Data Governance Act: Regulation (EU) 2022/868

Regulation (EU) 2022/868 ("Data Governance Act") sets out the legislative framework at Union level for the facilitation, on the one hand, of the re-use of public sector data and, on the other hand, for the establishment of a single Union-wide market for the provision of data mediation services and for the processing data for altruistic purposes. In this respect, the Data Governance Act is expected to enhance the free flow of personal and non-personal data in the European Union and boost data-intensive markets.

On 3 June 2022, Regulation (EU) 2022/868 on European data governance (“Data Governance Act” or “Act”) has been published in the official journal of the European Union (“EU”) and entered into force on the twentieth day from its publication.

1. Purpose & Object of the Act

With the purpose of developing a borderless digital internal market and a human-centric, trustworthy and secure data society and economy through the sharing of or access to data across borders or across the EU, the Act lays down:

i. conditions for the re-use, within the Union, of certain categories of data held by public sector bodies;

ii. a notification and supervisory framework for the provision of data intermediation services;

iii. a framework for voluntary registration of entities which collect and process data made available for altruistic purposes; and

iv. a framework for the establishment of a European Data Innovation Board.

Already from its first article, the Act stipulates that its provisions are without prejudice to Regulation (EU) 2016/679 (“GDPR”) and Directive 2002/58/EC (“e-Privacy Directive”), including where personal and non-personal data in a data set are inextricably linked. In the event of conflict, the relevant Union or national law on the protection of personal data shall prevail over the provisions of the Act. Furthermore, it is explicitly stated that the Act does not create any new legal bases for the processing of personal data, nor does it affect any of the rights and obligations set out in the GDPR and the e-Privacy Directive.

2. Rules for the Re-Use of Public Sector Data

First, the Act regulates the re-use of data held by public sector bodies by means of the following main provisions:

• Subject to restrictive exemptions of general interest, the prohibition of agreements or practices which effectively grant exclusive rights or restrict the availability of public-sector data for re-use (article 4);
• Conditions for re-use shall be non-discriminatory, transparent, proportionate and objectively justified, shall not restrict competition, shall be made publicly available and will, among others, include (article 5):

i. processes of personal data anonymisation and data modification and / or aggregation in respect of commercial data protected by trade secret and / or intellectual property law;

ii. the provision of a secure processing environment during access / re-use;

iii. the adherence by the re-user to confidentiality obligations

iv. compliance with intellectual property rights and the database sui generis right;

v. prior notice to the public sector body and entities affected about transfers to third countries.

• Re-use may be subject to fees, as long as such fees can also be paid online, reflect re-use costs and are transparent, non-discriminatory, proportionate and objectively justified and do not restrict competition.
• Public sector bodies may also offer re-use at discounted fees or free of charge, in particular to SMEs and start-ups, civil society and educational establishments for non-commercial purposes, such as scientific research purposes, and by SMEs and start-ups in accordance with State aid rules (article 6);

For the establishment of their data re-use schemes, member states are obliged to designate competent bodies to assist the implementation of the Act across their public sectors (article 7), establish single information points for the receipt of enquiries or requests for re-use (article 8) and have in place a procedure for addressing requests of re-use within two months of the date of receipt of each request (article 9).

Τhe Act does not create an obligation to allow the re-use of data held by public sector bodies. It, thus, leaves to Members States the power to decide whether data is made accessible for re-use, also in terms of the purposes and scope of such access.

The rules of the Act on the reuse of public sector data complement the provisions of Directive (EU) 2019/1024 on open data and the re-use of public sector information, thus setting the framework for the development of a market for public sector data, which is expected to reach €194 billion in economic value by 2030.

3. A Legal Framework for Data Intermediation Services

In addition, the Act sets out a legal framework for the activity of data intermediation service providers. Data intermediation services are defined in the Act as services which aim to establish commercial relationships between data subjects and data holders on the one hand and data users on the other, for the purposes of data sharing through technical, legal or other means, such as infrastructure, platforms or databases (article 10).

Following the submission of a prior notification to the competent authority for data intermediation services at the member-state of their main establishment, data intermediation service providers acquire the right to provide relevant services across the EU (article 11).

Conditions for the provision of data intermediation services include, among others (article 12):

• the prohibition of data processing for purposes other than to put them at the disposal of data users;
• the provision of the service in a fair, transparent and non-discriminatory manner for data subjects, holders and users, including with regard to prices and terms of service;
• the obligation of interoperability with other data intermediation services, inter alia, by means of commonly used open standards;
• the maintenance of an appropriate level of data security and the requirement to act to the data subjects’ best interest.

Each member state shall designate an authority with the competence to supervise the compliance of data intermediation service providers with the provisions of the Act (articles 13-14).

4. Rules for Data Altruism

Furthermore, the Act establishes rules for the promotion of data altruism, which refers to the voluntary sharing of either personal data on the basis of the consent of data subjects or non-personal data by data holders without compensation for objectives of general interest.

Objectives of general interest may include public health, combating climate change, public policy making or scientific research purposes in the general interest.

According to the Act, member states may at their discretion have in place national policies, organisational and technical arrangements to facilitate data altruism, subject to a relevant notification before the Commission (article 16).

Organisations carrying out data altruism activities will be required to be non-profit, registered in the relevant national public register, implement functional separation vis-à-vis their other activities and accompany any publication of their data altruism activities with a relevant EU – wide common logo (articles 17-19).

Data altruism organisations are also subject to strict transparency requirements regarding the activity of their data users, the purpose and duration of the processing and any fees paid to cover their costs, whereas they are also obliged to publish annual transparency reports about their activities (article 20).

Accordingly, they are required to provide data subjects and data holders with specific information about the processing of their data in the context of data altruism (article 21) and will be obliged to comply with an additional rulebook issued by the Commission with more specific rules on issues such as transparency, data security, awareness raising and interoperability (article 22).

Each member state shall designate an authority with the competence to supervise the compliance of data altruism organisations with the provisions of the Act (articles 23-24).

5. Oversight Mechanism

Finally, the Act sets out the framework for the exercise by competent authorities of their powers, provides for the rights of data subjects and data holders to lodge a complaint before competent authorities and to an effective judicial remedy.

The Act also establishes the European Data Innovation Board to advise and assist the Commission in matters related to the Act and facilitate cooperation between member states and competent authorities (articles 29-30).

6. Conclusions

The Data Governance Act establishes an institutional framework for the regulation of data processing, regardless if this refers to personal or non-personal data, in combination with the GDPR, Regulation (EU) 2018/1807 on the free flow of non-personal data in the European Union and the forthcoming Act on harmonized rules on fair access to and use of data (“Data Act”).

Under this institutional framework, organizations and businesses are required to adapt their operations in view of the transition from data protection to a holistic approach based on data governance.

The Data Governance Act is expected to enhance the free flow of personal and non-personal data in the European Union and boost data-intensive markets. The Act will become applicable from 24 September 2023.

The Data Governance Act is available here.