Article
European Data Governance Act (DGA): A Milestone in Shaping Data Sharing and Innovation Across the EU
November 7th, 2023
Discover the groundbreaking European Data Governance Act (DGA), a pivotal piece of legislation outlined in the European Commission’s “A European strategy for data.” This act sets the stage for a digital internal market in the EU, emphasizing data access and use while adhering to strict privacy, security, and ethical standards. We explore its impact, interplay with GDPR, conditions for data re-use, data intermediation services, and the innovative concept of data altruism. Learn how it fosters collaboration, trust, and innovation, revolutionizing the data landscape in the European Union.
Overview
The Data Governance Act (DGA)[1] is one of the priority legislative measures envisaged in the Communication “A European strategy for data”[2] from the European Commission (the “Commission”), and it is the first legislative initiative that has been adopted thereunder. In this 2020 Communication, the Commission announced its ambition to develop a cross-sectoral governance framework for data access and use, by means of creating common European data spaces in strategic sectors and domains of public interest, including notably a common European health data space. This entails the formation of a digital internal market that serves to facilitate the sharing of both non-personal and personal data and to promote digital trust across the European Union in conformity with European privacy, security and ethical standards.
The Commission presented its proposal[3] for a DGA on November 25, 2020. Following a public consultation and rounds of trilogue negotiations among the European institutions, the final text of the DGA was published in the Official Journal of the European Union on June 3, 2022, upon signature by the Presidents of respectively the European Parliament and the Council of the European Union (the “co-legislators”) on May 30, 2022. The DGA entered into force 20 days after its publication and became applicable as of September 24, 2023. Being a European Regulation, the DGA is binding in its entirety and directly applicable in all Member States of the European Union (“Member States”).
Data governance at the European level implies common structural and procedural data-(re-)use and data-sharing rules that adhere to the established European values and principles such as those concerning personal data protection. In this regard, the DGA draws up a legal framework that governs, in particular, i) the conditions for the re-use of certain categories of data held by public sector bodies (i.e., the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities, or one or more such bodies governed by public law);[4] [5] ii) the provision of data intermediation services;[6] iii) the voluntary registration of entities processing data made available for altruistic purposes;[7] and iv) the creation of a European Data Innovation Board.[8]
Interplay Between the DGA and GDPR
Pursuant to Article 1(3) of the DGA, Union law and national law of Member States on the protection of personal data shall apply to any personal data processed in connection with the DGA; in the event of a conflict between the DGA and such Union law or national law, the latter shall prevail. Specifically, the DGA does not form a legal basis for the processing of personal data, and it does not affect the rights and obligations stipulated in the General Data Protection Regulation (GDPR),[9] Regulation (EU) 2018/1725,[10] the ePrivacy Directive,[11] or Directive (EU) 2016/680.[12] [13] Furthermore, the DGA is not to be interpreted as amending the information requirements prescribed by the GDPR nor should it prevent international transfers of personal data in accordance with Chapter V of the GDPR.[14] Where personal data is concerned, the processing should rely on one or more of the legal bases under Articles 6 and 9 of the GDPR.[15] Personal data cannot be transmitted to a third party for re-use unless a legal basis allows the transmission.[16]
Article 2(1) of the DGA defines “data” broadly as any digital representation of acts, facts or information and any compilation thereof including in the form of sound, visual or audiovisual recording. “Personal data” however is ascribed to its meaning as defined in Article 4(1) of the GDPR, thereby distinguished from other (non-personal) data that is subject to the DGA. Similarly, the DGA refers to the definitions provided in the GDPR of respectively “personal data”, “consent”, “data subjects” and “processing (of personal data)”. Insofar as the processing of personal data is concerned, the public sector body responsible for the register containing such data under the DGA is considered a data controller as defined in the GDPR.[17]
Article 2(10) of the DGA further defines data sharing as the provision of data to a data user (i.e., a legal or natural person who has lawful access to certain personal or non-personal data and has the right, including such under the GDPR in the case of personal data, to use that data for commercial or non-commercial purposes)[18] by a data subject or a data holder (i.e., a legal person or natural person who is not a data subject in relation to the data concerned and has the right to grant access to or to share certain personal data or non-personal data).[19]
Interplay Between DGA and GDPR
In terms of the conditions for the re-use of data, the DGA underlines that the design of such conditions should incorporate effective safeguards for the protection of personal data. For instance, ideally, personal data should be anonymized before transmission and where anonymization would not respond to the needs of the data re-user, re-use of pseudonymized personal data within a “secure processing environment” (i.e., physical or virtual environment and organizational measures to ensure compliance with Union law such as the GDPR with regard to inter alia the rights of the data subjects and compliance with applicable national law of Member States, and to allow the entity concerned to determine and supervise all data processing actions)[20] could be allowed, provided that the re-user has fulfilled the requirements under Articles 35 and 36 of the GDPR with regard to the data protection impact assessment (DPIA) and consultation with the supervisory authority and that the risks to the rights and interests of data subjects have been found to be minimal.[21] Data re-users are prohibited from re-identifying the data subjects and shall implement technical and operational measures to prevent such re-identification.[22] Where a data breach has resulted in the re-identification of data subjects, the re-user shall notify the public sector body of the breach, this is without prejudice to its obligation to notify the supervisory authority and the data subjects concerned pursuant to the GDPR.[23]
European Data Innovation Board (EDIB):
Established under Article 29 of the DGA, the EDIB is a collective of data governance experts from across the EU.
Re-use of Certain Categories of Protected Data Held by Public Sector Bodies
Specifically, in furtherance of effective data re-use mechanisms, the DGA defines the parameters for the re-use of data held by public sector bodies that is protected on grounds of: i) commercial confidentiality; ii) statistical confidentiality; iii) the protection of intellectual property rights of third parties; or iv) the protection of personal data–insofar as such data fall outside the scope of Directive (EU) 2019/1024 (collectively “protected data”).[24] [25] Exclusive arrangements (e.g., agreements granting exclusive rights to re-use data) as regards the re-use of protected data shall be prohibited;[26] however, such an exclusive arrangement may be exceptionally allowed to the extent necessary for the provision of a service or supply of a product in the general interests that would not otherwise be feasible.[27]
Pursuant to Article 5(1) of the DGA, competent public sector bodies responsible for granting or refusing access for the re-use of protected data shall make publicly available the conditions for allowing such re-use and the procedure to request the re-use through national “single information points” (i.e., new or existing bodies or structures designated by Member States through which relevant information regarding conditions for re-use and associated fees) [28] to receive inquiries about or requests for the re-use of such data and transmit that data to the competent public sector bodies or competent bodies designated by Member States to assist the public sector bodies.[29] [30] Article 8(4) further states that a European single access point shall be established by the Commission to offer a searchable electronic register of data that is available in the national single information points of Member States and to provide information on how to request data through national single information points.
A public sector body may put forward further requirements to safeguard protected data.[31] As regards the conditions for granting access for the re-use of protected data, the public sector body may require, for instance, anonymization of personal data, or a secure processing environment provided or controlled by the public sector body in the case of remote access and re-use of data.[32] In the event the re-use of protected data cannot be allowed in accordance with such requirements and there is no legal basis for data transmission under the GDPR, the public sector authority shall assist potential data re-users in obtaining consent of the data subjects concerned or permissions from data holders whose interests and rights may be affected by the re-use, provided that this does not place disproportionate burden on the public sector authority.[33] Following the principle of “as open as possible, as closed as necessary”, public sector bodies are especially encouraged to formulate a harmonized approach in respect of access to data for the purposes of scientific research in the public interest.[34] For example, public sector bodies may develop streamlined administrative procedures and standardized data fields that clear the way for the joining of data set from different data sources.[35]
Where a re-user of protected data intends to transfer non-personal data to a third country, it must at the time of requesting the re-use inform the public sector body of such intention and the purpose of the transfer. The public sector body shall not transmit non-personal confidential data or data protected by intellectual property rights to a re-user that intends to transfer such data to a third country that is not recognized by the Commission as i) ensuring protection of intellectual property and trade secrets in a way essentially equivalent to the protection under Union law; ii) being effectively applied and enforced; and iii) providing effective judicial redress[36]––unless the re-user contractually commits to i) comply with intellectual property rights and in the case of confidential data ensures that the data is not disclosed even after the transmission to the third country; and ii) with respect to any disputes arising from those compliance obligations, accept the jurisdiction of the courts or tribunals of the Member State of the transmitting public sector body.[37] In this regard, the Commission may adopt implementing acts to establish model contractual clauses.[38]
Article 9(1) of the DGA stipulates a two-month general time limit from the date of receipt of a request for re-use of protected data, within which a competent public sector body or a competent body shall adopt a decision on that request. Public sector bodies granting re-use of protected data may charge fees for the re-use.[39]
Requirements Applicable to Data Intermediation Services
Article 12 of the DGA specifies the conditions for the provision of data intermediation services (i.e., services that aim to foster commercial relationships through technical, legal or other means for the purposes of data sharing)[40] between i) data holders and potential data users; ii) data subjects who wish to make their personal data available (or natural persons who seek to make non-personal data available) and potential data users; and iii) services of data cooperatives.[41] For example, a data intermediation services provider must provide the services through a separate legal person and must not use the data concerned for purposes other than to put the data at the disposal of data users; where relevant, the data intermediation services provider may be required to specify the third-country jurisdiction in which the data use is to take place, provide the data subjects with tools to both give and withdraw consent, and provide the data holders with tools to both give and withdraw permissions to process data.[42]
To be entitled to provide those services, a data intermediation services provider must first submit a notification to the competent authority to supply the latter with certain mandatory information, including inter alia the address of a public website where complete and up-to-date information on the services provider and its activities can be found (name, legal status and ownership structure, registration number, address, description of data intermediation services to be provided, etc.).[43] Upon the issuance of a standardized declaration by the competent authority that confirms its submission of the notification in compliance with the notification procedure, the data intermediation services provider may use the label “data intermediation services provider recognized in the Union” in its communication and as a common logo.[44]
Data Altruism
In addition to the certification mechanisms for the provision of data intermediation services, the DGA also sets out the registration requirements and conditions for the provision of services based on data altruism, which involves voluntary data sharing on the basis of i) consent of data subjects to process personal data concerning them, or ii) permissions of data holders to allow the use of non-personal data without receiving a reward going beyond compensation related to the costs incurred, where they make available data to pursue objectives of general interests such as healthcare.[45]
An entity that is qualified for registering as a recognized data altruism organization must: i) carry out data altruism activities; ii) be a legal person established pursuant to national law to meet objectives of general interest; iii) operate on a not-for-profit basis and be legally independent from any entity operating on a for-profit basis; iv) carry out data altruism activities through a structure functionally separate from other activities; and v) comply with a rulebook that is to be set up by the Commission by means of delegated acts as regards information requirements, technical and security requirements, communication roadmaps and recommendations on interoperability standards. [46] [47]
Article 17 of the DGA further provides that each competent authority responsible for the registration of data altruism organizations shall maintain a public national register of such recognized organizations while the Commission shall keep a public Union register of such for information purposes.[48] A duly registered entity may use the label “data altruism organization recognized in the Union” in its communications and as a common logo.[49]
A qualified entity may apply for registration in the public national register of recognized data altruism organizations in the Member State where it is established or in which it has its main establishment.[50] If a qualified entity is not established in the European Union, it shall designate a legal representative in one of the Member States where the data altruism services are offered.[51] In its application, the qualified entity must indicate inter alia the objectives of general interest it intends to promote when collecting data, the nature of the data it intends to control or process, and the categories of personal data where personal data is involved.[52]
To facilitate data collection based on data altruism, the Commission aims to develop a European data altruism consent form in consultation with the European Data Protection Board (EDPB) to establish a uniform format in which consent or permissions can be collected across Member States.[53] The European data altruism consent form shall comply with the requirements (e.g., conditions for consent) under the GDPR in the case of giving or withdrawing consent by data subjects.[54]
Reference list
European Data Innovation Board
Article 29 of the DGA provides that the Commission shall establish a European Data Innovation Board in the form of an expert group, which shall comprise the competent authorities for data intermediation services and the competent authorities for the registration of data altruism organizations of all Member States, the EDPB, the European Data Protection Supervisor (EDPS), the European Union Agency for Cybersecurity (ENISA), the Commission, the Envoy of the European Union for Small and Medium-Sized Enterprises (EU SME Envoy) or a representative appointed by the Network of SME Envoys, and other representatives of relevant bodies in specific sectors as well as bodies with specific expertise.[55]
In particular, the European Data Innovation Board is assigned the task of proposing guidelines on common European data spaces with respect to purpose-specific, sector-specific or cross-sectoral interoperable common standards and practices supporting the joint processing or data sharing for the furtherance of inter alia scientific research initiatives.[56]
Yve Wu
