On November 30th, 2021, the European Parliament and the Council of the EU reached an agreement on the EU Data Governance Act (DGA), the first legislative initiative adopted under the European Strategy for Data to regulate data sharing within the Member States.
Here's what the DGA entails, the goals of this legislation, and what businesses should know to comply with the new law.
What Is the EU Data Governance Act (DGA)?
The DGA defines a common approach to data sharing within the EU. It aims to establish trusted data use for research and innovation. It sets up robust mechanisms to support the reuse of specific protected public-sector data, increase trust in data intermediation services, and foster data altruism across the region. The new law consists of these main elements:
- Increase trust in data sharing to facilitate processes and reduce costs.
- Allow data intermediaries to function as trustworthy organizers of data sharing.
- Facilitate the reuse of specific data held by the public sector, such as reusing health data under clear conditions to advance research and development.
- Provide the tools so companies and individuals can voluntarily make their data available for the common good under clear conditions.
What Are the Goals of the EU Data Governance Act (DGA)?
The DGA aims to facilitate the flow of growing volumes of industrial data across sectors and the Member States. It offers the foundation for establishing a fair data-driven economy and creating the proper conditions for trusted data sharing.
The legislation will create a standardized framework of trusted tools and techniques for data reuse, allowing individuals and companies to be in control of the data they own or generate. According to Thierry Breton, Commissioner for Internal Market, the DGA is "an open yet sovereign European Single Market for data."
The DGA will enable more data to be available and exchanged in the EU. It can encourage the development of common European data spaces in manufacturing, cultural heritage, health, etc. For example, data sharing can help discover cures for rare or chronic diseases and support evidence-based policymaking.
Organizations can benefit from lower costs in acquiring, integrating, and processing data. They can explore more business opportunities thanks to the lower barriers to entering new markets and shorter time-to-market for new products and services.
The legislation also creates a basis to support data governance that aligns with EU rules on personal data protection (e.g., GDPR) and consumer protection and competition laws to position the region at the forefront of today's increasingly data-driven social and business environment.
How To Comply With the EU Data Governance Act (DGA)
Organizations should address these main areas to stay compliant with the DGA:
The Reuse of Protected Data by Public Sector Authorities
Organizations must protect the reuse of data on the grounds of commercial or statistical confidentiality and the safeguarding of intellectual property rights or personal data. Reuse should also be non-discriminatory, proportionate, and objectively justified.
For instance, businesses may need to anonymize or pseudonymize data and delete commercially confidential information. The European Commission can also restrict the reuse of sensitive non-personal data (e.g., public health datasets) and its transfer to third countries.
Data Sharing Services
The DGA's rule on neutrality will likely require the use of data-sharing service providers that must follow strict conditions. Organizations using these services must be aware of the restrictions under which they operate.
These include conditions on the purposes for reusing data, the use of metadata, accessing data sharing services, and the interoperability of the data. Data sharing services must also prevent fraudulent or abusive practices and unlawful transfer or access to non-personal data.
Some non-profit entities can register as data altruism organizations if they provide services that enable data holders to make their information available for purposes of general interest, such as scientific research or improving public services.
These organizations must keep complete and accurate data processing records, including the date, duration, purpose, fees paid, etc., and provide annual activity reports to the appropriate national authority. They must also observe transparency obligations and purpose limitation restrictions.
Staying Ahead of Regulatory Requirements
The passing of the DGA illustrates a trend: the EU will be implementing more data regulations to make data more available for use in the economy and society while giving data owners more control over their information.
Businesses that collect, process, store, and utilize data must have a strategy and the technology to manage, track, and enforce data consent and preferences at a highly granular level. Implementing such infrastructure will help you comply not only with current regulations such as GDPR and the DGA but also with others that will come in the future.
Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.