Data Governance Act explained

The economic and societal potential of data is enormous: it can enable new products and services based on novel technologies, make production more efficient, and provide tools for combatting societal challenges. In the area of health, for example, data can contribute to providing better healthcare, improving personalised treatments and helping cure rare or chronic diseases. It is also a powerful engine for innovation and new jobs, and a critical resource for start-ups and SMEs.

However, this potential is not being realised. Data sharing in the EU remains limited due to a number of obstacles (including low trust in data sharing, issues related to the re-use of public sector data and data collection for the common good, as well as technical obstacles).

In order to truly capitalise on this enormous potential, it should be easier to share data in a trusted and secure manner.

The Data Governance Act (DGA) is a cross-sectoral instrument that aims to regulate the re-use of publicly/held, protected data, by boosting data sharing through the regulation of novel data intermediaries and by encouraging the sharing of data for altruistic purposes. Both personal and non-personal data are in scope of the DGA, and wherever personal data is concerned, the General Data Protection Regulation (GDPR) applies. In addition to the GDPR, inbuilt safeguards will increase trust in data sharing and re-use, a prerequisite to making more data available on the market.

Re-use of certain categories of data held by public sector bodies

What are the key goals?

The Open Data Directive regulates the re-use of publicly/available information held by the public sector. However, the public sector also holds vast amounts of protected data (e.g. personal data and commercially confidential data) that cannot be re-used as open data but that could be re-used under specific EU or national legislation. A wealth of knowledge can be extracted from such data without compromising its protected nature, and the DGA provides for rules and safeguards to facilitate such re-use whenever it is possible under other legislation.  

How does it work in practice?

• Technical requirements for the public sector: Member States will need to be technically equipped to ensure that the privacy and confidentiality of data is fully respected in re-use situations. This can include a range of tools, from technical solutions, such as anonymisation, pseudonymisation or accessing data in secure processing environments (e.g. data rooms) supervised by the public sector, to contractual means such as confidentiality agreements concluded between the public sector body and the re-user.
• Assistance from the public sector body: If a public sector body cannot grant access to certain data for re-use, it should assist the potential re-user in seeking the individual’s consent to re-use their personal data or the data holder’s permission whose rights or interests may be affected by the re-use. Furthermore, confidential information (e.g. trade secrets) can be disclosed for re-use only with such consent or permission.
• To have even more publicly held data available for re-use, the DGA limits reliance on exclusive data re-use agreements (whereby a public sector body grants such an exclusive right to one company) to specific cases of public interest.
• Reasonable fees: public sector bodies may charge fees for allowing the re-use as long as those fees do not exceed the necessary costs incurred. In addition, public sector bodies should incentivise the re-use for scientific research and other non-commercial purposes as well as by SMEs and start-ups, by reducing or even excluding charging.
• A public sector body will have up to 2 months to take a decision on a re-use request.
• Member States can choose which competent bodies will support the public sector bodies granting access to the re-use for example by providing the latter with a secure processing environment and by advising them on how to best structure and store data to make it easily accessible.
• To help potential re-users find relevant information on what data is held by which public authorities, Member States will be required to set up a single information point. The Commission created the European Register for Protected Data held by the Public Sector (ERPD), a searchable register of the information compiled by national single information points in order to further facilitate data re-use in the internal market and beyond.

Examples

• The Finnish social and health data permit authority Findata processes requests and grants access to data for re-use. Examples of Findata’s data sources are the social insurance institution, the pensions register and the population register.
• French company DAMAE Medical is improving its LC-OCT (Line-field Confocal Optical Coherence Tomography) technology that gives access to cellular resolution imaging of inner microstructures of the skin up to the dermis, immediately and non-invasively with new training data made available through the French Health Data Hub. The objective of the project is to improve the capacity of this technology to better identify potential signs of skin cancer and demarcate the surgical intervention area better.

Data intermediation services

What are the key goals?

Many companies currently fear that sharing their data would imply a loss of competitive advantage and represent a risk of misuse. The DGA defines a set of rules for providers of data intermediation services (so-called data intermediaries, such as data marketplaces) to ensure that they will function as trustworthy organisers of data sharing or pooling within the common European data spaces. In order to increase trust in data sharing, this new approach proposes a model based on the neutrality and transparency of data intermediaries whilst putting individuals and companies in control of their data.

How does it work in practice?

The framework offers an alternative model to the data-handling practices of the Big Tech platforms, which have a high degree of market power because they control large amounts of data.

In practice, data intermediaries will function as neutral third parties that connect individuals and companies with data users. While they may charge for facilitating the data sharing between the parties, they cannot directly use the data that they intermediate for financial profit (e.g. by selling it to another company or using it to develop their own product based on this data). Data intermediaries will have to comply with strict requirements to ensure this neutrality and avoid conflicts of interest. In practice, this means that there must be a structural separation between the data intermediation service and any other services provided (i.e. they must be legally separated). Also, the commercial terms (including pricing) for the provision of intermediation services should not be dependent on whether a potential data holder or data user is using other services. Any data and metadata acquired can be used only to improve the data intermediation service.

Both stand-alone organisations providing data intermediation services only and companies that offer data intermediation services in addition to other services could function as trusted intermediaries. In the latter case, the data intermediation activity must be strictly separated, both legally and economically, from other data services.

Under the DGA, data intermediaries will be required to notify the competent authority of their intention to provide such services. The competent authority will ensure that the notification procedure is non-discriminatory and does not distort competition and will confirm that the data intermediation services provider has submitted the notification containing all required information.

Upon receipt of such a confirmation, the data intermediary can legally start to operate and use the label ‘data intermediation services provider recognised in the Union’ in its written and spoken communication, as well as the common logo. Those authorities will also monitor compliance with the data intermediation requirements and the Commission will keep a central register of recognised data intermediaries.

Examples

With its Data Intelligence Hub, Deutsche Telekom offers a data marketplace in which companies can securely manage, provide and monetize good quality information, for example production data, in order to optimise processes or entire value chains. Telekom takes the role of a neutral trustee and guarantees data sovereignty through decentralised data management. Currently more than 1,000 users from over 100 different companies are active on the platform.

DAWEX is a French company that describes itself as a ‘global data marketplace’.  Dawex does not purchase or sell data but brings together companies interested in monetising and re-using data, and fosters transparency between data suppliers and users by ensuring that they communicate and conduct the transaction directly on its platform. Dawex developed a series of tools to help both data suppliers and users to understand, assess and communicate about the data. Visualisation tools (e.g. heat maps, tree maps) provide data users with different information about a complete dataset that can be securely shared before a transaction is completed. Sampling tools automatically generate representative data samples based on algorithms to avoid any bias. Data users and data suppliers communicate using a messaging tool embedded in the platform. Additionally, Dawex supports the negotiation of the contractual agreement by model terms that can be automatically generated.

API-AGRO is an agricultural data-sharing hub which uses the Dawex technology. This technology fosters an agricultural ecosystem involving numerous actors and a neutral intermediary (the Api-Agro platform) where there is a clear separation between the intermediation role and other activities related to the use of the data. Api-Agro does not monetise the data, but functions as a neutral third party that connects data holders and data users.

Data altruism

What are the key goals?

Data altruism is about individuals and companies giving their consent or permission to make available data that they generate – voluntarily and without reward – to be used in the public interest. Such data has enormous potential to advance research and develop better products and services, including in the fields of health, environment and mobility.

Research indicates that while in principle there is a willingness to engage in data altruism, in practice this is hampered by a lack of data-sharing tools. As such, the goal of the Data Governance Act is to create trusted tools that will allow data to be shared in an easy way for the benefit of society. It will create the right conditions to assure individuals and companies that when they share their data, it will be handled by trusted organisations based on EU values and principles. This will allow the creation of pools of data of a sufficient size to allow data analytics and machine learning, including across borders.

How does it work in practice?

Entities that make available relevant data based on data altruism will be able to register as ‘data altruism organisations recognised in the Union’. These entities must have a not-for-profit character and meet transparency requirements as well as offer specific safeguards to protect the rights and interests of citizens and companies who share their data. In addition, they must comply with the rulebook (at the latest 18 months after it comes into force), which will lay down information requirements, technical and security requirements, communication roadmaps and recommendations on interoperability standards. The rulebook will be developed by the Commission, in close cooperation with data altruism organisations and other relevant stakeholders.

The entities will be able to use the common logo designed for this purpose and can choose to be included in the public register of data-altruism organisations. An EU-level register of recognised data altruism organisations will be set up by the Commission, for information purposes.  

A common European consent form for data altruism will allow the collection of data across Member States in a uniform format, ensuring that those that share their data can easily give and withdraw their consent. It will also give legal certainty to researchers and companies wishing to use data based on altruism. This will be a modular form, which can be tailored to the needs of specific sectors and purposes.

Examples

MyData Global aims to ‘empower individuals by improving their right to self-determination regarding their personal data.’ While the overall goal extends beyond data altruism, the organisation provides a trusted interface for members to give consent to the use of their personal data for specific purposes.

The Smart Citizen platform allows citizens to share data on noise levels and pollution in their home collected through sensors. This provides essential information to map noise and air quality, and for researchers and governments to develop targeted solutions to these issues.

The German Corona-Datenspende-App was set up to collect data (e.g. heart rate, body temperature, blood pressure, sleeping patterns) from fitness bracelets and smartwatches. By monitoring this data, researchers could identify at an early stage possible Covid-19 hotspots.

European Data Innovation Board

What are the key goals?

As provided in the DGA, the Commission established the European Data Innovation Board (EDIB) to facilitate the sharing of best practices, in particular on data intermediation, data altruism and the use of public data that cannot be made available as open data, as well as on the prioritisation of cross-sectoral interoperability standards.

How does it work in practice?

The EDIB includes representatives from the following entities:

• Member State competent authorities for data intermediation
• Member State competent authorities for data altruism
• the European Data Protection Board
• the European Data Protection Supervisor
• the European Union Agency for Cybersecurity (ENISA)
• the European Commission
• the EU SME Envoy/representative appointed by the network of SME envoys
• other representatives of relevant bodies selected by the Commission through a call for experts.

The list of EDIB members is available here:  Register of Commission expert groups and other similar entities (europa.eu).

EDIB will have the power to propose guidelines for common European data spaces, for example on the adequate protection for data transfers outside of the Union.

International data flows

What are the key goals?

The European strategy for data of February 2020 acknowledged the importance of having an open, yet assertive approach towards international data flows.

International data transfers can unlock the significant socioeconomic potential of the vast amount of data generated within the EU, thereby increasing the international competitiveness of the Union in the global arena, while contributing to economic growth, which is crucial especially in the post-COVID recovery era.

While the DGA plays a key role in strengthening the open strategic autonomy of the European Union, it also contributes to creating trust and confidence in international data flows.

How does it work in practice?

Whereas the GDPR has put in place all the necessary safeguards in the context of personal data, it is thanks to the DGA that similar safeguards exist for access requests from third countries in the context of non-personal data.

These safeguards concern all scenarios and provisions laid down by the DGA, namely for public sector data, data intermediation services and data altruism constellations. The re-user in the third country will need to ensure the same level of protection with respect to the data in question as the level of protection ensured in EU law, as well as accept the respective EU jurisdiction.  

If judged necessary, the Commission may adopt additional adequacy decisions for the transfer of public protected data for re-use when it comes to an access request with respect to non-personal data from a third country. These adequacy decisions will be similar to the adequacy decisions related to the transfer of personal data under the GDPR.

Additionally, the DGA empowers the Commission to make model contract clauses available for public sector bodies and re-users for scenarios where public sector data is involved in data transfers with third countries.