Data Governance Act (DGA): a new regulation on data control
Under the heading “A Europe Fit for the Digital Age”, the European Union wants to take the lead in a data-based world. With the Data Governance Act, the EU Commission has presented the first legislative proposal of its EU data strategy, which will be accompanied by another proposal on high-quality data sets, the Data Act, in 2021. The Data Governance Act aims to simplify data exchange between companies, private individuals and the public sector, to promote the availability of data, and to define mechanisms for the reuse and sharing of data. The aim of the regulation is divided into three parts:
1. The creation of EU-wide harmonized conditions for the re-use of protected data owned by public authorities (extended PSI).
2. The creation of a registration and supervisory framework for the provision of data sharing services (data intermediaries).
3. The creation of a framework for the voluntary registration of institutions that collect and process data made available for altruistic purposes (data altruism).
Through the regulation, the European Commission wants to introduce a mechanism for the re-use of certain categories of protected public-sector data whose re-use is subject to respect for the rights of others. The following categories of data should be affected:
- data that is subject to business secrecy
- data that is subject to statistical secrecy
- data that is subject to the protection of the intellectual property of third parties
- personal data
Public authorities that allow this type of re-use must be technically equipped in such a way that data protection, privacy and confidentiality are fully guaranteed (e.g. by deleting data containing trade secrets, or by anonymization and pseudonymization). Data from the public sector should become available for use by companies in so-called “secure processing environments” while still being controlled by the public body.
With the regulation, the EU Commission would like to create further registration rules and regulations for data intermediaries.
The following providers should be affected:
1. mediation services between data owners who are legal persons and potential data users (B2B),
2. mediation services between data subjects who want to make their personal data accessible and potential data users (C2B),
3. services of data cooperatives, that is, services that support data subjects or SMEs (small and medium enterprises) who are members of the cooperative or who delegate to the cooperative the authority to negotiate the terms of the data processing prior to their consent.

Each member state should name for this purpose one or more competent authorities on its territory.
In addition, there are a number of conditions that data intermediaries need to meet, including:
- The data intermediary may not use the data for any purposes other than making them available to the data users.
- The metadata collected during the provision of the common data-sharing service may only be used for the development of that service.
- The data intermediary acts in the best interests of the data subjects and facilitates the exercise of their rights. It advises data subjects on possible ways of using the data and the usual terms and conditions for such uses.