Data governance

What privacy professionals need to know

On December 10, 2021, a political agreement was reached on the data governance law. The (largely) remaining procedural steps are expected to be completed by March 2022 and the law will become applicable 15 months after the date of its entry into force – i.e. in the summer of 2023. data governance applies to “data” – “any representation of acts, facts or information…” – in general, not just personal data. This is the first of new EU initiatives European Union on ‘data” to cross the legislative finish line. In this article, we highlight the most relevant provisions for privacy professionals. For those who want a quick read, the key points are listed below The full article contains a general summary of the law and a more in-depth analysis of the impact for privacy professionals.

  • The law encourages wider reuse of data held by public sector bodies, including personal data. This should be achieved using secure processing environments and anonymization techniques such as differential privacy and synthetic data creation. This part of the law may lead to further development and guidance on the use of these techniques which may be of wider use, beyond the immediate purpose of reusing public sector data.
  • A licensing regime is in place for “data intermediaries”. These are organizations that establish commercial agreements between data holders and data users, but do not themselves add additional value to the data. Data intermediaries will have to satisfy licensing terms designed to ensure their independence and limit their re-use of data and metadata. The requirements will affect those offering data marketplaces and (possibly) consent management platforms. Adtech companies should take note.
  • Data altruism is to be encouraged. Those who want broader access to data – especially for scientific research – may find this makes it easier to access more data. Those operating on a not-for-profit basis for public benefit purposes may consider becoming a recognized data altruism organization.
  • The law contains the first steps towards restricting transfers of non-personal data. Data intermediaries and recognized data altruism providers will need to consider whether third countries provide adequate protections for non-personal data and will need to resist attempts by public authorities in third countries to access non-personal data originating from the EU. There are additional restrictions applicable to those involved in the re-use of public sector data, as well as mechanisms for the Commission to recognize countries as offering adequate protection and to adopt standard contractual clauses for the transfer of personal data not personal.

Photo by Guillaume Perigois on Unsplash

Editor’s note:

Editor’s Note: This article highlights the provisions of the data governance law most relevant to privacy professionals. The full article contains a general summary of the law and a more in-depth analysis of the impact for privacy professionals and can be find at twobirds.com.