The Data Governance Act (DGA) was passed by the Council of the European Union on May 16, 2022, following support from Members of the European Parliament (MEPs) in April. The European Commission declared on November 30, 2021, that negotiations were complete and that a political agreement on the DGA had been reached between the Commission, European Parliament, and the Council of the European Union.
The DGA proposal was first introduced on November 25, 2020, and had been discussed for almost a year. It is the first legislative initiative established under the European data strategy, and it aims, among other things, to promote trust, regulate data exchange within the Member States and foster trusted data use for research and innovation.
Here’s what the DGA encompasses, what the legislation’s goals are, and what businesses ought to understand to comply with the new law.
What Is the EU Data Governance Act (DGA)?
The European Union Council has stated that the DGA defines a common approach to data sharing inside the EU. It would develop strong regulations to permit the reuse of specific protected public sector data and promote data altruism within the EU. The new law’s primary features are as follows:
- Increase trust in data sharing to speed up operations and cut expenses.
- Allow data intermediaries to act as reliable organisers of data sharing.
- Facilitate the reuse of certain data owned by the government, such as reusing health data under specified conditions to improve research and development.
- Provide the means for businesses and individuals to voluntarily make their data available for the public good under clearly defined criteria.
The Council aims to define a new business model for data intermediation services, which would act as a trusted setting for organisations or individuals to share data. The Council emphasises that data intermediation services will be beneficial for the following:
- Encouraging companies to share data voluntarily;
- Facilitating the fulfilment of legal data sharing responsibilities;
- Allowing organisations to share data without fear of misuse or loss of competitive advantage;
- Allowing individuals to exercise their GDPR rights;
- Enabling individuals to gain control over their data and share it with reputable companies.
According to the Council, individuals will exercise control over how they share their data through unique personal information management technologies such as personal data spaces or data wallets. These are apps that exchange such data with the data subject’s consent. Data intermediation service providers will not be permitted to profit from the data they manage, but they will be permitted to charge a fee for their services. The DGA also includes certificates to help identify competent data intermediation service providers.
Furthermore, the DGA would include safeguards against the unauthorised transmission of non-personal data, similar to how the GDPR regulates personal data transfers. As a result, the European Commission would be allowed to issue adequacy judgments to countries that have acceptable protections in place to protect non-personal data as per EU standards. In addition, the Commission may create a set of contractual conditions for situations in which non-personal data is transmitted to a third country.
Lastly, the European Data Innovation Board will be established to help the Commission improve the interoperability of data intermediation services. Among other things, the Board’s responsibilities will include setting guidelines for the development of personal data spaces.
What Are the Goals of the EU Data Governance Act (DGA)?
The DGA hopes to fulfil the following objectives:
- The DGA seeks to improve the flow of the increasing volume of industrial data across sectors and the Member States. It lays the groundwork for constructing a fair data-driven economy and creates the necessary conditions for trustful data exchange.
- The Act will establish a standardised framework of trusted data reuse tools and methodologies, allowing individuals and businesses to be in control of the data they own or generate. Thierry Breton, Commissioner for Internal Market, said that the DGA is “an open yet sovereign European Single Market for data.”
- The DGA will make more data open and exchangeable inside the EU. It has the potential to promote the establishment of common European data spaces in industry, cultural heritage, health, and other fields. Data sharing, for example, can aid in the discovery of therapies for uncommon or chronic diseases and assist evidence-based policymaking.
- Reduced expenses for gathering, integrating, and processing data can benefit organisations. Because of fewer obstacles to entry into new markets and shorter time-to-market for new products and services, they can pursue more business opportunities.
- The Act also establishes a foundation for data governance that is consistent with EU rules on personal data protection (e.g., GDPR), consumer protection, and competition laws, putting the area at the forefront of today’s increasingly data-driven social and corporate environment.
How To Comply With the EU Data Governance Act (DGA)
To be DGA compliant, organisations should focus on the following key areas:
Public Sector Authorities Reusing Protected Data
When protected data is reused, organisations must preserve the protections based on economic or statistical secrecy, intellectual property rights, or personal data. The reuse should also be objectively justified, non-discriminatory, and proportionate.
Businesses, for example, may need to anonymise or pseudonymise data and erase commercially sensitive information. The European Commission can also limit the reuse and transfer of sensitive non-personal data (for example, public health datasets) to third countries.
Services for Data Sharing
The DGA’s neutrality regulation will almost certainly necessitate the usage of data-sharing service providers subject to stringent requirements. Organisations that use these services must be aware of the constraints that apply to them.
These include criteria for reusing data, the usage of metadata, access to data sharing services, and data interoperability. Data sharing services must also protect against fraudulent or abusive acts, as well as the unauthorised transfer or access to non-personal data.
Some non-profit organisations can qualify as data altruism organisations if they provide services that allow data holders to make their information accessible for general interest objectives, such as science and research or improving public services.
These organisations are required to retain comprehensive and correct data processing records, including the date, duration, purpose, fees paid, and so on, and to submit yearly activity reports to the appropriate national authority. They must also adhere to transparency requirements and purpose limitation constraints.
Keeping Up with Regulatory Requirements
The passage of the DGA demonstrates the trend of the EU enacting additional data legislation to make data more accessible for use in business and society while also giving data owners more control over their information.
Businesses that collect, process, store, and use data must have a plan in place, as well as the technology to manage, track, and enforce data permission and preferences at a granular level. Implementing such infrastructure will assist you in complying with not only existing requirements such as GDPR and DGA but also future legislation.
How can we help?
The implementation of protections for non-personal data transfers will present an interesting challenge for organisations, many of which are currently dealing with the consequences of the Schrems II judgement. Adding a layer of regulated data requires organisations to identify this data, where it resides, and how it is used.
The provisional agreement reached in November 2021 by the European Parliament, the Council of the European Union, and the European Commission has been approved by MEPs and the Council, and it now awaits the signatures of the Presidents of the European Parliament and the Council before being published in the Official Journal. The revised DGA criteria will take effect 15 months after publication, implying an effective date of August or September 2023.
As the final stages of this legislative process come to a close, the need for organisations to have uniform privacy and data governance programmes is being highlighted. As part of that effort, having effective data discovery and mapping mechanisms in place to accommodate this expanded scope of data is essential.
Organisations can start strengthening their privacy and governance initiatives by locating and comprehending their data, both personal and non-personal. At Tsaaro, we enable businesses to understand their data holistically — what type of data they process, where the data is stored, the business processes, the third parties involved, and the several interactions that exist between them. We then build an ever-changing data map to serve as a single source of truth for actively discovering, categorising and mapping data in real time. This map can be used to identify risks and potential regulatory infractions, as well as offer workflows to help organisations build trust with customers, employees, and regulators.