Skip to content

Data sharing

The House of Data Imperiali bulletins are excerpts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email: segreteria@imperialida.com

Data sharing

The data economy is based on “data sharing”, that is, the sharing of data with third parties. The EU strategy on the data economy, aimed at stimulating its development and eliminating the barriers that stand in its way, has promoted a series of legislative acts, mostly in the form of regulations and immediately applicable, aimed at facilitating data sharing. Data sharing, therefore, is an important intersection between protection and valorisation, with significant impacts when the shared information is also “personal data “.

 

Summary

What in the context of the data economy is defined as “data sharing” is translated in the data protection dimension as “communication of data” and takes place between autonomous data controllers. “Data sharing”, therefore, is neither necessarily a “transfer” of data, nor a “sharing”, nor does it necessarily require access to personal data. These clarifications are necessary when – as appears to be the most common case – the object of “data sharing” will also be “personal data”; in such cases, or if made up of mixed data, the GDPR and other data protection regulations will prevail. In these circumstances, data sharing will take place between autonomous data controllers, each of whom will be responsible for complying with the data protection provisions in respect of the processing activities pertaining to them. Any data intermediaries acting on behalf of the parties will take on the role of data controllers for the party on whose behalf they carry out processing operations. The parties of the data sharing will bind with clauses that respond to profiles that are both data protection and economic nature.

Regulatory measures for the European data strategy

The European Commission has launched its five-year strategic plan for creating the Common European Data Space and the data-driven digital economy “to balance the flow and broad use of data while maintaining high levels of privacy, security, safety and ethical standards.” A number of legislative initiatives have been proposed to this end, including what has since become the Open Data Directive (Dir. 2019/1024) for the reuse of public sector information. The reuse of data subject to third-party rights (e.g., intellectual property, data protection), on the other hand, is the purpose of the proposed regulation known as the Data Governance Act (“DGA”). The proposed Data Governance Regulation aims to address the following situations:

  • re-use and relevant conditions, within the Union, of data held by public sector bodies
  • provision of data sharing services, subject to mandatory notification and supervision
  • data altruism, subject to a voluntary registration scheme.

The proposed Data Act aims to break down barriers to data sharing that “prevent an optimal allocation of data to the benefit of society”; these include lack of incentive for data providers to voluntarily enter into data-sharing agreements, uncertainty about rights and obligations with respect to data, poor management of metadata, lack of standards for semantic and technical interoperability, and abuse of contractual imbalances with respect to data access and use [Recital (2) Data Act].

 

Coordination with the GDPR

All the above-mentioned EU regulatory acts mainly concern “non-personal” data, but it cannot be ruled out that the regulated activity may also involve “mixed” data (i.e., personal and non-personal data) and even personal data, tout court.

Where the activity of “sharing” involves personal data, the regulation on the protection of personal data prevails over others relating to the data economy, as specified in all the regulatory acts mentioned.

The prevalence of the GDPR over the DSA, DMA, Data Act and AIA, as well as the directive on free access to data and the regulation for the free movement of data, is not a consequence of the legislator, but it is a direct implication of the fundamental nature recognized to the right to the protection of personal data both by the Charter of Fundamental Rights of the EU (art. 8) and by the Treaty on the Functioning of the Union (art. 16).

In practice, the prevalence of the GDPR (and other applicable sectoral regulations, such as ePrivacy) means that data sharing is only achievable if it is carried out in compliance with the principles and rules set out in the data protection regulations.

 

The concept of “sharing”

The closest Italian translation to the English term “sharing” is “condivisione” (joint use) or “scambio” (exchange), but the use of this term within the data protection framework may lead to erroneous conclusions, if not properly specified.

The term “sharing” is found in the text of the English version of the GDPR in only two circumstances:

  1. In Recital (6), where referring to the rapid pace of technological change and globalization, it is stated that “[t]he scale of sharing [in the italian version “condivisione”] and collection of personal data has increased significantly.”
  2. In Article 57.1(g) where, in listing the duties of the national supervisory authority, it mentions that it “cooperate with, including sharing [in the italian version “scambio”] information and provide mutual assistance to, other supervisory authorities (…)”.

To complement, Article 4 of the GDPR, which sets out the definitions, states that “processing” is to be understood as, among other things, “disclosure [in the italian version “comunicazione”] by transmission, dissemination or otherwise making available” of personal data (Article 4(2)).

Disclosure and dissemination

The terms disclosure and dissemination are not defined in the GDPR but only in the Italian privacy code. Article 2-ter in paragraph 4 states that it should be understood as:

(a) “communication”*  shall mean disclosing personal data in whatever manner, including by making available, interrogating or creating links to such data, to one or more identified entities other than the data subject, the controller’s representative in the EU, the processor or the latter’s representative in the EU, and the persons authorised to process personal data under the controller’s or processor’s authority in pursuance of Section 2-m;

b) “dissemination”, shall mean disclosing personal data in whatever manner, including by making available or interrogating such data, to unidentified entities;

In truth, the distinction between ” disclosure” and “dissemination” does not reside in the modality of “disclosing” which, conversely, is identical in both cases and consists of any form of ” making available, interrogating or creating links to such data “; the distinguishing criteria of the two processing operations is offered by the ability to determine (i.e., specify in the case of “communication”) the recipients or not (in “dissemination”).

“Making available”

This regulatory reconstruction can be concluded in the meaning that “sharing” – within the meaning of the GDPR – should be understood as any “form of making available” personal data. More precisely, in the meaning of data economy and the relevant legislation, the “making available” of personal data in favor of third parties acting in their own interest. In fact, for the purposes of data economy, the “making available” of data within the internal organizational structure of the concerned entity, nor within the scope of responsibility of the same data controller (as it would be in the case of “making available” personal data to one’s data controller in order to allow him to carry out the mandate assigned to him) is not relevant; what matters, instead, is the circumstance that personal data are “made available” to a third party acting on its behalf (autonomous data controller who receives the data through disclosure or dissemination).

*according to the official translation of the Italian Privacy Code, provided by the Italian Data Protection Authority (Garante) the Italian term comunicazione is translated as “communication”. For the purposes of this Bulletin the terms communication and disclosure are used as synonyms.