What you need to know in a nutshell
- The Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance will go by its short name: Data Governance Act (DGA).
- The DGA was published in the Official Journal of the European Union on 3 June 2022, and the new rules will apply from 24 September 2023 onwards.
- The DGA introduces some new concepts, such as ‘data altruism’ (you can give your data away for the common good, like for medical research projects or climate change), ‘data intermediation services’ allowing companies to exchange personal and nonpersonal big data, and ‘personal data spaces’ for individuals to keep an e-wallet with their personal data.
- The DGA will allow public-sector data to be shared with private companies. This will include, for example, trade secrets, personal data and data protected by intellectual property rights. In this respect, the DGA will complement the 2019 Open Data Directive, which does not cover such types of data.
- More importantly for companies based in the US and other countries outside the European Economic Area (EEA), the DGA will introduce a data transfer regime for nonpersonal data transfers, similar to the General Data Protection Regulation (GDPR). In other words, nonpersonal data shall only leave the EEA under certain conditions (like standard contract clauses that will be created for this purpose).
- This is the first new European law on data, but Europe is on a roll, and there are more to come in the next few months, including the Data Act, the Digital Services Act, the Digital Markets Act and the Artificial Intelligence Act.
After the proposal for the Data Governance Act (DGA) was introduced in November 2020, the Council of the European Union finally approved it on 16 May 2022. It was published in the Official Journal of the European Union on 3 June 2022, and it will apply from 24 September 2023.
The DGA establishes robust procedures to facilitate the safe re-use of certain protected public-sector data subject to the rights of others, such as trade secrets, personal data and data protected by intellectual property. It is intended to foster data altruism throughout the EU, increase trust in data sharing, and establish trusted data use for research and innovation, amongst other things.
Some key concepts of the DGA are set out below.
Sharing of public sector data
Public access to official documents may be considered to be in the public interest, and the idea that data generated or collected by public-sector bodies or other entities at the expense of public budgets should benefit society has long been part of EU policy. While some member states were establishing structures, processes or legislation to facilitate that type of re-use, this was not the case across the entire EU. The aim of the DGA is not to create an obligation to allow the re-use of data held by public-sector bodies – it will, however, allow public-sector data (such as trade secrets, personal data and data protected by intellectual property) to be shared with private companies. The DGA should complement and be without prejudice to more specific obligations on public-sector bodies to allow re-use of data laid down in sector-specific EU or national law, and each member state should be able to decide whether data is made accessible for re-use, as well as the purposes and scope of such access.
Data intermediation services
A significant concept in the DGA is that of data intermediation services, the aim of which is to serve as a trusted environment for organisations and/or individuals to share data. The data intermediation services will help:
- Support voluntary data sharing between companies.
- Facilitate the fulfillment of data sharing obligations set by law.
- Organisations share data without the fear of the data being misused or the organisation losing a competitive advantage.
- Enable individuals to gain control over their data, share it with trusted companies and exercise their rights pursuant to the GDPR.
The DGA notes that data intermediation service providers will be able to charge a fee for the provision of their services, but will be prohibited from profiting from the data they handle by, for example, selling such data.
The DGA introduces a concept of new data management tools, such as data wallets or spaces – essentially apps which share data based on a data subject’s consent. Individuals will have full control over how their data is being shared through the use of such tools, allowing them to share such data with organisations they trust.
The DGA outlines the concept of data altruism – individuals or companies voluntarily making data available for the common good (such as medical research projects). To increase trust in the data altruism concept, and to encourage individuals and companies to donate data to such organisations to be used for the wider societal good, the DGA establishes the possibility for organisations engaging in data altruism to register as a ‘data altruism organisation recognised in the [European] Union’.
Safeguards for transfer of nonpersonal data
The DGA recognises the importance of protecting commercially sensitive data of a nonpersonal nature (such as trade secrets or nonpersonal data representing content protected by intellectual property) from unlawful access which could lead to IP theft or industrial espionage. To ensure the protection of such nonpersonal data, as well as the fundamental rights and interests of the owners of such data, the DGA outlines that nonpersonal data which is held by public-sector bodies and is to be protected from unlawful or unauthorised access should only be transferred to third countries where appropriate safeguards for the use of such data are provided.
As such, the European Commission (EC) could adopt adequacy decisions or standard contractual clauses for the transfer of nonpersonal data governed by the DGA, similar to the adequacy decisions and standard contractual clauses relating to the transfer of personal data pursuant to the GDPR.
European Data Innovation Board
The DGA introduced a new expert group consisting of representatives of competent authorities of all member states, the European Data Protection Board, the EC and other relevant representatives of competent authorities in specific sectors, who together shall form the European Data Innovation Board, which is tasked with, amongst other things:
- Advising and assisting the EC in developing a consistent practice of public-sector and competent bodies in their processing of requests for the re-use of data.
- Assisting the EC in enhancing the interoperability of data and data sharing services between different sectors and domains by building on existing European, international and national standards.
- Advising and assisting the EC in developing a consistent practice of the competent authorities in the application of requirements applicable to data sharing providers.
The DGA will apply 15 months after the entry into force of the regulation, likely taking effect around August 2023. How these new rules will fit into the ever-changing landscape surrounding data remains to be seen, but one thing is certain: It is becoming increasingly important for organisations to ensure they accurately map their data handling and storing practices in order to be able to handle the broad scope of data pursuant to the DGA.