Data Governance Act (draft) – framework for re-use of government data

It is the declared goal of the German Federal Government's data strategy (concretised in its Open Data Strategy of July 2021) to “put to use for society the opportunities that lie in data": the enormous pool of data available to the public administration is to be made accessible to citizens and businesses. This is also one of the goals of the EU's "Data Governance Act", ie the planned "Regulation on European Data Governance" (DGA).

New regulation will create framework conditions for open data concepts

The Data Governance Act has been presented as a first draft by the EU Commission in late autumn 2020 and has been the subject of many discussions since. Recently, a compromise for a revised draft has emerged from negotiations between the EU Parliament and the EU Council.

The DGA has three core components: Regulations on the re-use of public sector data, regulation of "data intermediation services" and a framework for "data altruism". In addition, a European Data Innovation Board is to be established.

The Data Governance Act is merely a framework. The DGA does not impose obligations to make data publicly available, nor can one derive any data access rights from the DGA. Data protection, intellectual property, competition law and trade secret protection, to name just a few important issues, must all be observed under the DGA as usual.

What public sector data are we talking about?

The aim of the DGA is to make it easier for public sector bodies to exchange data with the private sector. In doing so, public authorities are also allowed to make data available to the private sector for further use that is subject to third-party intellectual property rights – the DGA thus supplements the EU Directive 2019/1024 on Open Data and the Re-use of Public Sector Information (PSI Directive), according to which such data could not yet be shared. Specifically, the DGA concerns data that is (i) confidential, (ii) protected by copyright, or (iii) personal data according to the General Data Protection Regulation/GDPR; however, it excludes data whose use would pose a threat to public security. Whether, and if so, what data a public sector body makes available or is required to make available to the public will depend on national provisions and local administrative practice.

If a public sector body opens up its data for further use under the DGA, the authority must ensure that this data remains protected during further use. For example, it must make sure that users commit to confidentiality obligations. Depending on the category of data and on the circumstances, it may also be necessary for the data to be aggregated or modified in such a way that it can no longer be attributed to a specific company, for example. The public sector body may also decide to allow using the data in a secure processing environment, only. For personal data, if anonymisation is not possible, a legal basis under the GDPR is required for the further use of the data. Where necessary, the public sector body supports potential data users in obtaining consent from data subjects. Users, in turn, must implement technical and organisational measures to protect data and report any data breaches to the public sector body.

What will the "infrastructure" for the use of government data look like?

Similar to the "ESAP" (proposal of the EU Commission for a "European Single Access Point", which deals with financial information and sustainability data of the private sector), there are to be national information points (Single Information Point) for the data of the public sector under the DGA. Each of these "information points" is to maintain a database in which all data sources made available by the authorities of a member state are listed. Requests to use the data will be forwarded by this central information point to the individual authorities – which must respond within two months. At the EU level, these national databases will in turn be pooled European single access point.

Restrictions for exclusivity agreements regarding data access

The conditions under which public authorities grant access to their data must be non-discriminatory and must be transparent and reasonable. Public sector bodies may charge fees, as long as these do not impair competition – discounts for SMEs and start-ups will be possible.

In the spirit of "open data", agreements granting companies exclusive rights to use data will be subject to tight restrictions under the DGA: the agreement must be in the public interest and the term must be limited to 12 months. Existing exclusivity agreements are also covered by the DGA and will expire no later than 2.5 years after the regulation enters into force.

Issues regarding data transfers to third countries

As is known from the field of data protection, the transfer of data to third countries - ie non-EU countries - is not without problems. This also applies to non-personal data that qualify as trade secrets or Intellectual Property. Under the DGA, the re-use of data in a non-EU country is only permitted if the re-user contractually undertakes to maintain IP rights and confidentiality even after the transfer to the third country. The European Commission will provide model contractual clauses for this (by way of a so-called implementing act). Again similar to the GDPR, however, the DGA also opens up the possibility for the Commission to declare for certain third countries that their level of protection corresponds to that of the EU. For the transfer of data to these countries, then, such a special contractual obligation would not be necessary.

In line with a global trend, the Data Governance Act also contains rules on "data localisation": if the transfer of certain categories of non-personal data poses a risk of harming EU interests, such data may be classified as "highly sensitive". The EU Commission can restrict the third-country transfer of such data or make it subject to special conditions. Whether, for which data and in what way the Commission will make use of this remains to be seen.

Intermediaries, data altruism and the European Data Innovation Board

In addition to the use of government data (and its provision via central, national information points), the Data Governance Act deals with two other forms of data provision, namely "data intermediation services" (in the first draft of the DGA, this was referred to as "data sharing services") and the provision of data for altruistic reasons (releasing one's own data to promote charitable purposes such as health, mobility, etc.). In both cases, the aim is to bring data owners together with potential data users. This is to enable the exchange of data between companies and between individuals and companies in a trustworthy environment. Providers of data intermediation services and data altruism services can, under certain conditions, be listed in registers. Once registered, they may use the title "provider of data intermediation services recognised in the Union " or "data altruism organisation recognised in the Union" and may use a corresponding logo. There are differences between these two regarding the registration process: a data altruism organisation must be examined and approved by the competent authority, whereas for data intermediation service providers, notification of the authority is sufficient.

It is up to the member states to decide which national authorities shall implement the provisions of the Data Governance Act. The member states may also establish new authorities. At EU level, a "European Data Innovation Board" is to be formed. This expert group will be composed of representatives of EU authorities, national authorities and various stakeholders. It will advise the EU Commission, promote cooperation between the respective competent authorities and develop guidelines for "common European data spaces".

What’s the timeline?

The DGA still has to go through the further legislative process, the next step being the first reading in the EU Parliament. It is not to be expected that the text of the regulation will be significantly revised, but it cannot be ruled out that there will be changes in the details. Currently, the Data Governance Act is scheduled to be applied 15 months after its adoption. The regulations on data intermediation services are to apply two years later.

It will be interesting to see how the various instruments of the DGA will fit into the rapidly developing ecosystem of new "data spaces" emerging in a wide variety of areas. Nevertheless – or precisely because of this – it is worthwhile for companies to take a look at the opportunities that the Data Governance Act will create.