EU: Unpacking the EU's suite of new era digital legislation - Part three: the Data Governance Act
On 16 May 2022, around 18 months on from the initial proposal of the European Commission ('the Commission'), the Council of the European Union ('the Council') announced that the Data Governance Act ('DGA') had been adopted by the EU co-legislators following the Council's final approval of the European Parliament's position, making it the first legislative initiative adopted under the European Strategy for Data. The DGA, together with several other data and digital related legislative proposals, comprises the EU's envisaged regulatory framework for a digital single market in the EU. In this five-part Insight series, OneTrust DataGuidance aims to bring you up to speed, demystifying the acronyms as we unpick the broader policy context informing the legislative proposals, the key obligations that they will entail for affected parties, and the issues that must still be resolved in order to reach political consensus, with accompanying commentary provided by Wim Nauwelaerts, Partner at Alston & Bird. In part three, we take a look at the DGA.
On 19 February 2020, the European Commission unveiled its European Strategy for Data, setting out its key data-related policy objectives for 2020-2025. In particular, the Strategy identifies data as an essential resource for economic growth, competitiveness, innovation, job creation, and societal progress in general, and sets out the EU's objective of creating a single market for data that will ensure Europe's global competitiveness and data sovereignty, wherein common European rules and efficient enforcement mechanisms will ensure that:
- data can flow within the EU and across sectors;
- European rules and values are fully respected, in particular personal data protection, consumer protection legislation, and competition law; and
- the rules for access to and use of data are fair, practical, and clear, and there are clear and trustworthy data governance mechanisms in place, creating an open but assertive approach to international data flows based on European values.
Complementing the newly announced proposal for a Regulation on Harmonised Rules on Fair Access to and Use of Data ('the Draft Data Act'), which seeks to establish a framework to facilitate the third objective above, the DGA takes aim at the first objective, aiming to promote the availability of data and build a trustworthy environment to facilitate its use for research and the creation of innovative new services and products. It does so by creating mechanisms to facilitate the reuse of certain categories of protected public-sector data, increasing trust in data intermediation services ('DIS'), fostering data altruism across the EU, and facilitating the development of common European data spaces in strategic domains such as health, the environment, energy, agriculture, mobility, finance, manufacturing, public administration, and skills.
Through the above summarised suite of measures, the DGA aims to establish trust as the bedrock for the EU data economy, a point emphasised by Member of Parliament Angelika Niebler following Parliament's approval of the DGA: "Our goal with the DGA is to set the foundation for a data economy in which people and businesses can trust. Data sharing can only flourish if trust and fairness are guaranteed, stimulating new business models and social innovation. Experience has shown that trust – be it trust in privacy or in the confidentiality of valuable business data – is a paramount issue. The Parliament insisted on a clear scope, making sure that the credo of trust is inscribed in the future of Europe's data economy".
Relationship between the DGA and GDPR
The DGA expressly provides that it is without prejudice to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and makes reference to the GDPR throughout.
Nauwelaerts provides his assessment of how the two pieces of legislation will interact, and the challenges that such interaction may present:
"Both the GDPR and EU Member State law on the protection of personal data will apply to personal data processed in connection with the DGA, including with regard to the powers and competences of data protection authorities. This is also the case where data processing in the context of the DGA involves both personal and non-personal data that are inextricably linked i.e., if there are mixed data sets. In the event of a conflict between the DGA and the GDPR/EU Member State law on the protection of personal data, the DGA makes it clear that data protection law will prevail.
Despite the prevalence of data protection law, the DGA introduces several new concepts and definitions that do not appear to be in line with key data protection principles and concepts as these are defined in the GDPR. For instance:
- The DGA covers processing of 'personal data' (as defined in the GDPR) and 'non-personal data' (which means data other than personal data). However, both concepts combined are referred to as 'data', which the DGA restricts to any digital representation of acts, facts or information. This seems to suggest that 'non-digital' processing of personal data will not be in scope of the DGA.
- The DGA assigns a central role to 'data holders', which it defines as persons who have the right to grant access to or share certain personal data. However, the DGA fails to elaborate on what this right entails and under what conditions it can be exercised. This can lead to practical difficulties of interpretation, taking into account that the right as such does not exist in the GDPR.
- Similarly, the DGA refers to 'data users' as persons who have lawful access to certain personal data and have the right under the GDPR to use that data for commercial or non-commercial purposes. Based on this definition, there will be an interplay between the 'data user' concept and the notions of (joint) controller and processor in the GDPR, but the DGA remains unclear on this point. As a result, there is a risk of ambiguity around the controller/processor roles that the main actors under the DGA - in particular data holders and data users - will play in practice".
Reuse of public-sector data
Chapter II of the DGA will regulate the re-use of protected data held by public sector bodies, aiming to create a mechanism that enables the safe re-use of certain categories of public-sector data that are subject to the rights of others. For the purposes of Chapter II of the DGA, 'protected data' means data protected on the grounds of (Article 3(1) of the DGA):
- commercial confidentiality, including business, professional, and company secrets;
- statistical confidentiality;
- the protection of intellectual property rights of third parties; or
- the protection of personal data, insofar as such data fall outside the scope of Directive (EU) 2019/1024 on Open Data and the Re-use of Public Sector Information.
Member States will be required to make publicly available, via a single information point, the conditions for allowing such re-use and the procedure for requesting it (Article 8 of the DGA). Public-sector bodies allowing this type of re-use will need to be properly equipped, in technical terms, to ensure that privacy and confidentiality are fully preserved, with anonymisation recommended as a technical measure for protected personal data.
Nauwelaerts takes a closer look at these requirements and explains how they will interact with existing data protection regulation:
"The DGA requires public sector bodies to ensure that the protected nature of data is preserved. It will be possible to grant data access for re-use purposes where the public sector body (or the competent body), has ensured that the personal data have been anonymised before they are shared with re-users.
Public sector bodies will also have to impose contractual obligations on re-users that a) prohibit them from re-identifying data subjects to whom the data relates, b) force them to take technical and operational measures to prevent re-identification, and c) require them to notify the public sector body of any data breach resulting in the re-identification of the data subjects. The obligation to notify data breaches to the public sector body will apply in addition to the obligation to notify personal data breaches to data protection authorities and to affected data subjects under the GDPR, which may create additional compliance hurdles for both public sector bodies and re-users.
Although anonymisation of personal data is the rule, the DGA appears to allow re-use of personal data in exceptional cases. Where the provision of anonymised data would not respond to the needs of the re-user, the DGA allows public sector bodies to permit on-premise or remote re-use of the data within a secure processing environment. This could involve the re-use of data that have been pseudonymised by or on behalf of the public sector body. In those scenarios, public sector bodies should facilitate the re-use of data on the basis of data subjects' consent, by providing adequate technical means. These should permit transmitting consent requests from re-users to the relevant data subjects, where practically feasible. That way no contact information needs to be shared and re-users are unable to contact data subjects directly. Where the public sector body transmits a request for consent, it will be responsible for ensuring that the data subject is clearly informed of the possibility to refuse consent. In addition to providing transparency towards data subjects, public sector bodies will have to make sure that they meet all other controller requirements under the GDPR. This includes establishing the re-user's qualification as a controller or processor for GDPR purposes.
It is noteworthy that data subjects who are directly affected by a decision allowing re-use of their data will have a right of redress in the EU Member State of the public sector body that took the decision. This right of redress will need to be provided by national law and include the possibility of review by the local data protection authority".
In addition, the Commission will set up a European single access point with a searchable electronic register of public-sector data, which will be available via national single information points.
Data intermediation services
DIS are defined in Article 2(11) of the DGA as a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal, or other means, including for the purpose of exercising the rights of data subjects in relation to personal data. The Council further outlined that these services can take the form of digital platforms.
Chapter III of the DGA creates a framework to regulate and foster the development of DIS, the chief purpose of which is to provide a secure environment in which companies or individuals can share data and which 'are expected to play a key role in the data economy'.
Notably, Nauwelaerts highlighted that such framework "is without prejudice to the obligation of DIS providers to comply with the GDPR and the responsibility of data protection authorities to ensure compliance with the GDPR. Where DIS providers process personal data as controllers or processors, they are bound by the relevant controller or processor obligations in the GDPR."
Requirements for trustworthy service providers
Chapter III sets out requirements for DIS providers to notify national competent supervisory authorities of their intention to provide such services (Article 11 of the DGA), conditions for providing such services (Article 12 of the DGA), including that service providers will not be allowed to use shared data for purposes other than putting them at the disposal of data users (Article 12(a) of the DGA), and monitoring of DIS (Article 14 of the DGA). The underpinning objective is that DIS are neutral and trusted, so that companies will be able to share their data without fear of it being misused or of losing their competitive advantage.
Elaborating on the above, Nauwelaerts identifies a number of potential compliance challenges for DIS providers:
"From a transparency perspective, a DIS provider offering services to data subjects will be required to act in the data subjects' best interest and make it easier for data subjects to exercise their rights, in particular by informing and advising data subjects in a concise, transparent, intelligible and easily accessible manner about intended uses of their data, before data subjects give consent to such uses. If DIS providers anticipate that data will be used by data users in third-country jurisdictions (outside of the EU), they should provide data subjects with tools to both give and withdraw consent. This could impose considerable burdens on DIS providers in terms of consent management, and raises questions about the possibility for DIS providers to make use of proven data transfer tools under the GDPR, such as the European Commission's Standard Contractual Clauses".
Facilitation of data subject rights
Notably, the DGA highlights in Recital 30 that the promotion of DIS providers seeks to enhance the agency of data subjects, and in particular individuals' control over data relating to them, noting that such providers will assist individuals in exercising their rights under the GDPR, in particular giving and withdrawing their consent to data processing, the right of access to their own data, the right to the rectification of inaccurate personal data, the right of erasure, the right to restrict processing, and the right to data portability.
On this last right, Nauwelaerts notes an additional requirement for DIS providers: "To facilitate data portability - one of the data subject rights in the GDPR - DIS providers must also facilitate the exchange of data and convert them into specific formats to enhance interoperability within and across sectors, or if requested by data users".
Elaborating on the above, the Council notes that such services may be provided, for example, by means of novel personal information management tools, such as personal data spaces or data wallets, which are apps that share such data with others, based on the data holder's consent.
For Nauwelaerts, the DGA's promotion of personal data spaces is worth noting:
"It is interesting that the DGA explicitly notes that in certain situations, it may be desirable to keep data within a 'personal data space' so that processing can happen within that space without personal data being transmitted to third parties, in order to maximise the protection of personal data and privacy. Such personal data spaces could contain static personal data such as name, address or date of birth as well as dynamic data that an individual generates through, for example, the use of an online service or an object connected to the Internet of Things. They could also be used to store verified identity information such as passport numbers or social security information, as well as credentials such as driving licences, diplomas or bank account information".
Scope considerations for multinationals and non-EU service providers
For multinationals in the EU and non-EU service providers, Nauwelaerts notes that the relevant provisions of the DGA bear similarities with now-familiar GDPR provisions in this area:
"DIS providers with establishments in more than one EU Member State will fall under the jurisdiction of the EU Member State in which they have their 'main establishment', a concept that mirrors the notion of main establishment that is used in the GDPR".
Specifically, the main establishment of a DIS provider in the Union should be the place of its central administration in the Union and should be determined in accordance with objective criteria and should imply the effective and real exercise of management activities (Recital 41 of the DGA).
In addition, and also similarly to the GDPR, Nauwelaerts highlights that "the DGA can apply extraterritorially to DIS providers that are not established in the EU but offer DIS to data subjects, data holders and data users within the EU. In that case, the DIS providers will be required to designate a legal representative for DGA purposes in one of the EU Member States where they offer their services".
The DGA further clarifies that in order to determine whether such a DIS provider is offering services within the Union, it should be ascertained whether it is apparent that the DIS provider is planning to offer services to persons in one or more Member States. In this respect, the DGA clarifies that the mere accessibility in the EU of the website or of an email address and other contact details of the DIS provider, or the use of a language generally used in the third country where the DIS provider is established, should be considered to be insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that language, or the mentioning of users who are in the Union, could make it apparent that the DIS provider is planning to offer services within the Union (Recital 42 of the DGA).
Data altruism
The Council has underlined that one of the primary objectives of the DGA is to make it easier for individuals and companies to make data voluntarily available for the common good, such as medical research projects. With this objective in mind, the DGA sets out a comprehensive framework for the registration, operation, and monitoring of recognised data altruism ('RDA') organisations, aiming to foster the necessary trust in data altruism, encouraging individuals and companies to donate data to such organisations so that they can be used for wider societal good.
The DGA defines 'data altruism' as the voluntary sharing of data on the basis of the consent of data subjects to process personal data pertaining to them, or the permission of data holders to allow the use of their non-personal data, without seeking or receiving a reward that goes beyond compensation for the costs they incur in making their data available, for objectives of general interest as provided for in national law, where applicable, such as healthcare, combating climate change, improving mobility, facilitating the development, production and dissemination of official statistics, improving the provision of public services, public policy making, or scientific research purposes in the general interest (Article 2(16) of the DGA).
Chapter IV of the DGA regulates data altruism. The DGA encourages Member States to establish national policies for data altruism, which may, in particular, assist data subjects in making personal data related to them (held by public sector bodies) available voluntarily for data altruism (Article 16 of the DGA).
Registration and identification
In particular, Article 17 of the DGA provides that national competent authorities will keep and regularly update a public national register of RDA organisations, whilst the Commission will maintain a public EU register of RDA organisations.
In order to qualify for registration as a data altruism organisation, an organisation must meet all of the following conditions (Article 18 of the DGA):
- carry out data altruism activities;
- be a legal person established pursuant to national law to meet objectives of general interest as provided for in national law, where applicable;
- operate on a not-for-profit basis and be legally independent from any entity that operates on a for-profit basis;
- carry out its data altruism activities through a structure that is functionally separate from its other activities; and
- comply with the rulebook referred to in Article 22(1) of the DGA, at the latest 18 months after the date of entry into force of the delegated acts referred to in that paragraph.
Rules for trustworthy data altruism organisations
The DGA further specifies reporting and transparency obligations for data altruism organisations (Articles 19 and 20 of the DGA), as well as specific measures for safeguarding data subject and data holder rights, including in relation to transparency, purpose limitation, obtaining and facilitating the withdrawal of consent, (non-personal) data security, and transfers of and third-country access to non-personal data (Article 21 of the DGA).
Further to the above, Nauwelaerts pinpoints important areas of overlap between the DGA and the GDPR for data altruism organisations:
"The DGA makes it possible for RDA organisations to collect data directly from natural and legal persons or to process data collected by others for altruistic purposes. However, since data subjects cannot 'waive' their fundamental right to the protection of personal data - even for altruistic purposes - RDA organisations remain fully bound by the data protection rules and principles as well as the relevant controller and processor obligations in the GDPR. As far as lawful basis for data processing is concerned, data altruism will typically rely on consent of data subjects within the meaning of Articles 6(1)(a) and 9(2)(a), of the GDPR, and that consent will have to comply with all the requirements for lawful consent in the GDPR".
Additionally, Nauwelaerts identifies a potential challenge for RDA organisations in relation to data processing for scientific research purposes:
"In line with the guidance from the European Data Protection Board ('EDPB'), the DGA specifies that RDA organisations can pursue scientific research purposes on the basis of consent. That consent should in principle be specific as to the (altruistic) purposes for which the data will be used. However, in practice it is often not possible to identify (all) the purposes of personal data processing for scientific research at the time of collection. Therefore, data subjects should be allowed to give their consent to certain areas of scientific research (where in keeping with recognised ethical standards for scientific research) or only to certain parts of research projects. Both the EDPB and European Data Protection Supervisor ('EDPS') have emphasised in the past that consent for purposes of general interest as such, not strictly defined and referring to a possibly different and much broader scope than scientific research, is problematic under the GDPR. Given the controversy around the scope of consent in this context, RDA organisations may find it challenging to specify processing to a level that data protection authorities are comfortable with".
In terms of data protection obligations, Nauwelaerts identifies the following as key for RDA organisations:
- keeping full and accurate records concerning all natural or legal persons that were given the possibility to process data held by that RDA organisation, alongside their contact details;
- informing data subjects prior to any processing of their data in a clear and easily comprehensible manner of the objectives of general interest and the purposes for which the RDA organisation permits the data to be processed by a data user; and
- providing tools for obtaining consent from data subjects, in addition to tools for easy withdrawal of such consent.
In addition, Article 22 of the DGA provides for a more detailed rulebook of measures supplementing the provisions outlined above, which will address the following:
- appropriate information requirements to ensure that data subjects and data holders are provided, before consent or permission for data altruism is given, with sufficiently detailed, clear and transparent information regarding the use of data, the tools for giving and withdrawing consent or permission, and the measures taken to avoid misuse of the data shared with the data altruism organisation;
- appropriate technical and security requirements to ensure the appropriate level of security for the storage and processing of data, as well as for the tools for giving and withdrawing consent or permission;
- communication roadmaps taking a multi-disciplinary approach to raise awareness of data altruism, of the designation as a 'data altruism organisation recognised in the Union' and of the rulebook among relevant stakeholders, in particular data holders and data subjects that would potentially share their data; and
- recommendations on relevant interoperability standards.
Further to the requirements regarding obtaining and facilitating the withdrawal of consent for altruistic data sharing, the DGA also foresees the adoption of a standard European data altruism consent form, allowing the collection of consent or permission across Member States in a uniform format (Article 25(1) of the DGA). In particular, the DGA specifies that the forthcoming consent form will use a modular approach allowing customisation for specific sectors and for different purposes, and ensure, where personal data is involved, that data subjects are able to give consent to and withdraw consent from a specific data processing operation in compliance with the requirements of the GDPR.
Another layer of data transfer regulation
Organisations relying on cross-border data flows will by now be familiar with the EU and Member State frameworks regulating the cross-border transfer of data and the operational challenges these may present, particularly since the judgment in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (C-311/18) ('the Schrems II Case'). The DGA expressly provides that it is without prejudice to the GDPR's cross-border data transfer regime, and instead adds an additional layer of data transfer regulation with respect to non-personal data, with measures set out in Chapter VII of the DGA aimed at safeguarding public-sector data, DIS, and data altruism organisations against unlawful international transfer of, or governmental access to, non-personal data.
In particular, Article 31(1) of the DGA requires public sector bodies, DIS, and recognised data altruism organisations to take all reasonable technical, legal, and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the EU where such transfer or access would create a conflict with EU law or Member State Law.
Furthermore, the DGA provides that the Commission may adopt adequacy decisions, based on similar factors to those considered for the purposes of personal data transfers under the GDPR, declaring that specific non-EU countries provide appropriate safeguards for the use of non-personal data transferred from the EU (Recital 21 of the DGA).
Also, similarly to the GDPR data transfer regime, the DGA provides that the Commission may adopt model contractual clauses to support public-sector bodies and re-users in the case of transfers of non-personal data covered by the DGA to third countries (Article 5(11) of the DGA).
Nauwelaerts explains, "One rationale for these restrictions appears to be the concern that third country decisions requiring transfer of or access to data in scope of the DGA may not be sufficiently proportional and specific, for instance, in establishing a link to certain suspected persons and infringements. This concern is surprising, to say the least, as the DGA's restrictions relate to non-personal data only. Non-personal data is, by definition, anonymous and should therefore not give rise to the type of risks associated with governmental data access in third countries that the European Court of Justice considered in the Schrems II Case".
European Data Innovation Board
The DGA provides for the establishment of a new expert group to advise and assist the Commission on the implementation of the DGA's data governance framework, the European Data Innovation Board ('EDIB'), consisting of representatives of the competent authorities for DIS and the competent authorities for the registration of data altruism organisations of all Member States, the European Data Protection Board, the European Data Protection Supervisor, the European Union Agency for Cybersecurity, and the Commission, among others.
In particular, the EDIB will advise and assist the Commission in enhancing the interoperability of DIS and issuing guidelines on how to facilitate the development of data spaces, among other tasks set out in Article 30 of the DGA.
The DGA was published in the Official Journal of the European Union on 3 June 2022 and enters into force 20 days after publication i.e. on 23 June 2022. It will apply from 24 September 2023.
Alexis Galanis, Lead Privacy Analyst
Comments provided by:
Wim Nauwelaerts, Partner
Alston & Bird, Brussels