B2G data sharing: a new responsibility for businesses under the EU Data Act

Written By

manuela cox Module
Manuela Cox

Associate
Netherlands

As an associate in our office in The Hague, I specialise in regulatory matters, including data protection and telecommunications law.

Chapter 5 of the Data Act contains one of the Data Act’s most contentious obligations: mandatory business-to-government (B2G) data sharing in cases of exceptional need. This article provides a brief overview of why this obligation was introduced, when it applies and what type of compensation data holders may expect. It concludes with some final remarks on which steps data holders can take now to prepare for the coming into force of this chapter.

The why: data for the common good

Connected devices generate huge amounts of valuable data every day, which could also be used in addressing various societal issues. That said, according to the EU legislator, insufficient incentives currently exist for businesses to share data with the government for the common good. The Data Act attempts to address this perceived gap and stimulate the optimal allocation of data to the benefit of society. Further, the EU legislator aimed to simplify the current fragmented legal regime by the data request procedures.

The when: exceptional need

The Data Act obliges data holders to make data available to public sector bodies, the European Commission, the European Central Bank and European Union bodies (hereafter: Government Bodies) in case of an exceptional need. As per Recital 56 of the Data Act, “[e]xceptional needs are circumstances that are unforeseeable and limited in time, in contrast to other circumstances which might be planned, scheduled, periodic or frequent”.

The Data Act differentiates between situations of exceptional need, where the data is necessary to respond to a public emergency (Article 2(10) and other cases of exceptional need. Prerequisites for the former are among others that the Government Body should be able to obtain data in a timely and effective manner under equivalent conditions. Prerequisites for the latter are that the Government Body is acting on the basis of EU or national law, has identified specific data, the lack of which prevents it from fulfilling a specific task explicitly provided by law, and it has exhausted all means at its disposal to obtain such data. This applies only for non-personal data.

The table below further sets out some key characteristics of these two categories of exceptional need.

  Public emergencies  Other exceptional need 
Examples
Public health emergencies, emergencies resulting from major natural disasters (incl. those aggravated by climate change) and human-induced major disasters (e.g. cybersecurity incidents)
Official statistics and the mitigation or recovery from a public emergency
Requests may pertain to personal data
Yes No 
Right to compensation for data holders
No Yes 
Requests to small- and micro enterprises possible
Yes No 
Term for declining/requesting modification of the request
5 working days (max) 30 working days (max) 

 

Data Act’s B2G data sharing obligation does not affect other information sharing obligations under EU or national law (e.g. reporting obligations) or voluntary data sharing arrangements.

The quid pro quo: compensation

Where public emergency requests are concerned, data holders, with the exception of small and micro enterprises, cannot claim compensation for making data available. Data holders may, however, request public recognition from the receiving Government Body to bolster their reputation.

In case of other cases of exceptional need, the data holder may claim fair remuneration with the exception of data required for the production of official statistics, where the purchase of data for this purpose is not allowed by national law. Such remuneration covers the technical and organisational costs incurred to comply with the request, including, where applicable the cost of anonymisation, pseudonymisation, aggregation and of technical adaptation, plus a reasonable margin (Article 20(2)). According to the same article, the receiving Government Body may request the data holder to provide information “on the basis for the calculation of the costs and the reasonable margin”.

What is considered a reasonable margin pursuant to Article 20(2) of the Data Act is not defined. The Data Act does, however, shed light on the permitted margin as per Article 9 of the Data Act, which pertains to compensation in B2B relationships. Namely, in Recital 42a, it provides that the margin may depend on the volume, format or nature of the data, as well as the costs for collecting the data. These considerations may also help interpret the concept of a ‘reasonable margin’ in a B2G context.

Where Government Bodies disagree with the requested level of compensation, they may submit a complaint to the competent authority.

How to prepare?

The Data Act’s B2G data sharing obligation is expected to apply from Q3/Q4 2025 onwards. Companies that are data holders can start preparing now by e.g. naming responsible persons and identifying relevant stakeholders, setting up procedures to assess and comply with the Data Act’s data requests, setting up additional procedures for the timely anonymisation, aggregation and/or pseudonymisation of personal data and considering its basis for the calculation of costs and a reasonable margin.

For more information contact Manuela Cox.

SIGN UP FOR OUR CONNECTED NEWSLETTER FOR A MONTHLY ROUND-UP FROM OUR REGULATORY & PUBLIC AFFAIRS TEAM

Latest insights

More Insights
electronic fingerprint

EU & UK Online Safety Legislation - A comprehensive update

Oct 30 2024

Read More
Curiosity line pink background

Riding the Wave - Peak Issues in Australian Law (October 2024)

Oct 18 2024

Read More
city building security cameras

EU’s cybersecurity leap: the NIS2 Directive and its local transposition

Oct 17 2024

Read More