Trust and Legal Certainty for the data-driven Economy? A look into the EU Data Governance Act
Published on 14th Jun 2022
The EU sees a bright future for a European data economy. The ambition of the Data Governance Act (DGA) is to enhance legal certainty by defining governance mechanisms for the sharing of data. The DGA focusses on certain forms of data sharing, especially for data held by the public sector. But it will also be relevant for the private sector and could be supplemented by sector-specific rulemaking such as the European Health Data Space.
This is chapter 2.13 of Data-driven business models: The role of legal teams in delivering success
The DGA is part of a wider EU policy effort to regulate the data-driven economy. The EU's ambition is to promote data sharing, and ensure that data is and remains findable, accessible, interoperable and re-usable (referred to as the FAIR acronym). In short, the EU wants businesses to compete on their intrinsic merits, rather than on the amount of data they happen to possess or control. But in order to achieve that purpose, there is a need for increased legal certainty, in particular with respect to data that is protected or restricted under data protection law, intellectual property or trade secrets rules.
In that context, 'data governance' is to be understood as a set of rules, structures, processes and technical means to share and pool data. The goal of the DGA is to lay down a level playing field for data sharing and pooling, with all relevant stakeholders (including data subjects and data holders) being represented and engaged, so that the rules of the sharing game become clearer, and businesses in turn benefit from greater access to datasets that they can re-use lawfully.
The DGA will create a common minimum legal regime (governance) across the EU in respect of three key areas: (i) the re-use of certain data held by public sector bodies, (ii) the provision of data intermediation services and (iii) the provision of services based on "data altruism". In addition, it allows for the adoption of sector-specific data spaces through implementing legislation, in areas such as health, mobility, climate, financial services, agriculture and manufacturing. In so doing, the DGA lays important foundations for data sharing beyond those three specific areas, through a focus on salient cross-sector issues such as promoting openness and transparency, implementing technical means to preserve the integrity of data, and ensuring effective protection for third parties' rights. The first sector-specific regulation could be the Regulation for a European Health Data Space, the draft of which has just been officially published.
Interaction with other legislation
As a general rule, the DGA is not intended to change or amend existing legislation, nor to create any obligation to share or allow re-use of data. Its provisions must be applied in combination with existing primary and secondary sources of EU law and with national law. Several commentators have highlighted, though, that combining the DGA with other rules on data sharing is not exactly frictionless, and that many questions arise.
For instance, the DGA defines new forms of data intermediaries, but it is unclear how and to what extent the responsibilities of those entities apply with respect to other kinds of intermediaries, in particular platforms and other gatekeepers as regulated under the coming Digital Services and Digital Markets Acts. Another example is the interaction with data protection rules. The DGA clearly states that the EU and national rules on data protection must be complied with, and even prevail in the event of conflict. It also clarifies that the DGA does not create an additional legal basis for the processing of personal data nor alter any obligations and rights laid down in the General Data Protection Regulation (GDPR) or the e-Privacy Directive. It remains to be seen, though, whether this will suffice to define clearly which rules apply in respect of mixed datasets (containing both personal and non-personal data), or in situations where advanced analytics and machine-learning techniques enable the re-identification of previously anonymised data. In such cases, it might be difficult to assess whether only the data sharing rules of the DGA apply, or must be combined with the more demanding requirements of the GDPR.
The same difficulty can be seen with respect to the international transfer of non-personal data to third countries. In this regard, the DGA sets new restrictions and rules inspired by the GDPR provisions on international data transfers. The DGA requires those sharing data to obtain contractual assurances on confidentiality and, in respect of intellectual property law, to assess the risk of government access to data. It limits the cases where data sharing entities may comply with requests for access from third country authorities. The combination of those new obligations with existing post-Schrems II transfer impact assessment and risk mitigation exercises will leave practitioners and privacy professionals with many unanswered questions.
A wealth of new data sources?
The text of the DGA focusses on certain categories of entities that are likely to authorise the re-use of data: (i) public sector bodies, (ii) data intermediaries and (iii) data altruism organisations. In the short-term, these can be labelled the potential new sources of data for businesses, keeping in mind that the DGA also provides a general framework for data sharing beyond those three categories of data sources, through implementing legislation.
- Public sector bodies are authorities or entities established for purposes of general interest with no industrial or commercial character, having legal personality and funded or controlled by public authorities. The DGA does not create a new obligation to allow the re-use of data but creates a framework to facilitate the sharing of such data when it is protected under confidentiality obligations, intellectual property or data protection laws and hence falls outside the scope of the Open Data Directive. It should be noted that the DGA has a carveout for public undertakings, broadcasters and cultural establishments. Outside these categories, the general range of public sector bodies that possess datasets and have not yet made these available for reuse could now be requested to share them and would then need to comply with the specific requirements set out in the DGA to accommodate the protection of confidentiality, intellectual property or personal data.
- Data intermediaries are a new category of provider that facilitates the sharing of data and aims to establish commercial relationships between several data holders and categories of data users. On the face of it, the Act targets three forms of intermediaries: (i) data exchange services or platforms, (ii) services that enable individuals to control the sharing of their personal data, and (iii) so-called "data cooperatives" that support their members in exercising their rights with respect to data. Categories of traditional services such as web browsers, email services, cloud storage, analytics or data sharing software are excluded, as are services used in a closed group such as those ensuring the functioning of Internet of Things (IoT) devices or objects. All of this seems to refer to new business models or innovative data services such as implementations of the Solid protocol or the MyData movement. But existing marketplaces or consent management systems could fall under that definition as well, and be subject to the same general obligations as imposed upon all data intermediaries: prior notification to a competent authority of the intention to operate as a data intermediary, based on a mandatory disclosure of data sharing services and activities, rules on independence, and requirements to ensure that the data sharing activities are carried out in an open and transparent manner.
- Data altruism is defined as the voluntary sharing of personal or non-personal data without seeking a reward and for purposes of general interest, such as healthcare, combating climate change, or improving mobility. The DGA requires data altruism organisations to be registered, imposes a not-for-profit corporate structure, and mandates an independent functioning and functional separation from other activities, as well as a number of requirements to safeguard transparency and data subjects' rights. The Commission may also lay down further rules regarding information requirements, technical and security measures and interoperability standards.
Common issues for data sharing
While the DGA creates specific rules and enforcement or monitoring systems for these various categories of data sources, it is useful to highlight three common themes in the regulation of data sharing. These could also become recurring themes when implementing legislation is enacted to foster data sharing in specific sectors or for specific purposes, such as the European Health Data Space.
- First, the goal to ensure that data be “as open as possible, as closed as necessary”. In order to maximise openness, the DGA requires the sharing of data to be done on a non-discriminatory and non-exclusive basis. Exclusive re-use arrangements with public sector bodies are generally prohibited, subject to a very narrow exception tied to the provision of a service of general interest. The conditions and fees for re-use of public sector data must be proportionate and justified on the basis of objective grounds, and fees must remain limited to the necessary costs. The same ambition inspires rules for data intermediaries and data altruism organisations: they must ensure interoperability of data formats and interoperability with other similar providers, and ensure their services are available on a fair, transparent and non-discriminatory basis. In addition, implementing legislation can be enacted to promote the availability of data or to facilitate the obtaining of consent, for instance.
- Secondly, the willingness to ensure an effective protection of third parties' rights such as confidentiality, intellectual property or data protection laws. Throughout the DGA, entities that benefit from access to data, and those that facilitate such access, are made accountable and must preserve the confidential nature of data, ensure anonymisation of personal data or protection against disclosure of commercially sensitive pieces of information, including by implementing appropriate organisational and technical measures or passing on the same requirements to their contractual counterparts involved in the data sharing. For public sector bodies, that includes the ability to prohibit the use of results that contain information jeopardising the rights and interests of third parties, or to prohibit re-identification of data subjects, for instance. Where data intermediaries are able to facilitate data sharing, this remains subject to the purpose-limitation principle and they must act "in the data subjects' best interest" when facilitating the exercise of the data subjects' rights under data protection legislation. For data altruism organisations, in addition to the layer of transparency requirements, they must provide tools for granting and withdrawing permissions to process data.
- Thirdly, the notion of "secure processing environments", highlighting the need to implement a combination of legal, contractual, technical and organisational measures in order to preserve the integrity of the data. The notion of a secure processing environment is even defined as both the physical or virtual environment and the organisational means to ensure compliance with applicable Union or national law at large, allowing the entity to determine and supervise data processing actions, going from display and download to "calculation of derivative data through computational algorithms". Public sector bodies have a specific obligation to use such secure processing environments, and the recitals refer to techniques such as anonymisation, differential privacy, randomisation (again, these principles could be extended through implementing legislation for dedicated European data spaces). But data altruism organisations and even data intermediaries might also find themselves under a duty to use secure processing tools, either under the general obligation to implement adequate measures to prevent unlawful transfer or access to data, or pursuant to national implementing legislation.
A new regulatory regime for the data ecosystem
There is no doubt that the DGA represents a significant extension to the framework for data regulation in the EU. Its impact will not be limited to businesses located within the EU – it will also apply to data intermediaries providing services into the EU, and data altruism organisations that are collecting data from within the EU. The EU is seeking both to support businesses by boosting the data ecosystem with these measures, and also to control it and ensure the trust of consumers by laying out a clear framework for governance. Alongside the proposals for the Data Act, which will create new rights for data subjects to secure access to non-personal data (see further Chapter 2.10), and proposals for governing the data used to train AI deep learning systems (see further Chapter 2.7), the European Data Strategy will lead to wide-ranging changes in the landscape for data in the EU. There will be significant new opportunities for businesses and for individuals, but also sweeping expansion of data regulation, including full regulatory enforcement frameworks to ensure compliance.
We have partnered with European Company Lawyers Association (ECLA) to produce a report exploring the challenges and opportunities associated with new data-driven business models.