Solid and the Data Governance Act

On April 6th 2022, the EU parliament voted the Data Governance Act. This regulation shall enter into force twenty days after its publication in the Official journal of the EU, and shall apply 15 months after it is entered into force. Roughly a year and a half from now. You can read all the details online in any official EU language.
Update: The Data Governance entered into force on 23 June 2022 and, following a 15-month grace period, will be applicable from September 2023.

In this blog, we won’t cover every aspect, but highlight the aspects that relate to Solid, and the EU data landscape. The structure of this story will be excerpts from the DGA, followed by some interpretation by yours truly. Note that I’m not a juridical expert, so feel free to contact me if some wordings or interpretations are wrong.

Before we start, we’ll go over some of the key concepts that are introduced in this act.

data altruism organisations: These organisations will use data for the greater good. More specifically, research organisations and universities, as well as other non-for profit organisations that will be approved by the “competent bodies”. Data altruism is the voluntary sharing of data.

competent bodies: These are organisations or institutions or parts of government administration that will be assigned the task to approve and register data altruism organisations and data intermediaries.

data intermediaries: These organisations will be more or less ‘traders’ and ‘aggregators’ of data between those who generate or control it, and those who wish to use (process) it.  

data cooperatives: a cooperative data intermediary organisation where it’s constituents pool their data.

The Regulation has an introductory part (to give context), and then the regulation itself.

The introduction

The most important part to us seems to lie in (32), where a clear mention is given of the “European” way of data governance.

“Both in situations where data sharing occurs in a business-to-business context and where it occurs in a business-to-consumer context, data intermediation services providers should offer a novel, ‘European’ way of data governance, by providing a separation in the data economy between data provision, intermediation and use. “

This comes quite close to our proposed paradigms:
The American Paradigm, where personal data is being controlled by corporations.
The Chinese Paradigm, where personal data is being controlled by the government.
The European Paradigm, where personal data is being controlled by the citizen.

It also comes close to the idea of Solid: separate data (storage) from applications (data use). This means that there is room for data intermediaries and for data altruism organisations…Which is a big part of what this regulation is about.

Other points of interest will be put in order of appearance in the DGA.

(2) “The data economy has to be built in a way that enables undertakings, in particular SMEs and start-ups to thrive, ensuring data access neutrality and data portability and interoperability, and avoiding lock-in effects.” 

Freeing up data is beneficial for entrepreneurship and the generation of new insights. Solid enables better data access and is completely in line with Europe’s philosophy.

(2) Common European data spaces should make data findable, accessible, interoperable and re-usable (the ‘FAIR data principles’),while ensuring a high level of cybersecurity.

As semantic data can easily comply with the FAIR data principles, the compatibility with Solid is almost guaranteed.

(5) “to increase trust in data sharing by establishing appropriate mechanisms for control by data subjects and data holders over data that relates to them,[] In particular, more transparency regarding the purpose of data use and conditions under which data is stored by undertakings can help increase trust.”

When you share precious information to someone, you don’t want that person to tell it to others… if not, you will not trust that person anymore with such information. In a same way, the data-economy will need trust in order to work: you need to be able to share data to an organisation or government, without the risk of them doing things with it that you don’t want. This also is much needed within the Solid paradigm, and indeed if your trust is harmed, you should be able to revoke data access as soon as possible or even automatically.

(19) not allow the re-use of information stored in e-health applications by insurance undertakings or any other service provider for the purpose of discriminating in the setting of prices, as this would run counter to the fundamental right of access to health.”

This is also one of the things that need an elegant solution for Solid. There should be automated ways to verify that such data can’t be shared by organisations that don’t have the permission to do so. When developing first applications, it’d be cautious to err on the side of safety.

(26) an assistance structure could assist the data subjects and data or permission for re-use holders with management of the consent, 

Solid has consent management by default. Of course, user friendly applications with good default settings are yet to be built.

(28)  This Regulation should cover services which aim to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data []This would exclude services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users.

A very important part indeed… In this new world of flowing data, based on trust and consent. In a commercial setting, this now becomes obligatory.

(30)  data intermediation services providers seek to enhance the agency of data subjects, and in particular individuals’ control over data relating to them.

A data intermediary is thus an organization that helps relay your personal data towards other companies. We’ll see an emergence of such companies, in a similar way as you have a telecom provider: You’ll be able to choose the one you like best (or don’t choose anyone at all), so they can manage data-usage on your behalf.

(30) In certain situations, it could be desirable to collate actual data within a personal data space so that processing can happen within that space without personal data being transmitted to third parties in order to maximise the protection of personal data and privacy. Such personal data spaces could contain static personal data such as name, address or date of birth as well as dynamic data that an individual generates through, for example, the use of an online service or an object connected to the Internet of Things. They could also be used to store verified identity information such as passport numbers or social security information, as well as credentials such as driving licences, diplomas or bank account information.

There we have it: “Personal Data Spaces"…This feels as mentioning “personal online data stores” or Pods.
Solid as an enabler for the European data model? Check!

(31)  Data cooperatives seek to achieve a number of objectives, in particular to strengthen the position of individuals in making informed choices before consenting to data use, influencing the terms and conditions of data user organisations attached to data use in a manner that gives better choices to the individual members of the group [] Data cooperatives could also provide a useful means for one-person undertakings and SMEs which, in terms of knowledge of data sharing, are often comparable to individuals.

The rise of data cooperatives is quite self-evident. If you pool data together, you can generate a lot of usable insights (especially if your cooperative is representative for a broader population). Imagine being part of such a cooperative, and get discounts, benefits, and cash in return for your pooled data. And how easy would it be if you need a first dataset as a start up? Just go to your local data cooperative and apply for the use of the data.

(32)  data intermediation services[this regulatory ] framework will contribute to ensuring that data subjects and data holders, as well as data users, have better control over access to and use of their data, in accordance with Union law

There will be alternatives to Solid, and that will be good in the broad data ecosystem. It can actually facilitate in the uptake of Solid as well.

(34) Data intermediation services providers should be allowed to offer additional specific tools and services to data holders or data subjects for the specific purpose of facilitating the exchange of data, such as temporary storage, curation, conversion, anonymisation and pseudonymisation

Well indeed… and Solid can be one of those tools.

(43)  data intermediation services providers recognised in the Union [get] a common logo

This is a good measure of transparency. This will also be the case for data cooperatives.

(52)  To promote trust and bring additional legal certainty and user-friendliness to the process of granting and withdrawing consent,

Again, a reference to a good user access control.

(53)  In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group.

Great! I hope quite some people of the growing Solid community will join, so that they can weigh in on the debates and future decisions.

(55)  Member States should lay down rules on penalties applicable to infringements of this Regulation and should take all measures necessary to ensure that they are implemented. 

Well, you need penalties in order to uphold a law… Infringement can and will be prosecuted.

The regulation itself….

Well, it is all of the above, but in a more juridical version. I’ll just give brief summary of it.

(a) on the re-use of data held by public sector bodies;
- Prohibition of exclusive arrangements
- Conditions for re-use are made public, and via a single information point
- Prohibition of re-identification.
- data available at a discounted fee or free of charge, to SMEs and start-ups, civil society and educational establishments; only charge the necessary costs (to cover the expenses)
- need to be able to transfer any personal data held to the data subjects in case of insolvency

(b)   data intermediation services;
- making available the technical or other means to enable such services
- in particular enabling data subjects'  the exercise of the rights
- need to apply (and conform the explained rules) in order to be approved, and publicly listed. They also get a logo.
- shall take appropriate measures to ensure interoperability with other data intermediation services, inter alia, by means of commonly used open standards in the sector in which the data intermediation services provider operates;
- informing and, in a concise, transparent, intelligible and easily accessible manner
- provide data subjects with tools to both give and withdraw consent
- the data intermediation services provider shall maintain a log record of the data intermediation activity.
- advising data subjects.  

(c)   data altruism
- need to apply (and conform) in order to be approved, and publicly listed. They also get a logo.
- not use objectives the data subject or data holder the data for other  than those of general interest for which  allows the processing
- provide tools for obtaining consent & for easy withdrawal of such consent or permission.
- EU will make a data altruism consent form that shall be available in a manner that can be printed on paper and is easily understandable as well as in an electronic, machine-readable form.

(d)  the establishment of a European Data Innovation Board.

Will have members of relevant EU organisations, the competent authorities and additional field experts
It will have at least 3 groups.
- one that is more or less the steering committee
- A technical group : for the standardization, portability and interoperability.
- A group with stakeholder involvement.

The Commission shall establish a European single access point offering a searchable electronic register of data available in the national single information points and further information on how to request data via those national single information points. The Commission shall keep and regularly update a public all intermediation providing their services in the Union.
A Rulebook to adopt delegated acts.
- will give extra information, technical and security requirements, communication roadmaps  and recommendations on relevant interoperability standards register of data services providers. The Commission shall maintain a public Union register of recognized data altruism organisations for information purposes.

Questions, feedback or suggestions?

Yes, I want to speak with the author(s)...

More about the author(s)

Christophe Cop

Christophe Cop

Christophe is a data-scientist with a background in psychology and statistics. He has been an enthusiast of personal data control ever since GDPR came into effect. Co-founder of Konsolidate and SOLID Project Lead