Data Spaces and Compliance: How to navigate the regulatory landscape of the European Data Space for Smart Communities?

Blogpost written by Genoveva Gil (Serendipity)

The DS4SSCC-DEP initiative aims to establish a well-governed, federated data space, treating data as a critical resource for smart and sustainable cities and communities. At the heart of this ambition lies data sharing to solve our most pressing urban challenges, like water management, urban planning, traffic congestion, or pollution reduction through the European Data Space for Smart Communities (DS4SSCC). In our previous blogpost, we presented the DS4SSCC-DEP Blueprint Evolution (‘the report’), which dives into different considerations on Business, Governance, Legal, and Technical implications for the building of the European Data Space for Smart Communities (DS4SSCC). In today’s blogpost, we will provide an overview of the regulatory landscape of this data space.

Regulatory compliance is an early-stage priority on which the rest of the data space builds. This is why the Regulatory Compliance building block of the DS4SSCC aims to guide the data space’s participants in applying legal rules to a data space’s design and operation. In this regard, the European data space for smart communities must comply with existing and upcoming cross-sectoral legislation on non-personal and personal data, as well as with sector-specific legislation depending on the use of the respective domain’s data sets (mobility, energy, water management…). The report presents a list of relevant cross-sectoral legislation, grouped into clusters, which constitutes the regulatory landscape of the DS4SSCC. This list cannot be considered exhaustive: depending on the concrete case, additional legislation might need to be looked into, especially national or sector-specific legislation. Therefore, the legal framework of the European data space for smart communities will be informed by relevant sector policies and regulations according to the specific use case.

The clusters proposed are the following:

  • Privacy & Data Protection

  • Cybersecurity

  • Data Legislation & Interoperability

  • Artificial Intelligence

  • Electronic Identification and Trust Services

  • Consumer Protection and Regulation of Platforms

  • Intellectual Property and Competition Law

  • Contract Law

Slide from training given to DS4SSCC pilots on 21 October 2025

But how do you navigate them? What triggers the application of each Act? In an approach inspired by the methodology of the Data Spaces Support Centre (DSSC), the applicability of a specific Act is triggered by the type of data, participant, use case, or technology used within the data space (‘triggers’). At the same time, certain legislation within those clusters will apply horizontally in all scenarios, constituting legal considerations to be aware of when setting up any data space (‘additional legal considerations’).

Slide from training given to DS4SSCC pilots on 21 October 2025

For example, regarding the types of data, if the data space is processing personal data, then the General Data Protection Regulation (GDPR) will be applicable. If a public sector body is participating in the data space, the Open Data Directive and the Data Governance Act will be triggered. These two Acts would be triggered on two counts if the data used in the data space is public sector data, or public sector data protected on grounds of commercial/statistical confidentiality, IPRs of third parties, or personal data. Moreover, depending on the concrete use case (e.g., mobility, energy, health…), sector-specific legislation would be triggered. If the data space use case involves the use of AI systems (‘technology used’), the AI Act might be triggered.

Navigating the different legislation applicable to data spaces can prove challenging, especially in an ever-evolving digital regulatory landscape. So what recommendations do we give our current pilots in our training sessions?

  1. Start working on your Governance Framework. This will help you identify roles and responsibilities as well as rights and obligations.

  2. Be aware of the types of data, participants, and technologies handled/used within your data space, as well as the specific sector related to your use case. For instance, is it proprietary data? Is there a risk of personal data re-identification after its anonymisation?

  3. Identify the participants’ roles and responsibilities stemming from the legislation. For instance, who is a data intermediation service provider? Who is a controller or processor of personal data? Who is a data altruism organisation? Am I a data re-user, or a data holder?

  4. Define your privacy and cybersecurity policies, and enforce them.

  5. Work together with your legal team on compliance by design. This will ensure that you identify legal challenges, and implement mitigating measures from the development phase.

You can read more about the current Legal Building Block of the European Data Space for Smart Communities at the DS4SSCC-DEP Blueprint Evolution.
