Preamble 31 to 40
(31) Data cooperatives seek to achieve a number of objectives, in particular to strengthen the position of individuals in making informed choices before consenting to data use, influencing the terms and conditions of data user organisations attached to data use in a manner that gives better choices to the individual members of the group or potentially finding solutions to conflicting positions of individual members of a group on how data can be used where such data relates to several data subjects within that group.
In that context it is important to acknowledge that the rights under Regulation (EU) 2016/679 are personal rights of the data subject and that data subjects cannot waive such rights. Data cooperatives could also provide a useful means for one-person undertakings and SMEs which, in terms of knowledge of data sharing, are often comparable to individuals.
(32) In order to increase trust in such data intermediation services, in particular related to the use of data and compliance with the conditions imposed by data subjects and data holders, it is necessary to create a Union-level regulatory framework which establishes highly harmonised requirements related to the trustworthy provision of such data intermediation services, and which is implemented by the competent authorities. That framework will contribute to ensuring that data subjects and data holders, as well as data users, have better control over access to and use of their data, in accordance with Union law.
The Commission could also encourage and facilitate the development of codes of conduct at Union level, involving relevant stakeholders, in particular on interoperability. Both in situations where data sharing occurs in a business-to-business context and where it occurs in a business-to-consumer context, data intermediation services providers should offer a novel, ‘European’ way of data governance, by providing a separation in the data economy between data provision, intermediation and use. Data intermediation services providers could also make available specific technical infrastructure for the interconnection of data subjects and data holders with data users. In that regard, it is of particular importance to shape that infrastructure in such a way that SMEs and start-ups encounter no technical or other barriers to their participation in the data economy.
Data intermediation services providers should be allowed to offer additional specific tools and services to data holders or data subjects for the specific purpose of facilitating the exchange of data, such as temporary storage, curation, conversion, anonymisation and pseudonymisation. Those tools and services should be used only at the explicit request or approval of the data holder or data subject and third-party tools offered in that context should not use data for other purposes.
At the same time, data intermediation services providers should be allowed to adapt the data exchanged in order to improve the usability of the data by the data user where the data user so desires, or to improve interoperability by, for example, converting the data into specific formats.
(33) It is important to enable a competitive environment for data sharing. A key element by which to increase the trust and control of data holders, data subjects and data users in data intermediation services is the neutrality of data intermediation services providers with regard to the data exchanged between data holders or data subjects and data users. It is therefore necessary that data intermediation services providers act only as intermediaries in the transactions, and do not use the data exchanged for any other purpose.
The commercial terms, including pricing, for the provision of data intermediation services should not be dependent on whether a potential data holder or data user is using other services, including storage, analytics, artificial intelligence or other data-based applications, provided by the same data intermediation services provider or by a related entity, and if so to what degree the data holder or data user uses such other services.
This will also require structural separation between the data intermediation service and any other services provided, so as to avoid conflicts of interest. This means that the data intermediation service should be provided through a legal person that is separate from the other activities of that data intermediation services provider. However, the data intermediation services providers should be able to use the data provided by the data holder for the improvement of their data intermediation services.
Data intermediation services providers should be able to put at the disposal of data holders, data subjects or data users their own or third-party tools for the purpose of facilitating the exchange of data, for example tools for the conversion or curation of data only at the explicit request or approval of the data subject or data holder.
The third-party tools offered in that context should not use data for purposes other than those related to data intermediation services. Data intermediation services providers that intermediate the exchange of data between individuals as data subjects and legal persons as data users should, in addition, bear fiduciary duty towards the individuals, to ensure that they act in the best interest of the data subjects.
Questions of liability for all material and immaterial damage and detriment resulting from any conduct of the data intermediation services provider could be addressed in the relevant contract, on the basis of national liability regimes.
(34) Data intermediation services providers should take reasonable measures to ensure interoperability within a sector and between different sectors to ensure the proper functioning of the internal market. Reasonable measures could include following the existing, commonly-used standards in the sector where the data intermediation services providers operate.
The European Data Innovation Board should facilitate the emergence of additional industry standards, where necessary. Data intermediation services providers should implement in due time the measures for interoperability between the data intermediation services adopted by the European Data Innovation Board.
(35) This Regulation should be without prejudice to the obligation of data intermediation services providers to comply with Regulation (EU) 2016/679 and the responsibility of supervisory authorities to ensure compliance with that Regulation. Where data intermediation services providers process personal data, this Regulation should not affect the protection of personal data. Where the data intermediation services providers are data controllers or processors as defined in Regulation (EU) 2016/679 they are bound by the rules of that Regulation.
(36) Data intermediation services providers are expected to have in place procedures and measures to impose penalties for fraudulent or abusive practices in relation to parties seeking access through their data intermediation services, including measures such as the exclusion of data users that breach the terms of service or infringe existing law.
(37) Data intermediation services providers should also take measures to ensure compliance with competition law and have procedures in place to that effect. This applies in particular in situations where data sharing enables undertakings to become aware of market strategies of their actual or potential competitors. Competitively sensitive information typically includes information on customer data, future prices, production costs, quantities, turnovers, sales or capacities.
(38) A notification procedure for data intermediation services should be established in order to ensure that data governance within the Union is based on trustworthy exchange of data. The benefits of a trustworthy environment would be best achieved by imposing a number of requirements for the provision of data intermediation services, but without requiring any explicit decision or administrative act by the competent authority for data intermediation services for the provision of such services. The notification procedure should not impose undue obstacles for SMEs, start-ups and civil society organisations and should comply with the principle of non-discrimination.
(39) In order to support effective cross-border provision of services, the data intermediation services provider should be requested to send a notification only to the competent authority for data intermediation services from the Member State where its main establishment is located or where its legal representative is located. Such a notification should not entail more than a mere declaration of the intention to provide such services and should be completed only by providing the information set out in this Regulation. After the relevant notification the data intermediation services provider should be able to start operating in any Member State without further notification obligations.
(40) The notification procedure laid down in this Regulation should be without prejudice to specific additional rules for the provision of data intermediation services applicable by means of sector-specific law.
Understanding Cybersecurity in the European Union.