The European Union (EU) Data Governance Act aims to make data sharing more trustworthy and secure so that more data becomes available for organizations and individuals to use. Ultimately, this can have enormous benefits for society.
This article will explain the act's purpose, who it applies to, and how you can comply. It will also briefly cover what penalties may be imposed for breaching the act.
The broad purpose of the Data Governance Act is to incentivize more data sharing through a framework that increases trust and security between organizations, individuals, and the public sector.
The framework will increase trust in data-sharing processes through the
The act also aims to increase data altruism within the EU by regulating organizations that collect and share personal data exclusively for the benefit of society. These organizations will have the opportunity to become publicly registered "data altruism organizations".
By making data sharing more trustworthy and safe, EU citizens may be more incentivized to provide their personal data. Ultimately, more data availability means new products can be developed at a faster rate, helping to solve some of the EU's biggest issues.
Access to health data can help determine the safety and efficacy of medical products to accelerate time-to-market. The availability of environmental data can help combat climate change and reduce CO2 emissions.
The EU Data Governance Act specifically regulates providers of data intermediation services (intermediaries) and organizations that practice data altruism. Private companies, EU citizens, and public bodies are all indirectly affected by the act.
The EU Data Governance Act proposal was officially approved on 16 May 2022 and will apply in all 27 EU countries. Regulations set out in the act won't apply until September 24, 2023.
Data intermediation services providers are facilitators of data sharing. Any organization that provides one or more of the following services is considered a data intermediation services provider and must comply with relevant regulations:
Even if you simply provide the means for these services to be offered, and don't actually offer them directly, you are still considered a data intermediary under Article 10 of the act.
Data altruism is the practice of voluntarily sharing data to be used in the public's interest. Most data altruism organizations will have a specific 'general purpose' that they aim to promote. These general purposes will often involve gaining information about a very specific problem.
Such data can have a huge impact on developing enhanced products and services and advancing research in the health, environment, and mobility sectors.
The Data Governance Act regulates the activities of data intermediaries and organizations practicing data altruism. These regulations all work to make data sharing more secure and trustworthy in the EU.
Understanding the term 'data' is fundamental to being able to comply with the EU Data Governance Act.
According to Article 2 of the act, data is any digital representation of facts, acts, or information, including in the form of visual, sound, or audiovisual recordings.
More specifically, data can be broken down into two types - personal and non-personal. Personal data is any information relating to an identifiable natural person, while non-personal data is not related to an identifiable natural person.
All data intermediation services providers must meet certain conditions to ensure they're independent of the parties they're intermediating between, and won't re-use data for their own purposes.
Intermediation services providers that operate in more than one EU member state will be under the jurisdiction of their primary establishment. Any organization that's considered an intermediary but is not established in the EU must designate a legal representative in one of the member states where the services are offered.
Any organization that meets the requirements to be considered a data intermediary must notify the relevant public authority in their member state of their intention to provide these services. This notification will need to be provided either by September 24, 2023 or prior to commencing the provision of services.
Data intermediation services providers must guarantee neutrality and not have a conflict of interest. For compliance with this requirement to be maintained, service providers must be legally separated from any other operations that don't involve data intermediation. They must also ensure their prices aren't discriminatory.
Providers must not be involved in any exclusive agreements to use data for their own purposes. This means intermediaries cannot build a product or service using data that's shared with them. Additionally, there can't be any exclusive arrangements that have the purpose or effect of limiting the availability of data for re-use by others.
There are a number of requirements set out in the Data Governance Act that aim to ensure registered data altruism organizations are truly operating for the benefit of society.
Organizations that meet the criteria to be placed on the national register of recognized data altruism organizations receive benefits such as being able to display a specific, recognizable logo.
All organizations on the national register must operate on a not-for-profit basis and be legally independent of any entity that operates for profit. In order to operate solely for the benefit of society, organizations cannot benefit in any way from their data. They cannot sell the data, use it to develop products or services, or profit from it in any way.
Transparency requirements, as described in Article 20 of the act, involve a variety of record-keeping and reporting obligations.
Organizations practicing data altruism must keep full and accurate records concerning the:
Furthermore, organizations must draft an annual activity report containing:
Organizations are required to inform data subjects and data holders of their objectives of general interest, the purpose of data processing, and the location of any processing carried out in a third country. This information must be provided prior to any processing taking place.
To further protect the rights of data sharers, there is to be no use of data for objectives other than the specified general interests. Misleading marketing practices are also strongly forbidden. Organizations must provide tools to obtain consent from data subjects regarding the processing of data, and it must be easy for this consent to be withdrawn.
Data altruism organizations are responsible for the security of any data they store and must take appropriate measures to ensure data is secure and protected.
The EU will develop a rulebook containing a number of additional regulations for data altruism organizations to follow. It will contain information about:
This rulebook will be written with the needs of data altruism organizations in mind.
Data altruism activities must be carried out separately from any other activities. Data altruism cannot be carried out in an organization that is involved in other activities, even if it meets all other requirements. This is to ensure operations are entirely for the benefit of society.
Not complying with the rules in the EU Data Governance Act can result in penalties being imposed. The European Data Innovation Board, along with member states, will have the responsibility of enforcing penalties.
Member states have the authority to issue penalties to any organization that breaches any of the regulations laid out in the EU Data Governance Act.
Member states are asked to consider the recommendations of the European Data Innovation Board when determining penalties, but the decisions surrounding the severity and nature of penalties are ultimately up to the individual member states.
The Data Governance Act provides criteria for member states to consider when imposing penalties. These criteria ensure penalties remain fair and appropriate.
The unique circumstances surrounding the breach, degree to which regulations were breached, amount of data or number of people affected, and the length of time in which the breach took place will all be factors that member states keep in mind when deciding how to penalize organizations.
If an organization takes actions to reduce the amount of harm caused by their breach, there may be some leniency in the severity of penalties imposed upon them. This is, of course, up to the discretion of the member state, so some may choose not to be lenient as a result of this factor.
Organizations with a clean history that doesn't involve any breaches may receive a reduced penalty. On the other hand, organizations with a poor history involving multiple breaches may have more severe penalties imposed on them.
The amount of financial gain or loss an organization incurs as a result of its breach may also be a factor that states consider when imposing penalties. If there is a significant loss, penalties may be less severe. If there is a major gain, more severe penalties may be imposed.
Any penalties applied by the member states must be effective and proportionate to the breach, and as such, will probably be in the form of fines. These fines will be enforced by the competent authorities in each member state.
While the EU Data Governance Act is a complex legal requirement, there are only a few things you have to remember to remain compliant.
As a data intermediary, you must:
As a data altruism organization, you must: