The Regulation on European data governance, better known as the Data Governance Act (“DGA”), is one of the initiatives announced in the European Commission’s European strategy for data. With this strategy, the Commission is paving the way for a single European data space and a genuine single market for data in which data is freely accessible.
What?
The Commission wants to exploit the untapped potential of public sector data by facilitating its re-use both by businesses and for scientific research. The DGA focuses mainly on public sector data that is subject to the rights of others. This includes personal data (e.g. health data), data protected by intellectual property rights, trade secrets or statistically confidential data. The data must fall outside the scope of the Open Data Directive (which also focuses on public sector data).
The DGA thus squeezes itself into a complex landscape of applicable legislation. The DGA may also apply to personal data but will not affect the application of the GDPR. Additionally, the DGA will be complementary to the Data Act, which is yet to be adopted. The Data Act will foster data sharing between companies and governments in the public interest on the one hand and among companies on the other hand, e.g. when co-generated IoT data is concerned. At the moment there is not yet an official proposal for the Data Act; a proposal is expected on 23 February 2022).
Who?
The DGA will be important for anyone, whether in the public sector or in the private sector, who wants to use public sector data that is subject to the rights of others.
How?
The DGA goes all out for the re-use of public data that is subject to the rights of others, aims to increase trust in data intermediaries and establishes rules for data altruism.
- The DGA sets basic conditions for the re-use of these categories of protected public sector data. There will be restrictions on exclusivity arrangements. Moreover, public bodies that authorise re-use must implement technical measures to ensure data protection, privacy and confidentiality. This could be through anonymisation, pseudonymisation, differential privacy, generalisation, suppression and randomisation. The transfer of data to third countries will be subject to a regime similar to that of the GDPR.
- Member States will have to set up a single information point to provide legal and technical assistance to governments. This information point will also act as a central contact point to support researchers and innovative businesses in identifying suitable data.
- The Commission will establish an electronic register of available public sector data. This register will be accessible through the national single information points.
- Data intermediaries will play a key role in the data economy. Therefore, the DGA aims to increase trust in these providers of data sharing services, through a system that will include, for instance, a notification requirement, an obligation to be established within the EU, and a conflict-of-interest regime.
- The Regulation will also encourage data altruism. This will allow data, whether or not personal data, to be made available free of charge for the common good, such as for purposes of scientific research or for the improvement of public services. This will allow for the creation of data pools which will enable data analytics and machine learning within the EU. Organisations engaged in data altruism can register in order to boost trust in their activities.
- The DGA also provides for a European data altruism consent form, which should facilitate the transfer of data and reduce the costs of obtaining consent. This will allow data subjects to give their consent for the processing of their personal data for a specific purpose or for processing in the context of a particular research field or for certain parts of a research project.
- Finally, the DGA will establish a formal expert group, the European Data Innovation Board. This Board will facilitate the exchange of best practices between the competent authorities of the Member States and will advise and assist the Commission in the application of the DGA.
When?
On 21 November 2021, the European Parliament, the Council of the EU and the European Commission reached a political agreement on the DGA. The Parliament and the Council must now give their final approval to this agreement, which is expected to take place at the beginning of this year. The provisions of the DGA will then apply 15 months after entry into force. The rules for data intermediaries will apply 24 months after entry into force.