Insights European Data Protection Board and European Data Protection Supervisor adopt joint Opinion on the Data Governance Act

The EDPB and EDPS have adopted a joint Opinion on the proposal for a Data Governance Act (DGA). The DGA aims to foster the availability of data by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU. In particular, the DGA aims to promote the availability of public sector data for reuse, promote the sharing of data among businesses and allow personal data to be used with the help of a “personal data-sharing intermediary”. The DGA also seeks to enable the use of data for altruistic purposes.

The EDPB and the EDPS acknowledge the legitimate objective of the DGA to improve the conditions for data sharing in the internal market. At the same time, they say that the protection of personal data is an essential and integral element for trust in the digital economy. The EDPB and the EDPS invite co-legislators to ensure that the future DGA is fully in line with EU personal data protection legislation, thus fostering trust in the digital economy and upholding the level of protection provided by EU law under the supervision of the EU Member States’ supervisory authorities.

The EDPB and EDPS consider that the DGA must clearly and unambiguously state that it will not affect the level of protection of individuals’ personal data, nor will any rights and obligations set out in data protection legislation be altered.

On the reuse of personal data held by public sector bodies, the EDPB and EDPS recommend aligning the DGA with existing rules in the GDPR and with the Open Data Directive (2019/1024/EU). Further, it should make clear that the reuse of personal data held by public sector bodies will only be allowed if it is grounded in EU or Member State law. Such laws should state that further processing may only be lawfully authorised for certain clear compatible purposes or where it constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives set out in Article 23 of the GDPR.

On data sharing service providers, the Opinion highlights the need to ensure prior information and controls for individuals, taking into account the principles of data protection by design and by default, transparency and purpose limitation. In addition, the ways in which such service providers should assist individuals in exercising their rights as data subjects should be clarified.

As for “data altruism”, the EDPB and the EDPS recommend that the DGA should better define the purposes of general interest of such “data altruism”. Data altruism should be organised in such a way that it allows individuals to easily give, but also withdraw, their consent.

In light of the possible risks for data subjects when their personal data might be processed by data sharing service providers or data altruism organisations, the EDPB and EDPS consider that the registration regimes for these entities, as set out in the DGA, do not provide a sufficiently stringent vetting procedure. Therefore, the EDPB and EDPS recommend including a more systematic set of accountability tools, in particular the adherence to a code of conduct or certification mechanism.

The Opinion also recommends designating supervisory authorities as the main authorities with control over compliance with the DGA, in consultation with other relevant sectorial authorities. To read the EDPB’s press release in full, click here. To access the Opinion, click here.