Insights

Understanding the Data Governance Act: key aspects and challenges

Understanding the Data Governance Act: key aspects and challenges

Nov 14, 2023
Download PDFDownload PDF
Print
Share

Summary

A few weeks ago, on 24 September 2023, the Data Governance Act (Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance) (“DGA”) came into force. 

The DGA aims to bolster the data economy by encouraging public sector bodies to share certain categories of protected data (e.g., personal data and commercially confidential data) and promote data altruism.

We set out below an overview of the key aspects of the DGA.

Data Intermediation Services

A key feature of the DGA is the creation of data intermediation services that will provide a trusted and secure environment in which companies or individuals can share data. The providers of such services will function as intermediaries between those who hold the data and those who want to use it.

These providers are anticipated to become pivotal in the data landscape, simplifying the process of collating and exchanging vast amounts of relevant data. However, there are strict obligations on these providers, as they must:

  • only use the data to share it with the data users, not for their own purposes or benefit;
  • separate their data intermediation services from the other services they provide by operating the intermediary services through separate legal entity;
  • provide transparent and non-discriminatory pricing for these services; and
  • notify their intention to provide intermediation services to relevant national authority responsible for monitoring compliance with the requirements laid down in the DGA. The competent authority will ensure that the notification procedure is non-discriminatory and does not distort competition. Once confirmed, the data intermediary will be able to legally start to operate and use the label “data intermediation services provider recognised in the Union” in its communications and use the logo.

Data Altruism and Profitable Data Pool 

The principle of “data altruism” refers to data that is voluntarily made available by individuals and companies with their consent. It further captures non-personal data as made available by legal entities for general interest purposes. This is differentiated from a “profitable” data pool as a Data Altruism Organisation is established for general interest operating on an independent and non-profit basis.

The DGA establishes a special category for entities that collect data for the greater good, such as non-profit called “Data Altruism Organisation as recognised in the Union”. These organisations will have the possibility to be included in a public register.

Through this, the DGA provides a framework for pooling substantial amounts of data – enabling progress towards key objectives such as the reduction of greenhouse gases, improvements to health management and organisation of smart cities. These in turn benefit both commercial entities and individuals across the European Union.

Re-Use of Public Sector Data

The DGA further creates an optional mechanism for the re-use of certain categories of public sector data. This is designed to allow the public sector to make more easily available the data it produces to the private sector.

Public sector bodies can charge fees for the re-use of data but are able to allow the data to be made available at a lower cost or no cost basis – depending on the category of re-use (for example, non-commercial re-use or re-use by SMEs and start-ups) – to incentivise research and innovation.

The DGA requires that the conditions set out by public bodies for the re-use of their data should be non-discriminatory, proportionate and objectively justified regarding the categories of data and purposes of re-use.

It also ensures that the provision of data does not create a competitive imbalance between operators – by prohibiting public bodies from entering into exclusive agreements in relation to the re-use of data they hold unless this is in relation to a service or a product in the general interest and for a period not exceeding three years.

EU Member States will need to set up a single contact point that supports researchers and innovative businesses in identifying suitable data. They will further need to put in place structures that support public bodies with technical means and legal assistance.

The New European Data Innovation Board

The DGA establishes the “European Data Innovation Board” – a new expert group aimed at facilitating the emergence of best practices by Member States’ authorities. This Board will focus on processing requests for the re-use of data, which is subject to the rights of others, ensuring consistent practices regarding the notification frame for data sharing providers and data altruism.

The Board will further support the European Commission in coordinating national policies on the topics covered in the DGA, support cross-sector data use by adhering to the European Interoperability Framework (EIF) principles and through utilising standards and specifications.

International Access to Data and Transfer

Under the DGA, transfers of non-personal data outside the EU are tightly regulated. There is a general prohibition on the transfer of non-personal data if it conflicts with EU or Member State law, including rights to security, national interests, and commercial sensitivity. Access is only permissible through an international agreement (such as a mutual legal assistance treaty, or MLAT) or if the third-country’s legal systems meet specific ‘quality control’ conditions – similar to the prohibitions under Art. 48 of the GDPR.

Companies must take appropriate steps, at all levels of the organisation, to ensure data protection and prevent the inadvertent transfer of or access to non-personal data held in the EU. The DGA puts forward an accountability driven self-assessment approach for companies, replacing the initially proposed ruling system. Companies must assess a third-country’s legal framework, akin to the transfer impact assessments under the GDPR.

 The EC is further empowered to establish model contractual clauses for the transfer of non-personal data to a third country and to recognise specific nations as providing an adequate level of protection for non-personal data through formal adequacy determinations.

Challenges Created by the DGA

Whilst the DGA applies to data generally, and not just to personal data, it creates the need for a subtle balance between the protection and use of personal data – as the GDPR and the DGA may apply simultaneously.

Regarding the enhanced re-use of data, the fundamental rights of property (concerning proprietary rights in certain data, such as commercially confidential or protected by intellectual property rights) should further be respected.

It should be noted that the sector-specific legislation on data access is further in place to address identified market gaps – for instance in the automotive industry, payment service providers, smart metering information, electricity network data, intelligent transport systems, environmental information, spatial information, the health sector and so on.


Additional resources

Related Practice Areas

  • Data Privacy & Security

Meet The Team

Meet The Team

Meet The Team

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.