Binoculars with view of mountains

MyData view on the leaked EU Data Governance Act, Nov 5th 2020

Within the MyData community, we have spent the last few days studying the leaked version of the upcoming EU regulation called “Data Governance Act”. The draft regulation was leaked on Oct 28, 2020 and the official publication of the European Commission proposal is expected within a few weeks.

We congratulate the teams in the European Commission who have been working hard on this proposal, it is not an easy task to bring forward a groundbreaking regulation. We acknowledge that the actual drafting of the regulation is progressing and the version we are reading is already outdated. Our comments focus on parts where we see potential for changes and adjustments, but this should not be interpreted as criticism towards the proposal, quite the contrary.

MyData is a human-centric approach to personal data that combines industry needs for data with strong digital human rights. In the European Data Strategy, MyData is recognized as one of the movements that “promise significant benefits to individuals, including to their health and wellness, better personal finances, reduced environmental footprint, hassle-free access to public and private services and greater oversight and transparency over their personal data.” MyData operators (as described in the Understanding MyData Operators white paper) provide infrastructure and tools for the person in a human-centric system of personal data exchange. Operators enable people securely to access, integrate, manage, and use personal data about themselves as well as to control the flow of personal data within and between data sources and data using services.

Visualization of "data sharing services" or data intermediaries
The Data Governance Act regulates “data sharing services”, or data intermediaries, such as the MyData operators.

We welcome the regulation as a needed common ground for clarifying the role of data intermediaries, building trust in these intermediaries and setting the direction for data governance, similar to what GDPR did for data protection. At the same time, we advocate for careful scrutiny of the articles, as the Data Governance Act will be regulating a market that is in its very early stages with many cycles of innovation to come. Thus, the regulation will have a strong influence in the nascent market. It can help the market formation if it builds a framework for trustworthiness as intended, but there is also significant risk of unintended consequences – for example, by setting in law certain structures it may inhibit innovation in the development of alternatives.

We look forward to the final regulation to be strong in setting the direction towards human-centricity and interoperability while at the same time leaving space for innovation around how these objectives will be implemented.

Our top picks for potential improvements are:

  • define the key roles in data sharing (Art. 2 Definitions) so that data rights holders and technical data sources can be separated and acknowledge the type of data sharing where individuals are active participants in the transactions
  • clarify the scope of the data sharing services (Art. 9 (2)) and extended it to include services that empower the data subject beyond compliance
  • address explicitly in the regulation the interconnectivity of the data sharing services

We comment on these and few other topics in more detail here and propose some amendments. We look at it from the perspective of personal data, but most of the issues apply also to non-personal data. We have deliberately restricted our analysis to the field competencies within our community and acknowledge there will be other aspects of the proposed act as leaked that will excite other perspectives. 

Read the full version published by MyData Global on mydata.org