Data Governance Act (DGA): Regulation (EU) 2022/868

Patrick Wheeler and CEO of digibeetle, Joost Gerritsen, explore the scope and implications of the EU’s Data Governance Act (Regulation 2022/868), examining its impact on public sector data re-use, the regulation of data intermediation services, and the growing role of data altruism organisations in the evolving digital economy.

Published 10 April 2025

The newly renamed and reconstituted AI and Data Committee has been monitoring the birth of the Data Governance Act: Regulation (EU) 2022/868 (DGA) which has come into force and is applicable from 24 September 2023.

Background

Data governance is about rules and means for those who use all kinds of data. More specifically, it deals with data outside the scope of the Open Data Directive: Directive (EU) 2019/1024 (ODD). This includes personal data and data protected by intellectual property rights. The DGA thus supplements the ODD.  In addition, the DGA regulates specific data services, called data intermediation services and data altruism organisations.

Definitions and Roles

“Data” consists of any digital representation of actions, facts or information and compilations thereof. It includes sound recordings and visual/audiovisual recordings.

One object of the DGA is to enable data held by public sector bodies to be ‘re-usable’ by citizens and businesses for commercial or non-commercial purposes under certain conditions.

The DGA introduces new roles: ‘data holders’, ‘data users’ and providers of ‘data intermediation services’.

Data holders are legal or natural persons who have the right to grant access to or share certain personal or non-personal data.

Data users are legal or natural persons who have lawful access to personal or non-personal data and the right to use that data, for example because the General Data Protection Regulation (GDPR) allows data use.

Between entities – data holders, data users and others – ‘data sharing’ can take place. Data sharing can be done directly or through an intermediary, for example on the basis of open or commercial licences, free of charge or for a fee. The DGA additionally introduces ‘data intermediation services’. These are providers of, for example, data marketplaces or data cooperatives. In addition, the DGA contains rules for data altruism organisations, which we describe further down in this article. These organisations are allowed to display EU-approved logos to indicate they comply with the DGA’s criteria.

Conditions for Data Re-Use

Chapter II of the DGA sets out the conditions for the re-use of various types of data held by public bodies. It only covers data protected under:

  1. commercial confidentiality, including business, professional and company secrets;
  2. statistical confidentiality;
  3. intellectual property rights of third parties; or
  4. personal data protection laws, insofar as they fall outside the ODD.

However, data of public corporations and of cultural or educational establishments, and data protected for reasons of public security, defence or national security, are excluded from the DGA.

If a public body does not actively make data available for re-use, the re-use may follow a granted request. However, the DGA tempers expectations: there is no obligation to allow data re-use.

Public bodies may impose conditions on re-use and charge fees, but free access is available to certain groups and bodies.

Protections are set out for the underlying data. For example, personal data should be anonymised and confidential data removed where possible.  The re-user must report breaches that lead to re-identification to the relevant public body. This is in addition to the notification obligations under the GDPR. In addition, a notification obligation applies in respect of non-personal data. If those data are used in an unauthorised manner, the re-user must notify the relevant legal entities without delay.

Data Intermediation Services

Chapter III of the DGA contains a notification and supervision framework for providers of data intermediation services. A ‘data intermediation service’ is a service aimed at establishing commercial relationships for the purpose of data sharing between data subjects and data holders on the one hand and data users on the other. Such services can be businesses or governments. Think of online ‘data marketplaces’ where companies can make data available or ‘data pools’ where parties receive a reward for their contribution to the data pool.

Data intermediation services are subject to a notification procedure. Anyone wishing to offer these services must first notify the competent authorities. If the data intermediation service stops, this must also be notified.

Data altruism

Chapter IV provides the framework for the voluntary registration of entities that collect and process data made available for altruistic purposes: data altruism. An example of data altruism is the German Corona-Datenspende-App. This app collects health data such as heart rate, body temperature and blood pressure using smart watches and bracelets. Based on the data, researchers were able to discover COVID-19 hotspots.

Before it can be included in the register, an organisation must, among other things, carry out data altruism activities, be a non-profit legal entity established to pursue public interest purposes and comply with the rulebook to be drawn up by the Commission, which is planned for the first quarter of 2025. In addition, a consent form will be published. This form is planned for the final quarter of 2024, and can be used by individuals and companies to give their consent to make their data available for objectives in the public interest, such as scientific research.

The data altruism organisation must employ safeguards, for example by setting up secure processing environments or oversight such as ethics committees. This must comply with strict ethical-scientific standards and fundamental rights protection.  In addition, recognised organisations must not use the data for purposes other than those of the specific public interest for which the data subject or data holder authorises the processing.

Monitoring and enforcement

Chapter V contains provisions relating to competent authorities and procedural provisions and Chapter VI sets out the framework for the establishment of a European Data Innovation Board (EDIB). The EDIB is an expert group consisting of competent authorities from all Member States, the European Data Protection Board (EDPB), the European Data Protection Supervisor (EDPS), the European Network and Information Security Agency (ENISA), the Commission, an SME representative and other relevant representatives.

The DGA prescribes that supervision and enforcement should be vested in national authorities with regard to data intermediation services and data altruism organisations. In both cases, supervision and control will take place both ex officio and on the basis of requests from natural or legal persons.  National authorities are given various powers. They may request information to check compliance with the DGA. The authority may require that any deficiencies are remedied within a specified time limit, or immediately if the case is serious.

International data flows

The DGA addresses data transfers to third countries in two ways. First, in relation to re-use conditions (Chapter II of the DGA). Second, the DGA contains a separate chapter on international access and transfer (Chapter VII).

In relation to re-use conditions, the DGA provides that if a re-user wishes to transfer non-personal data to countries outside the EU/EEA, they must inform the public body and the legal entities concerned and explain what appropriate data protection safeguards have been put in place. Only if the legal entity authorises the transfer will the public sector body allow the re-use. The re-user should then assume contractual obligations in respect of the data transferred to the third country.

Chapter VII contains one article on non-personal data. The gist of this is that non-personal data may be transferred internationally if there is no reason to believe that the combination of non-personal data sets would lead to the identification of data subjects. The DGA is less strict here than the GDPR, which prohibits international transfers in principle, unless stringent safeguards are put in place. Economic motives may explain this difference.

Significance

The practical implications of the DGA are diverse. The impact will be felt primarily by both EU national governments and public entities.

First and foremost, each government will need to draw up a national data-altruism policy, streamlining the procedures around re-use (including the single information point). It will need to cover the provision of assistance to public bodies in relation to data re-use as well as the monitoring and enforcement roles of data intermediation authorities and recognised data-altruism organisations. Exclusive contracts should be brought into focus so that they are terminated in a timely manner. And public bodies, depending on the extent to which the ability to reuse the data is mandated by the relevant country, will need to map what data they hold and take procedural measures to facilitate reuse.

Second, organisations falling within the scope of the DGA will feel an impact, especially data intermediation services. After all, they have to come forward and comply with the requirements. The question is whether the DGA definition of these services is clear enough. In the recitals, the DGA devotes a lot of attention to what it does not cover, but this raises more questions than it answers. Fortunately, there are transitional arrangements, which means that intermediary services will not have to comply with the DGA until 24 September 2025. Hopefully, greater clarity will emerge from the Commission or the EDIB by then.

In the absence of a clear policy on data re-use, as envisaged in the DGA, the impact for re-users remains uncertain. They do not know what to expect from public bodies. This lack of clarity is obviously undesirable.

The market for data intermediation services, including data cooperatives, needs to take off. Currently, only a handful of parties are registered as data intermediation services and just one as a data altruism organisation: Datalog, from Spain. Will these numbers increase? Only time will tell.

This article was originally published in ECTA Bulletin March 2025 Edition.
