Author: Mădălina Bucur
On 16 May 2022, the Council of the European Union announced the adoption of the Data Governance Act (“DGA”) following the Council’s approval of the European Parliament’s position.
After the signing formalities, DGA will be published in the Official Journal of the European Union and will enter into force 20 days after publication.
DGA will apply 15 months after entering into force.
This article is intended to provide a general overview of DGA's main provisions.
Key points on DGA
- The Commission presented DGA on 25 November 2020
- DGA is the first legislative initiative that has been adopted under the European strategy for data.
- the European strategy for data aims at creating the framework for data to flow freely within the EU and across different sectors
- Both personal data and non-personal data are in scope of DGA. Together they are referred to as “data”, meaning any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording
- Regarding the interplay between DGA and other laws:
  - DGA is without prejudice, amongst others, to competition and data protection laws
  - in case of a conflict between DGA and data protection laws, the latter shall prevail. So, the General Data Protection Regulation (GDPR) continues to stand when it comes to personal data
  - DGA does not create a legal basis for processing personal data
- DGA sets up a framework enabling/facilitating:
  - safe re-use of certain categories of data held by public sector bodies
  - data intermediation services providing a safe environment for companies and individuals to share data
  - “data altruism”, meaning the voluntary sharing of data to be used in the general interest
- Regarding the re-use of protected public-sector data:
  - re-use means using data held by public sector bodies, for commercial or non-commercial purposes, other than the purpose for which the data were initially generated
  - it concerns public-sector data which are protected on different grounds, including trade secrets, personal data, and intellectual property rights
  - as a rule, agreements or other practices which grant exclusive rights or restrict the availability of data for re-use shall be prohibited
  - as an exception, an exclusive right to re-use data may be granted to the extent necessary for the provision of a service or the supply of a product in the general interest that would not otherwise be possible
  - the duration of an exclusive right to re-use data shall not exceed 12 months. Existing agreements that do not fall under the exception need to be terminated no later than 30 months after DGA enters into force
  - the conditions for allowing re-use of data and the procedure for requesting it need to be made publicly available
  - re-use of data shall be allowed only in compliance with intellectual property rights
  - a European single access point with a searchable electronic register of public-sector data will be set up. The register will be available via the national single information points each Member State will have to implement
- Regarding data intermediation services:
  - DGA covers services aiming to establish commercial relationships for data sharing purposes between an undetermined number of data subjects or data holders[1] on one hand and data users[2] on the other hand
  - services involving enriching data or otherwise adding value to it, as well as cloud storage, web browsers, browser plug-ins or email services do not fall under DGA scope, mainly because such services are generally not provided for data sharing purposes
  - providers wishing to offer data intermediation services shall notify the competent authority beforehand and meet specific conditions, such as the following:
    - use of the data for other purposes than providing the data intermediation service is prohibited
    - metadata (i.e., data about how the service is being used) shall be used only for the development of that service, which may entail the use of data for the detection of fraud or cybersecurity
    - metadata shall be made available to the data holders upon request
    - use of data in the format received
  - a public register of all data intermediation services providers providing services in the EU will be kept and updated by the Commission
  - providers that are not established in the EU, but which offer data intermediation services within the EU, shall designate an EU legal representative
  - the competent authority is the one in the Member State where the service provider has its main establishment
- Regarding “data altruism”:
  - DGA defines data altruism as the voluntary sharing of data based on the data subjects’ or data holders’ consent for objectives of general interest, without seeking or receiving a reward that goes beyond compensation for the costs incurred in making the data available
  - this could concern general interest objectives such as healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, public policy making or scientific research purposes in the general interest
  - the Commission shall adopt implementing acts establishing and developing a European data altruism consent form
  - DGA provides a registration process for data altruism organizations. Registration is however not mandatory
  - to be registered as a data altruism organization, entities must meet specific conditions, including to operate on a not-for-profit basis and be legally independent from any entity that operates on a for-profit basis
  - entities operating in several Member States shall register via their main establishment and those with no EU establishment shall nominate an EU representative
  - a public register of recognized data altruism organizations will be kept both at national and European level
  - insofar as an entity is registered in the public national register of recognized data altruism organizations, it may use the label “data altruism organization recognized in the Union” in its communication, as well as a common logo to be established at EU level
- Specific conditions apply for transferring non-personal data to a third country. DGA even provides that the Commission may adopt model contractual clauses for assisting public sector bodies and re-users of public-sector data in complying with their related obligations
- A European Data Innovation Board will be established in the form of an expert group, having several tasks, including advising and assisting the Commission with regard to developing consistent guidelines for cybersecurity requirements for the exchange and storage of data. The European Data Protection Board will also be part of it.
- Member States shall lay down the rules on penalties applicable in case of DGA infringements and shall notify the Commission of the measures implemented within a set term.
What comes next?
Since DGA was adopted as a regulation, it applies directly in Member States, including Romania. However, certain aspects as well as roles and attributions need to be defined at local level.
There are other EU initiatives currently ongoing, some linked with DGA, that should also be followed, including the proposed Data Act that aims to clarify who can create value from data and under what conditions.
So, the monitoring of local developments begins, as they may be critical for the effective implementation of the mechanisms introduced by DGA and related acts.
_______________________
[1] Data holder under DGA means a natural or legal person who is not a data subject and who has the right to grant access to or to share certain data.
[2] Data user under DGA means a natural or legal person who has lawful access to data and has the right, including under GDPR, to use that data for commercial or non-commercial purposes.