On 30 November, the European Parliament and Council provisionally agreed on the final version of the Data Governance Act (DGA). The text, which will now require a final vote by both institutions, is the first legislative element of the European data strategy to emerge in its final form. Concretely, the DGA proposes a new horizontal framework for data sharing amongst public sector bodies, data intermediation services and data altruism organizations. While the final text is yet to be published, here is an overview of the main elements of the Act and some of the most noteworthy improvements it has undergone during the legislative process.
First, the DGA provides rules aimed at fostering wider reuse of protected public sector data. Complementing the 2019 Open Data Directive, the new rules apply to the reuse by other players of sensitive information held by public sector bodies, like personal data, as well as data protected by trade secrets and other intellectual property rights. The act limits exclusive arrangements between public and private bodies to situations in which they fulfil a purpose of general interest and then only for a maximum period of 12 months. However, these obligations do not apply to data held by cultural heritage institutions or educational institutions that are covered by intellectual property rights—an overly broad exception that should have been limited to data that are covered by third-party intellectual property rights.
Second, the new act introduces a “novel European way of data governance” by devising a framework for companies and individuals to engage in data sharing in a secure environment. This framework hinges on the idea that ‘data intermediation services’, which aim to facilitate data sharing between data subjects and data holders, on the one hand, and data users, on the other hand, must be structurally separated from any other commercial activities. This is to ensure that data shared via these services cannot be used by the entities providing the intermediation service themselves. With this, the DGA now provides an EU-wide regulatory framework for collective data governance structures, such as Data Trusts and Data Cooperatives, to develop new business models rooted in the collective exercise of users’ rights.
Third, the text includes a new chapter on “data altruism in the general interest”. The act defines data altruism as the voluntary sharing of data by data subjects and data holders for purposes of general interest without seeking or receiving any remuneration. This is applicable for interests related to health care, combating climate change, improving mobility, facilitating the establishment of official statistics, improving public services, public policy making, or scientific research in the general interest. Organizations that seek to collect data for objectives of general interest can register themselves to become recognized data altruism organizations and will be subject to transparency and reporting requirements.
Fourth, the DGA establishes a new body tasked with monitoring the emergence of common data spaces in the European digital single market: the European Data Innovation Board (EDIB). The EDIB is tasked with advising the Commission on a variety of areas covered by the DGA, including interoperability standards for data intermediation services, the protection of non-personal data, and higher cybersecurity standards for data sharing. The EDIB is conceived as a multistakeholder group bringing together national competent authorities, technical experts for the uniformity of portability and interoperability standards, as well as civil society and industry representatives.
Finally, the DGA introduces new safeguards against unlawful cross-border transfer of, and government access to, non-personal data held by public authorities, data intermediation services, and data altruism organizations. Through secondary legislation, the Commission may declare the adequacy of third countries’ legal regimes vis-à-vis the EU in providing appropriate safeguards to non-personal data. Equally, the Commission is entitled to develop model contractual clauses to assist public sector bodies and re-users in the cross-border transfer of sensitive non-personal data. Effectively, the DGA aligns the international transfer regime of non-personal data with the GDPR for personal data.
At an earlier stage of the legislative process we raised concerns that the DGA was not adequately taking into account existing forms of voluntary data sharing, such as open access commons resources stewarded by platforms like Europeana or Wikimedia. We also signalled that some provisions under discussion would risk undermining provisions in the GDPR.
The final text adopted in the trilogue addresses the latter point by clarifying the relationship between the two measures and confirming the primacy of the GDPR over the DGA. The text now brings the new provisions largely in line with both the substantive requirements and the terminology established by the GDPR for data sharing and clarifies the application of the new rules to personal data. Regarding the former point, a new recital clarifies that the requirements established on data intermediaries and data altruism organizations “do not apply to open collaborative knowledge sharing platforms”. The act also makes it clear that not-for-profit organizations do not qualify as data intermediation services, which provides further legal certainty to such projects.
The final text will now need to be adopted by both Parliament and Council. Once that has happened, the new rules will directly apply across Member States starting from 15 months after the entry into force of the Regulation.
With the adoption of the first part of the European Data Strategy, the legislative focus will now shift to the next element of the strategy: the Data Act, which the Commission has committed to unveiling on the 23rd of February 2022. The measure is expected to complement the DGA by providing a variety of incentives for market actors to engage in data sharing, which we have previewed here.