27 September 2023
The Data Governance Act has been applicable since 24 September 2023. This is a key pillar of the “European strategy for data”. This article provides a short overview of the essential aspects and latest changes.
The Data Governance Act (DGA) entered into force on 23 June 2022. Following a grace period of 15 months, it has been applicable since 24 September 2023. The DGA is a key pillar of the EU’s “European strategy for data”. According to the EU, it provides a framework to enhance trust in voluntary data sharing for the benefit of businesses and citizens.
The DGA works as a cross-sectoral instrument that aims to make more data available by regulating the re-use of publicly held, protected data, by boosting data sharing through the regulation of novel data intermediaries and by encouraging the sharing of data for altruistic purposes. Its objectives are to increase trust in data re-users, to help establish appropriate data sharing structures and processes, and to reduce technological barriers (e.g. data interoperability, discoverability and quality deficiencies).
The DGA regulates mainly five aspects: i) Re-using protected data held by public sector bodies, ii) data intermediation services, iii) data altruism, iv) establishment of a “European Data Innovation Board”, and v) international data transfers. The DGA clarifies that its provisions are without prejudice to EU competition and data protection law. In the event of a conflict between the DGA and data protection law (in particular the GDPR and ePrivacy Directive), the latter will prevail. Please find our previous article for a detailed view on the DGA here.
The DGA sets out the framework for re-using data held by public authorities. This only applies to data that is protected in some way, e.g. due to commercial or statistical confidentiality, intellectual property or in case of personal data. This is based on the idea that data generated or collected with the help of public funds should also benefit the public.
The right to re-use data is not explicitly granted by the DGA (Article 1 paragraph 2), but depends on national law. However, the DGA provides the guardrails within which public sector bodies can create the conditions and procedure for authorised re-use. In principle, these conditions must be “non-discriminatory, transparent, proportionate and objectively justified”. When granting access, public bodies must maintain the original protection by, inter alia, anonymising or ensuring a “secure processing environment”. This was a talking point throughout the negotiations of the DGA. In the final version of the DGA, re-users are now also required to adhere to a confidentiality obligation.
Additionally, an authority structure will be established in order to streamline requests for re-use of data. This includes establishing a “single information point”, which EU Member States may designate as the main point of contact. Either way, requests shall be answered regularly within two months.
The DGA introduces a new concept of “data intermediation services” (Chapter III), i.e. services that aim to establish commercial relationships between data subjects and data holders on the one hand and data users on the other, all for the purpose of data sharing (cf. Article 2 number 11). An example of these are data pools set up with the intention to license the use to anyone interested, while ensuring that all contributors receive a remuneration for their contribution. In contrast, services that modify data to add value and then license it – without enabling such a commercial relationship – are not covered.
Data intermediation services are expected to play a key role in the data economy by facilitating the exchange of significant amounts of relevant data, thus fostering real competition in data sharing. Data intermediation services are subject to a formal notification procedure and substantive requirements. Recently added requirements include log-keeping, measures to ensure interoperability and the prohibition of making commercial conditions, including the price, dependent on the use of another service provided by the same data intermediary.
Data intermediation services therefore do not require official authorisation. Nevertheless, if data intermediation services do not comply with the requirements, then the competent authority may impose “dissuasive monetary fines” or even order the termination of the service. Laws of the Member States will determine the applicable regulators on the national level as well as the fines. According to a first leaked draft by the German government (called “Daten-Governance-Rechtsakt”, dated 17 January 2023) such fines could be up to 2 percent of worldwide turnover, for companies with a yearly turnover of more than 50 million EUR. Providers without an establishment in the EU must appoint a legal representative in the EU for enforcement purposes.
Another new concept is “data altruism” (Chapter IV). Data altruism can be understood as the voluntary provision of data by individuals or companies for purposes of general interest, such as health care, combating climate change, improving mobility, etc. (cf. Article 2 number 16).
A legal entity carrying out data altruism activities may register as a “data altruism organisation recognised in the Union”. This requires that the organisation operates independently, on a non-profit basis and also fulfils extensive transparency and record-keeping obligations. The final version of the DGA enables the Commission to adopt a rulebook, which data altruists must also comply with. The rulebook shall provide for information, technical and security requirements as well as communication roadmaps and recommended interoperability standards.
Additionally, the trademark “data altruism organisation recognised in the Union”, as well as the corresponding logo, may be used by the respective organisations. The competent authority maintains a register and can remove non-compliant organisations from the register.
In order to facilitate the (often required) collection of data and the consent of data subjects, the DGA enables the EU Commission to establish a consent form (Article 25). These forms shall be modular, and customisation for specific sectors and for different purposes is permitted.
The establishment of an expert group called the “European Data Innovation Board” (Article 29) is worth noting. Its main role is to advise and assist the EU Commission in the development of a common practice in relation to the DGA's pre-defined topics. In light of certain remaining ambiguities, the Innovation Board will probably help with the specific shaping of the regulations.
The DGA contains general provisions on the protection of non-personal data in relation to third country transfers (Chapter VII). All addressees of the DGA must take appropriate technical, legal and organisational measures to prevent transfers and access, where that would contradict EU or respective Member State law. Such transfers are only to be permitted if they can be based on an international agreement in force, such as a mutual legal assistance treaty, or if certain rule of law criteria are met in the third country concerned.
Additional requirements apply to public bodies and re-users (Article 5 paragraphs 9-14). Before a re-user transfers non-personal data to a third country, it must notify the public sector body. Similar to the GDPR’s adequacy decision, the EU Commission must have deemed the third country’s rules to be equally protective of intellectual property and trade secrets. Otherwise, the re-user can also contractually commit to relevant conditions of the DGA. For this purpose, standard contractual clauses may be adopted.
The DGA is a first attempt to regulate and boost the EU’s data economy, at least in certain areas. While, generally, a data-driven transformation will probably benefit EU citizens and the data economy, the DGA’s effect on companies is not clear yet, nor is it clear whether it will reach its goals regarding increased trust in data re-users, establishment of appropriate data sharing structures and processes, and the reduction of technological barriers. The interplay with other pillars of the EU’s data strategy remains to be seen. Further, it will be interesting to see how the relationship between the DGA, the Data Act and the GDPR plays out. There will probably be a clearer picture when, in two years, the EU Commission’s official evaluation is presented (Article 35).