Marie-Sklodowska Curie Action's Fellow Barbara Lazarotto (LSTS) reflects on public-private data sharing and its implications on data subjects' rights.
The Data Act was the last proposed Act of the European Data Strategy, issued on February 2022. It is composed of 42 Articles divided into 11 Chapters, grounded on the premise of permitting access to IoT data, avoiding unfair contractual clauses in data-sharing processes, as well as making business data available for the common good, and cloud services switch mechanisms.
The Proposal has gone through many changes since it was first made public, following draft suggestions requested by the French Presidency to the Member States on May 2022, and modifications were drafted by the Czech Presidency. These modifications to Recitals and Articles made clear that public sector bodies should, under justification,  use non-personal data, including anonymized data when possible. Principles of purpose limitation and data minimization were reinforced in the text, and pseudonymization and aggregation measures were emphasized as security measures when the sharing of personal data is necessary. Moreover, new mechanisms of enforcement namely, Article 31(8) now stipulates that the European Data Protection Supervisor (EDPS) shall be responsible for monitoring the application of Chapter V of the Proposal insofar as the processing of personal data by the Commission or Union bodies is necessary. Many of these modifications followed strong criticism by both the European Data Protection Board (EDPB) and the EDPS in their joint opinion on the Proposal.
In this blog post, I focus my analysis on Chapter V of the Proposal and its implications on business-to-government data sharing in smart cities contexts due to its importance in these contexts that permits them to access more data, and as a consequence have more precise inferences leading to more precise policy-making. To do so, this blog post is divided into two parts; the first focuses on a general analysis of Chapter V, and the second part builds on the implications of the Chapter on business-to-government data-sharing in smart cities.
1. Chapter V of the Data Act
Chapter V of the Act now named “Making Data Available to Public Sector Bodies and The Commission or Union Bodies Based on Exceptional Need”, has the main objective to make business data available to the public sector – known as business-to-government data sharing – under “exceptional circumstances” after other means to obtain the relevant data has been exhausted.
The Chapter initiates with Articles 14, and 15 which regulate general rules on the obligation to make data available. Article 14 sets the obligation on exceptional needs and the exhaustion of other means to obtain relevant data. Highlighting that this Chapter does not apply to small and micro enterprises. The subsequent Article 15 develops the circumstances that can be considered of “exceptional need”, limiting them in “time and scope”, namely where the data is requested to respond to a public emergency, to prevent a public emergency or to assist the recovery from it, and when the lack of available data prevents the public sector body to fulfil a specific task in the public interest that has been explicitly provided by law. It is worth noting that Article 15 is closely related to Recitals 56, 57, and 58 which have gone through modifications. The concept of “exceptional need” has been more detailed in Recital 56, expressed as “circumstances which are unforeseeable and limited in time, in contrast to other circumstances which might be planned, scheduled, periodic or frequent”. While Recital 58 focuses on the hypothesis that the lack of timely access to and the use of the data requested prevents it from effectively fulfilling a specific task that is within the competence of the public sector body that requests the data, being explicitly laid down in their mandate. The Recital goes further, by naming examples of what such tasks could be, such as local transport or city planning, and improving structural services – e.g., energy, waste, and water management.
Going further to Article 17 concerns the formalities of data requests. Requests must specify what data are required – with the recent addition of relevant metadata –, the exceptional need must be demonstrated, the purpose of the request, the legal provision, and the deadline by which the data must be made available or for modification/withdrawal. It must be expressed in clear, concise, and plain language,  and be proportionate. It is important to highlight that Article 17(2)(d) outlines that data requests must concern insofar as possible nonpersonal data. In case personal data is necessary, the request should justify the need and set out the technical and organizational measures that will be taken to it.
Article 19 settles the obligations of the public sector bodies when receiving the data requested, reinforcing the principle of purpose limitation  with further demands on the implementation of technical and organizational measures to preserve the confidentiality and integrity of data. Article 20 regulates possible compensations to data holders in case of requests which must not exceed technical and organizational costs, the costs for anonymization, pseudonymization, and of technical adaptation, plus a reasonable margin.
Article 21 named “further sharing of data obtained in the context of exceptional needs with research organizations or statistical bodies”, indicates that the public sector can share data received based on this chapter with individuals and organizations that carry out scientific research or analytics. Chapter V finishes with Article 22 which aims to regulate cooperation between public sector bodies, avoiding the misuse of data.
Thus, after this general analysis of Chapter V, it is possible to observe that the recent modifications made by the Czech Presidency enhance the connections between the Data Act and the GDPR, essential to the protection of personal data. Additionally, recent changes made Recitals definitions clearer and more specific that help the application of the Act. With that said, the next session will focus on the implications of the Chapter on smart cities.
2. Implications on business-to-government data-sharing in smart cities
Currently, there are no existing business-to-government data-sharing rules at the European level, yet such sharing still happens, causing the lack of harmonized standards across the Member States and even between different municipalities. Due to this, there are different formats of business-to-government data-sharing models that are used in smart cities that vary in name and method. In general, municipalities still face a lot of obstacles when it comes to accessing data since access is still exceptional, situation-dependent, and fragmented, based primarily on contractual, voluntary arrangements (Funes, 2017).
The recent modifications to the Proposal have had a particular impact on the application of the Act to smart cities. They accentuated the concept of “public interest” by detailing it in Recital 58, which was one of the main gaps mentioned by the EDPB-EDPS joint opinion. Changes have somewhat addressed concerns regarding possible abusive behaviour, by adding a section that mentions that the public interest task should be “within the competence of the public sector body” and “must be explicitly laid down in the public sector mandate”. The modifications went further including examples, namely local transport, city planning, improvement of infrastructural services such as energy, waste and water management and producing reliable and up-to-date statistics. In my opinion, these modifications are a big advancement in comparison to the original proposal. It creates a lawful alternative for the request of private data, being a step towards the direction of the redistribution of the value data in these contexts.
Nevertheless, some recent modifications do not favour the full development of smart cities. The limitation of “time and scope” imposed on all hypotheses of Article 15 restricts the free flow of data that might benefit smart city applications, such as local transportation. Plus, the specification that the public body must have exhausted all other means to obtain relevant data, including the purchase at market rates, maintains the status quo which municipalities are currently facing.
Following this analysis, overall, it is possible to observe that the Data Act Proposal does not offer broad options for business-to-government data sharing in smart cities. Even though recent modifications have opened an avenue for interpreting the Proposal in a more favourable way than the original text, it is still far from being a satisfactory alternative. The Proposal also does not address many of the obstacles when it comes to the access of municipalities to data that are mostly linked to monopolistic data markets dominated by companies that lack incentives to share data.
7 November 2022
The author will present the paper version of this contribution at the Digital Legal Talks, Utrecht, in November 2022.