Council and Parliament find provisional agreement on the Data Governance Act
On 30 November, the European Parliament and Council provisionally agreed on the final version of the Data Governance Act (DGA). The text, which will still require final approval by both institutions, is the first legislative element of the European data strategy to emerge in its final form. While the final text is yet to be published, here is an overview of the main elements of the Act.
First, the DGA provides new rules aimed at fostering wider reuse of sensitive information held by public sector bodies, such as personal data as well as data protected by trade secrets and intellectual property rights. In the case of personal data, access to reuse can only be granted if data has been effectively anonymized. It also puts limits on the length of exclusive agreements between public sector bodies and reusers.
Second, the new act introduces a framework for data intermediaries that applies to both personal and non-personal data. ‘Data intermediation services’ that are covered by this framework must be structurally separated from all other activities undertaken by the provider, and providers of such services are prohibited from using data that is shared via them. They also need to comply with registration and transparency requirements. At least in theory, this new regulatory framework provides an EU-wide legal basis for collective data governance structures, such as data trusts and data cooperatives, which are rooted in the collective exercise of users’ rights.
Third, the law includes a new chapter on ‘data altruism’ – defined as the voluntary sharing of data by data subjects and data holders for purposes of general interest without seeking or receiving remuneration. Not-for-profit entities that provide such services can register to become “recognized data altruism organisations” that are subject to a series of transparency and reporting requirements, including structural separation from other activities. The definition of data altruism remains a bit vague and could potentially allow malicious actors to mislead data subjects into sharing their data in the name of vague purposes of general interest.
Fourth, the measure establishes a new body tasked with monitoring the emergence of common data spaces in the EU as well as advising the Commission on interoperability standards for data intermediation services: the European Data Innovation Board. The Board will take the form of a multi-tiered stakeholder forum bringing together national competent authorities, technical experts as well as civil society and industry representatives.
Finally, the new act also provides new rules for the cross-border transfer of non-personal data held by public authorities, data intermediation services, and data altruism organizations. In line with the GDPR regime for personal data, the DGA authorizes the Commission to develop model contractual clauses and to declare the adequacy of third countries’ legal regimes.
The final compromise text also addresses one key issue where EDRi previously raised concerns: the potential undermining of GDPR provisions for personal data protection. The provisions in the final text are largely in line with both the substantive requirements and the terminology established by the GDPR for data sharing. In addition, it clarifies the application of the new rules to personal data by reaffirming the primacy of the GDPR over the DGA.
The final text will now need to be adopted by both Parliament and Council. Once that has happened, the new rules will directly apply across Member States starting from 15 months after the entry into force of the Regulation.
(Contribution by: Francesco Vogelezang, Policy Analyst & Paul Keller, Policy Director, Open Future)