What you need to know in a nutshell
- The Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance will bear its abbreviated name: Data Governance Act (DGA).
- The DGA was published in the Official Journal of the European Union on June 3, 2022 and the new rules will apply from September 24, 2023.
- The DGA introduces some new concepts, such as ‘data altruism‘ (you can donate your data for the common good, such as for medical research projects or climate change), ‘data intermediation services‘ allow companies to exchange personal and non-personal big data, and ‘personal data spaces‘ for individuals to keep an electronic wallet with their personal data.
- The DGA will allow the sharing of public sector data with private companies. This will include, for example, trade secrets, personal data and data protected by intellectual property rights. In this regard, the DGA will complement the 2019 Open Data Directive, which does not cover this type of data.
- More importantly for companies based in the United States and other countries outside the European Economic Area (EEA), the DGA will introduce a data transfer regime for transfers of non-personal data, similar to the General Regulation on data protection (GDPR). In other words, non-personal data will only leave the EEA under certain conditions (such as standard contractual clauses that will be created for this purpose).
- This is the first new EU data law, but Europe is on the right track and more will follow in the coming months, including the Data Act, the Digital Services Act, the digital markets and the law on artificial intelligence.
After the tabling of the Data Governance Bill (DGA) in November 2020, the The Council of the European Union finally approved it on May 16, 2022. It was published in the Official Journal of the European Union June 3, 2022, and it will apply from September 24, 2023.
The DGA establishes robust procedures to facilitate the secure reuse of certain protected public sector data subject to the rights of others, such as trade secrets, personal data and data protected by intellectual property. It aims to foster data altruism across the EU, increase trust in data sharing and establish trusted use of data for research and innovation, among others.
Some key DGA concepts are outlined below.
Public sector data sharing
Public access to official documents can be considered to be in the public interest, and the idea that data generated or collected by public sector bodies or other entities at the expense of public budgets should benefit society long been part of EU policy. While some Member States put in place structures, processes or legislation to facilitate this type of reuse, this was not the case across the EU. The DGA’s aim is not to create an obligation to allow re-use of data held by public bodies – it will, however, allow public data (such as business secrets, personal data and data protected by intellectual property) to be shared with private companies. The DGA should complement and be without prejudice to more specific obligations imposed on public sector bodies to enable the re-use of data provided for by sectoral or national EU legislation, and each Member State should be able to decide whether the data is made accessible for reuse, as well as the purposes and extent of such access.
Data intermediation services
An important concept within the DGA is that of data intermediation services, the objective of which is to serve as a trusted environment allowing organizations and/or individuals to share data. Data intermediation services will enable:
- Support voluntary data sharing between companies.
- Facilitate compliance with data sharing obligations set by law.
- Organizations share data without fear that the data will be misused or that the organization will lose a competitive advantage.
- Enable individuals to take control of their data, share it with trusted companies, and exercise their rights under GDPR.
The DGA notes that data intermediation service providers will be able to collect a fee for the provision of their services, but they will be prohibited from profiting from the data they process, for example by selling this data.
The DGA introduces a concept of new data management tools, such as wallets or data spaces – essentially applications that share data based on a data subject’s consent. Individuals will have full control over how their data is shared through the use of these tools, allowing them to share this data with organizations they trust.
The DGA describes the concept of data altruism – making data voluntarily available by individuals or companies for the common good (such as medical research projects). In order to increase confidence in the concept of data altruism and to encourage individuals and businesses to donate data to these organizations to be used for the good of society at large, the DGA plans the ability for organizations engaging in data altruism to register as a “recognized data altruism organization in the [European] Union’.
Safeguards for the transfer of non-personal data
The DGA recognizes the importance of protecting commercially sensitive non-personal data (such as trade secrets or non-personal data representing intellectual property protected content) from unlawful access that could lead to intellectual property theft or industrial espionage. In order to ensure the protection of this non-personal data, as well as the fundamental rights and interests of the owners of this data, the DGA specifies that the non-personal data held by public sector bodies and which must be protected against any illegal or unauthorized access authorized should only be transferred to third countries when appropriate safeguards for the use of such data are provided.
As such, the European Commission (EC) could adopt adequacy decisions or standard contractual clauses for the transfer of non-personal data governed by the DGA, similar to the adequacy decisions and standard contractual clauses relating to the transfer of personal data in application of the GDPR.
European Data Innovation Council
The DGA has introduced a new group of experts composed of representatives of the competent authorities of all Member States, the European Data Protection Board, the EC and other relevant representatives of the competent authorities in specific sectors, who will form together the European Data Innovation Board, which is responsible for, among other things:
- Advise and assist the EC in the development of consistent practice by the public sector and competent bodies in their processing requests for the re-use of data.
- Help the EC to strengthen the interoperability of data and data sharing services between different sectors and domains by building on existing European, international and national standards.
- Advise and assist the EC in the development of consistent Competent Authority practice in applying the requirements applicable to the Data Sharing Provider.
The DGA will apply 15 months after the entry into force of the regulation, which is expected to take effect around August 2023. It remains to be seen how these new rules will fit into the ever-changing data landscape, but one thing is certain: it is becoming increasingly important for organizations to ensure that they accurately map their data processing and storage practices to be able to process the wide range of data in accordance with the DGA.