On 6 April 2022, the European Parliament formally approved the Data Governance Act (“DGA”), which establishes a legal framework to promote the availability of data and increase trust in data sharing across sectors in the EU. Some of the key objectives of the new legislation include enabling the re-use of certain categories of protected public sector data and making it easier and safer for citizens and businesses to share their data with relevant stakeholders.
As a result, the DGA may bring the EU one step closer to its goal of a European single market for data. Indeed, the aim of the DGA is to transform the way that data is shared, potentially creating new opportunities for companies, including lowering barriers to the creation of innovative data-driven products and services, as well as fostering new business models for companies that qualify as data intermediation services. To ensure compliance with GDPR, the DGA provides users with control over their data and explicitly refers to GDPR’s data processing requirements.
The DGA is part of the European Commission’s broader digital and data strategy. Other recent legislative proposals include the Digital Markets Act (“DMA”), the Digital Services Act (“DSA”), the Data Act and the Artificial Intelligence Act. After hotly contested negotiations, last week, political agreement was reached on the DSA, which proposes new content regulation provisions for online intermediaries. This follows the recent agreement on the content of the DMA, which proposes a set of obligations for so-called “gatekeeper” platforms to ensure fair and contestable digital markets. The formal approval of the DGA and the relative speed with which agreement was reached on the DMA and DSA demonstrate the political will to progress the strategy.
Re-use of protected public sector data
The DGA provides for a set of harmonised basic conditions under which public authorities may allow the re-use of data that is subject to the rights of others, e.g., trade secrets, personal data and data protected by intellectual property rights. In this respect, it complements the Open Data Directive (“ODD”), which lays down rules on the re-use of certain data across the EU but which excluded from its remit these types of sensitive data. The DGA seeks to address the underutilisation of this data. The legislation requires Member States to be technically equipped to ensure that privacy and confidentiality are fully protected, e.g., through anonymisation, secure processing environments and/or confidentiality agreements to ensure relevant data can be shared securely.
The DGA also provides for safeguards against unlawful international transfer of or governmental access to non-personal data (similar safeguards for personal data are available under the GDPR).
Data intermediation services
The DGA will create a framework for a new business model in the form of data intermediation services. These services will provide a secure environment to help companies or individuals share data (either to support voluntary data-sharing between companies or facilitate data-sharing obligations set by law), without the fear of misuse or a loss of competitive advantage. To ensure neutrality, data-sharing intermediaries will not be able to exchange the data for their own interest (e.g., by selling it to another company or using it to develop their own product based on this data) and will have to comply with strict ex ante compliance and transparency requirements (such as being listed in a public register).
The DGA encourages data altruism, whereby individuals and companies can make data voluntarily available (without financial reward) for the common good, such as for scientific and medical research, combating climate change or improving mobility. Entities seeking to collect such data may request to be listed in a public register of recognised data altruism organisations, which will give them recognition across the EU. To protect the rights and interests of citizens and companies, these organisations must have a not-for-profit character and meet transparency requirements, as well as implement specific safeguards.
European Data Innovation Board
The DGA provides for the creation of a European Data Innovation Board to facilitate the sharing of best practices by Member States and consistent application of the framework.
The DGA is aimed at encouraging the use of “tech for good” and enabling “more data and good quality data” to fuel innovation for the common public good. The DGA will support the set-up and development of common European data spaces in strategic sectors such as health, environment, energy, mobility and finance. Further, the DGA will soon be complemented by the forthcoming Data Act. While the DGA creates the framework, processes and structures to facilitate data sharing, the Data Act clarifies who can access and use – and therefore control and benefit from – data, and under what conditions. The Commission published its proposal for the Data Act on 23 February 2022 and this will now be scrutinised by the EU’s co-legislators, the European Council and European Parliament.
In November last year, the European Council and European Parliament reached political agreement on the content of the DGA, and following last week’s developments, all that remains outstanding before it can be passed into law is formal approval by the Council. The rules will apply 15 months after entry into force of the regulation and are therefore likely to apply from mid to late 2023.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.