What's it about, what it contains and what we can expect from it.
Back to all 101s
With the European Strategy for data (2020), the EU is pursuing the goal of creating a single market for data and thus enabling EU wide data sharing across all sectors. The initiative is meant to benefit companies, researchers and public administrations. In this context, the Data Governance Act (DGA) was adopted in spring 2022 and is the first of several planned legislative projects.
The aim of the DGA is to create a cross-sector, interoperable governance framework which establishes consistent mechanisms for data sharing in the European Union in order to increase trust in data sharing. The DGA rules will apply from 24.09.2023 along with existing data protection legislation such as the GDPR.
According to the general guidelines, the DGA addresses, among other things, the topics we will outline in the following.
This regulation is comparable to the Open Data Directive in the sense that there is no legal claim to the release or publication of certain data under the DGA. However, according to the principle of "public money, public data", the DGA should enable the re-use of data held by public bodies in Europe. It also lays down requirements for the further utilization of data: Such use must be non-discriminatory, transparent, proportionate and objectively justified (Art. 5 DGA).
Data intermediation services are considered to play a key role in the data economy. The DGA understands this term to mean "a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data ", Art. 2 No. 11 DGA. Every data intermediation service generally requires a registration with the competent authority. The provision of the data brokering activity is also subject to comprehensive conditions, such as the prohibition of data use for other purposes, as well as specifications on procedures and pricing, the format and transformation of data, measures for fraud prevention and insolvency protection, as well as technical, legal and organizational measures to prevent unlawful transfers. Finally, certain security measures must be in place as regards data storage. Compliance with these obligations is monitored by a Member State authority.
Furthermore, the DGA aims to promote data altruism, i.e., the voluntary sharing of data on the basis of consent (for personal data) or permission (for non-personal data) without compensation. This applies to objectives of general interest such as health care, combating climate change or improving mobility. Entities which collect and process data made available for altruistic purposes are also recognized in this context. These organizations must fulfil extensive transparency and record-keeping obligations e.g., as regards data processing, purpose and sources of income.
As an expert group the European Data Innovation Board is meant to support the European Commission regarding the coordination of national procedures and strategies in the area of DGA, as well as in the cross-sectoral use of data. Its specific tasks are defined by Art. 30 DGA. It includes representatives from the Member States as well as the EU level. Among others, members of the European Data Protection Board, the European Data Protection Supervisor, the European Union Agency for Cyber Security (ENISA) and the Commission are represented.
In line with its objectives the DGA covers a broad range of topics and addresses a wide variety of actors. Due to the major subsidiarity, the large number of new obligations and some difficulties in defining boundaries, the forthcoming months and years will show whether the goal pursued by the DGA of bringing the EU to the forefront of a data-driven society can be achieved in conjunction with regulations yet to come.