The EU Data Governance Act (DGA)

The Data Governance Act (DGA) is legislation that aims to foster trust in data sharing, increase data availability, and facilitate the reuse of public sector data in the European Union.

The Data Governance Act is a key component of the European Data Strategy and will play a vital role in creating a single market for data, ultimately helping promote innovation and growth within the EU economy.

In this article, we'll explore what the Data Governance Act aims to accomplish, to whom it applies, its key requirements, practical compliance steps for applicable businesses, and penalties for non-compliance. Let's dive in.

What is the EU Data Governance Act (DGA)?

The EU Data Governance Act (DGA) is a legislative proposal that was passed on June 23, 2022, and will become fully effective on September 24, 2023. It is the first of several initiatives introduced under the 2020 "European Data Strategy" to encourage data sharing across industry sectors within the EU.

What's more, the DGA will contribute significantly to creating a single market for data, effectively establishing Europe as a leader in the global data economy.

According to the EU's official guide, the Data Governance Act aims to:

"facilitate data sharing in various sectors such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills for the benefit of European Union (EU) citizens and businesses, creating jobs and stimulating innovation.

In practice, the Data Governance Act will do the following:

• Encourage the reuse of specific categories of protected data held by EU public sector entities
• Establish a regulatory framework for organizations that offer data-sharing intermediation services
• Introduce the concept of data altruism (i.e., voluntary data sharing for the common good and without reward)
• Create the European Data Innovation Board (EDIB) to advise and assist the European Commission with the DGA's implementation

Who Does the Data Governance Act (DGA) Apply to?

The Data Governance Act primarily affects two distinct types of entities: data-sharing service providers and data altruism organizations.

Before we examine these entities, it's important to clarify that the DGA has an extraterritorial scope. This means the law can apply to organizations based outside the EU if they offer services within the EU.

Having established that, let's take a closer look at these entities.

Data-Sharing Service Providers

Data-sharing service providers are otherwise known as data intermediaries. They are neutral third parties who establish commercial relationships for data sharing between data subjects and data holders on the one hand and data users on the other.

In other words, data intermediaries serve as authorized middlemen between two parties who want to share data.

Data Altruism Organizations

Data altruism organizations are nonprofit entities that facilitate the collection and processing of data for the common good and without any form of reward.

These organizations use data to advance research, innovation, and societal benefits, such as tackling climate change, promoting social welfare, and improving mobility. For instance, a data altruism organization can obtain health-related information to help combat rare or chronic diseases.

It's important to note that the DGA also applies to public sector bodies that handle specific categories of protected data. However, this article won't go into the details of that area of the law.

What type of Data Does the Data Governance Act (DGA) Cover?

Under Article 2, the Data Governance Act defines data as:

"any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording;"

This definition is considerably broad and notably covers both personal and non-personal data.

Note that the DGA defines non-personal data as any information not classified as personal data under Article 4 of the General Data Protection Regulation (GDPR). In other words, non-personal data is any information that doesn't relate to an identified or identifiable natural person.

Not surprisingly, where there is a conflict or inconsistency involving personal data between the GDPR and the DGA, the GDPR takes precedence.

How to Comply With the EU Data Governance Act (DGA)

The Data Governance Act sets out a number of requirements for data intermediaries and data altruism organizations that process data within the EU. Below, we briefly outline the requirements for each entity in turn.

Requirements for Data Intermediaries

To establish data intermediaries as trustworthy organizers of data sharing, Article 11 of the DGA imposes the following vital obligations:

• Submit a formal notification to a competent authority
• Ensure neutrality and avoid conflict of interest
• Don't use data for any other purpose than to provide data intermediation services
• Only use metadata (i.e., data about the data intermediation service) to develop that service
• Set up procedures to prevent fraud and similar abusive practices
• Always act in the best interests of data subjects and help facilitate GDPR rights
• Ensure that the data intermediation service is legally and structurally separate from any other value-added service provided
• Make sure access to data intermediation service is fair and non-discriminatory for all parties, including regarding prices
• Set up high-level security safeguards to protect non-personal data both during storage and transfers
• Implement adequate technical, legal, and organizational measures to prevent the illegal transfer and access of non-personal data
• Before obtaining consent from data subjects, clarify the terms of how the data will be used

Here's an excerpt of these obligations from the DGA's official text:

Requirements for Data Altruism Organizations

A DGA-approved data altruism organization must meet specific criteria, including being registered as a nonprofit entity, having a clear mission that prioritizes general interest, and operating through a legally separate structure from its other operations.

In addition, data altruism organizations must observe the following requirements:

• Register as a data altruism organization with a competent authority
• Register in the member state where your headquarters is located if your organization operates in more than one member state
• Appoint an EU legal representative if your organization is based outside the EU

• Comply with transparency requirements by keeping complete and accurate records of the following:

  • Every individual who participates in your data processing
  • The duration of the processing
  • The individual purposes of the processing, and
  • The fees paid (if any)
• Implement adequate security measures for the storage and processing of non-personal data collected on the grounds of data altruism
• Observe the standards of the data altruism consent form once released by the European Commission

Best Practices for Compliance with the EU Data Governance Act (DGA)

In light of the DGA's requirements, we've compiled a list of key practical steps your business can take (in no particular order) to comply and avoid liability under the regulation.

Let's take a look.

Update Your Privacy Policy

The Data Governance Act imposes transparency requirements on both data intermediaries and data altruism organizations under its scope. In practice, one of the best ways to showcase transparency is to provide a comprehensive, well-written, and accurate Privacy Policy.

A Privacy Policy is a legal statement that explains how an organization collects, processes, shares, and protects personal data. As a prospective data intermediary or altruism organization, you'll need to update your Privacy Policy to reflect the DGA's requirements.

While the Data Governance Act doesn't specifically clarify what details to address, its many references to the GDPR suggest that a GDPR-compliant Privacy Policy with some DGA-specific information will suffice.

That said, your Privacy Policy should at least provide the following information:

• A declaration that you are an DGA-approved data intermediary or data altruism organization
• The type of personal and non-personal data your organization collects and handles
• Your purpose(s) for collecting and using that data
• How long you intend to use and retain data
• Your lawful bases for collecting and processing data
• Data subjects' rights over their data
• Contact information

Your Privacy Policy should be transparent, clear, and easily understandable. You should also regularly review and update it to reflect changes in your data processing activities or legal requirements.

Register With a Competent Authority

Before being approved under the Data Governance Act, data intermediaries and altruism organizations must register with a "competent authority" in an EU member state. This authority would be responsible for monitoring and verifying compliance with the DGA's requirements.

As part of the registration requirements, data intermediaries and data altruism organizations must provide the following details:

• Company name and legal status
• Company rules and regulations
• Main sources of income
• Official address
• Official website
• Contact personnel and details
• A description of the data-sharing or data altruism service provided
• Estimated start date
• Country of operation
• Other relevant documentation as required

Appoint an EU Legal Representative and a Data Protection Officer (DPO)

Under the DGA, data intermediaries and data altruism organizations that are not based in the EU must appoint an EU legal representative in the EU country where they operate.

This implies that the organization would fall under the jurisdiction of the country where the legal representative is located.

Although the DGA doesn't mandate the appointment of a Data Protection Officer (DPO), doing so is highly recommended and a best practice for several reasons. A DPO oversees and helps an organization comply with the GDPR and other privacy laws - in this case, the Data Governance Act.

By engaging an internal or external DPO, organizations can benefit from expert guidance, navigate the rapidly evolving privacy landscape effectively, and keep up with ongoing regulatory developments.

Implement Adequate Data Security Measures

The Data Governance Act requires data intermediaries and data altruism organizations to set up "adequate technical, legal, and organizational measures" to prevent the illegal transfer or access of personal and non-personal data.

The law further demands high-level security for data during storage and transmission.

In practice, both these obligations can be met by implementing effective industry-standard data security measures. Examples include but aren't limited to the following:

• Data encryption
• Access controls and data validation techniques
• Regular risk assessment programs and testing
• Secure data transmission (e.g., via HTTPS)
• Employee awareness and training

We recommend engaging cybersecurity professionals or consultants to provide valuable expertise and assist in implementing robust data security measures.

Obtain GDPR-Compliant Consent When Needed

To facilitate data altruism across EU member states in a uniform format, the DGA empowers the European Commission to develop a common European data altruism consent form.

Data altruism organizations must observe the technical requirements of the altruism consent form once released by the commission.

Predictably, where personal data is involved, organizations must deploy a GDPR-compliant consent request mechanism. In other words, consent requests for personal data must be "freely given, specific, informed, unambiguous, and easily withdrawable."

Here's an example of a GDPR-compliant clickwrap consent from Lancome:

For more information and guidance on this topic, check out our article: Consent Under the GDPR

Observe Data Subject Rights

The Data Governance Act requires data intermediaries to act in the best interests of data subjects. A vital part of this stipulation entails observing the GDPR rights of data subjects and helping exercise these rights upon request.

To better clarify, consumer rights under the GDPR are as follows:

1. Right to be informed
2. Right of access
3. Right to rectification
4. Right to erasure (right to be forgotten)
5. Right to restriction of processing
6. Right to data portability
7. Right to object
8. Right not to be subject to automated decision-making

Stay Up-to-Date on Data Privacy Trends

As with any new regulation, the Data Governance Act has several areas of ambiguity and uncertainty regarding its implementation and interpretation.

Consequently, the European Commission and other regulatory authorities will likely issue additional guidance in the near future to promote a better understanding of the DGA.

As an applicable organization, you need to stay on top of developments in this area of law, regularly review your data processing operations, and update your policies and procedures accordingly to remain compliant. Consider consulting a legal expert to help you navigate your responsibilities effectively.

Penalties for Non-Compliance with the EU Data Governance Act (DGA)

Unlike the GDPR, the Data Governance Act doesn't specify penalties and enforcement measures for non-compliant organizations. Instead, it delegates this responsibility to each EU member state and provides additional guidance they must observe when enforcing the law.

This includes the following:

• The penalties for violations must be "effective, proportionate, and dissuasive" to motivate organizations to observe the rules
• Each member state must notify the commission of its penalties and enforcement measures by the DGA's effective date
• Each member state must promptly notify the commission of any subsequent changes to its penalties and enforcement measures

Here's how the DGA presents these stipulations under Article 31:

Summary

The Data Governance Act is a proposed regulation that aims to strengthen data-sharing mechanisms and encourage the reuse of public sector data across industry sectors in the EU. This ultimately serves the purpose of laying the foundation for a data economy in Europe.

To accomplish these objectives, the DGA sets out requirements for data-sharing service providers, introduces a new concept of data altruism, and establishes a new agency of expert representatives, the EDIB.

The law notably defines "data" more broadly than the GDPR, covering both personal and non-personal data.

To recap, we recommend observing the following best practices to comply with the DGA's requirements as an applicable data intermediary or data altruism organization:

• Update your Privacy Policy
• Register with a competent authority
• Ensure your data intermediation and altruism services are legally and structurally separate from your other operations
• Appoint an EU legal representative as required by the DGA and consider designating a DPO as well
• Set up high-level technical and organizational security safeguards to protect personal and non-personal data
• Obtain GDPR-compliant consent before collecting or processing personal data
• Observe data subjects' GDPR rights and help exercise them upon request
• Stay up-to-date on developments in this area of law