The Data Governance Act
Data are generally regarded as a key resource for every conceivable type of progress, from medical innovations and modernisations to managing the “green deal”. It is not surprising that the European strategy for data (Communication from the Commission COM(2020) 66 final) places data at the heart of developments in the European Single Market.
An important pillar of the European data strategy is the Data Governance Act (“DGA”). Its goal is to increase the availability of data for commercial use, data sharing and, not least, for research purposes in order to create a competition advantage for the European market as regards data-driven innovation.
On 30 November 2021, the members of the EU trilogue reached consensus on a final version of a DGA. In terms of legal policy, this would seem to represent another step towards a sovereign single market for data. The three key topics addressed by the DGA are as follows: (i) making data from public sector bodies available, (ii) the concept of data intermediation services and (iii) “data altruism”. On 6 April 2022, Parliament debated the negotiated draft and approved it by a large majority. Now it only needs to be approved by the Council.
Overall, it is noticeable that the DGA – as its title suggests – has a strong regulatory approach in the following outlined areas of interest but does not provide many incentives of its own for becoming a data intermediation services provider or a data altruism organisation. The legislator is (seemingly) placing its trust in the power of the market. However, it will be of critical importance for players in the data economy to concern themselves in more detail with, for example, the concept of data intermediation services or, for example, for research institutions to keep in mind the concept of data altruism.
Essential content – data sharing, data altruism and digging up the public sector’s “data treasure”
a. Providing access to data from public-sector bodies
To promote the competitiveness of the European data economy while protecting the rights of third parties, the DGA provides framework conditions for (secure) sharing of protected data of public sector bodies. However, the express intention is not to create a right under European law to claim access to these data (Article 1(2) DGA). This remains the responsibility of the Member States.
Protected data in this context are data that are in the possession of public sector bodies and are protected for reasons of (i) commercial or statistical confidentiality, (ii) protection of intellectual property rights of third parties or (iii) protection of personal data (insofar as such data fall outside the scope of Directive (EU) 2019/1024 (the “Open Data Directive”)) (Article 3(1) DGA). This means that the Data Governance Act supplements the Open Data Directive.
The DGA establishes basic rules for making these data of public sector bodies available for re-use. This is based on the idea that even protected data generated or collected with the help of public funds should benefit society and that this has not occurred up to now due to a lack of uniform framework conditions (Recital 6 DGA). With this in mind, the DGA now provides for such uniform framework conditions:
- Upholding the protection of personal data or data relevant to trade or business secrets using appropriate safeguards such as anonymisation or aggregation and secure processing (see Article 5(3) DGA).
- Making data available exclusively to selected actors (thereby restricting competition) is prohibited (with broad exceptions in the public interest (see Article 4 DGA)).
- A primary requirement is that the conditions of re-use must be transparent and non-discriminatory (see in particular Article 5 DGA).
- As regards personal data, “re-users” are expressly prohibited from re-identifying any data subject and are required to take technical and operational measures to prevent re-identification. There are notification obligations in the event of a data breach. Because the interests of legal entities can also be affected, there is a corresponding notification obligation even in the event of the unauthorised re-use of non-personal data (Article 5(5) DGA).
- Transmission of data that are confidential or protected by intellectual property rights to re-users that intend to transfer those data to a third country is permissible only if the re-user contractually commits to protecting the data (Article 5(10) DGA). This means that further restrictions imposed under EU law are also possible in this regard (Article 5(13) DGA).
- Data re-use is to be supported by a “single information point” in each Member State to make data from public sector bodies easily accessible (see Article 8 DGA).
b. Data intermediation services – Rules for data sharing services
To enable a competitive environment for data sharing, the DGA sets out framework conditions for the data intermediation services providers that, in the opinion of the framers of the Regulation, are significantly involved in data sharing (Recitals 27 and 33). Data intermediation services providers offer services that aim to establish commercial relationships for the purposes of data sharing between data holders and data users (see Article 2(1) no. 11 DGA). Here, the framers of the Regulation picture jointly used “data pools” or marketplaces for data (Recital 28 DGA). In this context, it should be noted that:
- A data intermediation services provider is to be a neutral player, which means, for example, that it is not permitted to use the data for its own purposes (Article 12 DGA). The legislator considers this critical to creating trust and incentives for voluntary disclosure of data (Recitals 27, 33).
- Particularly in regard to prices, data intermediation services providers must be fair, so that easy access is ensured (Article 12(1f) DGA). Overall, the Regulation is intended to create fair, secure and highly interoperable exchange of data via neutral intermediaries.
- Data intermediation services providers are subject to a notification obligation (Article 11 DGA). A data intermediation services provider need not be established in the EU but can also be located outside the EU; in such a case, it must designate a representative in the EU (Article 11 Abs. 3 DGA).
c. “Data altruism”
The concept of data altruism is intended to facilitate making data available for objectives of general interest such as research, combating climate change, and improving the provision of public services (Article 2(1) no. 16 DGA). This voluntary sharing of data occurs either on the basis of consent (within the meaning of the GDPR) or, in regard to non-personal data, on the basis of permission.
An entity can also have itself registered as a data altruism organisation (Article 18 DGA), thus enabling itself to be provided with such data for the abovementioned objectives. While carrying out their data altruism activities, data altruism organisations are subject to wide-ranging transparency requirements and reporting obligations (Article 20 DGA). Where personal data are processed, there are extensive information obligations towards the data subjects (purpose, place of processing, etc.) (Article 20(1) DGA). To simplify data altruism operations, the Commission is to issue a “rulebook” in the form of delegated acts with details on such aspects as informing data subjects and technical safeguards (Article 22 DGA). To facilitate consent in the context of data altruism, Article 25(1) DGA provides for the creation of a uniform European data consent form.
Conclusion
The Data Governance Act contains wide-ranging provisions to standardise data sharing in the Single Market. It remains to be seen whether the very extensive obligations placed on individual players do not in some cases hinder rather than promote the desired effect. In particular data altruism and operating a data altruism organisation hardly seem possible unless accompanied by comprehensive data protection counsel.