Regulatory Framework

The lack of a general legal status (access regime) for data, the partial application of IP rights and trade secret protection, and the restrictions of personal data protection result in a fragmented and incomplete regulatory framework. To address these shortcomings in data sharing and reuse, the EU Commission presented the "European strategy for data" in February 2020, describing the vision of a common European data space. The Commission has proposed different regulations (Digital Markets Act (DMA), Digital Services Act (DSA), AI Act) on harmonised rules for data governance, data access and use as part of the EU's digital strategy.

Besides other regulations, the Data Governance Act (DGA) entered into force on 23 June 2022 and will be applicable from September 2023 after a 15-month grace period. On 23 February 2022, the Commission proposed a regulation on harmonised rules for fair access and use of data, the Data Act Proposal (DA-E). With both acts the Commission aims to make more data available for use by setting up rules on who can use and access what data for which purposes across all economic sectors in the EU.

The DGA aims to make more data available by regulating the reuse of publicly held, protected data, by promoting data sharing through the regulation of novel data intermediaries and by encouraging the sharing of data for altruistic purposes. It aims to make public sector data more widely available for local businesses, researchers and communities for the development of innovative data-driven services. A specific focus is on public sector data which is subject to legal restrictions and thus out of the scope of the Open Data Directive. Therefore, the proposal covers public sector data which is legally protected on the grounds of: (a) commercial confidentiality, including trade secrets; (b) statistical confidentiality; (c) intellectual property rights of third parties; (d) protection of personal data. This objective of providing access to data that is not accessible as open data may be seen as indicative of the emergence of a distinct regime for the data held by public bodies. The public sector bodies enabling the use of such protected data are required to be technically equipped to ensure that data privacy and confidentiality are fully preserved. The proposal does not interfere with the substantive rights on data, as it refrains from prescribing a right of access or reuse, but lays out certain harmonized rules and conditions guiding member states in establishing mechanisms for the reuse of publicly held data.

The DA-E aims to ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all by providing consumers and businesses access to the data of their devices. The DA-E is regarded as an essential building block of the European data spaces. It is guided by the understanding that B2B contractual agreements do not fully guarantee adequate access to data for SMEs or start-ups. A contractual framework is needed, providing clarity on rights and remedies regarding accessing, processing, sharing, and storing of data in order to limit misuse. The proposal acknowledges the importance of a harmonised data governance regime in achieving competitiveness, innovation and sustainable growth in all sectors and making the Union's transition to a green digital economy a success. The proposal introduces interventions to the current legal landscape of B2B data sharing and access in two dimensions: first, contracts as voluntary agreements and second, statutory access rights or obligations to make data available, together with the general rules to be complied with while performing these obligations or exercising the rights.

Besides these specific Acts, there are further legal aspects to consider when sharing data, including antitrust/competition, data protection and security, copyright, and patents/intellectual property. The regulatory development may have more impact on the concept and operationalization of data spaces in the future and needs to be monitored to ensure compliance.

The operationalisation of data governance and the establishment of data spaces require a robust methodology both to navigate through the existing regulatory patchwork (scattered in various legal instruments) and to implement the upcoming legislative agenda of the EU. Providing guidance to future-proof specific problems entails an assessment and combination of various regulatory tools, contractual models, design principles, and organizational structures. To this end, the four-pillar data governance framework below outlines a "legal anatomy" of data governance consisting of the following:

  1. the substantive rights and obligations related to data transactions (rights to data)

  2. the contractual dimension

  3. the organizational aspects

  4. the technical implementation.

Besides the participants' own responsibility in a decentralized organization, IDSA discusses and aligns on legal matters with other initiatives. Coordination with other initiatives on the legal dimension is all the more important as often (and by its nature) most legislation needs to be translated into practical approaches and solutions, and a common understanding of the legal terms is necessary to create a trustworthy and reliable EU data sharing landscape.

Therefore, IDSA has established a legal framework task force to discuss regulatory developments and legal topics as well as to organize the collaboration and contribution of IDSA members regarding the legal dimension.
