Clear rules and security measures are needed to ensure that data can be shared securely and reliably. The European Data Governance Act (DGA) was created as a cross-sector instrument for this purpose. The aim is to enable the smooth exchange of data while overcoming the lack of trust among those affected.
In a nutshell
- The Data Governance Act (DGA) is an EU regulation and therefore applies directly in all member states.
- The aim of the DGA is to create a European single market for (personal and non-personal) data.
- Practical implementation is left to the Member States, which could undermine the achievement of the objectives.
Scope of application of the Data Governance Act
The Data Governance Act is a cross-jurisdictional, supplementary EU regulation and is therefore not intended to interfere with existing specialised legal regulations. This means, in particular, that the General Data Protection Regulation (GDPR) is decisive for personal data and even takes precedence in cases of doubt. Similarly, sector-specific and national regulations (e.g. competition law) remain unaffected.
Core objectives of the Data Governance Act
The DGA aims to build trust and promote voluntary data sharing in the European Union in order to drive innovation and the creation of a European single market for data. In particular, it regulates the reuse of protected data held by public authorities, regulates data intermediary services, known as (data) intermediaries, and promotes data altruistic organisations.
Reuse of protected public data
Chapter II of the DGA creates a uniform framework for the reuse of protected data held by public bodies (e.g. personal data or trade secrets). The rationale behind the regulation is that data collected with the help of public funds should also benefit society.
If a public body permits reuse, it must make the conditions of access and the procedure public and ensure transparency, non-discrimination, proportionality and competitive neutrality (Art. 5 DGA). Personal data must be anonymised and confidential or copyright-protected content must be processed using appropriate disclosure controls.
The DGA generally prohibits exclusive rights of use and opens up the possibility of charging fees under transparent, non-discriminatory conditions. For personal data, the provisions of the GDPR also apply (legal basis, possible joint responsibility between public authorities and re-users, obligation to carry out a data protection impact assessment).
This does not override any national access or confidentiality regulations. Rather, it remains primarily the responsibility of the Member States and the respective public bodies to determine whether and to what extent or under what conditions data is released.
Data intermediation services
Chapter III of the DGA establishes a set of rules for providers acting as neutral intermediaries for data exchange. The aim is to provide an infrastructure for the exchange of data between market participants. To this end, the DGA defines (data) intermediaries as actors who are to connect an indefinite number of data subjects or data owners with potential data users.
- The DGA defines a “data owner” as a legal or natural person (including public authorities) who is authorised to grant third parties access to certain data.
- “Data users” are the recipients who are lawfully granted access via the intermediary service.
Both services for personal and non-personal data are covered by the rules.
The aim of data intermediation services is to promote neutrality and interoperability and to avoid lock-in effects on the data market. Interoperability is therefore important so that different systems or services can work together easily and smoothly. If interoperability is ensured, data can be exchanged, read and further processed between different providers without great effort. Lock-in effects can arise when data or formats are tied to the manufacturer in such a way that switching to another provider would involve considerable effort or data loss. These requirements are intended to promote fair competition and reduce excessive dependence on individual providers.
According to Art. 11 DGA, every provider of data intermediation services who intends to provide the data intermediation services referred to in Art. 10 DGA is subject to a notification requirement. The competent authority for notification in Germany is the Federal Network Agency.
Registration as an intermediary results in a publicly viewable entry and subjects the services to regulatory oversight. The material obligations are regulated in Art. 12 DGA. Data may only be used for the purpose of passing it on to data users. Independent commercial exploitation is prohibited. Pure cloud providers and the provision of technical tools or services that enable data exchange only as a side effect are not considered intermediaries.
Data altruism
The DGA introduces a system for data altruism throughout the Union. This refers to the voluntary, free provision of personal data on the basis of GDPR-compliant consent or non-personal data on the basis of permission from the data owners for purposes of general interest (e.g. health, research, or the environment).
Recognised data altruistic organisations must comply with a set of rules to be determined by the European Commission and will be entered in a public register. In order to increase the trust of data donors, there are transparency obligations regarding the data collected, the purposes for which it is used, access rights and strict purpose limitation.
To facilitate the granting and withdrawal of consent, the standardised consent form (Art. 25 GDPR) provided by the Commission will be made available.
Recognised data altruistic organisations are subject to independent supervision and are permitted to display an EU logo, which is visibly affixed to publications and linked to the register via a QR code.
In the event of violations, the competent authority may request statements, demand remedial action, order measures and, in the event of continued non-compliance, order deletion from the register.
Coexistence of the GDPR and the DGA
The DGA adopts key definitions from the GDPR and regulates both personal and non-personal data, which can lead to overlaps and questions of interpretation. Since the DGA does not create an independent legal basis for the processing of personal data in accordance with Art. 1 (3) DGA, tensions may arise. The transfer of personal data is only legally compliant if the requirements of the GDPR are met.
In practice, this means that data subjects can transfer personal data to a company via a data brokerage service, with the broker acting solely as the provider.
Whether the intermediary is to be regarded as a processor or as a separate controller depends on the individual case. The decisive factor is who determines the purpose and means of data processing:
- If the intermediary acts exclusively on the instructions of the receiving company, the obligations of contract processing may apply.
- However, if the intermediary pursues its own purposes (e.g. sale of the data), there is much to be said for qualifying it as a controller.
Any support activities performed by the intermediary, such as format conversions, pseudonymisation or anonymisation, are permitted under Art. 12(e) GDPR.
However, a valid legal basis for data processing is required. This will usually be the consent of the data subject mentioned above. For this purpose, the European Commission provides the above-mentioned consent form, which must also comply with the requirements for consent and revocation under Art. 7 GDPR.
Right of appeal and sanctions under the DGA
Supervisory and enforcement tasks remain with the competent national authorities. These authorities are empowered to sanction violations with fines and business interruptions. In Germany, the Federal Network Agency (BNetzA) is responsible.
Pursuant to Art. 27 DGA, natural and legal persons may lodge complaints with the competent authorities against the conduct of data brokerage services and recognised data altruistic organisations. In addition, Art. 28 DGA guarantees the right to effective judicial protection against official decisions under Art. 14 (for intermediary services), Articles 19 and 24 DGA (for data altruistic organisations) and against official omissions.
Under Art. 34 DGA, Member States are obliged to provide for sanctions for infringements of the obligations of individual providers set out in the DGA. Art. 34(1) sentence 2 DGA requires that sanctions must be effective, proportionate and dissuasive. In order to achieve this dissuasive effect in the case of particularly serious infringements, the German government’s draft law implementing the EU regulation provides for fines of up to EUR500,000.
European Data Innovation Board (EDIB)
Art. 29 of the DGA provides for the establishment of a European Data Innovation Board (EDIB), which is to propose guidelines for data sharing, data altruism and interoperability, thereby acting in an advisory and supportive capacity to the Commission. The EDBI consists of representatives of national authorities, EU institutions and other stakeholders.
Conclusion
The DGA can be an effective legal framework for a European data single market. It establishes instruments such as transparency requirements, registration obligations, supervision and sanctions, which are intended to build trust and facilitate data sharing. However, practical obstacles such as a lack of technology, infrastructure and cumbersome procedures can slow down this development.
Overall, the DGA offers incentives for companies to actively participate in the data economy. However, whether this will be successful and thus lead to greater data sharing and data use across the board depends on the specific implementation in the respective Member States.
Although the DGA is a regulation and not a directive, meaning that it is directly applicable in the Member States, its practical application remains dependent on the respective national arrangements, such as the designation of competent authorities, the determination of sanctions and regulations on data preparation. Particularly where the effort involved is high and there are no obligations to prepare data, it is to be expected that public authorities, for example, will not participate in data exchange across the board without a binding obligation to prepare data.