20 June 2022
Radar - June 2022 – 1 of 2 Insights
The EU's European Strategy for Data, announced in February 2020, aims to remove barriers to data sharing (personal and non-personal), giving businesses access to data they contribute to creating, and providing a framework for ethical data sharing across EU borders and sectors, by public bodies and for altruistic purposes.
The Data Governance Act (DGA) is the first pillar of the Package to reach enactment. It will ultimately sit alongside the second pillar, the Data Act, which is still in the initial stages of the legislative process.
The DGA was published in the Official Journal on 3 June 2022 and came into force 20 days later. It will come into effect on 24 September 2023.
There are limited transitional arrangements:
The DGA impacts primarily public sector bodies, data intermediation service providers (DISPs) and data altruism organisations. It applies to a very broad range of data. The intention is to facilitate sharing of data held in key public sectors including health and environmental data, for the benefit of research and, therefore, the greater good.
Individuals and businesses are also encouraged to share data for the benefit of society and that requires trust. The DGA aims to establish a trusted framework for data sharing in which those providing data can be comfortable that their rights and freedoms are protected.
The DGA does not apply in the UK and outside the EU (EEA). There are requirements on those exporting public sector data to non-EU countries which will obviously impact non-EU entities receiving such data. In addition, non-EU organisations can provide data intermediation services in the EU and be EU-recognised data altruism organisations, in which case they will be subject to the DGA.
Re-use of protected public sector data
The provisions governing re-use of public sector data do not apply to all types of data, but only to protected data. The re-use can be for commercial or non-commercial purposes by natural or legal persons and for any purposes other than the public task for which the data was produced (except for the exchange of data between public sector bodies purely in pursuit of their public tasks). The types of relevant data are those protected by:
Data held by public undertakings, public service broadcasters, cultural and educational establishments, which is protected for reasons of national security, defence or public security, or which is outside the scope of the public task of the public bodies, is out of scope of the provisions on re-use.
There is no obligation on public bodies to share data but where they do, they are required not to enter into exclusive data sharing agreements (subject to limited exemptions). They also have the right to impose conditions for re-use provided these are non-discriminatory, proportionate and objectively justified and do not restrict competition. These obligations can include:
Additional rules apply to re-use of data which is protected by confidentiality, or by intellectual property rights and for non-personal data designated as "highly sensitive" by EU legislation.
In relation to onward cross-border transfers, where a re-user intends to transfer non-personal protected data to a third country, it must inform the public sector body at the time of requesting re-use. The re-user may be required (with the assistance of the public sector body) to inform the legal person whose rights and interests may be affected. The public sector body cannot allow the re-use unless the legal person gives permission for the transfer. The Commission may adopt what are effectively adequacy agreements with respect to specific third countries.
Member States must designate one or more competent authority to support the public sector bodies granting re-use of their data, by helping with security and processing techniques to preserve data privacy, as well as to help get consents where required.
Member States also need to create a single information point for re-use conditions and to receive and help process decisions on requests for re-use of data. Natural or legal persons affected by decisions on data re-use will have the right to judicial redress in the relevant Member State.
Data intermediation services
The DGA sets up a system under which trusted (and regulated) data intermediation service providers (DISPs) can operate as:
Data intermediation service providers have a number of compliance requirements including notification of their relevant supervisory authority which will be located in the Member State of their main establishment. Providers with no EU base will need to appoint a representative in one of the Member States in which they offer services.
DISPs must also comply with conditions in relation to the processing of the data entrusted to them which must be held in a separate legal entity solely for the purpose of making it available to data users. The data must be kept secure, steps must be taken to prevent unlawful transfers, and service providers offering services to data subjects must act in the best interests of the relevant individuals where facilitating the exercise of their rights. There are also provisions relating to the supply of consent tools, interoperability, the format of data, and supply of other tools including for anonymisation and pseudonymisation.
A registration and monitoring regime is set up for organisations facilitating data altruism. The organisations must be non-profit and operate independently from any other activities. As with data sharing service providers, data altruism organisations will be regulated in the Member State of their main establishment or must appoint a representative if they don't have one. The DGA also provides for a standardised European data altruism consent form.
Data altruism organisations have transparency obligations (Article 20) and specific requirements to safeguard rights and interests of data subjects and data holders (Article 21). Article 21 obligations include provision of information, purpose limitation, a requirement to provide consent tools, security obligations, breach notification requirements, and information provision around data transfers to third countries. Further requirements including around information provision, interoperability, and technical and security measures, will be provided for in a rulebook to be adopted in delegated acts.
Those sharing or re-using the data or facilitating either must ensure they take reasonable steps to prevent access to non-personal data held in the Union where its transfer or access would conflict with EU or Member State law. In particular, the DGA sets out steps for holders of non-personal data to take on receipt of an order from a third country authority seeking access to data.
Competent authorities, enforcement, and the European Data Innovation Board
Competent authorities are subject to various independence requirements (Article 26). Provision is made for individual or collective complaints (Article 27), and there is a right to judicial redress (Article 28).
Competent authorities will have a range of enforcement powers which might include dissuasive financial penalties for non-compliance. Member States may set out rules on penalties for a variety of infringements, taking into account the recommendations of the European Data Innovation Board. There is no indication as to what might be appropriate but Member States are required to take specified (non-exhaustive) criteria into account.
The DGA also sets out conditions for the creation of a new European Data Innovation Board, an expert group including representatives from all Member State competent authorities, the EDPB, the EDPS, and ENISA.
The tasks of the Board are largely advisory, helping to set up consistent practices and procedures, and advising the Commission in a number of areas, including cybersecurity, cross-border data sharing, interoperability and cross-sector standards and guidance.
The UK government is expected to announce the responses to its consultation on reforming UK data protection law shortly. It will be interesting to see whether this also covers non-personal data sharing to the same extent to which the EU has focused on it in the DGA and the draft Data Act.
20 June 2022
20 June 2022