Insights EU Data Governance Act (“DGA”) becomes applicable

Contact

The DGA (Regulation 2022/868) creates a new framework for good data management and data sharing with the goal of enabling industries to develop new, innovative products and services (e.g. by giving access to data for training AI systems), as well as to enable the public sector to develop better services.  It applies to personal and non-personal data which is protected e.g. by privacy, confidentiality or intellectual property rights.  It does not apply to publicly available information which is addressed under other EU legislation.

Key aspects of the DGA include a mechanism for the voluntary sharing of data by public sector bodies for re-use for both commercial and non-commercial purposes.  Both the sharing and re-use are subject to conditions such as the requirement to respect privacy, confidentiality and intellectual property rights, and that the re-use complies with principles such as proportionality and non-discrimination.  Public sector bodies who agree to share may be able to comply with such privacy or confidentiality obligations applying to the data such as by the use of anonymisation or NDAs and will be entitled to charge reasonable fees to cover their necessary costs.

The DGA also addresses businesses and individuals who may wish to share data.  To meet concerns by companies that sharing their data may lead to a loss of competitive advantage or be liable to misuse, the DGA also provides for the establishment of data intermediation service providers, neutral third parties, who link data holders (individuals and businesses) with those who wish to access their data.  The DGA provides several safeguards to guarantee the neutrality of intermediaries including providing that, whilst they may charge for their intermediation services, they cannot use the data concerned for financial profit, there must be a legal separation between the intermediation service and any other service provided, and that data intermediaries must register with competent authorities in order to ensure the proposed service does not distort competition and complies with DGA requirements.  Such data marketplaces already exist, enabling data holders to manage, provide and monetise their data via a trustworthy intermediary.

The DGA also introduces the concept of voluntary sharing by individuals and companies of data they generate, without receiving any reward, to be used in the public interest.  Entities that wish to make this data available will be able to register as “data altruism organisations recognised in the Union,” provided they are not-for-profit and comply with certain requirements.  The DGA establishes a standard process enabling those that share data in this way to grant and withdraw their consent to its use.  It is hoped that the standard consent framework will encourage data altruism as well as provided legal certainty to users of the data.

The DGA does not amend or replace the GDPR so that, where personal data is concerned, it is still necessary to comply such as by ensuring there is a legal basis for any processing of the data.

The DGA does not impose an obligation to share data.  The EU Data Act, now going through the legislative process, specifies who can use certain types of privately held data and under what circumstances, introducing mechanisms and standards to enable companies and individuals to exercise more control over data generated by their use of IoT devices or stored in data processing services such as cloud services. This includes introducing rights for companies and individuals to require that data holders make certain data available to them or to third parties in certain circumstances. The draft Data Act also introduces a framework for access by public sector bodies to data held by private data holders in cases of “exceptional need”.

The DGA came into force in June 2022 and, after a 15-month grace period, applies as of 24 September 2023.

Click here for more information.

Expertise