On 7 March 2022, the European Parliament will cast its vote on the Data Governance Act (DGA). This can be considered the first act in a series of measures to be implemented as part of the European Data Strategy published by the EU Commission in 2020. The text of the DGA was already negotiated in December 2021 in trilateral consultations between the European Council, Parliament and Commission, which is why the voting process is simply a formality. The purpose of the following article is to provide a brief overview of the essential regulations of the DGA.
The DGA aims to promote data availability and strengthen data sharing mechanisms in the EU. To this end, the DGA essentially contains four largely self-standing subjects of regulation:
- conditions for re-using data in certain categories held by public sector bodies (Chapter II),
- a registration and supervision framework for the provision of services by so-called data intermediaries (Chapter III),
- a framework for the voluntary registration of entities collecting and processing data provided for altruistic purposes (Chapter IV), and
- a framework for the establishment of a so-called European Data Innovation Council.
By way of clarification, Article 1 already stipulates that the DGA does not affect the application of special provisions of data protection law, the TTDSG (Telecommunications and Telemedia Data Protection Act), competition law or the law of public security, defence or national security. Insofar as personal data is to be re-used within the framework of the DGA, the requirements of the GDPR must also be observed.
Re-use of certain categories of protected data held by public sector bodies
Chapter II sets out the conditions for the re-use of data held by public authorities and protected for certain reasons. The background to the regulation is the idea that data generated or collected with the help of public funds should also benefit society (Recital 5). Article 3 (1) lists commercial or statistical confidentiality, the protection of the intellectual property of third parties and the protection of personal data as reasons worthy of protection.
It is important to understand that the DGA does not create a right to re-use this data (Article 3 (3)). Instead, it lays down basic conditions under which re-use is to be permitted. In addition to a fundamental prohibition of exclusive arrangements in Article 4, Article 5 lists a large number of individual conditions for re-use as the core of the regulation. While in the original Commission proposal these were mainly “optional” provisions that left the exact formulation to the national public sector bodies, the negotiated version of the DGA mainly contains more binding provisions.
In principle, these conditions must be „non-discriminatory, transparent, proportionate and objectively justified“ (Article 5 (2)). According to subparagraph 3, public bodies must ensure that only processed – i.e. anonymised or pseudonymised – data may be re-used or that access takes place in a “secure processing environment” whose technical integrity is verified by the public body. Furthermore, the re-use of data is only permissible if intellectual property rights are respected, whereby public bodies are denied the right to create databases.
It is also worth mentioning that the transfer of data to non-EU third countries must first be notified and can only take place if the Commission deems the third country’s rules on the protection of intellectual property and trade secrets to be equivalent, or if the re-user undertakes to comply with the conditions. Standard contractual clauses may be adopted for this purpose (subparagraph 9a). This mechanism, already known from the GDPR, now also applies to non-personal, sensitive data under the DGA.
According to Article 8, the competent authorities of the Member States shall establish a “Single Information Point” and a data request shall be answered regularly within two months. On the initiative of the European Parliament, the use of data by start-ups and small and medium-sized enterprises is to be particularly promoted (para. 2b, 2c).
Requirements for data intermediary services
Chapter III establishes a notification and supervision framework for the services of so-called data intermediaries. Article 9 names as such services:
- Intermediation services between data controllers and potential data users,
- Intermediation services between data subjects and potential data users, in particular for the exercise of GDPR rights, and
- Services of so-called data cooperatives.
The background to the regulation is the assumption that data intermediaries will play a key role in the data economy by facilitating the exchange of significant amounts of relevant data, thereby encouraging real competition for data sharing. In order to build trust and strengthen control over these services by data holders and data users, the neutrality of data intermediaries is considered crucial and therefore they should only act as intermediaries without using the transferred data for other purposes (Recital 26).
Data intermediation services should therefore aim to establish an economic connection between an unspecified number of data holders and users in order to share data with each other. Excluded from this are those services that modify or enrich data in some way and only make it available afterwards (such as cloud storage or analytics services). Services that predominantly offer copyrighted works and intra-group data brokering are also excluded. Although the scope of application is shaped by this, numerous delimitation difficulties are likely to arise in practice in view of the unclear terminology.
For data intermediaries, Article 10 provides for a formal notification procedure and Article 11 for substantive requirements including safeguarding of the purpose of the data, procedure and pricing, the format and transformation of the data, fraud prevention measures, insolvency protection, technical, legal and organisational measures to prevent unlawful transfers, and security measures for storage.
The services of the data intermediaries therefore do not require official authorisation. Nevertheless, if a violation of Articles 10 or 11 is found, the competent authority may order the termination of the service or impose “dissuasive fines”. In order to ensure enforcement, providers must be established in the EU or appoint a legal representative in the EU.
Data altruism
Another large sub-area regulated in Chapter IV is so-called data altruism. Data altruism can be understood as the voluntary provision of data by individuals or companies for purposes of general interest. The DGA explicitly mentions health care, combating climate change, improving mobility, facilitating the production of public statistics and scientific research as such purposes of general interest.
Pursuant to Article 16 et seq., legal entities that seek to promote the aforementioned objectives may register as “data altruism organisations recognised in the Union”. The prerequisite is that these organisations operate on a non-profit basis and are legally independent, and also fulfil extensive transparency and record-keeping obligations, for example with regard to data processing, purpose and sources of income. Recital 36 lists further requirements, e.g. a secure processing environment and the establishment of ethics councils, which, however, have not found their way into the enacting terms of the DGA and whose enforceability therefore appears questionable.
Among other things, recognition offers the advantage that the regulations on data intermediary services (Chapter III) do not have to be applied. According to Article 15, the competent authority keeps a register of recognised data altruism organisations and can remove the respective organisation from the register in case of violations (Article 21).
Member States can promote data altruism by creating a framework in which data subjects can share data stored with public service providers (Article 14a); in Germany this is already the case with the electronic patient record (Section 363 Social Security Code V).
In order to facilitate the collection of data and the consent of data subjects that is often required for this purpose, Article 22 provides that the Commission – in consultation with the European Data Protection Board – shall adopt implementing acts establishing a European consent form. It is thus clarified that the consent required under the GDPR also remains for the use of data for altruistic purposes. The form nevertheless offers the advantage of enabling consent to be obtained in a uniform format in all Member States, which should benefit legal certainty.
European Data Innovation Council and International Access
Another noteworthy regulation is the provision in Chapter VI for the establishment of a “European Data Innovation Board”, which will be made up of experts and representatives from the Member State authorities and the European Data Protection Board, among others. The European Data Innovation Board has standardised its tasks in Article 27, which essentially have the purpose of advising and supporting the Commission in the development of a uniform practice with regard to the pre-scripted topics of the DGA. Particularly in view of the indefinite density of regulations in the DGA, the Innovation Council will presumably be of great importance in the specific shaping of the regulations.
In the final provisions in Chapter VIII, the DGA contains general provisions on the protection of non-personal data in relation to third country transfers. All addressees of the DGA must take appropriate technical, legal and organisational measures to prevent such transfers and access, unless there is an international agreement with the third country. The absence of such an agreement may then require a case-by-case assessment of the level of the law in the third country.
Conclusion
The DGA represents a first attempt to regulate the European data economy – at least in certain sub-areas. In view of the often rather vague explanations, it remains to be seen to what extent the data economy will actually be advanced by this. The systematic integration and differentiation of the DGA from other existing and forthcoming EU laws in the area of digitalisation – for example, with regard to the expected Data Act – will raise many questions in particular. However, it is encouraging that the DGA is geared towards the structure of the GDPR on many issues and in this respect contributes to a certain standardisation of data traffic.
