European Parliament approve draft Data Governance Act

The Data Governance Act (DGA) aims to set the foundation for a data economy in Europe and provide a single data marketplace where data can be shared in a trusted and regulated way.

The DGA was first proposed in November 2020 with the aim of increasing trust in relation to data sharing, create new rules on the neutrality of data marketplaces and facilitate the reuse of public sector data. The European parliament has now approved the text of the DGA. The European Council must now approve this position for law to enter into force, but based on a undertaking given on 15 December 2021, it is expected that the law will be adopted without any amendments.

The aim of the law is to create a single European market for data and promote trusted data sharing. This is particularly relevant in specific sectors such as health, energy, mobility, manufacturing and technology, including in relation to the use of AI. Each Member State will be required to establish a supervisory authority to act as a single information point providing assistance to governments. It will also be required to establish a register of available public sector data. These bodies will be overseen by the European Data Innovation Board who will maintain a central register of available DGA Data.

The DGA applies to data defined as any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording that is held by public sector bodies that is not subject to the Open Data Directive but is subject to the rights of others. This may include personal data, including special categories of data such as health data, statistically confidential data, trade secrets and data that is subject to intellectual property rights (DGA Data).

The DGA regulates the way in which public sector bodies can share DGA Data, as well as the intermediaries that facilitate this data sharing. Public sector bodies can facilitate the re-use (using of DGA Data for a purpose other than the purpose for which the data was initially collected) of DGA Data, provided that they have in place safeguards to maintain the privacy and confidentiality of the data. These safeguards can include anonymisation of personal data or modification of confidential data. Public bodies can impose conditions of those wishing to re-use the data for commercial or non-commercial purposes, but those conditions must be non-discriminatory, proportionate and objectively justified, while not restricting competition.

Public bodies are restricted in their ability to grant exclusive arrangements for the sharing of data, with a limit of 12 months for any new arrangement. Any existing arrangements should be terminated within 3 years of the DGA being in force. They are able to charge for access to data, but these cost must be reasonable, transparent, published online and non-discriminatory.

When sharing DGA Data, there are restrictions in place for transfers outside of Europe, including to the UK. Although details are not fully developed, the proposal is for a similar mechanism as under the GDPR, where an adequacy decision will be required before DGA Data that is not personal data (as personal data will be regulated under the GDPR), can be transferred to a third country.

The DGA also defined a new business model for data intermediary services, i.e. services that act as a data hosting marketplace platform (for example, that allow for the sharing of data but do not process or utilise the data). These intermediaries will be required to notify supervisory authorities of their intention to perform these services and a license will be required to carry out such services. A licensing regime will be put in place by supervisory authorities to ensure that the intermediary service is sufficiently independent and has appropriate security measures to protect privacy and confidentiality. Once the intermediary is licenced it will be permitted to use a common logo that signifies it is compliant with the DGA and can be trusted for data sharing. These intermediaries may charge a reasonable fee for the provision of the data intermediary service, but are not permitted to utilise the data for their own purposes or profit. Individuals will be permitted to create a data space or wallet in these marketplaces that will allow them to share their DGA data and have control over parties it is shared with.

The DGA encourages data altruism, which is the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward, for purposes of general interest, such as scientific research purposes or improving public services. This promotes the sharing of otherwise confidential data for the greater good. Organisations who participate in these activities will be entered into a register held by the relevant Member State’s supervisory authority. In order to share data for these purposes, a data altruism consent form will be used to obtain data subjects consent for the processing of their DGA Data for particular processing in the context of a research project or research field (if the data is personal data the requirements under GDPR for consent, if consent is relied upon, must still be satisfied).

While this is directly relevant for public sector bodies, other organisations and individuals in Europe who wish to benefit from this data, as well as any natural or corporate person to whom the relevant DGA Data relates, will also need to be aware of the changes brought in by the DGA. This will be particularly relevant for data transfers of DGA Data outside of Europe. It is likely that the UK will follow in Europe’s footsteps and introduce a similar concept of data trusts to enhance data sharing within the UK.

The DGA will be adopted by the European Council and published in the Official Journal.