Hostname: page-component-78c5997874-94fs2 Total loading time: 0 Render date: 2024-11-10T11:32:55.230Z Has data issue: false hasContentIssue false
  • English
  • Français

Collaborative Governance Structures for Interoperability in the EU’s new data acts

Published online by Cambridge University Press:  18 September 2024

Jens-Peter Schneider ,
Johannes Erny Open the ORCID record for Johannes Erny [Opens in a new window]  and
Franka Enderlein Open the ORCID record for Franka Enderlein [Opens in a new window]
Jens-Peter Schneider
Affiliation:
Institute for Media and Information Law, University of Freiburg Faculty of Law, Freiburg, Germany
Johannes Erny*
Affiliation:
Institute for Media and Information Law, University of Freiburg Faculty of Law, Freiburg, Germany
Franka Enderlein
Affiliation:
Institute for Media and Information Law, University of Freiburg Faculty of Law, Freiburg, Germany
*
Corresponding author: Johannes Erny; Email: johannes.erny@jura.uni-freiburg.de
Rights & Permissions [Opens in a new window]

Abstract

This contribution analyses the EU’s new data acts. Interoperability is a common denominator of the EU’s new data acts. This paper demonstrates that the new data acts provide various approaches or concepts of collaborative governance to regulate interoperability. Although the EU’s new data acts are far from a uniform governance concept, we detected certain institutional arrangements organising the collaboration between private self-regulatory bodies, other private stakeholders and public bodies to lay down rules for interoperability.

Keywords

Collaborative GovernanceData ActData Governance ActInteroperable Europe ActInteroperability
Type
Articles
Information
European Journal of Risk Regulation , First View , pp. 1 - 12
Copyright
© The Author(s), 2024. Published by Cambridge University Press

I. Introduction

Interoperability is a common denominator of the EU’s new data acts. The reason is obvious: interoperability is a fundamental condition for effective information sharing in the EU administrative space as well as in the EU’s digital economy.

Remarkably, the various new data acts quite often refer more or less explicit to each other’s interoperability provisions. Thus, they provide a collaborative governance structure for interoperability. In addition, these acts demand collaboration of various private and public actors for the development or adoption of interoperability standards or safeguards.

Traditionally, interoperability is conceived as a mainly technical problem. Consequently, interoperability safeguards are often provided in technical standards established by private standardisation organisations or directly by industry actors in different modes of self-regulation. However, interoperability standards for inter-administrative (G2G) data exchange clearly exceed the realm of industry self-regulation. The same applies in the case of informational public–private partnerships with either government to business or citizen data-sharing (G2B/C) under the open government data paradigm or business to government data-sharing (B2G) to overcome informational asymmetries at the expense of public authorities. Furthermore, due to market power asymmetries, even data exchange among private actors (B2B, B2C or C2B) have motivated the European legislator to regulate such private data sharing including the basic interoperability standard setting. Important features of this regulation are participation of various stakeholders and supervision by public authorities. Consequently, collaborative governance is an important characteristic of the new legislative framework for interoperability.

The focus of this paper is as follows: Firstly, Section II. clarifies the understanding of “interoperability” in the new data acts. Secondly, Section III. presents an overview about the complex and fragmented new legislative framework for the EU’s future common data spaces in a broad sense composed by various new acts with sometimes overlapping titles. Instead of discussing the complex rulebooks in detail, we will rather highlight their core content as well as their relevance for administrative law. Section IV. then focusses on structural characteristics of the new interoperability rules. We will demonstrate that the new data acts provide various approaches or concepts of collaborative governance. Although the rulebook is far from a uniform governance concept, Section V. detects certain institutional arrangements organising the collaboration between private self-regulatory bodies, other private stakeholders and public bodies. Finally, Section VI. draws a conclusion and offers an outlook.

II. Understanding “interoperability”

As already mentioned, standardisation organisations often set interoperability safeguards in technical standards. This comprises the definition of interoperability, which the International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) established in 2017 in their technical standard for cloud computing. ISO and IEC define interoperability for cloud computing as “the ability of two or more systems or applications to exchange information and to mutually use the information that has been exchanged.”Footnote 1 Also, reference is made to different dimensions of interoperability such as transport, syntactic, semantic, behavioural and policy interoperability.Footnote 2

The technical approach of ISO and IEC is important in the context of the EU’s new data acts because the Data ActFootnote 3 refers to the cited standard of the standardisation organisations. In recital 100 the Data Act states that the criteria specified in the Act have the same meaning as the interoperability aspects defined in the ISO and IEC technical specifications for cloud computing. It is therefore only consistent that the Data Act defines interoperability very similarly to the ISO and IEC technical standard.Footnote 4 In addition, the Data Act provides that open interoperability specifications for data processing services shall address the same interoperability dimensions as defined by ISO and IEC.Footnote 5

In contrast, the Interoperable Europe ActFootnote 6 highlights that interoperability is not only a technical problem.Footnote 7 The Interoperable Europe Act does not even define technical interoperability. However, the Act refers to the European Interoperability Framework.Footnote 8 In the Communication from 2017 containing the most recent implementation strategy for the European Interoperability Framework, the Commission defines technical interoperability as applications and infrastructures connecting systems and services.Footnote 9 This seems to be in line with the transport dimension as defined by ISO and IEC and mentioned in the Data Act. The same applies to the definition of the semantic dimension in the Interoperable Europe Act which is a combination of syntactic and semantic interoperability as defined by ISO and IEC and as mentioned in the Data Act.Footnote 10

Against this background, it is remarkable that the Interoperable Europe Act extends the EU’s regulatory approach beyond purely technical dimensions in also addressing legal and organisational dimensions of interoperability as part of an Integrated Public Service Governance reflecting a holistic approach on interoperability.Footnote 11 While ISO and IEC merely understand policy interoperability as a compliance check with legal requirements, the Interoperable Europe Act provides an explicitly pro-active approach, demanding legal and organisational frameworks effectively supporting interoperability.Footnote 12 The reason for this difference is clear. ISO and IEC as private standardisation organisations lack the competence to demand legal and organisational reforms especially towards inter-administrative data-sharing which is the focus of the Interoperable Europe Act as will be further shown below. Nevertheless, the EU’s legislative competence to recommend or even demand such reforms of public information law also at national level might be a matter of dispute.Footnote 13

III. Overview: the EU’s new data acts

This paper, however, focusses on an overview about the complex and fragmented new data acts of the EU. It analyses the core content of the new data acts and their relevance for different categories of information exchange between public and private actors, ie their importance from an administrative law perspective. In our analysis we have identified three categories of information exchange between public and private actors: inter-administrative data sharing (1.), public–private data sharing (2.) and private data sharing (3.). Additionally, there are some horizontal acts that establish rules for every domain of information sharing (4.).

1. Acts regulating inter-administrative data sharing

First, we identify inter-administrative or G2G data sharing as established by well-known sector-specific legislation such as the IMI RegulationFootnote 14 . That Regulation establishes the Internal Market Information System (“IMI”) for administrative cooperation between competent authorities of the Member States and between competent authorities of the Member States and the Commission. Of the EU’s new data acts, the Interoperable Europe Act addresses the process of inter-administrative data sharing and codifies policies under the previously not legally binding European Interoperability Framework. The scope of this Regulation is limited to public sector bodies of Member States and institutions, bodies and agencies of the Union that provide or manage digital information systems as an infrastructure for cross-border public services (Article 1(2)).

2. Acts regulating public-private data sharing

The second category concerns two different cases of public-private data sharing: Firstly, it includes the case when the government shares information with private actors as regulated by the Open Data DirectiveFootnote 15 or formerly the Public-Sector-Information (PSI) DirectiveFootnote 16 (G2B or G2C). Secondly, it comprises the case of the inverse perspective when businesses or citizens share data with the government (B2G or C2G). The second case is subject to sector-specific legislation like the Directive on the assessment of the effects of certain public and private projects on the environmentFootnote 17 obliging the developer to prepare and submit to the competent authority an environmental impact assessment report.Footnote 18 Other examples are the Digital Services ActFootnote 19 or provisions in the field of financial regulation.Footnote 20

3. Acts regulating purely private data sharing

The regulation of purely private data sharing (B2B, B2C, C2B or C2C) constitutes the third category. This category addresses for example the Digital Markets ActFootnote 21 regulating the portability of user-generated data.

The Data Governance ActFootnote 22 also regulates private data sharing but is not limited to it. It establishes rules for G2B, G2C, B2G and C2G data sharing. Chapter II of the Data Governance Act complements the Open Data Directive by laying down new rules on re-use of protected public sector information. Additionally, Chapter IV on data altruism regulates B2G data sharing or private data sharing if this pursues a general interest objective. Furthermore, the terms on European Data Spaces in the Data Governance Act (Article 29(2)(c), 30(f), (g), (h)) apply to all four domains of data sharing.

Another component of the regulatory framework concerning mainly private data sharing is the Data Act, in particular its rules on data sharing between private actors with regard to the internet of things (IoT) in Chapter II. Nevertheless, the Data Act also mandates businesses to share data with public sector bodies, the Commission, the European Central Bank or a Union bodies when there is an exceptional need (Chapter V).Footnote 23 Moreover, the Data Act provides provisions concerning data spaces (Article 33) as well as the switching of data processing services (Article 35), which apply to private as well as public providers or customers.Footnote 24

4. Horizontal acts establishing rules for every domain of information sharing

Moreover, there are some horizontal acts that establish rules for every domain of information sharing, like the General Data Protection Regulation,Footnote 25 the Regulation on a framework for the free flow of non-personal data in the European UnionFootnote 26 and the Regulation on electronic identification and trust services for electronic transactions in the internal marketFootnote 27 .

Interestingly, the EU’s new data acts refer in their interoperability provisions to the European Standardisation Regulation of 2012.Footnote 28 As shown in Section IV., the Regulation and the EU’s new data acts will serve as a central enabler of a collaborative governance structure for interoperability.

IV. Interoperability rules in the EU’s new Data Acts & collaborative governance

In our analysis we identified the involvement of private stakeholders in different types of collaboration with public bodies in the EU’s multi-level system of governance as an overarching principle.Footnote 29 The new data acts establish a framework for collaborative interoperability governance comprising elements of self-regulation, competences for public bodies to support or request industry standard-setting as well as powers for formal regulatory interventions.

1. Different approaches governing the establishment of data sharing standards

Nevertheless, the new framework is far from a uniform governance concept used in all adopted or proposed legal acts. Instead, we have identified three different approaches governing the establishment of data sharing standards. We label these approaches “legal effect by referencing” (a.); “standardisation request and referencing” (b.) and “consulted rulemaking by the Commission” (c.).

a. Legal effect by referencing

“Legal effect by referencing” leaves the most extensive room for rather autonomous self-regulation by private standardisation organisations. Under this traditional concept, public bodies like the Commission are limited to the option to select privately established standards and to provide them with more or less legally binding effects by way of referencing in official acts or publications. However, the European Standardisation Regulation may provide requirements for a balanced representation and participation of divergent or even conflicting private interests or stakeholders.

b. Standardisation request and referencing

Under the “standardisation request and referencing” approach public bodies or the Commission have an increased influence on the standardisation process. For instance, Article 10 of the European Standardisation Regulation empowers the Commission to request one or more European standardisation organisations to draft harmonised standards. If the harmonised standard satisfies the requirements laid down by the legal acts, the Commission shall publish a reference of the harmonised standard for example in the Official Journal of the European Union.

c. Consulted rulemaking by the commission

The third approach of “consulted rulemaking by the Commission” covers arrangements under which the Commission is empowered to adopt delegated or implementing legal acts as well as mere guidelines. If such rulemaking procedures concern technical standard-setting, the Commission regularly has to consult various stakeholders.

2. Collaborative interoperability governance in the new data acts

Our analysis of the new data acts will unveil that the same area of interoperability, such as the interoperability of data spaces may be regulated by more than one of the new data acts. In addition, according to the new data acts, different collaborative governance regimes may apply for the same area of interoperability – eg of data spaces – depending on the success or failure of requested self-regulation.

a. Interoperable Europe Act

To start with, the Interoperable Europe Act provides two approaches for collaborative interoperability governance:

On the one hand, the European Interoperability Framework shall be subject to consulted Commission rulemaking. The starting point will be a proposal of the newly established Interoperable Europe Board for updating the European Interoperability Framework, which shall serve as a guideline for the proposed Interoperability Assessments.Footnote 30 The Commission may adopt that proposal and shall publish the European Interoperability Framework in the Official Journal of the European Union.Footnote 31

On the other hand, interoperability solutions including ICT specifications and industry standardsFootnote 32 are developed in the practice of inter-administrative data sharing or by private standardisation organisations. When the Interoperable Europe Board recommends an interoperability solution, it is labelled as an Interoperable Europe solution and the Commission is referencing it by way of its publication on the Interoperable Europe portal.Footnote 33

Both interoperability rules have a semi-binding legal effect: Where a public body intends to set up or significantly modify an information system, it has to carry out an interoperability assessment.Footnote 34 Pursuant to Article 3(2) of the Interoperable Europe Act, the interoperability assessment shall identify and assess the effects of the binding requirements on cross-border interoperability, using the European Interoperability Framework as a support tool and evaluate the Interoperable Europe solutions.

b. Data Act and Data Governance Act

The interaction of the Data Act, the Data Governance Act and the European Standardisation Regulation is complex. The Data Act provides rules for two different domains of interoperability: Firstly, requirements for operators of data spaces to facilitate the interoperability of data, data sharing mechanisms and services (a). Secondly, rules for the interoperability of data processing services (b).Footnote 35

i. Requirements for operators of data spaces

The relevance of data spaces for the establishment of the European Data Economy cannot be overestimated.Footnote 36 In fact, the Commission strives to further establish common European Data Spaces to facilitate sector-specific and cross-sectoral data sharing and data reuse.

Data spaces are regulated in Article 33 of the Data Act.Footnote 37 Paragraph 1 of the article lays down the essential requirements that operators of data spaces shall comply with in order to facilitate interoperability. These essential requirements encompass regulations related to interoperability. For example the requirements demand a description of the data structures, data formats and vocabularies, which relate to syntactic and semantic interoperability.Footnote 38 Furthermore, the technical means to enable automatic access and transmission of data (ie transport interoperability) shall be sufficiently described.Footnote 39 Beside this, requirements related to data quality shall allow the recipient to find, access and use the data: The essential requirements demand a description of the dataset content, data collection methodology, data quality and uncertainty.Footnote 40

According to Article 33(2) of the Data Act, the Commission is empowered to adopt delegated acts to further specify those essential requirements. Within this specification process the Commission shall consult the European Data Innovation Board (EDIB) (“consulted rulemaking by the Commission”).

As indicated earlier, the Data Governance Act complements the Data Act inter alia concerning the Commission’s rulemaking on data spaces. First, the Data Governance Act requires the consultation of the EDIB by the Commission.Footnote 41 It also regulates the composition of the EDIB. In accordance with the Data Governance Act, the EDIB consists not only of representatives of the competent authorities of the European Union, but also of representatives from industry, research, academia, civil society, standardisation organisations, relevant common European data spaces and other relevant stakeholders. Nevertheless, the Data Act – and not the Data Governance Act – obliges the Commission to further consult experts designated by each Member State before adopting the delegated act.Footnote 42 Consequently, while the Commission must take into account various opinions of different groups of stakeholders, the final decision of adopting the delegated act is made by the Commission.

Second, the essential requirements in Article 33(1) Data Act reflect the so-called FAIR-Principles for Common European Data Spaces mentioned in the Data Governance Act requiring that data spaces should make data findable, accessible, interoperable and re-usableFootnote 43 . The Commission should consider this when further specifying the essential requirements through delegated acts.

As mentioned, the new data acts regulate interoperability of data spaces at various levels of detail. Besides the specification of essential requirements in delegated acts, the Data Act provides rules on even more detailed technical standards. In addition, concerning such interoperability standards for data spaces, different collaborative governance regimes may apply depending on the success or failure of requested self-regulation.

The Data Act empowers the Commission to request one or more European standardisation organisations to draft harmonised standardsFootnote 44 that satisfy the essential requirements of Article 33(1) Data Act including their specifications in delegated acts of the Commission.Footnote 45 If the standardisation organisation’s proposal satisfies the specified requirements, the Commission shall publish a reference of the drafted harmonised standard in the Official Journal of the European Union.Footnote 46 The operators of data spaces shall be presumed to be in conformity with the essential requirements, if they meet the harmonised standards or parts thereof published by reference in the Official Journal of the EU.Footnote 47 The procedure to the adoption of harmonised standards is part of our second category of “standardisation request and referencing.”

Again, the Data Act rules will be complemented by already existing rules. In this regard, the general rules on requested standard-setting provided by the European Standardisation Regulation supplement the Data Act rules.Footnote 48 Although initiated and supervised by the Commission, this second approach for collaborative interoperability governance extensively relies on self-regulated standard-setting. The standardisation organisations are free to draft harmonised standards. The Commission can only check whether the harmonised standards meet the requirements.

Where the standardisation organisations fail to draft harmonised standards complying with the essential requirements laid down by this Regulation, the Data Act provides a “safety net” by empowering the Commission to adopt so-called common specifications,Footnote 49 by way of implementing acts.Footnote 50 The Commission is obliged to take into account the advice of the EDIB and views of other relevant bodies or expert groups and shall duly consult all relevant stakeholders.Footnote 51 Therefore, the adoption of common specifications resembles a form of “consulted rulemaking by the Commission.”

Furthermore, according to Article 33(11) Data Act the Commission may adopt guidelines providing interoperability specifications for the functioning of common European Data Spaces. The EDIB shall propose these guidelines; a requirement already established in the Data Governance ActFootnote 52 . Consequently, we classify this arrangement for adopting another layer of soft law for data spaces as consulted rulemaking.

Moreover, the Data Governance Act sets the envisaged content of the guidelines the EDIB proposes.Footnote 53 The guidelines address a different layer in comparison to the above-mentioned essential requirements.Footnote 54 Unlike the essential requirements, these guidelines may include standards and practices to facilitate data sharing in the European Union. They aim to support the development of a functioning European data economy based on data spaces by addressing all aspects of interoperability.Footnote 55

However, the guidelines that establish interoperability specifications are not legally binding for the operators within data spaces, adding another layer of soft law to the Governance of interoperability in the European Union. In contrast to the harmonised standards and common specifications, the Data Act does not contain provisions stating that operators within data spaces are presumed to be in conformity if they comply with these guidelines. Notwithstanding this, the guidelines will certainly influence the Commission’s future legislative proposals regarding common European Data Spaces. As soft law adopted by the Commission, the guidelines will have a self-binding effect for the Commission.

As shown above, the Data Act contains three different levels of rules regarding interoperability of data spaces in addition to the guidelines for the functioning of common European Data Spaces. These three levels create a cascade of rules, progressively developing an ever more concrete framework for the interoperability of data spaces. In this cascade, the democratic legitimacy originating from the European Parliament and the Council extends into the subsequent levels of interoperability rules.

At the first level, the European Parliament and the Council lay down and adopt the essential requirements in the ordinary legislative procedure as part of the Data Act.Footnote 56

On the second level, the Commission is empowered to adopt delegated acts to further specify those essential requirements. This delegation of power to the Commission is limited in time and can be revoked at any time by the European Parliament or by the Council.Footnote 57 Furthermore, the European Parliament or the Council can express their objections and by this prevent the entry into force of the delegated act.Footnote 58 The European Parliament and the Council thus oversee the Commission’s specification of the essential requirements.

On the third level, standardisation organisations will be requested to propose harmonised standards. It is debatable whether the standardisation organisations have sufficient democratic legitimacy to propose such harmonised standards.Footnote 59 The fact that the harmonised standards must fulfil the essential requirements laid down in the Data Act speaks in favour of sufficient democratic legitimacy. The Commission shall only publish a reference of such a harmonised standard, if it satisfies the requirements set out in the Data Act.Footnote 60 Moreover, if the Commission publishes a reference to the harmonised standards in the Official Journal of the European Union it acknowledges it.Footnote 61 Therefore, the level of democratic legitimacy is sufficient.

ii. Interoperability for data processing services

The Data Act also addresses the interoperability of data processing services. Due to the limited effect of self-regulating codes, the Data Act strives to adopt a set of minimum regulatory obligations on providers of data processing services.Footnote 62 Hence, the providers of data processing services shall ensure the compatibility with open interoperability specifications or standards for interoperability.Footnote 63

Concerning the interoperability of data processing services, the Data Act establishes in principle a similar two-tier approach of either requested harmonised standardsFootnote 64 or the adoption of common specifications by way of “consulted Rulemaking by the Commission.”Footnote 65 The empowerment of the Commission to lay down common specifications by way of implementing actsFootnote 66 provides a “safety net” in case the standardisation organisations are failing to draft the requested harmonised standards.

The Data Act provides a different concept of standard-setting for establishing common specifications than for the interoperability of data spaces. It obliges the Commission to duly consult all relevant stakeholders,Footnote 67 but not to consult the EDIB. This is due to the tasks of the EDIB.Footnote 68 In accordance with the Data Governance Act, the EDIB shall advise the Commission on their activities regarding data spaces. The consultation of the Commission on the interoperability of data processing services is not mentioned. Therefore, these tasks laid down by the Data Governance Act would need to be adjusted to these new tasks of the EDIB to enable a consultation of the Commission by the EDIB on the interoperability of data processing services.Footnote 69

The concept of laying down interoperability rules for data processing services mirrors not only the two-tier approach of the standard-setting procedure for data spaces, but also the above-mentioned cascade of rules. The Commission shall only publish the reference of a harmonised standard if this harmonised standard meets the criteria set out in Article 35(1) and (2) of the Data Act.Footnote 70

c. Interim conclusion

To summarise: The Data Act in combination with the Data Governance Act and the European Standardisation Regulation use two different concepts of standard-setting. Under the first approach, harmonised standards shall be developed by private standardisation organisations on request of the Commission which reference these standards in the Official Journal if they fulfil essential quality requirements for interoperability. According to the second concept, the Commission can adopt common specifications by way of implementing acts, where the harmonised standards are insufficient to ensure conformity with the essential requirements. The second concept provides a “safety net” in case of failing self-regulation. Nevertheless, it is based on collaboration with stakeholders from various domains in order to overcome information asymmetries.

V. Institutional arrangements for organising collaborative governance

Altogether, we can identify four institutional arrangements for organising collaborative governance: Standardisation organisations, the EDIB, the Interoperable Europe Board and finally comitology committees.

This part briefly presents some features of the four institutional arrangements: The first tier of collaborative standard setting involves collaboration with competent standardisation organisations. However, the approach of collaboration differs. According to the Data Act, the standard-setting process is part of our concept of “standardisation request and referencing.” Whereas according to the Interoperable Europe Act, the identification of interoperability is part of our concept of “legal effect by referencing.” The details of these collaborations are not regulated in the EU’s new data acts. Instead, they refer to the established arrangements under the European Standardisation Regulation of 2012.Footnote 71

Secondly, the EDIB plays an important role in consulting the Commission in questions arising from interoperability rules applicable to Common European Data Spaces. The EDIB consists of representatives of various national and European competent authorities and shall support the Commission by identifying relevant standards.Footnote 72 In consultation-processes concerning data spaces, the EDIB involves in addition to its standard membership of public officials a subgroup for stakeholder involvement. This subgroup is composed of relevant representatives from industry, research, academia, civil society, standardisation organisations, relevant common European data spaces and other relevant stakeholders.Footnote 73

Thirdly, there are two different institutional arrangements established by the Interoperable Europe Act to support the activities of the Commission: the Interoperable Europe Board and the Interoperable Europe Community.Footnote 74 The Interoperable Europe Board consists of representatives of each Member State and the Commission.Footnote 75 While the Board’s focus is the participation of public actors, the Interoperable Europe Community expands the collaboration with public and private stakeholders. They can support the Interoperable Europe Board by contributing to the content of the Interoperable Europe portal.Footnote 76

Fourthly, under the consulted rulemaking approach the examination procedure according to Article 5 of the Comitology Regulation is a key element for support and control of the Commission by the Member States.

Altogether, in all institutional arrangements – except Comitology – stakeholder participation is a central although not uniform feature. Moreover, one needs to keep in mind that according to the Data Act comitology procedures regarding common specifications for interoperability will be accompanied by at least one of the other three institutional arrangements providing some form of stakeholder participation.Footnote 77

VI. Conclusion and outlook

We conclude that the EU’s new data acts are establishing a rather comprehensive, while complex collaborative governance structure characterised by the interaction of various public and private bodies comprising self-regulation as well as regulatory interventions or public support of industry standard-setting. Especially, the Commission and the EDIB are playing an important role together with European standardisation organisations in fostering the interoperability of common European Data Spaces. This reflects the insight that interoperability also beyond inter-administrative data-sharing is not merely a technical problem. Instead, it is related to various legal and organisational – or in other words political – issues of data spaces.

Funding statement

This project has received funding from the NORFACE Joint Research programme on Democratic Governance in Turbulent Ages and co-funded by AEI, AKA, DFG, FNR and the European Commission through Horizon 2020 under the Grant Agreement No 822166 and the research project PCI2020-112207/AEI/10.13039/501100011033.

Competing interests

Jens-Peter Schneider is Professor of Public Law and European Information Law and Director at the Institute for Media and Information Law at the University of Freiburg. Johannes Erny and Franka Enderlein are research assistants at this institute. Many thanks to all the participants of the INDIGO-workshop in Luxemburg on 14–15 September 2023 for the helpful comments and criticism. All remaining errors are entirely our own.

References

1 ISO and IEC, ISO/IEC 19941:2017 Information technology — Cloud computing — Interoperability and portability.

2 Ibid. Transport interoperability refers to the exchange of information using an established communication infrastructure between participating systems. Syntactic interoperability means that the formats of exchanged information can be understood by the participating systems. Semantic data interoperability pertains to the understanding of the meaning of the data model within the context of a subject area by the participating systems. Behavioural interoperability ensures that the actual result of the exchange achieves the expected outcome. Policy interoperability involves compliance with the legal, organisational and policy frameworks applicable to the participating systems.

3 Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonised rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act) (2023) OJ L.

4 Data Act, Art. 2(40), see also Jonas Siglmüller, “Standardisierungsbestrebungen für das Rückgrat der europäischen Digitalwirtschaft: Erste Einordnung von Begrifflichkeiten, Systematik und praktischen Herausforderungen” (2024) MMR 112, 114–115.

5 Data Act, Art. 35(2)(a).

6 Regulation of the European Parliament and of the Council laying down measures for a high level of public sector interoperability across the Union (Interoperable Europe Act). The Interoperable Europe Act has not yet been published in the Official Journal. Therefore, we refer to the latest text version with document number PE-CONS 73/23.

7 Interoperable Europe Act, recital 5, 8, Art. 2(1).

8 Ibid., recital 8.

9 Commission, “Annex 2 to the European Interoperability Framework – Implementation Strategy” (Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions) COM (2017) 134 final 27, additionally listing interface specifications, interconnection services, data integration services, data presentation and exchange and secure communication protocols as aspects of technical interoperability.

10 See for this integrated approach Ibid., final 25–26.

11 Ibid., final 18–20.

12 Interoperable Europe Act, Art. 3, Annex; see also Felix Pflücke, “Interoperability in the EU: Paving the Way for Digital Public Services” (2023) SSRN Journal 17, 33, 35.

13 On the EU’s legislative competence for the Interoperable Europe Act, see ibid. 16.

14 Regulation (EU) 1024/2012 of the European Parliament and of the Council of 25 October 2012 on administrative cooperation through the Internal Market Information System and repealing Commission Decision 2008/49/EC (“the IMI Regulation”) (2012) OJ L316/1; for more details see Micaela Lottini, “An Instrument of Intensified Informal Mutual Assistance: The Internal Market Information System (IMI) and the Protection of Personal Data” (2014) 20 European Public Law 107; for a general account of interadministrative information exchange within the EU’s administrative space see Jens-Peter Schneider, “Information exchange and its problems” in Carol Harlow, Päivi Leino and Giacinto Della Cananea (eds), Research Handbook on EU Administrative Law (Edward Elgar Publishing 2017) 81.

15 Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (2019) OJ L172/56 (Open Data Directive).

16 Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public sector information (2003) OJ L345/90.

17 Directive 2011/92/EU of the European Parliament and of the Council of 13 December 2011 on the assessment of the effects of certain public and private projects on the environment (2012) OJ L26/1.

18 Directive 2011/92/EU of the European Parliament and of the Council of 13 December 2011 on the assessment of the effects of certain public and private projects on the environment (2012) OJ L26/1, Art. 5 and Annex IV; see on the collaborative fact-finding under the Environmental Impact Assessments-regime Jens-Peter Schneider, Nachvollziehende Amtsermittlung bei der Umweltverträglichkeitsprüfung (Duncker und Humblot 1991) 1991.

19 Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market for Digital Services and amending Directive 2000/31/EC (Digital Services Act) (2022) OJ L277/1, eg Art. 40(1), 72(1) DSA; see also Jens-Peter Schneider, Kester Siegrist and Simon Oles, “Collaborative Governance of the EU Digital Single Market established by the Digital Services Act” (2023) SSRN Journal 36.

20 Herwig C Hofmann, Dirk A Zetzsche and Felix Pflücke, “The Changing Nature of ‘Regulation by Information’: Towards Real-time Regulation?” (2023) SSRN Journal 11–17.

21 Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (2022) OJ L265/1.

22 Regulation (EU) No 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (2022) OJ L152/1 (Data Governance Act).

23 Data Act, Art. 14.

24 For the relationship between the regulations, see Siglmüller (n 5), 113.

25 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016) OJ L119/1.

26 Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union (2018) OJ L303/59.

27 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) OJ L257/73; see also Commission, “Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity” COM (2021) 281 final.

28 Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (2012) OJ L316/12 (European Standardisation Regulation).

29 See Section V.

30 Interoperable Europe Act, Art. 3(5), 15(5)(a).

31 Ibid., Art. 6(1).

32 Ibid., Art. 2(4), Art. 4; European Standardisation Regulation, Art. 2(1), (4), (5), Art. 13.

33 Ibid., Art. 7(1).

34 Ibid., Art. 3(1).

35 Data Act, Art. 36 also provides rules on smart contracts, regarding those, see Siglmüller (n 5), 115–116.

36 Ulrich M Gassner, “Forschung und Innovation im europäischen Gesundheitsdatenraum” (2022) 46(12) Datenschutz und Datensicherheit - DuD 739, 746.

37 On the definition of data spaces see Siglmüller (n 5), 113.

38 Data Act, Art. 33(1)(b).

39 Ibid., Art. 33 (1)(c).

40 Data Act, Art. 33(1)(a).

41 Data Governance Act, Art. 30(f); Art. 33(2), 42(c)(iii) Data Act.

42 Data Act, n 40, Art. 33(2), Art. 45(4).

43 Data Governance Act, recital 2.

44 Data Act, Art. 2(43); European Standardisation Regulation, Art. 2(1)(c).

45 Data Act, Art. 33(4); European Standardisation Regulation, Art. 10(1), (2) and Art. 22(3).

46 Data Act, Art. 33(4); European Standardisation Regulation, Art. 10(6).

47 Ibid., Art. 33(3).

48 European Standardisation Regulation, Art. 10.

49 Data Act, Art. 2(42).

50 Ibid., Art. 33(5).

51 Ibid., Art. 33(7).

52 Data Governance Act, Art. 30(h).

53 Ibid., Art. 30(h)(i–v).

54 See Section IV. II. 2. a) aa).

55 Data Governance Act, recital 54.

56 Consolidated version of the Treaty on the Functioning of the European Union (2012) OJ C326/47 (TFEU), Art. 288(2), 289(1) and 294.

57 Data Act, Art. 45(1–3).

58 Ibid., Art. 45(6).

59 Herwig C Hofmann, Gerard C Rowe and Alexander Türk, Administrative law and policy of the European Union (1st edn, OUP 2011) 598–605.

60 Data Act, Art. 33(4); European Standardisation Regulation, Art. 10(6).

61 Data Act, Art. 33(3); see also Martin Eifert, “§ 19 Regulierungsstrategien” in Andreas Voßkuhle, Martin Eifert and Christoph Möllers (eds), Grundlagen des Verwaltungsrechts (3rd edn. C.H. Beck 2022) para 64, 65.

62 Data Act, recital 79.

63 Ibid., Art. 30(3).

64 Data Act, Art. 35(4).

65 Ibid., Art. 35(5)–(7).

66 Ibid., Art. 35(5), see also Council of the European Union, “Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act) – Mandate for negotiations with the European Parliament” 7413/23, Art. 29(4a).

67 Data Act, Art. 35(6), see also Council of the European Union, n 66, Art. 29(6).

68 Data Governance Act, Art. 30.

69 European Parliament, “Amendments adopted by the European Parliament on 14 March 2023 on the proposal for a regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data” (Data Act) (COM(2022)0068 – C9-0051/2022 – 2022/0047(COD)) P9_TA(2023)0069, Art. 29(5).

70 Data Act, Art. 35(5), (8).

71 European Standardisation Regulation, Art. 2(8), 4, 5, 8, 10–12, Annex I, (9), (10).

72 Commission, “Commission Staff Working Document on Common European Data Spaces” SWD(2022) 45 final 5.

73 Data Governance Act, Art. 29(2)(c), Art. 30(f), (h).

74 Interoperable Europe Act, Art. 15, Art. 16; for details see Pflücke (n 13) 23–24, 32–34.

75 Interoperable Europe Act, Art. 15(2).

76 Ibid., Art. 16(4)(a).

77 Data Act, Art. 33(7), Art. 35(6).