Data governance

“First act” of the European data economy: the law on data governance

On March 7, 2022, the European Parliament will vote on the Data Governance Act (DGA). This can be seen as the first act of a series of measures to be implemented as part of the European data strategy published by the European Commission in 2020. The DGA text was already negotiated in December 2021 during consultations between the European Council, the Parliament and the Commission, which is why the vote is only a formality. The following article is intended to provide a brief overview of the essentials of the DGA’s regulations.

The DGA aims to promote data availability and strengthen data sharing mechanisms in the EU. To this end, the DGA essentially contains four largely autonomous regulatory subjects:

  • the conditions for the reuse of data of certain categories held by public sector bodies (Chapter II),
  • a framework for registering and controlling the provision of services by so-called data intermediaries (Chapter III),
  • a framework for voluntary registration of entities that collect and process data provided for altruistic purposes (Chapter IV), and
  • a framework for setting up a so-called European Data Innovation Council.

By way of clarification, Article 1 already stipulates that the DGA does not affect the application of the specific provisions of data protection law, the TTDSG (Telecommunications and Telemedia Data Protection Act), competition law or public safety, defense or national security law. Insofar as personal data must be reused within the framework of the DGA, the requirements of the GDPR must also be respected.

Reuse of certain categories of protected data held by public sector bodies

Chapter II defines the conditions for the re-use of data held by public authorities and protected for certain reasons. The background of the regulation is the idea that data generated or collected using public funds should also benefit society (recital 5). Article 3(1) lists commercial or statistical secrecy, the protection of third party intellectual property and the protection of personal data as grounds worthy of protection.

It is important to understand that the DGA does not create a right to reuse this data (Article 3(3)). Instead, it establishes the basic conditions under which reuse should be permitted. In addition to a fundamental prohibition of exclusivity agreements in Article 4, Article 5 lists a large number of individual conditions for reuse as a central part of the regulation. Whereas in the initial Commission proposal these were mainly ‘optional’ provisions which left the exact wording to national public sector bodies, the negotiated version of the DGA mainly contains more binding provisions.

In principle, these conditions must be “non-discriminatory, transparent, proportionate and objectively justified” (Article 5(2)). According to paragraph 3, public bodies must ensure that only processed data – i.e. anonymised or pseudonymised – can be reused or that access takes place in a “secure processing environment” whose technical integrity is verified by the public body. Furthermore, data reuse is only permitted if intellectual property rights are respected, with public bodies being denied the right to create databases.

It should also be mentioned that the transfer of data to non-EU third countries must first be notified and can only take place if the Commission considers that the rules of the third country on the protection of intellectual property and trade secrets are equivalent, or if the re-user agrees to abide by the terms. Standard contractual clauses may be adopted for this purpose (paragraph 9a). This mechanism, already known to the GDPR, now also applies to sensitive non-personal data under the DGA.

According to Article 8, the competent authorities of the Member States establish a “single information point” and a request for data receives a regular response within two months. At the initiative of the European Parliament, the use of data by start-ups and small and medium-sized enterprises should be particularly encouraged (paragraphs 2b, 2c).

Requirements for Data Intermediary Services

Chapter III establishes a framework for notifying and monitoring the services of so-called data intermediaries. Article 9 names the following services in this respect:

  • Intermediation services between data controllers and potential data users,
  • Intermediation services between data subjects and potential data users, in particular for the exercise of GDPR rights, and
  • Services of so-called data cooperatives.

The regulation is based on the assumption that data intermediaries will play a key role in the data economy by facilitating the exchange of significant amounts of relevant data, thereby encouraging genuine competition for data sharing. In order to build trust and strengthen control over these services by data holders and data users, the neutrality of data intermediaries is considered crucial and therefore they should only act as intermediaries without using the transferred data for other purposes (recital 26).

Data intermediation services should therefore aim to establish an economic link between an indeterminate number of data holders and users in order to share data between them. Excluded are services that modify or enrich the data in one way or another and only make it available afterwards (such as cloud storage or analysis services). Services that primarily offer copyrighted works and intra-corporate data brokerage are also excluded. Although the scope of application is determined, many delimitation difficulties are likely to arise in practice given the imprecision of the terminology.

For data intermediaries, Article 10 provides for a formal notification procedure and Article 11 for substantive requirements, including safeguarding data purpose, procedure and pricing, data format and transformation, fraud prevention measures, insolvency protection, technical, legal and organizational measures to prevent illegal transfers and security measures for storage.

The services of data intermediaries therefore do not require official authorisation. However, if a violation of Articles 10 or 11 is found, the competent authority may order the termination of service or impose “dissuasive fines”. In order to ensure performance, service providers must be established in the EU or appoint a legal representative in the EU.

Data altruism

Another large sub-area regulated in Chapter IV is what is known as data altruism. Data altruism can be understood as the voluntary provision of data by individuals or companies for purposes of public interest. The DGA explicitly mentions health, the fight against climate change, the improvement of mobility, the facilitation of the production of public statistics and scientific research as such purposes of general interest.

Pursuant to Articles 16 et seq., legal persons seeking to further the above purposes may register as “Union Recognized Data Altruism Organisations”. The prerequisite is that these organizations operate on a not-for-profit basis and are legally independent, and also fulfill extensive transparency and record-keeping obligations, e.g. with regard to data processing, purpose, data sources and income. Recital 36 lists other requirements, for example a secure processing environment and the establishment of ethics councils, which however have not found their place in the DGA system and whose applicability therefore appears questionable.

Among other things, recognition offers the advantage that the regulation on data intermediary services (Chapter III) does not have to be applied. According to Article 15, the competent authority maintains a register of recognized data altruism organizations and may remove the organization concerned from the register in the event of a breach (Article 21).

Member States can promote data altruism by creating a framework in which data subjects can share stored data with public service providers (Article 14a); in Germany, this is already the case with the electronic patient file (article 363 of the social security code V).

In order to facilitate the collection of data and the consent of data subjects which is often required for this purpose, Article 22 provides that the Commission, in consultation with the European Data Protection Board, shall adopt implementing acts establishing a European consent form. It is thus specified that the consent required under the GDPR also remains for the use of data for altruistic purposes. The form nevertheless has the advantage of making it possible to obtain consent in a uniform format in all Member States, which should benefit legal certainty.

European Data Innovation Council and International Access

Another regulation worthy of mention is the provision in Chapter VI on the creation of a “European Data Innovation Board”, which will be composed of experts and representatives of the authorities of the Member States and of the European data protection, among others. The tasks of the European Data Innovation Board are set out in Article 27; they are essentially intended to advise and support the Commission in the development of a uniform practice with regard to the predefined subjects of the DGA. Particularly given the indefinite density of regulations within the DGA, the Innovation Council is likely to be of great importance in the specific development of regulations.

In the final provisions of Chapter VIII, the DGA contains general provisions on the protection of non-personal data in relation to transfers to third countries. All recipients of the DGA must take appropriate technical, legal and organizational measures to prevent such transfers and access, unless there is an international agreement with the third country. The absence of such an agreement may then require a case-by-case assessment of the level of legislation in the third country.

Conclusion

The DGA represents a first attempt to regulate the European data economy – at least in certain sub-areas. In view of the often rather vague explanations, it remains to be seen to what extent the data economy will really be advanced. The systematic integration and differentiation of the DGA from other existing and future European legislation in the field of digitization – for example, with regard to the future data law – will in particular raise many questions. However, it is encouraging that the DGA is moving towards the structuring of the GDPR on many subjects and is contributing in this respect to a certain standardization of data exchanges.