on public sector bodies to allow re-use of data laid down in sector-specific Union or national law. Public access to official documents may be considered to be in the public interest. Taking into account the role of public access to official documents and transparency in a democratic society, this Regulation should also be without prejudice to Union or national law on granting access to and disclosing official documents. Access to official documents may in particular be granted in accordance with national law without imposing specific conditions or by imposing specific conditions that are not provided by this Regulation.
12
The re-use regime provided for in this Regulation should apply to data the supply of which forms part of the public tasks of the public sector bodies concerned under law or other binding rules in the Member States. In the absence of such rules, the public tasks should be defined in accordance with common administrative practice in the Member States, provided that the scope of the public tasks is transparent and subject to review. The public tasks could be defined generally or on a case-by-case basis for individual public sector bodies. As public undertakings are not covered by the definition of public sector body, the data held by public undertakings should not be covered by this Regulation. Data held by cultural establishments, such as libraries, archives and museums as well as orchestras, operas, ballets and theatres, and by educational establishments should not be covered by this Regulation since the works and other documents they hold are predominantly covered by third party intellectual property rights. Research-performing organisations and research-funding organisations could also be organised as public sector bodies or bodies governed by public law.
13
Public sector bodies should comply with competition law when establishing the principles for re-use of data they hold, avoiding the conclusion of agreements which might have as their objective or effect the creation of exclusive rights for the re-use of certain data. Such agreements should be possible only where justified and necessary for the provision of a service or the supply of a product in the general interest. This may be the case where the exclusive use of the data is the only way to maximise the societal benefits of the data in question, for example where there is only one entity (which has specialised in the processing of a specific dataset) capable of providing the service or supplying the product which allows the public sector body to provide a service or supply a product in the general interest. Such arrangements should, however, be concluded in accordance with applicable Union or national law and be subject to regular review based on a market analysis in order to ascertain whether such exclusivity continues to be necessary. In addition, such arrangements should comply with the relevant State aid rules, as appropriate, and should be concluded for a limited duration which should not exceed 12 months. In order to ensure transparency, such exclusive agreements should be published online, in a form that complies with relevant Union law on public procurement. Where an exclusive right to re-use data does not comply with this Regulation, that exclusive right should be invalid.
14
Prohibited exclusive agreements and other practices or arrangements pertaining to the re-use of data held by public sector bodies which do not expressly grant exclusive rights but which can reasonably be expected to restrict the availability of data for re-use that have been concluded or were already in place before the date of entry into force of this Regulation should not be renewed after the expiry of their term. In the case of indefinite or longer-term agreements, they should be terminated within 30 months of the date of entry into force of this Regulation.
15
This Regulation should lay down conditions for re-use of protected data that apply to public sector bodies designated as competent under national law to grant or refuse access for re-use, and which are without prejudice to rights or obligations concerning access to such data. Those conditions should be non-discriminatory, transparent, proportionate and objectively justified, while not restricting competition, with a specific focus on promoting access to such data by SMEs and start-ups. The conditions for re-use should be designed in a manner promoting scientific research so that, for example, privileging scientific research should, as a rule, be considered to be non-discriminatory. Public sector bodies allowing re-use should have in place the technical means necessary to ensure the protection of rights and interests of third parties and should be empowered to request the necessary information from the re-user. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of third parties in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate burden on the public sector bodies. Conditions attached to the re-use of data should be designed to ensure effective safeguards with regard to the protection of personal data. Before transmission, personal data should be anonymised, in order not to allow the identification of the data subjects, and data containing commercially confidential information should be modified in such a way that no confidential information is disclosed. 
Where the provision of anonymised or modified data would not respond to the needs of the re-user, subject to fulfilling any requirements to carry out a data protection impact assessment and consult the supervisory authority pursuant to Articles 35 and 36 of Regulation (EU) 2016/679 and where the risks to the rights and interests of data subjects have been found to be minimal, on-premise or remote re-use of the data within a secure processing environment could be allowed.
16
In order to facilitate and encourage the use of data held by public sector bodies for the purposes of scientific research, public sector bodies are encouraged to develop a harmonised approach and harmonised processes to make that data easily accessible for the purposes of scientific research in the public interest. That could mean, inter alia, creating streamlined administrative procedures, standardised data formatting, informative metadata on the methodological and data collection choices and standardised data fields that enable the easy joining of data sets from different public sector data sources where relevant for the purposes of analysis. The objective of those practices should be to promote the publicly funded and produced data for the purposes of scientific research in accordance with the principle of ‘as open as possible, as closed as necessary’.
17
The intellectual property rights of third parties should not be affected by this Regulation. This Regulation should neither affect the existence or ownership of intellectual property rights of public sector bodies nor limit the exercise of those rights in any way. The obligations imposed in accordance with this Regulation should apply only insofar as they are compatible with international agreements on the protection of intellectual property rights, in particular the Berne Convention for the Protection of Literary and Artistic Works (Berne Convention), the Agreement on Trade-related Aspects of Intellectual Property Rights (TRIPS Agreement) and the World Intellectual Property Organization Copyright Treaty (WCT), and Union or national intellectual property law. Public sector bodies should, however, exercise their copyright in a way that facilitates re-use.
18
Data subject to intellectual property rights as well as trade secrets should be transmitted to a third party only where such transmission is lawful by virtue of Union or national law or with the agreement of the rights holder. Where public sector bodies are holders of the right of the maker of a database provided for in Article 7(1) of Directive 96/9/EC of the European Parliament and of the Council they should not exercise that right in order to prevent the re-use of data or to restrict re-use beyond the limits set by this Regulation.
19
Undertakings and data subjects should be able to have confidence in the fact that the re-use of certain categories of protected data which are held by the public sector bodies will take place in a manner that respects their rights and interests. Additional safeguards should therefore be put in place for situations in which the re-use of such public sector data takes place on the basis of a processing of the data outside the public sector, such as a requirement that public sector bodies ensure that the rights and interests of natural and legal persons are fully protected, in particular with regard to personal data, commercially sensitive data and intellectual property rights, in all cases, including where such data is transferred to third countries. Public sector bodies should not allow the re-use of information stored in e-health applications by insurance undertakings or any other service provider for the purpose of discriminating in the setting of prices, as this would run counter to the fundamental right of access to health.
20
Furthermore, in order to preserve fair competition and the open market economy it is of the utmost importance to safeguard protected data of non-personal nature, in particular trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to intellectual property theft or industrial espionage. In order to ensure the protection of the rights or interests of data holders, it should be possible to transfer non-personal data which is to be protected from unlawful or unauthorised access in accordance with Union or national law and which is held by public sector bodies to third countries, but only where appropriate safeguards for the use of data are provided. Such appropriate safeguards should include a requirement that the public sector body transmit protected data to a re-user only if that re-user makes contractual commitments in the interest of the protection of the data. A re-user that intends to transfer the protected data to a third country should comply with the obligations laid down in this Regulation even after the data has been transferred to the third country. To ensure the proper enforcement of such obligations, the re-user should also accept the jurisdiction of the Member State of the public sector body that allowed the re-use for the judicial settlement of disputes.
21
Appropriate safeguards should also be considered to be implemented where, in the third country to which non-personal data is being transferred, there are equivalent measures in place which ensure that data benefit from a level of protection similar to that applicable by means of Union law, in particular with regard to the protection of trade secrets and intellectual property rights. To that end, the Commission should be able to declare, by means of implementing acts, where justified because of the substantial number of requests across the Union concerning the re-use of non-personal data in specific third countries, that a third country provides a level of protection that is essentially equivalent to that provided by Union law. The Commission should assess the necessity of such implementing acts on the basis of information provided by the Member States through the European Data Innovation Board. Such implementing acts would reassure public sector bodies that re-use of data held by public sector bodies in the third country concerned would not compromise the protected nature of that data. The assessment of the level of protection afforded in the third country concerned should, in particular, take into consideration the relevant general and sectoral law, including on public security, defence, national security and criminal law, concerning access to and protection of non-personal data, any access by the public sector bodies of that third country to the data transferred, the existence and effective functioning of one or more independent supervisory authorities in the third country with responsibility for ensuring and enforcing compliance with the legal regime ensuring access to such data, the third country’s international commitments regarding the protection of data, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems.
22
Some third countries adopt laws, regulations and other legal acts which aim to directly transfer or provide governmental access to non-personal data in the Union under the control of natural and legal persons under the jurisdiction of the Member States. Decisions and judgments of third-country courts or tribunals or decisions of third-country administrative authorities requiring such transfer of or access to non-personal data should be enforceable where they are based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. In some cases, situations may arise where the obligation to transfer or provide access to non-personal data arising from a third country law conflicts with a competing obligation to protect such data under Union or national law, in particular with regard to the protection of the fundamental rights of the individual or of the fundamental interests of a Member State related to national security or defence, as well as the protection of commercially sensitive data and the protection of intellectual property rights, including contractual undertakings regarding confidentiality in accordance with such law. In the absence of international agreements regulating such matters, the transfer of or access to non-personal data should be allowed only if, in particular, it has been verified that the third-country’s legal system requires the reasons and proportionality of the decision or judgment to be set out, that the decision or judgment is specific in character, and that the reasoned objection of the addressee is subject to a review by a competent third-country court or tribunal, which is empowered to take duly into account the relevant legal interests of the provider of such data.
23
To foster further trust in the data economy of the Union, it is essential that the safeguards in relation to Union citizens, the public sector and undertakings that ensure control over their strategic and sensitive data are implemented and that Union law, values and standards are upheld in terms of, but not limited to, security, data protection and consumer protection. In order to prevent unlawful access to non-personal data, public sector bodies, natural or legal persons to which the right to re-use data was granted, data intermediation services providers and recognised data altruism organisations should take all reasonable measures to prevent access to the systems where non-personal data is stored, including encryption of data or corporate policies. To that end, it should be ensured that public sector bodies, natural or legal persons to which the right to re-use data was granted, data intermediation services providers and recognised data altruism organisations adhere to all relevant technical standards, codes of conduct and certifications at Union level.
24
In order to build trust in re-use mechanisms, it may be necessary to attach stricter conditions for certain types of non-personal data that may be identified as highly sensitive in future specific Union legislative acts, with regard to the transfer to third countries, if such transfer could jeopardise Union public policy objectives, in line with international commitments. For example, in the health domain, certain datasets held by actors in the public health system, such as public hospitals, could be identified as highly sensitive health data. Other relevant sectors include transport, energy, environment and finance. In order to ensure harmonised practices across the Union, such types of highly sensitive non-personal public data should be defined by Union law, for example in the context of the European health data space or other sectoral law. Those conditions attached to the transfer of such data to third countries should be laid down in delegated acts. Conditions should be proportionate, non-discriminatory and necessary to protect legitimate Union public policy objectives identified, such as the protection of public health, safety, the environment, public morality, consumer protection, privacy and personal data protection. The conditions should correspond to the risks identified in relation to the sensitivity of such data, including in terms of the risk of the re-identification of individuals. Such conditions could include terms applicable for the transfer or technical arrangements, such as the requirement to use a secure processing environment, limitations with regard to the re-use of data in third countries or categories of persons entitled to transfer such data to third countries or to access the data in the third country. In exceptional cases such conditions could also include restrictions to the transfer of the data to third countries to protect the public interest.
25
Public sector bodies should be able to charge fees for the re-use of data but should also be able to allow re-use at a discounted fee or free of charge, for example for certain categories of re-use such as non-commercial re-use for scientific research purposes, or re-use by SMEs and start-ups, civil society and educational establishments, so as to provide incentives for such re-use in order to stimulate research and innovation and support undertakings that are an important source of innovation and typically find it more difficult to collect relevant data themselves, in accordance with State aid rules. In that specific context, scientific research purposes should be understood to include any type of research-related purpose regardless of the organisational or financial structure of the research institution in question, with the exception of research that is being conducted by an undertaking with the aim of developing, enhancing or optimising products or services. Such fees should be transparent, non-discriminatory and limited to the necessary costs incurred and should not restrict competition. A list of categories of re-users to which a discounted fee or no charge applies, together with the criteria used to establish that list, should be made public.
26
In order to provide incentives for the re-use of specific categories of data held by public sector bodies, Member States should establish a single information point to act as an interface for re-users that seek to re-use that data. It should have a cross-sector remit, and should complement, if necessary, arrangements at the sectoral level. The single information point should be able to rely on automated means where it transmits enquiries or requests for re-use. Sufficient human oversight should be ensured in the transmission process. For that purpose existing practical arrangements such as open data portals could be used. The single information point should have an asset list containing an overview of all available data resources including, where relevant, those data resources that are available at sectoral, regional or local information points, with relevant information describing the available data. In addition, Member States should designate, establish or facilitate the establishment of competent bodies to support the activities of public sector bodies allowing re-use of certain categories of protected data. Their tasks may include granting access to data, where mandated under sectoral Union or national law. Those competent bodies should provide assistance to public sector bodies with state-of-the-art techniques, including on how to best structure and store data to make data easily accessible, in particular through application programming interfaces, as well as make data interoperable, transferable and searchable, taking into account best practices for data processing, as well as any existing regulatory and technical standards and secure data processing environments, which allow data analysis in a manner that preserves the privacy of the information.
27
Data intermediation services are expected to play a key role in the data economy, in particular in supporting and promoting voluntary data sharing practices between undertakings or facilitating data sharing in the context of obligations set by Union or national law. They could become a tool to facilitate the exchange of substantial amounts of relevant data. Data intermediation services providers, which may include public sector bodies, that offer services that connect the different actors have the potential to contribute to the efficient pooling of data as well as to the facilitation of bilateral data sharing. Specialised data intermediation services that are independent from data subjects, data holders and data users could have a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power, while allowing non-discriminatory access to the data economy for undertakings of all sizes, in particular SMEs and start-ups with limited financial, legal or administrative means. This will be particularly important in the context of the establishment of common European data spaces, namely purpose- or sector-specific or cross-sectoral interoperable frameworks of common standards and practices to share or jointly process data for, inter alia, the development of new products and services, scientific research or civil society initiatives. Data intermediation services could include bilateral or multilateral sharing of data or the creation of platforms or databases enabling the sharing or joint use of data, as well as the establishment of specific infrastructure for the interconnection of data subjects and data holders with data users.
28
This Regulation should cover services which aim to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data. Where undertakings or other entities offer multiple data-related services, only the activities which directly concern the provision of data intermediation services should be covered by this Regulation. The provision of cloud storage, analytics, data sharing software, web browsers, browser plug-ins or email services should not be considered to be data intermediation services within the meaning of this Regulation, provided that such services only provide technical tools for data subjects or data holders to share data with others, but the provision of such tools neither aims to establish a commercial relationship between data holders and data users nor allows the data intermediation services provider to acquire information on the establishment of commercial relationships for the purposes of data sharing. Examples of data intermediation services include data marketplaces on which undertakings could make data available to others, orchestrators of data sharing ecosystems that are open to all interested parties, for instance in the context of common European data spaces, as well as data pools established jointly by several legal or natural persons with the intention to license the use of such data pools to all interested parties in a manner that all participants that contribute to the data pools would receive a reward for their contribution.
29
Services that focus on the intermediation of copyright-protected content, such as online content-sharing service providers as defined in Article 2, point (6), of Directive (EU) 2019/790, should not be covered by this Regulation. Consolidated tape providers as defined in Article 2(1), point (35), of Regulation (EU) No 600/2014 of the European Parliament and of the Council and account information service providers as defined in Article 4, point (19), of Directive (EU) 2015/2366 of the European Parliament and of the Council should not be considered to be data intermediation services providers for the purposes of this Regulation. This Regulation should not apply to services offered by public sector bodies in order to facilitate either the re-use of protected data held by public sector bodies in accordance with this Regulation or the use of any other data, insofar as those services do not aim to establish commercial relationships. Data altruism organisations regulated by this Regulation should not be considered to be offering data intermediation services provided that those services do not establish a commercial relationship between potential data users, on the one hand, and data subjects and data holders who make data available for altruistic purposes, on the other. Other services that do not aim to establish commercial relationships, such as repositories that aim to enable the re-use of scientific research data in accordance with open access principles should not be considered to be data intermediation services within the meaning of this Regulation.
30
A specific category of data intermediation services includes providers of services that offer their services to data subjects. Such data intermediation services providers seek to enhance the agency of data subjects, and in particular individuals’ control over data relating to them. Such providers would assist individuals in exercising their rights under Regulation (EU) 2016/679, in particular giving and withdrawing their consent to data processing, the right of access to their own data, the right to the rectification of inaccurate personal data, the right of erasure or right ‘to be forgotten’, the right to restrict processing and the right to data portability, which allows data subjects to move their personal data from one data controller to the other. In that context, it is important that the business model of such providers ensures that there are no misaligned incentives that encourage individuals to use such services to make more data relating to them available for processing than would be in their interest. This could include advising individuals on the possible uses of their data and making due diligence checks on data users before allowing them to contact data subjects, in order to avoid fraudulent practices. In certain situations, it could be desirable to collate actual data within a personal data space so that processing can happen within that space without personal data being transmitted to third parties in order to maximise the protection of personal data and privacy. Such personal data spaces could contain static personal data such as name, address or date of birth as well as dynamic data that an individual generates through, for example, the use of an online service or an object connected to the Internet of Things. They could also be used to store verified identity information such as passport numbers or social security information, as well as credentials such as driving licences, diplomas or bank account information.
31
Data cooperatives seek to achieve a number of objectives, in particular to strengthen the position of individuals in making informed choices before consenting to data use, influencing the terms and conditions of data user organisations attached to data use in a manner that gives better choices to the individual members of the group or potentially finding solutions to conflicting positions of individual members of a group on how data can be used where such data relates to several data subjects within that group. In that context it is important to acknowledge that the rights under Regulation (EU) 2016/679 are personal rights of the data subject and that data subjects cannot waive such rights. Data cooperatives could also provide a useful means for one-person undertakings and SMEs which, in terms of knowledge of data sharing, are often comparable to individuals.
32
In order to increase trust in such data intermediation services, in particular related to the use of data and compliance with the conditions imposed by data subjects and data holders, it is necessary to create a Union-level regulatory framework which establishes highly harmonised requirements related to the trustworthy provision of such data intermediation services, and which is implemented by the competent authorities. That framework will contribute to ensuring that data subjects and data holders, as well as data users, have better control over access to and use of their data, in accordance with Union law. The Commission could also encourage and facilitate the development of codes of conduct at Union level, involving relevant stakeholders, in particular on interoperability. Both in situations where data sharing occurs in a business-to-business context and where it occurs in a business-to-consumer context, data intermediation services providers should offer a novel, ‘European’ way of data governance, by providing a separation in the data economy between data provision, intermediation and use. Data intermediation services providers could also make available specific technical infrastructure for the interconnection of data subjects and data holders with data users. In that regard, it is of particular importance to shape that infrastructure in such a way that SMEs and start-ups encounter no technical or other barriers to their participation in the data economy.
33
It is important to enable a competitive environment for data sharing. A key element by which to increase the trust and control of data holders, data subjects and data users in data intermediation services is the neutrality of data intermediation services providers with regard to the data exchanged between data holders or data subjects and data users. It is therefore necessary that data intermediation services providers act only as intermediaries in the transactions, and do not use the data exchanged for any other purpose. The commercial terms, including pricing, for the provision of data intermediation services should not be dependent on whether a potential data holder or data user is using other services, including storage, analytics, artificial intelligence or other data-based applications, provided by the same data intermediation services provider or by a related entity, and if so to what degree the data holder or data user uses such other services. This will also require structural separation between the data intermediation service and any other services provided, so as to avoid conflicts of interest. This means that the data intermediation service should be provided through a legal person that is separate from the other activities of that data intermediation services provider. However, the data intermediation services providers should be able to use the data provided by the data holder for the improvement of their data intermediation services.
34
Data intermediation services providers should take reasonable measures to ensure interoperability within a sector and between different sectors to ensure the proper functioning of the internal market. Reasonable measures could include following the existing, commonly-used standards in the sector where the data intermediation services providers operate. The European Data Innovation Board should facilitate the emergence of additional industry standards, where necessary. Data intermediation services providers should implement in due time the measures for interoperability between the data intermediation services adopted by the European Data Innovation Board.
35
This Regulation should be without prejudice to the obligation of data intermediation services providers to comply with Regulation (EU) 2016/679 and the responsibility of supervisory authorities to ensure compliance with that Regulation. Where data intermediation services providers process personal data, this Regulation should not affect the protection of personal data. Where the data intermediation services providers are data controllers or processors as defined in Regulation (EU) 2016/679 they are bound by the rules of that Regulation.
36
Data intermediation services providers are expected to have in place procedures and measures to impose penalties for fraudulent or abusive practices in relation to parties seeking access through their data intermediation services, including measures such as the exclusion of data users that breach the terms of service or infringe existing law.
37
Data intermediation services providers should also take measures to ensure compliance with competition law and have procedures in place to that effect. This applies in particular in situations where data sharing enables undertakings to become aware of market strategies of their actual or potential competitors. Competitively sensitive information typically includes information on customer data, future prices, production costs, quantities, turnovers, sales or capacities.
38
A notification procedure for data intermediation services should be established in order to ensure that data governance within the Union is based on trustworthy exchange of data. The benefits of a trustworthy environment would be best achieved by imposing a number of requirements for the provision of data intermediation services, but without requiring any explicit decision or administrative act by the competent authority for data intermediation services for the provision of such services. The notification procedure should not impose undue obstacles for SMEs, start-ups and civil society organisations and should comply with the principle of non-discrimination.
39
In order to support effective cross-border provision of services, the data intermediation services provider should be requested to send a notification only to the competent authority for data intermediation services from the Member State where its main establishment is located or where its legal representative is located. Such a notification should not entail more than a mere declaration of the intention to provide such services and should be completed only by providing the information set out in this Regulation. After the relevant notification the data intermediation services provider should be able to start operating in any Member State without further notification obligations.
40
The notification procedure laid down in this Regulation should be without prejudice to specific additional rules for the provision of data intermediation services applicable by means of sector-specific law.
41
The main establishment of a data intermediation services provider in the Union should be the place of its central administration in the Union. The main establishment of a data intermediation services provider in the Union should be determined in accordance with objective criteria and should imply the effective and real exercise of management activities. Activities of a data intermediation services provider should comply with the national law of the Member State in which it has its main establishment.
42
In order to ensure the compliance of data intermediation services providers with this Regulation, they should have their main establishment in the Union. Where a data intermediation services provider not established in the Union offers services within the Union, it should designate a legal representative. The designation of a legal representative in such cases is necessary, given that such data intermediation services providers handle personal data as well as commercially confidential data, which necessitates the close monitoring of the compliance of data intermediation services providers with this Regulation. In order to determine whether such a data intermediation services provider is offering services within the Union, it should be ascertained whether it is apparent that the data intermediation services provider is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the website or of an email address and other contact details of the data intermediation services provider, or the use of a language generally used in the third country where the data intermediation services provider is established, should be considered to be insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that language, or the mentioning of users who are in the Union, could make it apparent that the data intermediation services provider is planning to offer services within the Union.
43
In order to assist data subjects and data holders to easily identify, and thereby increase their trust in, data intermediation services providers recognised in the Union, a common logo recognisable throughout the Union should be established, in addition to the label ‘data intermediation services provider recognised in the Union’.
44
The competent authorities for data intermediation services designated to monitor compliance of data intermediation services providers with the requirements of this Regulation should be chosen on the basis of their capacity and expertise regarding horizontal or sectoral data sharing. They should be independent of any data intermediation services provider as well as transparent and impartial in the exercise of their tasks. Member States should notify the Commission of the identity of those competent authorities for data intermediation services. The powers and competences of the competent authorities for data intermediation services should be without prejudice to the powers of the data protection authorities. In particular, for any question requiring an assessment of compliance with Regulation (EU) 2016/679, the competent authority for data intermediation services should seek, where relevant, an opinion or decision of the competent supervisory authority established pursuant to that Regulation.
45
There is a strong potential for objectives of general interest in the use of data made available voluntarily by data subjects on the basis of their informed consent or, where it concerns non-personal data, made available by data holders. Such objectives would include healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, or public policy making. Support to scientific research should also be considered to be an objective of general interest. This Regulation should aim to contribute to the emergence of sufficiently-sized data pools made available on the basis of data altruism in order to enable data analytics and machine learning, including across the Union. In order to achieve that objective, Member States should be able to have in place organisational or technical arrangements, or both, which would facilitate data altruism. Such arrangements could include the availability of easily useable tools for data subjects or data holders for giving consent or permission for the altruistic use of their data, the organisation of awareness campaigns, or a structured exchange between competent authorities on how public policies, such as improving traffic, public health and combating climate change, benefit from data altruism. To that end, Member States should be able to establish national policies for data altruism. Data subjects should be able to receive compensation related only to the costs they incur when making their data available for objectives of general interest.
46
The registration of recognised data altruism organisations and use of the label ‘data altruism organisation recognised in the Union’ is expected to lead to the establishment of data repositories. Registration in a Member State would be valid across the Union and is expected to facilitate cross-border data use within the Union and the emergence of data pools covering several Member States. Data holders could give permission to the processing of their non-personal data for a range of purposes not established at the moment of giving the permission. The compliance of such recognised data altruism organisations with a set of requirements as laid down in this Regulation should bring trust that the data made available for altruistic purposes is serving an objective of general interest. Such trust should result in particular from having a place of establishment or a legal representative within the Union, as well as from the requirement that recognised data altruism organisations are not-for-profit organisations, from transparency requirements and from specific safeguards in place to protect rights and interests of data subjects and undertakings.
47
In order to assist data subjects and data holders to easily identify, and thereby to increase their trust in, recognised data altruism organisations, a common logo that is recognisable throughout the Union should be established. The common logo should be accompanied by a QR code with a link to the public Union register of recognised data altruism organisations.
48
This Regulation should be without prejudice to the establishment, organisation and functioning of entities that seek to engage in data altruism pursuant to national law and build on national law requirements to operate lawfully in a Member State as a not-for-profit organisation.
49
This Regulation should be without prejudice to the establishment, organisation and functioning of entities other than public sector bodies that engage in the sharing of data and content on the basis of open licenses, thereby contributing to the creation of common resources available to all. This should include open collaborative knowledge sharing platforms, open access scientific and academic repositories, open source software development platforms and open access content aggregation platforms.
50
Recognised data altruism organisations should be able to collect relevant data directly from natural and legal persons or to process data collected by others. Processing of collected data could be done by data altruism organisations for purposes which they establish themselves or, where relevant, they could allow the processing by third parties for those purposes. Where recognised data altruism organisations are data controllers or processors as defined in Regulation (EU) 2016/679, they should comply with that Regulation. Typically, data altruism would rely on consent of data subjects within the meaning of Article 6(1), point (a), and Article 9(2), point (a), of Regulation (EU) 2016/679 that should be in compliance with requirements for lawful consent in accordance with Articles 7 and 8 of that Regulation. In accordance with Regulation (EU) 2016/679, scientific research purposes could be supported by consent to certain areas of scientific research where in keeping with recognised ethical standards for scientific research or only to certain areas of research or parts of research projects. Article 5(1), point (b), of Regulation (EU) 2016/679 specifies that further processing for scientific or historical research purposes or statistical purposes should, in accordance with Article 89(1) of Regulation (EU) 2016/679, not be considered to be incompatible with the initial purposes. For non-personal data the usage limitations should be found in the permission given by the data holder.
51
The competent authorities for the registration of data altruism organisations designated to monitor compliance of recognised data altruism organisations with the requirements of this Regulation should be chosen on the basis of their capacity and expertise. They should be independent of any data altruism organisation as well as transparent and impartial in the exercise of their tasks. Member States should notify the Commission of the identity of those competent authorities for the registration of data altruism organisations. The powers and competences of the competent authorities for the registration of data altruism organisations should be without prejudice to the powers of the data protection authorities. In particular, for any question requiring an assessment of compliance with Regulation (EU) 2016/679, the competent authority for the registration of data altruism organisations should seek, where relevant, an opinion or decision of the competent supervisory authority established pursuant to that Regulation.
52
To promote trust and bring additional legal certainty and user-friendliness to the process of granting and withdrawing consent, in particular in the context of scientific research and statistical use of data made available on an altruistic basis, a European data altruism consent form should be developed and used in the context of altruistic data sharing. Such a form should contribute to additional transparency for data subjects that their data will be accessed and used in accordance with their consent and also in full compliance with the data protection rules. It should also facilitate the granting and withdrawing of consent and be used to streamline data altruism carried out by undertakings and provide a mechanism allowing such undertakings to withdraw their permission to use the data. In order to take into account the specificities of individual sectors, including from a data protection perspective, the European data altruism consent form should use a modular approach allowing customisation for specific sectors and for different purposes.
53
In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group. The European Data Innovation Board should consist of representatives of the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organisations of all Member States, the European Data Protection Board, the European Data Protection Supervisor, the European Union Agency for Cybersecurity (ENISA), the Commission, the EU SME Envoy or a representative appointed by the network of SME envoys, and other representatives of relevant bodies in specific sectors as well as bodies with specific expertise. The European Data Innovation Board should consist of a number of subgroups, including a subgroup for stakeholder involvement composed of relevant representatives of industry, such as health, environment, agriculture, transport, energy, industrial manufacturing, media, cultural and creative sectors, and statistics, as well as of research, academia, civil society, standardisation organisations, relevant common European data spaces and other relevant stakeholders and third parties, bodies with specific expertise such as national statistical offices.
54
The European Data Innovation Board should assist the Commission in coordinating national practices and policies on the topics covered by this Regulation, and in supporting cross-sector data use by adhering to the European Interoperability Framework principles and through the use of European and international standards and specifications, including through the EU Multi-Stakeholder Platform for ICT Standardisation, the Core Vocabularies and the CEF Building Blocks, and should take into account standardisation work taking place in specific sectors or domains. Work on technical standardisation could include the identification of priorities for the development of standards and establishing and maintaining a set of technical and legal standards for transmitting data between two processing environments that allows data spaces to be organised, in particular clarifying and distinguishing which standards and practices are cross-sectoral and which are sectoral. The European Data Innovation Board should cooperate with sectoral bodies, networks or expert groups, or other cross-sectoral organisations dealing with the re-use of data. Regarding data altruism, the European Data Innovation Board should assist the Commission in the development of the data altruism consent form, after consulting the European Data Protection Board. By proposing guidelines on common European data spaces, the European Data Innovation Board should support the development of a functioning European data economy on the basis of those data spaces, as set out in the European strategy for data.
55
Member States should lay down rules on penalties applicable to infringements of this Regulation and should take all measures necessary to ensure that they are implemented. The penalties provided for should be effective, proportionate and dissuasive. Large discrepancies between rules on penalties could lead to distortion of competition in the digital single market. The harmonisation of such rules could be of benefit in that regard.
56
In order to provide for an efficient enforcement of this Regulation and to ensure that data intermediation services providers and entities that wish to register as recognised data altruism organisations are able to access and complete the procedures of notification and registration fully online and in a cross-border manner, such procedures should be offered through the single digital gateway established pursuant to Regulation (EU) 2018/1724 of the European Parliament and of the Council. Those procedures should be added to the list of procedures included in Annex II to Regulation (EU) 2018/1724.
57
Regulation (EU) 2018/1724 should therefore be amended accordingly.
58
In order to ensure the effectiveness of this Regulation, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission for the purpose of supplementing this Regulation by laying down special conditions applicable to transfers to third countries of certain non-personal data categories deemed to be highly sensitive in specific Union legislative acts and by establishing a rulebook for recognised data altruism organisations, with which those organisations are to comply, that provides for information, technical and security requirements as well as communication roadmaps and interoperability standards. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
59
In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to assist public sector bodies and re-users in their compliance with conditions for re-use set out in this Regulation by establishing model contractual clauses for the transfer by re-users of non-personal data to a third country, to declare that the legal, supervisory and enforcement arrangements of a third country are equivalent to the protection ensured under Union law, to develop the design of the common logo for data intermediation services providers and of the common logo for recognised data altruism organisations, and to establish and develop the European data altruism consent form. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council.
60
This Regulation should not affect the application of the rules on competition, and in particular Articles 101 and 102 TFEU. The measures provided for in this Regulation should not be used to restrict competition in a manner contrary to the TFEU. This concerns in particular the rules on the exchange of competitively sensitive information between actual or potential competitors through data intermediation services.
61
The European Data Protection Supervisor and the European Data Protection Board were consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered their opinion on 10 March 2021.
62
This Regulation uses as its guiding principles the respect for the fundamental rights and principles recognised in particular by the Charter of Fundamental Rights of the European Union, including the right to privacy, the protection of personal data, the freedom to conduct a business, the right to property and the integration of persons with disabilities. In the context of the latter, the public service bodies and services under this Regulation should, where relevant, comply with Directives (EU) 2016/2102 and (EU) 2019/882 of the European Parliament and of the Council. Furthermore, Design for All in the context of information and communications technology, which is the conscious and systematic effort to proactively apply principles, methods and tools to promote universal design in computer-related technologies, including internet-based technologies, thus avoiding the need for a posteriori adaptations or specialised design, should be taken into account.
63
Since the objectives of this Regulation, namely the re-use, within the Union, of certain categories of data held by public sector bodies as well as the establishment of a notification and supervisory framework for the provision of data intermediation services, a framework for voluntary registration of entities which make data available for altruistic purposes and a framework for the establishment of a European Data Innovation Board, cannot be sufficiently achieved by the Member States, but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives,