Brief refresher on the Data Governance Act (DGA): In our recent article on the EU Data Strategy, we covered the new wave of EU data-centric legislation that is being implemented to usher in stronger regulatory guardrails for data, with one of the discussed laws being the Data Governance Act. The Data Governance Act (DGA) is aimed at increasing accessibility to data by regulating the re-use of publicly held protected data, by increasing data sharing through the regulation of novel data intermediaries, and through data sharing for humane causes.
One of the Act’s main contributions is the introduction of regulation of service providers within the EU known as “Data Intermediation Services” and “Data Altruism Organisations.” These entities will be accredited and overseen under the auspices of the DGA, as well as subject to different verification standards, one of which is a common logo across the EU. As part of the Act’s implementation, the European Commission has now released the common logos to help stakeholders easily identify data intermediation service providers and data altruism organisations recognised in the Union. We consider below who falls under either of these groups, and what is needed to comply with the DGA.
Recognized providers under the DGA, with their mandatory and voluntary requirements:

Data Intermediation Services (DIS): Data intermediation service providers are organisations that help data subjects and data holders establish commercial relationships with data users for the purpose of “data sharing”. Essentially, intermediation services providers act as neutral providers whose role is limited to brokering transactions. Any entity that wishes to provide a data intermediation service must notify their competent authority of their intention to provide such services (Art. 11). After submitting the notification, the data intermediation services can legally start to operate.

Mandatory requirements:
- Intermediation services must be offered by a separate legal person.
- Providers must not use the data for any purposes other than making them available to the data users.
- Where a provider intends to conduct DIS alongside other commercial objectives, there must be a legal and economic separation between the DIS and any other services provided.
- Providers must put in place procedures and measures to impose penalties for fraudulent or abusive practices.
- Providers must inform data holders in the event of an unauthorised transfer or use of the non-personal data that is shared.
- Pricing cannot be related to other services provided by the DIS provider or related entity.
- The provider may offer tools to facilitate exchange of data, but must have approval of the data holder/data subject to do this.
- Providers must have logs of all intermediation activity, and this must be maintained.

Voluntary requirements:
- Intermediation service providers may (but are not required to) request the competent authority to confirm if they meet the outlined conditions. If the competent authority issues this confirmation, the provider is then able to use the Commission-developed logo and to use the label “provider of data intermediation services recognised in the Union” in communications.

Data Altruism Organisations: Individuals and businesses often give their assent or permission for data that they generate willingly and without profit to be used in the public interest (known as data altruism). Data altruism organisations facilitate the sharing of personal or non-personal data, for general interest purposes (e.g. climate change, social mobility), scientific research or statistics, without financial compensation for the data subject or data holder (beyond compensation related to the costs that they incur). The sharing of such data is voluntary and based on the consent of the data subject or the permission of the data holder.

Mandatory requirements:
- Must operate on a not-for-profit basis and be legally independent of any entity that operates for profit.
- Must be established to meet objectives of general interest.
- Must have a functionally separate structure for data altruism activities.
- Where logo usage is approved, the logo must be accompanied by a QR code with a link to the EU public register of recognised data altruism organisations. This register will be available from 24 September 2023.
- Further requirements relating to information provision, interoperability, and security measures will be laid down in a rulebook to be adopted in delegated acts. Organisations must comply with the rulebook no later than 18 months after it comes into force.

Ongoing obligations under Arts. 20 and 21:
While carrying out their data altruism activities, data altruism organisations are subject to wide-ranging transparency requirements, reporting obligations, and specific requirements to safeguard rights and interests of data subjects and data holders. These include:
- Must keep full and accurate records concerning the purpose of processing, fees paid for the data processing and duration of data processing.
- Must draft an annual activity report containing information about the organisation’s general interest, revenue sources and expenses.
- Must inform data subjects and data holders of their objectives of general interest, the purpose of data processing, and the location of any processing carried out in a third country. This information must be provided prior to any processing taking place.
- Must take appropriate measures to ensure the security and protection of the data collected.
- Must provide tools to obtain consent from data subjects regarding the processing of data, and it must be easy for this consent to be withdrawn.

Voluntary requirements:
- Organisations seeking to engage in data altruism can register voluntarily in a public national register to increase public trust in their operations.
- In order to qualify for registration in a public national register, the organisation must meet the requirements outlined in Art. 18.
- Organisations that satisfy the requirements of Art. 18 will have the benefit of using a Commission-developed logo and the label “data altruism organisation recognised in the Union” in communications.

Does this affect international data flows under the GDPR?
While the GDPR has implemented the required precautions for the cross-border protection of personal data flowing from the EU, the DGA now extends these protections by creating equivalent measures for non-personal data as well. These protections apply to all DGA-specified provisions, including those involving public sector data, data intermediation services, and data altruism constellations. In addition to accepting the relevant EU jurisdiction, the re-user in the third country must guarantee the same level of protection for the concerned data as that guaranteed by EU legislation.
In the future, the Commission may issue additional adequacy decisions for the transfer of non-personal data in response to an access request from a third country. These adequacy determinations will be comparable to those made under the GDPR regarding the transfer of personal data. Furthermore, the DGA authorises the Commission to make model contract terms available to public sector organisations and re-users in scenarios involving public sector data in data transfers with third countries.
What the introduction of common logos means:
- The Commission has released visual guidelines for data intermediation service providers and data altruism organisations, covering the placement and information specifications for the common logos, to ensure uniform compliance.
- Data intermediation services and data altruism organisations that meet the DGA’s standards and choose to use the logos must clearly display the common logo on every online and offline publication relating to their activity.
- For data altruism organisations, a QR code linking to the EU public register of recognised data altruism organisations must be displayed alongside the logo. The Commission confirms that the registry will be accessible by September 24, 2023.
- The logos will act as EU trust marks, distinguishing accepted trust services from other providers and so contributing to data market transparency.
The Data Governance Act will be applicable from 24 September 2023. Ahead of this date and in accordance with the DGA, it is expected that the Commission will establish the European Data Innovation Board (EDIB) to facilitate the sharing of best practices, particularly in the areas of data intermediation, data altruism, and the use of public data that cannot be made available as open data. Data sharing organisations would also do well to start preparing their policies and business structures to adjust to the new requirements under the DGA.