Data
The Data Governance Act (DGA)
What is the purpose of the DGA?
The DGA is an EU Regulation (No. 2022/868) which means it takes direct effect across all EU Member States without the need for national legislative action. It was the first part of the EU's broad digital strategy to be enacted and it aims to ensure the free flow of data within the EU and strengthen the digital single market.
The DGA complements the data sharing rights created under the EU Data Act. It aims to facilitate data sharing across borders (for personal and non-personal data), while protecting privacy and fostering an innovation framework for data intermediaries to facilitate data sharing between businesses, public authorities, and individuals.
Key provisions
The DGA sets out rules relating to the reuse of public sector data, and data intermediation services as well as data altruism:
Reuse of public sector data – public sector bodies that make data under their control available for reuse must make the conditions for data reuse publicly available. The DGA does not oblige public sector bodies to allow for the reuse of data and does not release them from any existing legal obligations under the GDPR or freedom of information enactments.
Data altruism – the DGA introduces the concept of 'data altruism' and allows an organisation to register as a 'data altruism organisation recognised in the Union'. Through such organisations, individuals and companies can give their consent to make available data that they generate – voluntarily and without reward – for use in the public interest.
Data intermediation services – this category covers a wide range of data sharing services, including (i) platforms or databases for the exchange or joint use of data, including industry data spaces (ii) intermediation services between data subjects that seek to make their personal data available to potential data users (those who have the lawful right to use data for commercial or non-commercial purposes) (iii) services offered by data co-operatives.
Such organisations must notify the competent authority that they provide their services in the EU and must comply with other conditions, including providing services by a separate legal vehicle and adopting strict purpose limitation approaches to the data (comparable to those required in respect of personal data under the GDPR).
This Act also establishes a new formal expert group chaired by the European Commission: the European Data Innovation Board.
What is the jurisdictional reach of the DGA?
It applies to relevant organisations within the EU.
Who will have obligations under the DGA?
Public sector bodies, data intermediation services and organisations choosing to designate as data altruism organisations all have obligations under the DGA.
Are there sanctions for non-compliance?
Member States are responsible for appointing competent authorities to assess and enforce compliance. Such bodies shall be entitled to impose penalties for non-compliance (including financial penalties for data intermediation services). Member States are required to lay down other penalties which should be proportionate, effective and dissuasive.
Key dates and deadlines
- 23 September 2023 – the DGA entered in force and became applicable.
- 18 months from publication of the European Data Innovation Board’s rulebook – data altruism organisations must be compliant with its standards.