EU Data Governance Act


The European Union (EU) Data Governance Act aims to make data sharing more trustworthy and secure so that more data becomes available for organizations and individuals to use. Ultimately, this can have enormous benefits for society.

This article will explain the act's purpose, who it applies to, and how you can comply. It will also briefly cover what penalties may be imposed for breaching the act.

The Purpose of the Data Governance Act

The broad purpose of the Data Governance Act is to incentivize more data sharing through a framework that increases trust and security between organizations, individuals, and the public sector.

The framework will increase trust in data-sharing processes through the creation of 'data intermediaries', which will facilitate the sharing of data between different parties.

The act also aims to increase data altruism within the EU by regulating organizations that collect and share personal data exclusively for the benefit of society. These organizations will have the opportunity to become publicly registered "data altruism organizations".

By making data sharing more trustworthy and safe, EU citizens may be more incentivized to provide their personal data. Ultimately, more data availability means new products can be developed at a faster rate, helping to solve some of the EU's biggest issues.

Access to health data can help determine the safety and efficacy of medical products to accelerate time-to-market. The availability of environmental data can help combat climate change and reduce CO2 emissions.

Who Is Affected By The EU Data Governance Act?

The EU Data Governance Act specifically regulates providers of data intermediation services (intermediaries) and organizations that practice data altruism. Private companies, EU citizens, and public bodies are all indirectly affected by the act.

The EU Data Governance Act proposal was officially approved on May 16, 2022, and the act will apply in all 27 EU countries. The regulations it sets out won't apply until September 24, 2023.

Data Intermediation Services Providers

Data intermediation services providers are facilitators of data sharing. Any organization that provides one or more of the following services is considered a data intermediation services provider and must comply with the relevant regulations:

  • Facilitating sharing between data holders and users of that data.
  • Intermediating sharing between bodies that collect personal data and data users.
  • Intermediating sharing between natural persons who wish to make non-personal data available and users of that data.
  • Acting as a data cooperative.

Even if you simply provide the means for these services to be offered, and don't actually offer them directly, you are still considered a data intermediary under Article 10 of the act.


Organizations Practising Data Altruism

Data altruism is the practice of voluntarily sharing data to be used in the public's interest. Most data altruism organizations will have a specific 'general purpose' that they aim to promote. These general purposes will often involve gaining information about a very specific problem.

Such data can have a huge impact on developing enhanced products and services and advancing research in the health, environment, and mobility sectors.

What The Act Requires (And How to Comply)

The Data Governance Act regulates the activities of data intermediaries and organizations practicing data altruism. These regulations all work to make data sharing more secure and trustworthy in the EU.

Defining Data

Understanding the term 'data' is fundamental to being able to comply with the EU Data Governance Act.

According to Article 2 of the act, data is any digital representation of acts, facts, or information, including in the form of visual, sound, or audiovisual recordings.


More specifically, data can be broken down into two types - personal and non-personal. Personal data is any information relating to an identifiable natural person, while non-personal data is not related to an identifiable natural person.

Requirements for Data Intermediation Services Providers

All data intermediation services providers must meet certain conditions to ensure they're independent of the parties they intermediate between and won't re-use the data for their own purposes.


Designate an EU Representative

Intermediation service providers that operate in more than one EU member state fall under the jurisdiction of the member state of their main establishment. Any organization that's considered an intermediary but is not established in the EU must designate a legal representative in one of the member states where its services are offered.

Notify The Relevant Public Authority

Any organization that meets the requirements to be considered a data intermediary must notify the relevant public authority in their member state of their intention to provide these services. This notification will need to be provided either by September 24, 2023 or prior to commencing the provision of services.

Remain Neutral

Data intermediation services providers must guarantee neutrality and not have a conflict of interest. For compliance with this requirement to be maintained, service providers must be legally separated from any other operations that don't involve data intermediation. They must also ensure their prices aren't discriminatory.

Can't be Involved in Certain Exclusive Agreements

Providers must not enter into exclusive agreements that let them use the data for their own purposes. This means intermediaries cannot build a product or service using data that's shared with them. Additionally, there can't be any exclusive arrangements that have the purpose or effect of limiting the availability of data for re-use by others.

Requirements for Organizations Practicing Data Altruism

There are a number of requirements set out in the Data Governance Act that aim to ensure registered data altruism organizations are truly operating for the benefit of society.

Organizations that meet the criteria to be placed on the national register of recognized data altruism organizations receive benefits such as being able to display a specific, recognizable logo.

Have a Not-For-Profit Character

All organizations on the national register must operate on a not-for-profit basis and be legally independent of any entity that operates for profit. In order to operate solely for the benefit of society, organizations cannot benefit in any way from their data. They cannot sell the data, use it to develop products or services, or profit from it in any way.

Meet Transparency Requirements

Transparency requirements, as described in Article 20 of the act, involve a variety of record-keeping and reporting obligations.


Organizations practicing data altruism must keep full and accurate records concerning the:

  • Contact details of everyone who was given access to process the data.
  • Date and duration of the data processing.
  • Purpose of the processing.
  • Fees paid for the data processing.

Furthermore, organizations must draft an annual activity report containing:

  • Details of the organization's objectives of general interest.
  • A list of all persons that had access to the data, as well as relevant information about this access.
  • Results of the data processing (the findings of the organization).
  • Information regarding revenue sources and expenses.

Protect The Rights of Data Sharers

Organizations are required to inform data subjects and data holders of their objectives of general interest, the purpose of data processing, and the location of any processing carried out in a third country. This information must be provided prior to any processing taking place.

To further protect the rights of data sharers, data may not be used for objectives other than the specified objectives of general interest. Misleading marketing practices are also expressly forbidden. Organizations must provide tools for obtaining consent from data subjects for the processing of their data, and it must be easy for this consent to be withdrawn.

Data altruism organizations are responsible for the security of any data they store and must take appropriate measures to ensure data is secure and protected.

Comply With The Rulebook

The EU will develop a rulebook, provided for in Article 22 of the act, containing a number of additional regulations for data altruism organizations to follow. It will contain information about:

  • How organizations must provide clear, detailed, and transparent information about their use of data.
  • Tools for giving and withdrawing consent.
  • Measures to avoid misuse of data.
  • Technical and security requirements for data storage and data processing.

This rulebook will be written with the needs of data altruism organizations in mind.

Carry Out Data Altruism Separately From Other Activities

Data altruism activities must be carried out separately from any other activities. Data altruism cannot be carried out in an organization that is involved in other activities, even if it meets all other requirements. This is to ensure operations are entirely for the benefit of society.

Penalties For Not Complying

Not complying with the rules in the EU Data Governance Act can result in penalties being imposed. The European Data Innovation Board, along with member states, will have the responsibility of enforcing penalties.

Who Enforces Penalties for Non-Compliance?

Member States have the authority to issue penalties to any organization that breaches any of the regulations laid out in the EU Data Governance Act.

Under Article 34 of the act, member states are asked to consider the recommendations of the European Data Innovation Board when determining penalties, but the decisions surrounding the severity and nature of penalties are ultimately up to the individual member states.

Factors Considered When Imposing Penalties

The Data Governance Act provides criteria for member states to consider when imposing penalties. These criteria ensure penalties remain fair and appropriate.

The Nature, Gravity, Scale, and Duration of the Infringement

The unique circumstances surrounding the breach, the degree to which the regulations were breached, the amount of data or number of people affected, and the length of time over which the breach took place are all factors that member states keep in mind when deciding how to penalize organizations.

Action Taken to Mitigate or Remedy the Damage Caused

If an organization takes actions to reduce the amount of harm caused by their breach, there may be some leniency in the severity of penalties imposed upon them. This is, of course, up to the discretion of the member state, so some may choose not to be lenient as a result of this factor.

Previous Infringements

Organizations with a clean history free of breaches may receive a reduced penalty. On the other hand, organizations with a poor history involving multiple breaches may face more severe penalties.

Financial Gains or Losses Due to the Infringement

The amount of financial gain or loss an organization incurs as a result of its breach may also be a factor that states consider when imposing penalties. If there is a significant loss, penalties may be less severe. If there is a major gain, more severe penalties may be imposed.

Types of Penalties

Any penalties applied by the member states must be effective and proportionate to the breach, and as such will probably take the form of fines. These fines will be enforced by the competent authorities in each member state.

Summary

While the EU Data Governance Act is a complex piece of legislation, there are only a few things you have to remember to remain compliant.

As a data intermediary, you must:

  • Designate an EU representative if you're not based in the EU.
  • Notify the relevant public authority of your intention to offer these services.
  • Remain neutral and independent.
  • Not be involved in exclusive agreements that use data for other purposes.

As a data altruism organization, you must:

  • Be not-for-profit.
  • Meet transparency requirements.
  • Protect the rights of data sharers.
  • Comply with the rulebook.
  • Remain separate from other activities.