Law360 – What to expect from EU’s Data Governance Act
What To Expect From EU’s Data Governance Act
By Alain Strowel, Ophélie Snoy and Solène Festor (November 21, 2022)
With its European Strategy for Data released in 2020, the European Commission aims to create a true EU market for data, whether personal or nonpersonal, viewed as a fuel for innovative products and services. Data access and sharing is also an important input for the development of artificial intelligence tools.
To increase the trust in data sharing and to unlock the potential of data held by the public sector, companies or individuals, the commission tabled the Data Governance Act, which was adopted by the European Parliament and European Council on May 30 and published as Regulation 2022/868 in the Official Journal of the EU on June 3.
The new rules will be applicable as from Sept. 24, 2023, except the requirements for data intermediation services that enter into force two years later.
Three Main Objectives
The DGA pursues three main objectives, addressed in Chapters 2 to 4:
• Defining the conditions for improving the reuse of the data held by the public sector, applicable to data not considered as open data under the 2019/1024 Open Data Directive;
• Determining the framework — including the notification and the supervision system — for the provision of data intermediation services, a new category of digital intermediaries;
• Setting the rules for voluntary registration of nonprofit entities to collect and process data made available by physical or legal persons for altruistic purposes.
The DGA imposes additional requirements, in particular on data intermediation services providers. It is rather paradoxical that the commission, to incentivize data sharing, has defined new, and sometimes burdensome, obligations. Whether the new governance framework will prompt a fair, trustful and competitive market for data in the EU remains to be seen.
Relation With Existing Legislation
Existing legislation in the personal data sector, but also more general legislation dealing with access to data and information — e.g., the General Data Protection Regulation, electronic privacy and open data directives, rules on the European health data space or relating to copyright and trade secrets, etc. — is not affected by the DGA.
In case of conflict between the DGA and the GDPR, the GDPR prevails, according to Article 1 of the DGA. The DGA leaves the possibility of additional data regulations to be adopted, such as the draft Data Act.
Three Sets of Applicable Rules
The DGA introduces three different sets of rules for data sharing that apply to various addressees of the regulation, i.e., public sector bodies, data intermediation services and data altruism organizations.
Public Sector Bodies
Public sector bodies — i.e., all bodies invested with public tasks as defined under member states’ law, for instance, social security agencies, tax administrations, local governments like municipalities, etc., but excluding public undertakings — hold considerable amounts of valuable data, often collected at the expense of public budgets, that should benefit all.
The DGA therefore complements the Open Data Directive by facilitating the reuse of personal and nonpersonal data — referred to as protected data — held by public sector bodies.
The protected data ranges from commercially confidential data, including business, professional and company secrets, and data protected by intellectual property rights, to personal data such as health data.
Should public bodies decide to grant access, it must be under nondiscriminatory, transparent, proportionate and objectively justified conditions. They must also ensure that the protected nature of the data is preserved and shared without jeopardizing the interests of the right holders.
To do so, anonymization, randomization or aggregation techniques, which may exclude types of data that would allow reidentification, are mentioned as safeguards that may be used or, as a last resort, consent from the data holders may be required if sensitive information cannot be anonymized.
In any event, public bodies will be able to verify the reusers’ processing and results and will request them to contractually agree to confidentiality obligations, including refraining from trying to reidentify data holders. Public bodies will also be able to charge proportionate fees and are encouraged to set discounted rates for the reuse of data for research purposes or actors like small and mid-size enterprises.
If they chose to implement public sector data reuse policies, member states would have to implement a one-stop-shop interface and designate a competent body for its management. The interface will reference all available data resources and make them easily accessible.
Data Intermediation Services
Chapter 3 of the DGA addresses data intermediation services, which are considered key to realizing a borderless data economy.
Data intermediation services are operators aiming at establishing commercial relationships between an undetermined number of data holders and data users for the purpose of data sharing. This is the case for example of data marketplaces and pools.
For achieving this, data intermediation services can use technical, legal or other means, but should remain neutral facilitators and matchmakers.
They will have to comply with specific requirements, e.g., to appoint a legal representative if they are not established in the EU, and go through a notification procedure before a competent authority, to be created at national level. Among other requirements, data intermediation services:
• Should be independent, i.e., set up a legal entity separate from other services;
• Are not allowed to use the data for other purposes than the intermediation services;
• Must ensure fair, reasonable, and nondiscriminatory access and licensing terms to the data;
• Are not allowed to subordinate the commercial conditions they offer for the data intermediation services to the use of other services they provide;
• Must take appropriate measures to ensure interoperability with other data intermediation services;
• Must comply with specific requirements for nonpersonal data, similar to those of the GDPR for personal data, to ensure appropriate levels of security for the storage, processing and transmission of nonpersonal data; and
• Must act in the best interests of the data subjects when dealing with personal data and inform them of the intended uses before requesting consent.
All data intermediation services will have to notify their existence and compliance with the new regulatory constraints to the designated competent authorities through a notification procedure.
Data intermediation services may request a certification that the service complies with the requirements, upon which the newly created label, “DIS provider recognized in the Union,” will be issued. A future corresponding logo will have to be visible on the websites of those data intermediation services.
Data Altruism Organizations
Chapter 4 of the DGA encourages member states to implement national policies promoting data altruism activities, i.e., the voluntary sharing of data by data subjects based on their informed consent to process data.
Other data holders might be active in data altruism when, without seeking a reward, they make data available for objectives of general interest, such as health care, combating climate change, improving mobility, facilitating the dissemination of official statistics, etc.
Data altruism organizations should be able to collect relevant data directly from natural and legal persons, or to process data collected by others and for purposes established by themselves.
To qualify as a data altruism organization, an entity will have to operate on a not-for-profit basis and be legally independent of any entity that operates for-profit, carry out its data altruism activities through a functionally separated structure from its other activities, and comply with the forthcoming commission data altruism rulebook.
A voluntary registration scheme can be put in place. A successful registration will be conditional upon complying with the new requirements. The registration of data altruism organizations is expected to lead to the creation of large data repositories accessible throughout the EU, and the rulebook for data altruism organizations is expected to bring more clarifications to entities interested in setting up a data altruism organization.
For collecting personal data, consent in the meaning of the GDPR will serve as the legal basis. The commission, together with the new EU Data Innovation Board, is expected to issue an EU-wide consent form for data altruism organizations.
The form will allow a modular approach, and organizations will be able to customize it according to their specific needs and sectors.
Interestingly, the DGA provides that data holders can permit the processing of their nonpersonal data for various purposes “not established at the moment of giving permission,” bringing more flexibility than informed and specific consent under the GDPR.
Data Transfers of Nonpersonal Data
Additional safeguards are introduced concerning the transfer of nonpersonal data to third countries.
The addressees of the DGA, including public sector bodies, reusers of data, data intermediation services and data altruism organizations, must take effective measures to protect the rights and interests of data subjects and legal entities with regard to their personal and nonpersonal data and to prevent international transfer or governmental access to nonpersonal data.
As with personal data, international transfers are conditional on certain safeguards, including the possibility that model contractual clauses could be issued by the Commission to certify the destination countries provide appropriate levels of protection for nonpersonal data.
Further notification and security requirements would apply for all addressees of the DGA in the event of decisions from third countries’ courts or administrations requiring access to the nonpersonal data.
Governance and Next Steps
Member states will have to designate competent authorities in charge of monitoring the compliance of data intermediation services, facilitating public sector data reuse, and registering and supervising data altruism organizations. Noncompliance with the DGA requirements may result in effective, proportionate and dissuasive fines imposed by those authorities.
The DGA gives the commission the duty to establish an expert group, the European Data Innovation Board, although it is not further specified when this group will be formed.
It will consist of representatives of the national authorities competent to monitor compliance with the DGA, together with several stakeholders who will also take part in the board’s activities, for example, representatives of diverse sectors such as health care, research, transport, energy, etc.
The board will assist the commission in drawing up its policies and promoting the adoption of standards throughout member states to ensure the interoperability of data pools, be it for public sector bodies, data altruism organizations or data intermediation services.
The DGA seeks to create a legal and trustful environment that fosters data sharing. It does not really factor in the additional burdens for the public sector bodies or the data intermediation services in terms of compliance. One can thus expect that the implementation of some measures will be delayed or even resisted by some of the addressees of the DGA.
It is thus still difficult to assess the overall impact the DGA will have in practice. For instance, the new regulatory constraints for data intermediation services might dissuade private parties from shaping their data activities as required under the data intermediation services regime.
As it remains difficult to ascertain when a data-sharing activity qualifies as data intermediation, companies might choose to continue to operate under their existing data arrangements, at least until the competent national authorities give more clarity on data intermediation services.
Other data operators might comply with the data intermediation services requirements so as to benefit from the additional trust associated with the data intermediation services label.
Overall, we also expect that some complexities relating to the sharing of personal data, subject to the GDPR, will weigh on the implementation of the DGA. In any case, the DGA marks a first step in a clear expansion of data regulation in the EU that the future Data Act will reinforce. Legal practitioners will have to juggle those new regulatory requirements.
For instance, the new GDPR-like requirements for third-country transfers of nonpersonal data may create the same kinds of doubts, or require the same caution, as transfers of personal data do in the absence, still, of adequacy decisions for certain countries. This may raise compliance difficulties in the near future for companies.
Alain Strowel, Ph.D., is a partner, Ophélie Snoy is a senior associate and Solène Festor is a junior associate at Pierstone. The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.