EU Commission proposes a data governance regulation.

Dr. S-W – 03/2021

You occasionally hear a joking comparison about how personal data is handled at conventions. The question is: who owns my data? The market in the USA. The company in China. Myself in Europe.

Now, Europe is well on the way to following the American example. In any case the EU Commission's draft "Data governance regulation" of November 25, 2020 shows which way we are going. Being a horizontal policy, it lays down the principles for both the secondary use and reusing of protected data, including social and health data that is controlled by public authorities and regardless of the original purpose for collecting this data. This can essentially be summarised as facilitating third-party access to social and patient data. For example, this data can then benefit R&D work that improves planning and care in the interests of the insured.

The problem here is that the legal ramifications are not limited to this. Third parties pursuing purely commercial purposes should also be able to access the data. Although the regulation does not establish an independent "right of access", but prohibits discrimination with regard to potential data recipients. In the interest of an open internal data market, disclosure of sensitive data by the administration would become the rule, whilst refusal of access will become an exception requiring justification.

The Commission launched a public consultation at the same time as it published the draft COM (2020) 767 final regulation. The leading German Social Insurance organisations took the opportunity to present their position. In their reply, they welcome the creation of European Data Spaces. It now remains to be clarified who may enter them, for what purpose and what duties of care the user must fulfil. In order to ensure trustworthy handling of public data and especially social data, the umbrella organisations propose specific amendments to the draft regulation, see the DSV opinion here.

The focus is on protecting the trust of the affected persons and that the use of their data will be limited to the minimum needed to fulfil the purpose of collection and that secondary use will also be within the scope of a clearly defined and limited care and administrative mandate.

It appears that the Commission is now planning to publish a revised version of the proposed regulation. The umbrella organisations will closely follow the Commission’s course of action.