The EU Data Act: regulating public sector access to privately held data

This blog post was originally published on the Global Partnership for Sustainable Data website and has been modified for the purposes of the World Data Forum blog series.

Privately held data holds tremendous potential for public decision makers who are confronted with alarmingly frequent and far-reaching crises (environmental, health, economic) leading to increasing pressure to develop better evidence-based policies and programmes. The World Development Report 2021 argues that, in many instances, private data are an alluring alternative to public data as they are more timely, more granular and more encompassing than other available datasets. Mobile Network Operators’ data for instance have already proven to be exceptionally useful to map population movements following disasters such as earthquakes or flooding, and they allow for the organizing of rescue and relief activities to take place much more effectively than other datasets.

Accessing privately held data however is all but simple, even when companies are willing to cooperate for example, during global emergencies such as the Covid-19 pandemic. Recent analysis shows that establishing partnerships between public and private stakeholders around data access can take up to several months and does not always succeed: only 9 countries out of 41 in which the World Bank sought to establish partnerships during the Covid-19 crisis succeeded in formalizing an agreement within 1 year.

Against this background, the European Commission (EC) has recently put forward a legislative proposal, the Data Act, to ensure public sector bodies can access privately held data they need in specific circumstances. The Data Act is an ambitious legislative framework establishing rules for a broad range of topics including a) individuals’ access to data generated through their connected devices, b) fairer data contracts for Small and Medium Enterprises (SMEs), c) possibilities for individuals to switch more easily between Cloud Service Providers and d) public sector access to privately held data.

The rules on public sector access to privately held data, much awaited after a public consultation showed great appetite and interest from public sector bodies and large support from NGOs for these measures, are however more limited in scope than originally intended. In early discussions, the EC was considering rooting the public sector access rights in the notion of “clear public interest”. However, this notion was replaced by the much more restrictive concept of “exceptional need” in the final text.

The Data Act establishes that “a (private) data holder shall make data available to a public sector body or to a Union institution, agency or body demonstrating an exceptional need to use the data requested.” According to the text, the notion of exceptional need refers to three specific situations:

  • Public emergency response (i.e. public health emergencies or major natural or human-induced disasters);
  • Public emergency prevention or recovery;
  • Situations involving an “exceptional need” in which lack of data prevents the public sector from fulfilling a specific task in the public interest, and the necessary data cannot be purchased on the market or would otherwise require a burdensome process to access.

Following this interpretation means that the circumstances in which the public sector can exercise this new data access right towards the private sector are quite limited. However, some margin of maneuver and latitude on the definition of exceptional needs remain. The European Data Protection Supervisor (the body in charge of assessing the adequacy of EC’s proposal in terms of data protection) recently expressed some doubts concerning the legal clarity of the abovementioned situations and urged “the co-legislators to define much more stringently the hypotheses of emergency or “exceptional need”, and which public sector bodies and EUIs should be able to request data”.

Besides establishing these public sector access’ rights, the Data Act also serves to dictate the ways in which data should be requested, shared and provided.

  • It first establishes that data requested to respond to a public emergency (the first scenario mentioned above) shall be provided by the private sector for free. In the other two cases, compensation for the data holder is limited to the marginal cost of providing the data. Remuneration of the private sector data providers is therefore not entirely off the table, but those players will have to adapt and, in many cases, lower their pricing when dealing with public sector data access requests.
  • It defines the situations in which private sector data providers can deny access requests and the obligations for the public sector entities making the request. Importantly, the public sector must a) ensure that data requests are necessary, legitimate, and proportionate, b) specify what data is needed, why there is an exceptional need, how the data will be used, for how long, and c) limit its requests for non-personal data as much as possible.
  • Finally, and very interestingly from an NSO perspective, Article 21 of the Data Act clarifies that the data obtained by a public sector body following this procedure can be shared with national statistical offices and research institutions for broader research and analytics activities—as long as these activities are compatible with the purpose for which the data was originally requested. European NSOs could therefore often be indirect beneficiaries of data access requests made by other public authorities in their respective countries.

The Data Act constitutes a very first attempt to establish broad and non-sectoral rules to regulate when and how the public sector has a right to obtain access to privately held data. As it happened in the context of the General Data Protection Regulation (GDPR), this European Commission’s initiative risks creating a standard which will be adopted by many other jurisdictions around the world.

Given the relevance of this topic for NSOs, a UN World Data Forum webinar was recently co-organized by UNSD and the Global Partnership for Sustainable Development Data to reflect upon the repercussions of the Data Act on the global debate and on the discussions around public sector access to privately held data. Read this blog for key takeaways from the event.