The Jigsaw Puzzle Pieces of EU Data Legislation, Including The Data Governance Act

The Jigsaw Pieces of EU Data Legislation, Including The Data Governance Act??

Think of the Data Governance Act (DGA) as a set of rules that tell companies and organizations how to handle the personal information of people, such as their names, addresses, and financial information. These rules are put in place to protect people's privacy and make sure that their information is being used responsibly.?

The DGA applies not only to personal data but to “any digital representation of acts, facts or information”. Its rules entered into force on 23 June 2022 and takes effect in September 2023.?

The DGA is the first of the European Union’s new initiatives on “data” to get to the legislative finishing line.?

It follows the introduction of the EU Digital Markets Act, which was approved by the European Commission earlier in July 2022, alongside the Digital Service Package – see link at end of article for more information.?

Like the 2019 Open Data Directive - the re-use of public sector information, which?entered into force on 16 July 2019, replacing the Public Sector Information (PSI) Directive. The DGA does not oblige public sector bodies to allow re-use of data, but where data are made available for re-use then it requires that access arrangements must be non-discriminatory, transparent, proportionate, objective and may not restrict competition. Exclusive access arrangements are restricted. There are also restrictions on fees payable for access.?

Public sector bodies who do provide access must ensure that they preserve the protected nature of the data. By way of example, this could mean only releasing data in anonymous form. Or it could mean using secure processing environments – physical or virtual environments which allow access to data, whilst ensuring compliance with other laws.?Recital 6 specifically calls out the potential for use of differential privacy and synthetic data as ways of allowing exploitation of data. Those who wish to re-use the data, must agree to continue to respect the protected nature of the data; where data has been released that was originally personal, then this would include agreeing not to attempt to re-identify data subjects.?

If a public sector body receives a request to release data, but cannot do so in a compliant way, even by using the techniques above, then it has an obligation to use best efforts to seek consent to re-use from the data subject/ affected person, unless this would involve disproportionate effort.?

The idea that data that has been generated or collected by public sector bodies or other entities at the expense of public budgets should benefit society has been part of EU policy for a long time [via the Open Data Directive] … However, certain categories of data (commercially confidential data, data subject to statistical confidentiality, data protected by intellectual property rights of third parties, including trade secrets and personal data) in public databases is often not made available. not even for research or innovative activities in the public interest.?

The DGA legislation will create a framework which will facilitate and encourage data sharing for altruistic purposes.?

• The Act encourages wider re-use of data held by the public sector bodies, including personal data. This is to be achieved by making use of secure processing environments and anonymization techniques such as differential privacy and the creation of synthetic data. This part of the Act may drive more development of, and guidance on, the use of such techniques which may be of wider use, beyond the immediate goal of re-use of public sector data. ?
• A licensing regime is set up for “data intermediaries.” These are organizations which set up commercial arrangements between data holders and data users, but which do not themselves add extra value to the data. Data intermediaries will need to meet license conditions designed to ensure their independence and restrict their re-use of data and metadata. The requirements will affect those offering data marketplaces and (possibly) consent management platforms. Adtech companies should take careful note.?
• Data altruism is to be encouraged. Those wanting wider access to data — in particular for scientific research — may find that this facilitates access to more data. Those operating on a not-for-profit basis for general interest purposes may want to consider becoming a recognized data altruism organization.?
• The Act contains the first steps towards the restriction of transfers of non-personal data. Data intermediaries and recognized data altruism providers will need to consider if third countries (for example. the UK) offer appropriate protections for non-personal data and will need to resist attempts by public authorities in third countries to access EU originating non-personal data. There are additional restrictions applicable to those involved in the re-use of public sector data, as well as mechanisms for the Commission to recognize countries as offering adequate protection and to adopt model contractual clauses for the transfer of non-personal data.?

The free flow of data could make or break a business. This needs no explanation, especially regarding privacy. On the one hand, data is the fuel needed to run the business by driving the total value and growth. On the other side of the coin are the commercial and reputational risks attached to hefty fines prescribed by data protection and other laws for noncompliance. This makes access to data by creating trust in data sharing and use, the focus point for businesses and governments to become leaders in a data-driven society.?

DGA & GDPR?

The definition of "data" under the DGA is so broad that it also includes personal data as defined in the EU General Data Protection Regulation. Therefore, the GDPR and DGA may apply simultaneously, which explains why the recitals and provisions of the DGA indicate on several occasions they are without prejudice to the application of the GDPR, among others.??

The DGA covers three key areas:??

(1) access to data held by public sector bodies;??

(2) regulation of data sharing services through "data intermediaries"; and??

(3) encouraging "data altruism," which means donating data for the common good, such as health care research.?

While public sector data and data altruism would largely cover non-commercial activities, it is data sharing by companies or individuals through "data intermediaries" that lies at the heart of commercial operations. This type of data sharing is likely to make the biggest impact on businesses that either currently work with data intermediaries covered under the DGA or are data intermediaries themselves. It may also impact those wanting to qualify as one because they have to plan or re-plan their operations to ensure compliance with the new notification requirements.?

Who is Impacted by The Data Governance Act???

Basically, any company or organization that collects, uses, or stores personal information is impacted by the act. This includes businesses, government agencies, and even non-profit organisations?

The Benefits of the Data Governance Act??

Are that it helps to ensure that people's personal information is kept safe and secure, and that it is only used for the purposes that they have agreed to. This can give people peace of mind and help to prevent identity theft and other forms of fraud?

?

Compliance Actions?

In order to become compliant?with the DGA, companies and organizations need to take a number of steps. This might include things like putting in place stronger security measures to protect personal information, training employees on the importance of privacy, and regularly reviewing their practices to make sure they are meeting the requirements of the act – yet another need for Data Literacy!?

In a nutshell, the Data Governance Act is like a set of rules to help protect people's personal information and make sure that it is being used responsibly. Companies and organizations need to follow these rules to make sure they are doing their part to keep people's information safe.?

More useful and informative articles on Data, for you to easily understand and put the ideas and frameworks into practice to enhance the value from your data at:

https://lizhendersondata.wordpress.com/?

?

Definition of a Data Intermediary?

Data intermediary - is a catch-all term for those who help broker the flow of data from data source to data user who otherwise could be described as middlemen, data aggregators, data brokers.?

While these facilitators have traditionally existed in the EU, the DGA will probably be the first law where data intermediary is conspicuously mentioned in its recitals. Although the term is not defined in the provisions, which instead use the term "provider" of data-sharing services.??

References:?

https://en.wikipedia.org/wiki/Data_Governance_Act?

https://digital-strategy.ec.europa.eu/en/policies/data-governance-act-explained#:~:text=The%20Data%20Governance%20Act%20(DGA,of%20data%20for%20altruistic%20purposes?

The EU Data Governance Act and the GDPR: What You Need to Know (itgovernance.eu)?

https://www.itgovernance.eu/blog/en/the-digital-services-act-and-the-gdpr-what-you-need-to-know?

EU Data Governance Act: What privacy professionals need to know (iapp.org)?

How to know you are a 'data intermediary' under the Data Governance Act (iapp.org)?

The EU Data Governance Act: what privacy professionals need to know - Bird & Bird (twobirds.com)?

Data Act — Factsheet | Shaping Europe’s digital future (europa.eu)?

EU Data Governance Act | Creating European regulation for the data ecosystem - Osborne Clarke | Osborne Clarke?