Legislation never sleeps, particularly data legislation, and there is a flurry of new proposed regulations in the UK and Europe on top of everyone’s favourite - the General Data Protection Regulation (GDPR). In this latest Your ESGuide in 5, we look at how these new proposals may impact your ESG programme.
1. Rise in data and a new regulatory agenda
The volume of data generated by public bodies, businesses and individuals is ever growing and expected to multiply five times between 2018 and 2025. We regularly hear that ‘data is the new oil’ for companies (probably not the most helpful of terms for ESG – ‘data is the new solar power’, anyone?), and ESG programmes themselves can create a lot of new data, most notably, but not exclusively, in the context of sustainability reporting and supply chain auditing.
To date, the focus of data regulation in Europe has been on personal data, but now we are seeing proposals that tackle broader data issues, including the facilitation of better data sharing. Various regulatory initiatives (including the DGA and DA below) will form part of the European Union’s wider ‘European Strategy for Data’ adopted by the Commission in February 2020. This included various strategic objectives such as improved governance mechanisms, better processing infrastructures, enabling data reuse, and generating sustainable, energy-efficient and trustworthy data services. In addition to the new legislation we cover below, the strategy also includes a review of the INSPIRE Directive, as part of the European Green Deal, with a focus on availability and reuse of geodata and environmental data; we hope to see those proposals in the fourth quarter of 2022.
2. EU Data Governance Act (DGA)
This EU proposal was approved by the European Parliament and the European Council in December and the remaining procedural steps are likely to be finalised by March 2022. The proposal states that it will then take effect 15 months after the date of its entry into force, so this is currently expected to be summer 2023. The DGA will take the form of a Regulation that will be directly binding on all Member States. Both public and private sector companies are covered.
The name is a slight giveaway here, but the DGA most obviously falls within the governance (‘G’) limb of ESG. The DGA looks to introduce new safeguards (similar to those under the GDPR, i.e. mechanisms to recognise countries offering adequate protection and adopting model contractual clauses) for the transfer of non-personal data, rules around the reuse of public sector data and new rules on anonymisation. It promotes the concept of data altruism to make data available for the purposes of public interest (note that the definition specifically calls out solutions that “combat climate change”). Perhaps most significantly, the DGA introduces a licensing regime for data intermediaries, who will need to meet certain conditions designed to ensure independence and restrict their reuse of data.
3. EU Data Act (DA)
The European Commission is expected to formally publish the DA on 23 February 2022, with a 12-month implementation period for the Regulation from when the Act is eventually approved. It will mainly impact manufacturers, providers and consumers of connected products and services (e.g. IoT devices), as well as public sector bodies, in the EU.
Complementing the DGA, the DA specifically (but certainly not exclusively) looks to support the critical role of data in achieving the EU Green Deal objectives. The DA helps to translate this goal into action by promoting sustainable growth and reuse (which requires high-quality and interoperable data), closing knowledge gaps around the social and environmental impacts of products and services, mobilising data to address climate, biodiversity, pollution and natural resource challenges, and helping better manage crises through improved mitigation, preparedness, response and recovery actions. In practice, for companies this will mean that they need to take specific steps and adopt common standards, for example, when facilitating switching between cloud and data processing services and providing data to public bodies in response to a public emergency.
4. What about the UK?
The legislation outlined above of course will not apply to the UK following Brexit. The UK also has plans to focus on changes in data regulation with its National Data Strategy.
The emphasis so far, however, has been on a potential revamp of the Data Protection Act 2018 and is therefore still in the realm of personal data. Outside of personal data, other important data initiatives, if not at the level of legislative proposals, are underway, aimed at driving efficiency, tackling climate change and responsible data. For example, a new Code of Practice will be drawn up to implement the FAIR (findable, accessible, interoperable and reusable) principles to provide greater economic, social and environmental value in the geospatial data market through better use of data. The Robotics Growth Partnership also just launched its Vision for cyber-physical infrastructure (CPI), bringing together technologies to help accelerate innovation processes, which will help to achieve objectives such as Net Zero.
5. How this fits with ESG
As these new regulations come into force and initiatives are advanced, companies will face positive and negative ramifications. On the one hand, there will be more work to do from a compliance perspective, including compliance with rules around assessments and reporting, which in turn has an impact on the need for more G in ESG programmes. On the other hand, the agenda here is clearly about opening up crucial data sets for wider data sharing and utilisation, which may be very helpful, particularly to smaller companies.