European Commission publishes draft of Data Governance Act

The European Commission has published its proposed draft of the EU Data Governance Act (DGA), laying the groundwork for European data policy over the next decade. The DGA outlines how digital services should handle data in the future and is part of the 2020 European Strategy for Data

The draft DGA regulates four areas:

Re-Use of Public Sector Data

The draft DGA covers the re-use of public sector data for commercial and non-commercial purposes that differs from the initial public purpose for which the data was collected. Designed to be compatible with the General Data Protection Regulation (GDPR), the draft DGA states that the fundamental rights of data protection, privacy, and property (intellectual property rights) are to be respected. Similarly, data sharing service providers offering services to data subjects will have to comply with the applicable data protection rules.

Trusted intermediaries

The draft DGA regulates providers of data sharing services as facilitators of pooled data and bilateral exchanges. It states the neutrality of data sharing service providers as a key element of trust and control between data holders and data users. Data sharing service providers can act only as intermediaries in the transactions, and must not use the data exchanged for any other purpose. This will also require structural separation between the data sharing service and any other services provided, so as to avoid issues of conflict of interest.  

Data Altruism

The draft DGA creates an authorisation framework and a standard consent form for data altruism schemes under which individuals or companies may make their data available for the common good.

Creation of the European Data Innovation Board

The European Data Innovation Board will conduct oversight of data sharing services providers, ensure consistent practice in processing requests for public sector data, and advise the European Commission on governance of cross-sectoral standardisation.

Data processing in the EU

The draft DGA requires providers of data sharing services to be established within the EU or the European Economic Area, or name a representative in the region. Data sharing service providers are also required to have ‘adequate safeguards in place … that prevent it from responding to requests from authorities of third countries.’ The draft DGA also places stricter requirements on sensitive non-commercial data, such as possible limitations on transfer to third countries.

The draft DGA is expected to be adopted in the coming months as regulation with EEA relevance.