The Data Governance Act (DGA) was published in the Official Journal of the European Union on 3 June 2022, after the Council approved the DGA on 16 May 2022. The DGA will apply in the Member States from 24 September 2023 onwards. Data intermediation services will have more time, until 24 September 2025, to comply with the rules.
The DGA aims to tackle the fact that data sharing remains limited within the European Union (EU). Therefore, it creates opportunities to make data available. It provides a framework to facilitate data sharing by companies, individuals and the public sector. The idea is that better use of data will lead to improvements for the general interest, including companies and citizens.
To achieve this objective, the DGA increases the voluntary sharing of data, both personal data and non-personal data. It does so through three governance models: (1) it establishes mechanisms for enhanced re-use of public sector data subject to the rights of others; (2) it creates trust in data intermediation services; and (3) it facilitates data altruism. When the data involves personal data, the DGA will complement the rules of the General Data Protection Regulation (GDPR), which will still apply.
Re-use of public sector data subject to the rights of others
Public sector bodies have the possibility to share their data subject to the rights of others. This concerns commercially confidential data (e.g. business trade secrets), statistically confidential data, data with intellectual property rights and personal data that is protected by the GDPR.
If they choose to share the data, they must introduce harmonised basic conditions for the re-use. Technical measures to ensure data protection, privacy and confidentiality of the data, e.g. anonymising or pseudonymising the data before sharing, must accompany the re-use. The public sector bodies must also be able to verify the results of the data processing by the re-user, and they can prohibit the use of the results if this would jeopardise the rights and interests of third parties. Exclusive arrangements are, in principle, prohibited. However, exceptions for a maximum of 12 months are possible under certain conditions.
The DGA is limited to the re-use of certain public sector data within the EU. The transfer of public sector data to third countries is restricted. Here, similar requirements as under the GDPR apply, meaning that the transfer should be accompanied by safeguards.
How will you know which data are available? Member States will have to set up a single information point to support researchers and businesses in identifying suitable data. The Commission will establish a European single access point consisting of a searchable electronic register of all data available in the national single information points. The European single access point will assist companies, researchers and the public sector in requesting data through these single information points.
Data intermediation services
Data sharing is further facilitated by data intermediation (DI) services. These services facilitate the exchange of data and set up a commercial relationship between data holders (that have the right to grant access to data or share data but are not data subjects, e.g. an employer) and data subjects (an identified or identifiable natural person), on the one hand, and data users (a natural or legal person that has lawful access to data and is authorised to use data), on the other hand. The rules on DI services are not limited to public sector data but apply to all types of data.
The DGA sets up a system of notification and supervision of these DI services, which should create the necessary trust for individuals and companies to share their personal and non-personal data. Entities that want to become a DI service will have to submit a notification to a national competent authority which will monitor their services. Entities must abide by certain conditions, e.g. they must maintain their neutrality towards the shared data, they cannot use the data for other purposes, they cannot enrich the data or add value to it and they must, in principle, be established in the EU.
The third data sharing model is data altruism. This means the voluntary sharing of data based on the consent of the data subject or the permission of the data holder, without seeking any compensation, for the common good. Again, the type of data is not limited to public sector data; all types of data are covered.
Organisations that want to engage in data altruism can register voluntarily in order to increase trust in their operations. The authorisation will be handled by a national competent authority. All recognised organisations will be listed in public national and EU registers and will be able to use a specific EU logo. They will also have to meet certain conditions. For instance, they cannot be profit-making and they have to be established to meet objectives of general interest, they must provide these services in a separate structure from their other activities, they have to abide by certain transparency requirements, keep full records, and comply with the Commission’s rulebook on information, security and interoperability standards.
The problem with data altruism is, of course, the obstacle of a legal basis. How can data subjects give their consent, or how can data holders give their permission? For this reason, the DGA introduces a common European data altruism consent form. This form should make it easier to obtain consent or permission, but also to withdraw consent or permission.
Two entities will be central in governing the DGA. Firstly, the newly established European Data Innovation Board (EDIB) will coordinate the efforts in the Member States and at the European level and will advise the Commission. The EDIB will be a formal expert group composed of members of academia, research, industry and civil society. Secondly, each Member State will have to designate a competent authority to monitor, including with the imposition of penalties and sanctions, the data intermediation services and entities engaged in data altruism. Natural and legal persons can lodge complaints with the national competent authorities. The DGA leaves the rules on penalties to the Member States.
Eubelius is ready to assist you in applying the DGA and in seeking opportunities to enhance data sharing to the benefit of your organisation.