This month, on September 12th, the Data Act (also known as Regulation 2023/2854 on harmonised rules on fair access to and use of data) started to apply in the EU with the ambition, in the European Commission's words, to ‘foster a competitive data market by making data (in particular industrial data) more accessible and usable, encouraging data-driven innovation and increasing data availability’.
Yet, some of the newly applicable Data Act’s provisions reveal a governance misalignment between its market-enabling sections and its top-down requirements. This is the case of Chapter V of the Data Act, which sets the mechanism for Business-to-Government (B2G) data sharing. Chapter V establishes that data holders, defined as legal persons other than public sector bodies, must make data available to public sector entities, the European Commission, the European Central Bank, or other Union bodies. This obligation is triggered only in situations of ‘exceptional need’, a concept the Act defines as ‘being limited in time and scope’.
What is an ‘exceptional need’? The Act outlines two distinct scenarios. The first is a ‘public emergency’, which is defined broadly to include public health crises, natural disasters, and major cybersecurity incidents. In this scenario, a public body can request data, including personal data, if it is deemed ‘necessary to respond’ to the emergency and cannot be obtained by other means in a ‘timely and effective manner’. A critical aspect of this provision is that the declaration of such an emergency is left to Union or national law, a point of ambiguity that leaves significant room for divergent interpretations across Member States. In any case, the regulatory framework tends to assume a world of discrete data holders and government requesters. Yet, ours is a world of cloud-native applications, with data flowing across multiple jurisdictions and making compliance with national data requests technically complex.
The second scenario for an exceptional need applies only to non-personal data and arises in non-emergency situations. Here, a public body must prove that the data is essential for a specific public-interest task (such as producing official statistics or mitigating a public emergency) and that it has ‘exhausted all other means at its disposal to obtain such data’, including purchasing it on the open market (this condition, however, does not apply to microenterprises and small enterprises, which are generally exempt from this non-emergency obligation).
Where the broader EU data strategy, particularly under the DGA, advocates for trust-based and collaborative models, these two Chapter V scenarios lack regulatory imagination, reverting to crude data extraction. Certainly, Recital 65 and Article 15 require public bodies to be ‘unable to obtain such data by alternative means in a timely and effective manner’ (15.1(a)) or ‘exhaust all other means at their disposal’ before invoking emergency data access — including purchasing data on the market, negotiating voluntary agreements, or establishing new legislative frameworks (15.1(b)). This sounds sensible, but the Data Act provides no mechanism, guidance, or timeline for what ‘exhaustion’ actually means. A public body facing a crisis could either violate the exhaustion requirement by acting too quickly or, inversely, delay response while documenting futile attempts to purchase unavailable data or negotiate with companies with no incentives to cooperate.
On the other side, consider, for example, an IoT manufacturer whose sensors monitor air quality across European cities. Under Chapter V, any public body claiming an environmental emergency could demand detailed sensor data. The company must verify the request’s legitimacy, ensure proper anonymisation, coordinate with multiple jurisdictions if the emergency crosses borders, and document everything for potential audit, while facing potential penalties for refusing the request (just five working days to object during emergencies, thirty days otherwise). There are other ways to do this.
The Common European Data Spaces Alternative
The European Data Strategy already has a better model at hand: the 14 common European Data Spaces currently under development across sectors such as health, mobility, agriculture, energy and manufacturing. Rather than Chapter V’s top-down mechanism, emergency response in the EU could leverage a dedicated Emergency Response Data Space that integrates with existing sectoral infrastructures.
An Emergency Response Data Space[s] could connect the Health Data Space, Green Deal Data Space, Mobility Data Space, Manufacturing Data Space and others through standardised crisis response protocols. This approach would transform emergency response from a potentially adversarial data extraction process into collaborative crisis management across pre-established and privacy-preserving infrastructure.
The Emergency Data Space[s] could build on existing European digital infrastructure investments, such as the federated cloud architecture from the GAIA-X initiative. And the EU could invest more in standardised emergency APIs across all sectoral data spaces for rapid coordination, cross-sector interoperability protocols, and distributed governance mechanisms that enable democratic oversight of emergency response without central control.
In sum, Chapter V could have mandated participation in Emergency Response Data Space[s] rather than creating new data extraction powers. Article 15’s ‘exceptional need’ criteria could have triggered automated data space coordination rather than command-and-control request procedures. And the elaborate safeguards around personal data and trade secrets could have been replaced with state-of-the-art cryptographic guarantees and/or voluntary data arrangements such as, for example, impact licensing frameworks.
Impact licenses
Another alternative would be to replace ad-hoc crisis demands with proactive ‘impact licensing’ schemes. Impact licensing is a practice consisting of reusing and re-purposing intellectual assets (including data) for the benefit of society without compromising already existing economic returns. At the Impact Licensing Initiative project, we define impact licenses as ‘time-bound permissions granted by a technology owner to bring a defined intellectual property (e.g. a technology or a product or a service) to a predefined market for a specified societal value purpose’. The goal is to create incentives for technology holders to explore new markets and to access more real-world data on technology performance and indicators than those available in the existing market.
Under this model, companies could voluntarily opt into pre-established frameworks that authorise specific public benefit uses of their data through privacy-preserving technical means. Rather than waiting for emergency requests, the air quality sensor company above could license aggregate pollution data for public health monitoring through federated analytics protocols that never expose raw measurements.
Impact licenses would provide predictability and valorisation for businesses, efficiency for government response, and societal value for citizens. Companies could choose licensing terms that align with their capabilities and values, while public bodies could access pre-authorised data streams through technical interfaces rather than emergency legal procedures.
The ultimate test
The next crises — pandemic, climate disaster, cybersecurity incident, or power blackouts — will confront European policymakers with the following alternative: embracing the collaborative, interoperable, federated vision already embedded in their common data spaces strategy (as the Data Act acknowledges a few times in different sections), or retreating to the twentieth-century model of crisis governance through emergency powers and centralised control.
Europe’s 14 data spaces and new regulatory frameworks such as impact licenses already offer a glimpse of a different future: crisis response through cooperation rather than coercion, and public benefit through institutional and technical innovation rather than regulatory mandate.
The EU should actively promote and support the creation of proactive, long-term data-sharing partnerships between public and private entities. This would move beyond the reactive emergency mandate model and align the B2G governance mechanism of the Data Act with the collaborative spirit of the DGA and the Common European Data Spaces, building a more resilient and innovation-friendly data ecosystem.