Data Governance Act: Why, Who, What, and How?
Posted: October 2, 2023
The EU Data Governance Act (DGA) took effect in June 2022, with a fifteen-month grace period that ended in September 2023.
Public sector bodies collect vast amounts of data. The DGA ultimately aims to encourage and facilitate the re-use of that data for public benefit. The law introduces new concepts and requirements and overlaps with other important EU directives and regulations.
This article will explore why the DGA was passed, who the law affects, what types of data are covered by the DGA, and how the law sets out to achieve its aims.
Data Governance Act: Why?
The DGA, like many EU laws, is intended to boost the European economy—in this case, by encouraging the sharing and re-use of data.
Before the DGA came the Open Data Directive (ODD). The ODD was known as the “Public Sector Information (PSI) Directive” from its passing in 2003 until it was renamed as part of a substantial amendment in 2019.
Public sector bodies collect large amounts of data about everything from the climate to social trends and business activities.
Other organizations can do great things with this data if they have appropriate access and permission. The ODD regulates how public sector bodies make their data available for re-use.
But, as the name of the directive suggests, the ODD only covers “open data”. A lot of data collected by public bodies is not covered by the ODD, such as data covered by confidentiality, intellectual property, or data protection rules.
Just like open data, confidential or protected data held by public bodies can provide great value to society.
The DGA aims to fill in the ODD’s gaps and help facilitate the sharing of these more sensitive types of data where appropriate.
Data Governance Act: Who?
Let’s consider the types of people and organizations directly affected by the DGA.
- Data holder: A legal person (i.e., a corporation or other organization with legal rights) with the right to share or grant access to a given piece of data.
- Data subject: A natural person (i.e., a living individual) whom a given piece of data is about. The DGA cross-references the General Data Protection Regulation (GDPR)’s “data subject” definition.
- Data user: A natural or legal person with the right to access or use a given piece of data.
- Data intermediation service: A service that facilitates data sharing by data holders with data subjects and data users.
Each of these types of entities has some relationship to data in the scope of the DGA. Most of the law’s obligations fall on “public sector bodies” in their capacity as data holders.
Data Governance Act: What?
Now let’s explore the types of data covered by the DGA.
As noted, the DGA regulates the governance of data falling outside the scope of its predecessor, the ODD. The focus is on data that is protected on the following four grounds:
- Commercial confidentiality, including business, professional and company secrets
- Statistical confidentiality
- Intellectual property rights of third parties
- (Personal) data protection, if the data is not already covered by the ODD
The DGA does not cover data held by certain types of bodies, such as public service broadcasters, educational establishments, and national security agencies.
Data Governance Act: How?
The DGA covers the following sorts of activities:
- Data re-use: Using data for new purposes other than those for which it was produced.
- Data altruism: Voluntarily sharing data for the “common good”, either with the consent of data subjects or the permission of data holders.
- Permission: Giving data users rights to re-use non-personal data.
Finally, here’s a summary of some of the DGA’s main rules and provisions.
- Prohibition on exclusive arrangements: Public sector data holders may not grant exclusive rights of data re-use. This means that after permission is granted to an initial data user, other data users must be allowed, in theory, to re-use the data.
- Secure processing: Public sector data holders must take steps to ensure the integrity and confidentiality of data before allowing access to it. For example, personal data must be anonymized or pseudonymized, and contractual agreements can cover the confidentiality of commercially sensitive data.
- Proportionality and legality: Any re-use of data must be proportionate, non-discriminatory, and respect intellectual property rights.
- Fair access: Public sector bodies must abide by certain rules when considering a request to access or re-use data, such as responding to the request within two months and charging only a reasonable administrative fee.
- Access to confidential information: The DGA prohibits access to confidential data unless permission by the data holder has been granted.
- Third-country transfers: The Commission may adopt new legislation to facilitate or restrict the transfer of non-personal data outside the EU.
- Data altruism: The DGA introduces standardized forms and procedures to encourage voluntary sharing of data by private sector bodies.
To facilitate the DGA, the Commission has created the European Data Innovation Board (EDIB), which consists of representatives from EU member states and bodies like the European Data Protection Board (EDPB) and the European Union Agency for Cybersecurity (ENISA).