The EU Data Governance Act (DGA) has been adopted as the first legal instrument of the European Data Strategy. It will directly apply in all EU Member States from 24 September 2023 onwards. The Act creates the legal framework to allow for increased access to data held by public and private bodies. In this post, we will dive deeper into the new concepts introduced by the DGA and examine its interplay with European data protection law. The substantive rules on data sharing between data holders and data users are then found in the EU Data Act. We will address them in the next post.
Public-Sector Data
One of the DGA’s key concepts centres around data held by public-sector bodies that is protected based on commercial or statistical confidentiality, by intellectual property rights or which contains personal data. To allow society to benefit from access to such data, Arts. 3-8 DGA set out some rules for accessing and “re-using” such data. The Act contains no obligation for public bodies to share their data but instead imposes certain obligations for bodies wishing to do so. Amongst others, data must be accessible in a non-discriminatory, transparent, proportionate and objective way. Additionally, the protected nature of the data must be preserved. Each Member State shall establish a competent body to support the public authorities in these tasks and adopt more specific obligations regulating the sharing of this data.
Data intermediation services
Arts. 9-14 DGA contain rules on so-called “data intermediation services”. In essence, these are services which aim to facilitate data sharing between the (private) entities holding data and the entities wishing to access this data. They provide for instance the technical, legal or other means to support the actual transfer of data between entities or to help them comply with data sharing obligations set out by law, etc. They may also enable individuals whose personal data is shared to exercise their rights under the GDPR. The Member States must establish one or more competent authorities who are tasked to oversee data intermediaries established in their territory. The Act then sets out a two-tier licensing structure for entities providing such services. First, a data intermediary must notify the competent national authority of its intention to act as such an entity and must meet the conditions specified in Art. 11 DGA. Secondly, it can voluntarily opt to further have the authority confirm that it meets the conditions. In case of confirmation, the provider is issued a Commission logo and may use the legend “provider of data intermediation services recognized in the Union”. The conditions in Art. 11 demand, amongst others, that the service is offered by a separate legal person, that pricing is not linked to taking up other services and that data must be provided in the format received.
Data Altruism
Arts. 15 to 22 address the idea of data altruism. This refers to the voluntary making available of data by individuals or companies for the common good, e.g., for scientific research or improving public services. To increase trust in the concept of data altruism, the Act allows organisations engaging in data altruism to register as recognised organisations providing such services. Such registration is entirely voluntarily and allows organisations to carry a specific Commission logo. To qualify, entities must meet specific conditions including that they do not act for profit and pursue objectives of general interest. Where personal data is shared for altruistic purposes, the lawful basis for such transfer must constitute the data subject’s consent. The Commission provides a European consent form to obtain this permission.
International transfers of non-personal data
In the latest since the Schrems II decision, transfers of personal data outside the Union are subject to high standards. You can read more about them here. The DGA now equally imposes certain restrictions on the international transfer of non-personal data within its scope. These take place where the entity seeking access to data wishes to conduct an onward transfer outside the Union or is itself located in a third state. Such transfers should only take place where appropriate safeguards for the use of the data are implemented. Most restrictions concern the re-use of public-sector body data. Users demanding access to the data and intending to transfer it to a third country must notify the public sector body of this intention. Prior to granting access to the data, the body is then obliged to notify the parties that may be affected by the transfer of this data and only allow the request if the parties have consented to the transfer. If the transfer is allowed, the re-user must provide contractual assurances to comply with any confidentiality requirements and to accept the jurisdiction of the courts of the Member State of the public sector body. The EU Commission can further adopt model contractual clauses and declare certain countries to offer adequate protection for the data. Beyond the scope of public-sector bodies, Art. 30 contains a general obligation for entities sharing data, data intermediaries and data altruism organisations to take all reasonable measures to prevent international transfers of or government access to non-personal data in the Union in breach of EU or Member State law.
European Data Innovation Board
Lastly, the Act foresees the creation of a new expert group which advises and assists the EU Commission in further developing the legal framework for the sharing of non-personal data. The Board consists of representatives of the competent authorities of all Member States, the European Data Protection Board, the EU Commission and other relevant representatives of competent authorities in specific sectors.
The European Data Protection Board: Inconsistencies with the GDPR
Naturally, the data subject to the DGA oftentimes also encompasses personal data. The DGA itself states that it applies “without prejudice to the GDPR”, meaning that the European General Data Protection Regulation continues to apply to all processing activities of personal data that take place within the data sharing framework of the DGA. “Processing” personal data refers to virtually all operations performed on personal data. Consequently, most bodies coming into the Act’s scope, namely the public sector bodies holding data to be shared, data intermediaries and data altruism organisations, process personal data when pursuing their functions under the Act. The interplay and possible inconsistencies of the two pieces of legislation have been highlighted by the European Data Protection Board in its Statement on the Data Governance Act of 19 May 2021. The Board stresses that it is important to avoid “that the DGA creates a parallel set of rules, not consistent with the GDPR […] which would result in insufficient safeguards for the individuals concerned and difficulties in the practical application”. It demands that the DGA should clarify without any ambiguity that the processing of personal data shall always be based on an appropriate legal basis under Art. 6 GDPR or under Art. 9 GDPR in case of processing of special categories of personal data, such as for instance health data. Whether the specific mention of this obligation in the Act suffices might be subject to doubt. The mere clarification that the GDPR ‘prevails’, already presupposes that a valid legal basis under Arts. 6 or 9 is always needed. In practice, it should be more important to provide guidance to the different entities within the DGA’s scope on which legal basis they could and should base their processing activities. Furthermore, the Act fails to specify whether certain of its provisions only apply to personal data, non-personal data or to mixed data sets. Here the Board demands to adapt the provisions’ wording as to clearly state their scope of application.
Moreover, the Board suggests that the competent national authorities which Member States must establish to, amongst others, certify data intermediaries or data altruism organisations should in fact be the data protection authorities charged with the GDPR’s enforcement. As these already have specific expertise in the monitoring of the compliance of data processing, the assessment of adequate security measures and other related activities, they would be best suited to oversee the DGA’s application as well. The Board cautions that this would inevitably require the provision of appropriate human, financial and information technology resources.
It becomes clear that data sharing and data protection are necessarily intertwined. Only if data protection standards are respected, data can be shared to the biggest benefit to society. These conflicts become even more visible in the context of the European Data Act, which specifies which entities can access which data under what conditions. This Act will be the topic of our next post.