Council approves Data Governance Act

© European Union, 2021, Source: Council of the EU – Audiovisual resources© European Union, 2021, Source: Council of the EU – Audiovisual resources

After the European Parliament, the Council today approved a new law to promote the availability of data and build a trustworthy environment to facilitate their use for research and the creation of innovative new services and products.

The Data Governance Act (DGA) will set up robust mechanisms to facilitate the reuse of certain categories of protected public-sector data, increase trust in data intermediation services and foster data altruism across the EU.

It is an important component of the European strategy for data, which aims to bolster the data economy. The new rules will apply 15 months after the entry into force of the regulation.

Wider reuse of protected public-sector data
The Data Governance Act will create a mechanism to enable the safe reuse of certain categories of public-sector data that are subject to the rights of others. This includes, for example, trade secrets, personal data and data protected by intellectual property rights. Public-sector bodies allowing this type of reuse will need to be properly equipped, in technical terms, to ensure that privacy and confidentiality are fully preserved.

In this respect, the DGA will complement the 2019 Open Data Directive, which does not cover such types of data.

Exclusive arrangements for the reuse of public-sector data will be possible when justified and necessary for the provision of a service of general interest. The maximum duration for existing contracts will be 30 months and for new contracts 12 months.

The Commission will set up a European single access point with a searchable electronic register of public-sector data. This register will be available via national single information points.

A new business model for data intermediation
The DGA creates a framework to foster a new business model – data intermediation services – that will provide a secure environment in which companies or individuals can share data.

For companies, these services can take the form of digital platforms, which will support voluntary data-sharing between companies and facilitate the fulfilment of data-sharing obligations set not only by that law, but also by other legislation, be it at European or national level. By using these services, companies will be able to share their data without fear of their being misused or of losing their competitive advantage.

For personal data, such services and their providers will help individuals exercise their rights under the general data protection regulation (GDPR). This will help people have full control over their data and allow them to share them with a company they trust. This can be done, for example, by means of novel personal information management tools, such as personal data spaces or data wallets, which are apps that share such data with others, based on the data holder’s consent.

Data intermediation service providers will need to be listed in a register, so that their clients know that they can trust them.

The service providers will not be allowed to use shared data for other purposes. They will not be able to benefit from the data – for example, by selling them on. They may, however, charge for the transactions they do carry out.

Data altruism for the common good
The DGA also makes it easier for individuals and companies to make data voluntarily available for the common good, such as medical research projects.

Entities seeking to collect data for objectives of general interest may request to be listed in a national register of recognised data altruism organisations. Registered organisations will be recognised across the EU. This will create the necessary trust in data altruism, encouraging individuals and companies to donate data to such organisations so that they can be used for wider societal good.

If an organisation wants to be recognised as a data altruism organisation under the DGA, it will have to comply with a specific rulebook.

Easy identification of service providers
Voluntary certification in the form of a logo will make it easier to identify compliant providers of data intermediation services and data altruism organisations.

European Data Innovation Board
A new structure, the European Data Innovation Board, will be created to advise and assist the Commission in enhancing the interoperability of data intermediation services and issuing guidelines on how to facilitate the development of data spaces, among other tasks.

International access to and transfer of non-personal data
The DGA creates safeguards for public-sector data, data intermediation services and data altruism organisations against unlawful international transfer of or governmental access to non-personal data. For personal data, the EU already has similar safeguards under the GDPR.

In particular, the Commission – through secondary legislation – may adopt adequacy decisions declaring that specific non-EU countries provide appropriate safeguards for the use of non-personal data transferred from the EU. These decisions would be similar to adequacy decisions relating to personal data under the GDPR. Such safeguards should be considered to exist when the country in question has equivalent measures in place that ensure a level of protection similar to that provided by EU or member state law.

The Commission may also adopt model contractual clauses to support public-sector bodies and re-users in the case of transfers of non-personal data covered by the DGA to third countries.