Aiming to encourage voluntary data sharing for business and citizen benefits through secure and trustworthy exchanges, the Data Governance Act (DGA) is a core part of the European data strategy. The European Commission has released a practical guide to help stakeholders comply with the DGA. Although the practical guide for the DGA is rather short (compared eg to the FAQ for the EU Data Act), it offers a thorough summary of the DGA's key provisions.
Data Intermediaries
A main aim of the DGA is to create a reliable environment for data sharing, which includes setting rules for data intermediation services. These services establish commercial relationships for data sharing between data subjects, data holders, and data users. The practical guide gives examples such as data marketplaces, orchestrators of ecosystems like European Data Spaces, data pools where contributors benefit directly, data cooperatives or unions, and personal data wallet or cloud services storing individual data for third-party processing.
The Commission reiterates key commercial conditions for intermediary services:
- Intermediary services can charge fees but must not share user data with recipients not chosen by the user.
- They are prohibited from selling data to third parties and may only share data with user-selected recipients.
- Data and metadata can only be used to improve services, requiring a legal basis under GDPR.
- The entity providing intermediary services must remain legally separate from any other services offered.
- Moreover, the commercial terms, including pricing, must not depend on whether clients use other services.
This restricts data intermediary services significantly in monetising the data.
Finally, the Commission offers a brief summary of the notification requirements for services planning to offer intermediary services.
Public sector data
A crucial element of the DGA is the reuse of protected data from public entities. It sets guidelines for using commercially and statistically confidential data, IPR-protected data, and personal data. The DGA bans exclusive reuse deals and mandates that public sector data be accessible to all potential re-users on fair, transparent, proportionate, and objective terms.
The practical guide also outlines the duties of public sector bodies, including making the request procedure publicly accessible, implementing measures to protect sensitive data, ensuring that the re-user adheres to confidentiality obligations, and deciding on the re-use request within two months of receiving it.
The Commission states that re-users must not re-identify data subjects, and if they do, they must notify the public sector body that granted the permission.
Data altruism
Data altruism encourages individuals and companies to share data voluntarily for public benefit, without profit. To qualify as a data altruism organisation, entities must be non-profit, legally independent from for-profit businesses, and use data for the public good. They must maintain a separate structure for data altruism activities to build trust. These organisations can collect data directly or process data collected by others and allow third parties to use it. Secure storage and compliance with a Commission rulebook are also required.
Competent authorities
The DGA specifies the standards for national authorities overseeing data intermediation services and data altruism organizations, requiring them to be structured, cooperative, independent, and transparent. These authorities must ensure compliance with the DGA, and both individuals and legal entities can challenge their decisions legally. Though enforcement is crucial, the guide lacks further details on the enforcement regime's roles. Some EU member states have yet to set up national authorities to enforce the DGA, even though it is already in effect.
The European Data Innovation Board
The European Data Innovation Board (EDIB), established under the DGA, aims to share best practices and oversee its implementation. It includes representatives from national and EU authorities and can propose guidelines for data spaces and transfers outside the EU. Additionally, it has responsibilities related to the EU Data Act. The EDIB is crucial in ensuring the DGA's effective implementation and alignment with the EU's digital goals.
What lays ahead
Despite being in effect, the DGA has not garnered much attention yet. However, it could provide companies with access to public sector data. Moreover, businesses providing data intermediary services need to be ready to meet a comprehensive array of new obligations. A growing number of member states are establishing relevant competent authorities, and enforcement is likely to begin sooner rather than later.