The EU Data Act has brought a new rule for businesses. Chapter V requires that businesses share their data with the government: Business-to-Government (B2G) data sharing. According to the EU legislator, there are currently not enough incentives for businesses to share data with governments. In this article, prepare to set sail into the uncharted waters of one of the Data Act’s most contentious obligations, as we embark on a journey through Chapter V of the Data Act.
Captain’s Bounty: All Data Welcome
So, what’s the deal with Chapter V of the Data Act? Unlike the other chapters of the Data Act referring to access rights of users, Chapter V does not only relate to “product data” or “readily available data”. Instead, Chapter V simply refers to “data”. This seemingly nondescript term, however, holds considerable importance. The B2G data sharing rules do not differentiate between different types of data. Rather they cast the net wide to catch product data, related service data, and every other kind of “data” - from the data generated by your product to other bits of information buried within your businesses’ databases.
Captain’s Log: Exceptional Needs Only
Chapter V’s treasure trove is, however, guarded by the “exceptional need clause”: the public sector body, whether it’s the government or another public sector entity, must demonstrate a genuine need for the data and demonstrate that such data is necessary to respond to a public emergency. Before requesting the data, the public sector body must further exhaust all other alternative means to obtain the data in a timely and effective manner and under equivalent conditions. When it comes to non-emergency scenarios, a public sector body may only request access to non-personal data if it has identified specific data, the lack of which prevents it from fulfilling a specific task carried out in the public interest (such as the production of official statistics or the mitigation of or recovery from a public emergency). In the latter case, the public sector body must further prove that it has tried all other methods to obtain the data, including purchasing it at market rates or using existing obligations or legislative measures to ensure timely availability of such data. Exceptional need is further characterized by encompassing only circumstances that are unforeseeable and limited in time.
Captain’s Orders – The Public Sector Body’s Request
Now, let’s shift our focus to the practical side. When public sector bodies hoist their flag and request data, the scope of data to be provided by the data holder will depend on the specific request at hand. Here’s a breakdown of the requirements for such requests:
- exceptional need: the conditions must fulfill the exceptional need requirement mentioned above;
- clarity: the data requested, including the relevant metadata, must be specified;
- purpose and duration: public sector bodies must explain the purpose of the request as well as the intended use of the data requested, and provide a deadline by which the data are to be made available;
- balance of data requests: requests for data must be proportionate to the exceptional need, considering granularity, volume, and frequency of access;
- rationale of selection: public sector bodies must justify the selection of the specific data holder;
- legality: the legal provision which allows the public sector body to request the data.
When requesting data, the public sector bodies must, in relation to the data request:
- ensure that the request is in writing;
- express the request in clear, concise and plain language that is understandable to the data holder;
- be specific about the type of data requested;
- ensure that the request is proportional and duly justified, especially regarding volume and frequency of access;
- ensure protection of trade secrets;
- only refer to non-personal data or, in case of personal data, ensure pseudonymisation as well as measures to protect such personal data;
- inform the data holder about the penalties for non-compliance with the request;
- transmit the request to the relevant Data Act enforcement authority designated by the EU member state where the requesting public sector body is established; such enforcement authority shall make the request publicly available online;
- if personal data is requested, have this notified to the relevant data protection authority.
Businesses may challenge data requests if they do not have control over the data requested, or the same data has been requested by another public sector body already in the past, or the data request does not meet the conditions set out above.
Captain’s Compass: Navigating Data Format
The Data Act does not set out specific standards for the data that public sector bodies receive (such as format, quality, etc.). Businesses may provide the data in any common machine-readable format they have at hand: CSV, JSON, XML, etc. There are, however, no obligations to further transform or clean up the data to make it useful for a specific purpose. Regarding further processing, there is only the requirement to anonymise data in certain cases.
Captain’s Treasure: Setting Sail on Compensation
Now let’s discuss compensation. If data is requested by a public sector body to respond to a public emergency, such data has to be provided completely free of charge. Meaning that businesses can neither request a compensation for the costs of making the data available nor for anonymising the data.
Save for the production of official statistics, if data is requested by a public sector body in scenarios outside of a response to a public emergency, the data holder can request a fair compensation for making data available (unless the purchase of such data by the requesting public sector body would be prohibited by national law). Such compensation covering the technical and organizational costs incurred to comply with the request include (where applicable) the costs of anonymisation, pseudonymisation, aggregation and technical adaptation of the data requested, and may include a reasonable margin.
Sailing into the Sunset: Wrapping Up Chapter V
In conclusion, Chapter V of the EU Data Act unfurls a treasure trove of provisions aimed at facilitating data accessibility for public sector entities under exceptional circumstances. From the expansive reach of data sharing obligations to the stringent criteria for exceptional need, Chapter V casts a wide net, encompassing all forms of data.
As organizations navigate the currents of data sharing and compliance, adherence to the detailed provisions outlined in Chapter V will be indispensable for steering a clear course through these uncharted waters.