Written by Marlon Domingus (Erasmus University Rotterdam), Lucas van der Meer (ODISSEI)

With research becoming increasingly multidisciplinary, disciplines with different traditions of secure data sharing are collaborating more frequently. This has increased the demands on datasets and data infrastructures to ensure they can interoperate. Such developments as open science, FAIR data, and the European Open Science Cloud reflect this tendency.

The legal framework is evolving

With the development of multidisciplinary research, the legal framework governing this secure data sharing for research purposes is also evolving. There are requirements from the General Data Protection Regulation (GDPR, 2016), the Uitvoeringswet AVG (Dutch GDPR Implementation Act) (UAVG, 2018). Since 2019, the Open Data Directive (in Dutch: Open Data Richtlijn) has been in effect. For healthcare data, the Dutch Medical Treatment Contracts Act (WGBO), the Medical Research Involving Human Subjects Act (WMO), and the Population Screening Act (WBO) are particularly relevant.

Even more so, in 2020, The European Commission launched the ambitious European data strategy [1]: ‘A Europe fit for the digital age’ [2],^. that aims to make the EU a leader in a data-driven society. As part of this strategy, additional legal frameworks have been developed. These frameworks encourage data reuse while ensuring that data is handled securely. 

Digital Markets Act and Digital Services Act

Examples of additional legal frameworks include the Digital Markets Act (DMA) and the Digital Services Act (DSA). Under the DMA, large platform companies, often referred to as ‘gatekeepers’, are required to share more data with researchers. This provides scientists with better opportunities to study the societal impact of large online platforms. The DSA mandates greater transparency regarding algorithms and content moderation. Platforms are required to disclose how their recommendation algorithms work. This offers researchers invaluable data for studies into the operation and impacts of social media.

The Data Governance Act and the Data Act 

A different set of European regulations stemming from the European Data Strategy [3], namely the Data Governance Act (DGA) and the Data Act (DA), is expected to have a greater impact. The DGA creates a legal framework that allows the reuse of specific categories of sensitive government data, including personal data and data covered by intellectual property rights. Although the GDPR aimed to ‘promote the free movement of that data’ within the EU to establish a stronger internal market, this reuse of such data for research and innovation has not been sufficiently realised. Building on the GDPR, the DGA and DA enhance access to valuable datasets for scientific research. More specifically, the Data Act aims to guarantee greater autonomy in using one’s own data and sharing data with third parties, while the Data Governance Act seeks to foster greater trust in data sharing.

Furthermore, the DGA  introduces the regulation framework for services that intermediate data to create   trustworthy and secure platforms for data sharing. This will make it easier for researchers to find relevant datasets, securely share research data, and ensure the integrity and origin of the data they use. In essence, the DGA promotes data sharing for altruistic reasons, which can foster a more open science environment and make research data more accessible for reuse.

The Data Governance Act went into force on 23 June 2022 and became effective on 24 September 2023; the Data Act will go into force on 11 January 2024 and become effective on 12 September 2025. 

European Data Spaces

These regulations are part of the legal framework for establishing strategic ‘European data spaces’. These spaces will offer reliable infrastructures across different domains, facilitating safe data sharing while also enhancing data protection and safeguarding strategic autonomy. These ‘European data spaces’ are being developed in 14 sectors/domains, including for the sector ‘health’; the European Health Data Space – EHDS [4].

What does secure data sharing in research entail from the perspective of the DGA and DA?

The European DGA and DA regulations introduce new principles, concepts, and organisational structures, effectively establishing an additional layer of governance for data reuse. The Dutch data strategy [4] is based on the following three principles (the practical details of these principles are currently being worked out):

• Data sharing should ideally be voluntary
• The government can mandate data sharing if needed
• Individuals and companies remain in control of their data

In addition to other points, the Council of State has emphasised the following with regard to the Open Data Directive Implementation Act:

• Take measures to prevent the unintentional use of strategic data by (state) actors in a manner that could compromise national security (a concept known as knowledge security)
• The reuse of public personal data is not possible under the Dutch Reuse of Public Sector Information Act (Who) if it is incompatible with the purposes for which the data was obtained (purpose limitation)
• The reuse of personal data from public registers is prohibited under the Who, unless specifically authorised by other legislation
• Organisations will have to systematically check if the data they provide is at risk of losing its anonymity because of technological developments

How can the DGA facilitate research?

The introduction of concepts of ‘Data Altruism’ and ‘Data Intermediation Services’ allows to facilitate research and provides more opportunities for interdisciplinary collaboration. 

Data Altruism: The voluntary sharing of data for purposes of general interest (including education, science, and research). A data altruism register of all recognised data altruistic organisations will be created. Registered data-altruistic organisations are regulated to ensure they meet specific standards, including in the area of security and transparency.

Data Intermediation Services: A neutral third party that facilitates data exchange between parties in a secure manner (e.g., data marketplaces and Personal Information Management Systems). The European Commission maintains a register of all data intermediation services in Europe. Data intermediation services must meet certain conditions to ensure neutrality and security.

The practical details of these concepts are currently being worked out.

How can the DA facilitate research?

Indirectly: Users of devices give permission to share data; this means there should be a reasonable technical and economic agreement with the ‘data holder’; The parallel use of cloud services must be possible (interoperability); Exporting data from the cloud must be possible;

Directly: If researchers themselves use devices or cloud services.

How will secure data sharing for research work through a data intermediation service, according to the DGA?

The act states that each member country appoints a competent authority to facilitate the reusability of protected data which is held by public sector bodies. CBS will be appointed as the competent body for supporting the reuse of Dutch public sector data for scientific and statistical purposes. CBS will provide the following support to public sector bodies (the practical details of the supporting role are currently being worked out):

• A secure processing environment for researchers to analyse data from public sector bodies
• Guidelines and technical assistance for data organisation and storage
• Technical support for pseudonymisation, ensuring privacy, confidentiality, integrity and accessibility of data

While the DGA does not mandate data reuse, it sets out the frameworks within which data should be made available. “These competent authorities must provide assistance, upon request, to public sector bodies with a national mandate to grant or deny access for the purpose of reusing data under the regulation”.

Terms used in this definition:

Data from private data-altruistic organisations

Private organisations wishing to voluntarily share sensitive data for research purposes can use existing domain infrastructures like ODISSEI and CLARIAH. By listing their metadata in domain portals such as the ODISSEI Portal and CLARIAH Ineo, these organisations can make their data more accessible to the SSH community. Researchers can then submit requests to the data owners for permission to use the data. 

An automatic ‘broker for data access’ can streamline the process of granting data access by standardising and simplifying it with machine-actionable access requirements. This saves time for the data owner and enables scientists to gain access more quickly. The organisation can then share the data with the researcher within a Trusted Research Environment (TRE) SANE, which ensures that the organisation retains complete control over the data. This means that the organisation can withdraw access at any moment and audit the data the scientist seeks to retrieve from SANE, such as a table with aggregated data. 

ODISSEI is investigating whether it should facilitate a Data Intermediation Service between researchers and private organisations.

Supervisory authority DGA and DA

The Dutch Authority for Consumers & Markets (ACM) is designated as the supervisory authority in the Netherlands for the DGA and the DA.

This means for the DA:

• To ensure that people can share data from their smart devices and that the terms for doing so are reasonable, considering both technical and economic factors;
• To ensure that people have the freedom to switch between cloud services or to use multiple cloud services simultaneously;
• To ensure that businesses only share data with non-EU governments following a rigorous legal evaluation.

This means for the DGA:

• Supervising Data Intermediation Services (required registration + terms and conditions)
• Designating, and supervising, data altruism organisations (voluntary registration)
• The practical details of the supervising role are currently being worked out.

To conclude

The Data Governance Act and Data Act are expected to have major implications for SSH research, specifically for sensitive data sharing. It will be easier for organisations (both public and private) to voluntarily share sensitive data, and organisations may get stimulated by the possibility to receive a data altruism certificate. It is expected that Data Intermediation Services will be established to further ease the transfer of sensitive data between organisations and researchers, for instance by providing a Trusted Research Environment. Data sharing by individuals from smart devices should become much easier and faster through enforced API connections. 

CBS should become the competent body for supporting the reuse of Dutch public sector data for scientific and statistical purposes. ODISSEI is investigating whether it should facilitate a Data Intermediation Service between researchers and private organisations.

Like what happened with the implementation of the GDPR, the precise implications of the DGA and DA will become clearer over the next few years. ODISSEI will closely monitor these developments to check whether its infrastructure should be adjusted, and intends to organise follow-up events. 

The event ‘The future of secure data sharing’, organised by ODISSEI on 5 June 2024, served as the primary source of information for this article. A condensed version of this article was published in the E-data magazine in September 2024. 

Relevant links

1. See: https://digital-strategy.ec.europa.eu/nl/policies/strategy-data
2. See: https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age_nl
3. See: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52020DC0066
4. See: https://www.gegevensuitwisselingindezorg.nl/european-health-data-space-ehds
5. See: Nederlandse Kabinetsvisie op datadeling tussen bedrijven (2019), Non-paper on the Data Act (2021), Nederlandse Strategie Digitale Economie (SDE; 2022)

Picture by Ave Calvar