European Union – Data Governance Act
The Data Governance Act ("DGA") will apply from September 24th 2023. The DGA sets out new rules for the sharing of certain protected data held by public sector bodies as well as rules and requirements for data intermediary services and organisations for data altruism.
What: Law
Impactscore: 1
For whom: Companies/organisations involved in data sharing and data-altruists, policy makers, governments,
URL: https://eur-lex.europa.eu/lega...
Key takeaway for Flanders
Reuse of certain protected data held by the government will be subject to new rules to improve data-sharing, including a prohibition on exclusivity. Data intermediary services and organisations for data-altruism will also be bound by new rules to ensure fairness. Flemish organisations in need of data, willing to share data, or currently involved in data intermediation should familiarise themselves with these rules and requirements. Therefore this regulation is of specific importance for Athumi, the Flemish data utility company.
Summary
The goal of the European Data Governance Act (“DGA”) is to increase data sharing in the European Union, improve data availability mechanisms and to overcome technical obstacles for the reuse of data. The Act is part of the European strategy for data and provides new rules (i) for the re-use of protected data held by public sector bodies, (ii) for data intermediation services, (iii) for data altruism organisations and (iv) for the establishment of a European Data Innovation Board. The DGA is in force and its rules will apply from September 24th 2023.
Re-use of protected data held by public sector bodies
New rules will apply to the re-use of certain categories of data held by ‘public sector bodies’. These are state, regional or local authorities as well as bodies governed by public law or associations formed by those authorities. They may hold data that is protected by commercial or statistical confidentiality, by the intellectual property rights of third parties or by the protection of personal data. These bodies will be subject to additional obligations under the DGA if they make this data available for re-use by others.
Notably, public sector bodies are in principle prohibited from granting exclusive rights to the data or restricting the availability of the data for re-use through agreements or other practices. An exception to this rule is possible if the exclusivity is necessary to provide a service or supply a product in the general interest and if the exclusivity does not exceed a duration of 12 months.
In addition, the conditions and procedure for the re-use of the data must be made publicly available. These conditions, as well as any fees charged for the re-use, must be non-discriminatory, transparent, proportionate and justified. At the same time, public sector bodies must maintain the protected nature of the data, for example by anonymising, modifying or aggregating it. They may also limit access and re-use of the data to a secure digital or physical environment. The re-use must also always be compliant with intellectual property rights and with legal rules on confidentiality. Finally, a re-user will have to make additional commitments if they will transfer the data to a third country.
Rules for data intermediary services
Data intermediation services are services aimed at creating commercial relationships for data sharing between an indefinite amount of data subjects, data holders and data users. Intermediation services between data holders and data users, between natural persons (for personal and non-personal data) and data users, or for services that are data cooperatives, will be subject to certain conditions under the DGA. For instance, those services have to notify competent authorities of their intention to provide these services. They must also meet certain requirements such as a limitation on the use of the received data for other purposes than the intermediation. Among other requirements, their commercial terms must be independent from the use of their other services, access to their services must be fair, transparent and non-discriminatory, and they must have procedures and measures in place to prevent fraud and secure the data. Member states will have to designate a competent authority (either by establishing a new authority or relying on an existing entity) to receive notifications, monitor compliance and take the necessary enforcement actions such as financial penalties or the suspension or cessation of the service.
Public registers for data altruism organisations
The DGA requires the European Commission ("EC") and each member state, through its competent authorities, to create and keep public registers for recognised data altruism organisations. Data altruism is the voluntary sharing of data (both personal and non-personal) with the consent or permission of the data holder or data subject for use in the general interest without compensation beyond the costs of the sharing. Data altruism organisations must meet several requirements if they wish to be registered, such as operating not-for-profit, having a functionally separate structure for its data altruism activities and being a legal person for objectives of general interest.
In addition, an organisation must meet transparency requirements through extensive record-keeping related to the persons who are allowed to process the data, the duration and purpose of that processing and the fees paid by those persons. Organisations also have to report about their activities to their competent authority annually. If they aim to be registered, data altruism organisations must meet requirements related to the rights and interests of data subjects and data holders providing their data. They must inform data subjects and holders before processing their data of the general interest objectives and purpose of the processing, and if the processing may take place in a third country. The organisation may only use the data for general interest objectives allowed by the holder or the subject and must provide an easy way for them to withdraw their consent or permission. The organisation must also appropriately secure the data. Finally, the organisation will have to comply with informational, technical, security and interoperability requirements that will still be determined by the Commission in a separate Rulebook. As with data intermediation services, Member states will have to designate a competent authority for the registration of data altruism organisations. This authority will also monitor compliance with the above requirements and remove organisations from the register in case of non-compliance.
European Data Innovation Board
A European Data Innovation Board will be established by the EC. This board will be an expert group containing representatives of the competent authorities for data intermediation services and data altruism organisations from all member states as well as the EDPB, EDPS, ENISA, the EC and an SME envoy as well as representatives of sectoral bodies and bodies with other expertise. This expert group and its subgroups will advise and assist on multiple data-related initiatives and topics. This includes guidance on the re-use of data held by public sector bodies, data intermediary services and data altruism organisations, but also on cybersecurity, common European data spaces and standards for data use and sharing between European data spaces, and cooperation between competent authorities under the Data Governance act.