Digital Reform – Preparing for a New Data-Driven World: The Data Governance Act
While the volume of data generated by people and organisations in the EU and elsewhere has exponentially increased in recent years, much of it remains underutilised. Despite the amount of data being generated, the incentives and trusted mechanisms necessary for it to be widely shared are lacking in many respects. Recognising the potential of this data for economic growth, competitiveness, innovation, job creation, societal progress, and indeed, the development of AI systems, the EU has developed a series of legislative initiatives aimed at ensuring data becomes more widely available for use in the economy and society. The Data Governance Act and the Data Act are key pillars of this “European strategy for data”. In this article, we will focus on the Data Governance Act, which seeks to increase trust in data sharing and strengthen mechanisms to increase data availability.
The Data Governance Act
As part of the European Digital Strategy, the European Commission proposed the Data Governance Act (the “DGA”) which is now published in the Official Journal of the European Union. It entered into effect on 23 June 2023 and will apply in full from 24 September 2023.
The DGA recognises that data re-use is hampered by low trust in data sharing, conflicting economic incentives and technological obstacles. It therefore seeks to incentivize the construction of a reliable data sharing system through four main Pillars:
Re-Use Of Public Sector Data
In contrast to the Open Data Directive which regulates the re-use of publicly available information held by the public sector, the DGA seeks to facilitate the re-use of protected data held by public sector bodies (e.g. confidential information and personal data). A number of rules are specified in the DGA to facilitate re-use of this data which include:
- A prohibition on granting exclusive rights over certain public sector data;
- A requirement that public sector bodies ensure measures are taken to ensure the protected nature of data such as placing restrictions on access. This may include only allowing access to the data in a secure processing environment such as the physical premises of the public sector body. Technical solutions including anonymisation and pseudonymisation will also be important; and
- Where re-use of data is not allowed on the basis it is personal data or confidential data, the public sector body must make best efforts to assist potential re-users, by seeking consent of data subjects or rights holders for example.
It should be noted that the DGA does not create an obligation to allow the re-use of data held by public sector bodies. It is up to each Member State to decide whether data is made available for re-use as well as the scope of such re-use.
Data Intermediation Services
Another way that the DGA seeks to increase trust and provide a mechanism for data sharing is by providing for trustworthy organisers of data sharing and pooling called “data intermediation services”. Data intermediation services are neutral third parties that connect individuals and companies with data holders and data users, e.g. a data marketplace.
The key aspect of a data intermediation service is that it cannot monetize, transform or add value to the data. Rather, it merely facilitates the establishment of commercial relationships between data holders and data users. This is an important requirement for building trust, because many companies fear that sharing their data would imply a loss of competitive advantage and represent a risk of misuse. Some important requirements for data intermediation service providers are:
- there must be a clear separation between the data intermediation service and any other services provided, i.e. they must provide the service through a separate legal entity;
- data intermediation service providers must ensure that the procedure for access to the service is fair, transparent and non-discriminatory, including with regard to prices and terms of service; and
- data intermediation services must have in place procedures to prevent fraudulent and abusive practices.
Any entity that wishes to provide a data intermediation service must notify their competent authority, which will be the competent authority where it has its main establishment. Entities providing data intermediation services have until 24 September 2025 to comply with their obligations.
This Pillar incentivizes data sharing by another means; the voluntary sharing of data by individuals and companies (without reward) to be used in the public interest. Entities that make available data based on data altruism will be able to register as “data altruism organisations recognised in the Union”. These entities must:
- have a not-for-profit character;
- meet transparency requirements as well as offer specific safeguards to protect the rights and interests of citizens and companies who share their data; and
- carry out its data altruism activities through a structure that is functionally separate from its other activities (similar to data intermediation services).
The Commission also has the power to implement delegated acts which specify further requirements (known as “the Rulebook”) which will lay down information requirements, technical and security requirements, communication roadmaps and recommendations on interoperability standards.
The European Data Innovation Board
The European Data Innovation Board will be an expert group consisting of representatives from the relevant competent authorities in each Member State. It will advise and assist the Commission in developing consistent practices in areas such as data altruism and public sector data.
These four distinct Pillars are all aimed at a common goal: increasing the availability of data to people and businesses across the European Union. The hope is that this will help industries in developing innovative products and services and make industries such as health, transport and agriculture more efficient and sustainable, including in the public sector. The Data Act, the second main legislative initiative of the European strategy for data (which is expected to be enacted later this year), will provide further means and incentives towards achieving these goals by providing rules on who can use and access data generated in the EU. The rules will include measures allowing users of connected devices to gain access to data generated by them and the provision of rules preventing abuse of contractual imbalances in data sharing contracts with SMEs.
The significance of the DGA and the Data Act are heightened in the context of artificial intelligence. The wide availability of data is crucial for the development of AI technologies, especially by small and medium enterprises which lack access to large volumes of data. The Commission has itself stated that good data management and data sharing are “essential for training AI systems.”
Please look out for our next article on the European strategy for data which will focus on the Data Act.
We would like to thank Bohdana Tabachuk for her contribution to this article.