The Data Governance Act (DGA)

Philipp Rosenauer
Partner Legal, PwC Switzerland

In our Blogpost series, we already have informed about the Digital Services Act, the Digital Markets Act (both part of the EU Digital Services Package), the Data Act and the Artificial Intelligence Act (both part of the EU Data Strategy). However, there exists another regulation that we have not covered so far: the EU Data Governance Act. Since this “milestone regulation” already entered into force on 23 June 2022 and will be applicable to organisations beginning on 23 September 2023, we wanted to explain the most important aspects in this Blogpost.

So what is the Data Governance Act, or “DGA”? The objective of the DGA is to (a) create a framework enabling the secure use of data from the public sector, (b) stipulate rules for intermediary service providers and (c) introduce a new concept of data altruism. Besides that, a new agency will be founded: the European Data Innovation Board. So let’s take a closer look at these three pillars.

Use of data processed by public sector bodies

In essence, the DGA provides a framework to ensure that data can be shared with confidence and that it is easy to use from a technical perspective. The scope of the DGA is very broad in this context: all public sector bodies are affected. This also includes institutions that are government-financed, government-managed or that are created to serve the public interest. The novelty is that it does not only cover personal data, but also non-personal data such as business secrets, statistical information and intellectual property rights. However, data that is held by public undertakings, public broadcasters, cultural and educational establishments or data protected on grounds of public security and defence is not included in the scope of the Act.

Public sector bodies have to make the conditions for allowing such re-use publicly available. The conditions for re-use shall be non-discriminatory, proportionate and objectively justified with regard to categories of data and purposes of re-use. When sharing data, it must be ensured that the protected nature of the data is preserved, e.g. by anonymising personal data or modifying or aggregating business secrets or content protected by intellectual property rights. Also, re-users may be requested to enter into confidentiality agreements.

When it comes to enforcement and penalties, the DGA refers to the competent authorities of the respective member states. For affected natural and legal persons it is also possible to file a complaint with the competent authorities.

Data Intermediation Service Providers (DISPs)

These are defined as “brokers” of the flow of data from an undetermined number of data subjects and data holders to data users. They establish a commercial relationship between the data holders and the data users. Providers of cloud services should be excluded, as well as service providers that either obtain data from data holders, aggregate, enrich or transform the data and licence the use of the resulting data to data users. This does not establish a direct relationship between data holders and data users, for example advertisement or data brokers, data consultancies, providers of data products resulting from value added to the data by the service provider.

Data intermediaries are expected to play a key role in the data economy as a tool to facilitate the aggregation and exchange of substantial amounts of relevant data. Specialised data intermediaries that are independent from both data holders and data users can play a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power.

The data covered includes an individual’s personal data as well as a company’s non-personal data.

A degree of trust is necessary for the concept of data intermediation to come to fruition. Therefore, a couple of regulatory requirements need to be considered:

DISPs have to be registered with the competent authorities. Also, they will be entered into a registry controlled by the European Commission
DISPs are subject to close monitoring by the competent authorities
Besides that, the provision of data sharing itself is subject to a number of conditions

Enforcement actions can be initiated by the competent authorities in the various member states. Also, affected natural and legal persons may lodge a complaint with the competent authorities.

Data altruism

Data altruism refers to the concept of voluntarily making data available by individuals or companies for the common good. It establishes the possibility for organisations engaging in data altruism to register as a “Data Altruism Organisation recognised in the European Union” in order to increase trust in their operations. In addition, a common European data altruism consent form will be developed in order to lower the costs of collecting consent and to facilitate the portability of the data (where the data to be made available is not held by the individual).

The rules on data altruism cover personal and non-personal data.

Competent authorities in the EU member states must keep a register of recognised data altruism organisations.

From an extraterritorial point of view, the DGA applies to data intermediaries providing services into the EU and data altruism organisations that are collecting data within the EU.