The Data Governance Act
Requirements and possibilities for fair data exchange – an assessment of the current status.
On October 17, 2024, the Bundestag debated the Federal Government’s draft bill “on the implementation of the EU Regulation on European data governance” for the first time, only to then refer the bill to the committees for further discussion, with the Digital Affairs Committee taking the lead. This is unfortunate insofar as the Data Governance Act (DGA) was already adopted on May 30, 2022, came into force on June 23, 2022 and has been directly applicable since September 24, 2023, and the German implementing law has been overdue for over a year. As a result, the EU Commission initiated infringement proceedings against Germany and 17 other member states on May 23, 2024 and gave them two months to implement the requirements.
Integrated into the EU data strategy
The Data Governance Act (DGA) (EU 2022/868) is part of the EU Data Strategy 2020, which aims to create a single market for data in the EU and to enable and facilitate the exchange of data in accordance with the law. In the view of the EU Commission, the exchange of data currently takes the form of one-sided competition determined by “data controllers” (EG 1 + 2 DGA).
The underlying vision envisages future data access for all, a reduction of the “digital access gap”, more participation for women and SMEs, the promotion of IT knowledge by institutions and an optimization of technology design both in terms of data exchange (cyber security) and the quality of the data sets themselves (“FAIR data principles”).
The Data Governance Act is intended to promote the exchange of data at European level in the public interest and across sectors. Protected data sets collected by public bodies in the course of their activities should be made available in a legally secure manner and regardless of location. The DGA, with its 38 articles and 63 recitals, acts as both a legal and a structural instrument. Data should be shared in a trustworthy and secure manner, further use for own purposes should be made possible and the data space should be extended to third countries under framework conditions. Institutions are to act as guarantors of security and legal compliance.
This construct is both legally and institutionally demanding. For this purpose, a “central information point” (Art. 7 and 8 DGA) and a “competent authority” (Art. 13; Art. 23; Art. 26 DGA) are established in the respective member states. The draft implementation of the DGA names the Federal Network Agency (BNetzA) and the Federal Statistical Office as the competent authorities.
Data marketplaces are regulated by data brokerage services. Data and data sets are provided voluntarily by data altruistic organizations (Art. 17 DGA). Authorities monitor the conditions and the process, provide advice and impose sanctions (Art. 23 and 34 DGA). The data provided by data altruistic organizations should be shared in a trustworthy and secure manner and, above all, be able to be reused. Particularly in selected research areas, the consent-based, shared use of data should drive the acquisition of new knowledge and the development of new procedures.
The requirements of the DGA are supplemented by a specific “set of rules” (Art. 22 DGA), which the EU Commission will issue as a supplement in cooperation with stakeholders as delegated acts. The EU Commission has undertaken to draw up a “European consent form for data altruism” for both non-personal and personal data (Art. 25 DGA). This is still pending and is eagerly awaited, as the associated compatibility of the relevant legal provisions of the GDPR and DGA are currently still unresolved, particularly in the area of the further use of personal data in the event of a change of purpose.
This is because the DGA does not create a (new) legal basis for the exchange of personal data. All EU legal acts are applicable alongside the DGA or take precedence over it, such as the GDPR.
Addressees
The Data Governance Act is primarily aimed at 3 addressees:
- Public bodies
- Data switching services
- Data altruistic organizations
1. public bodies
The DGA regulates material and formal obligations to act and an official supervisory framework as well as conditions for the further use of data held by public bodies. It does not establish an obligation to reuse data. The provisions of Chapter 2 of the DGA only apply if a public sector body decides to make the data in its possession available for the purpose of re-use; if necessary, it is obliged to do so by the national legislator. Data of public undertakings, public broadcasters, cultural and educational institutions as well as data protected for reasons of public security or data outside the public task assignment are outside the scope of application (Art. 3 para. 2 DGA). The datasets must be reported to the register of protected data held by the EU public sector via the national central information point.
Charges can be levied for the provision, which must be set by the national legislator in a “transparent, non-discriminatory, proportionate and objectively justified manner that does not restrict competition” (Art. 6 DGA). The BMWK’s draft bill has been available since May 2024. The Committee for Digital Affairs is currently taking the lead on the corresponding draft bill.
2. data switching services
If a company wishes to qualify as a data brokerage service or commence a data brokerage activity, the DGA imposes a number of obligations on it (Art. 10 to 12 DGA). Existing data brokerage services have a grace period until September 24, 2025 to implement the provisions of the DGA. There is an obligation to register with and obtain approval from the respective national competent authority and, following recognition by the respective member state, an obligation to report to the EU register. 9 They are subject to supervision by the competent authority and must expect sanctions in the event of breaches of information obligations, IT security or communication requirements (imposition of fines including periodic penalty payments, the initiation of court proceedings for the imposition of fines up to and including the discontinuation of the service). By ensuring neutral, fair and secure data access, the bundling and exchange of personal and non-personal data as well as comprehensive information, consultation and reporting obligations, it should be possible to share data in a trustworthy and secure manner and use it for one’s own purposes.
The draft for the special ordinance on fees for the provision of data switching services is already available.
It remains to be seen whether these institutional measures will work. So far, only four EU member states have registered data brokerage services in the EU register.
3. data altruistic organizations
The obligations of altruistic data organizations are no less extensive than those of data brokerage services. Only organizations that meet all the requirements of Art. 18 DGA can apply for recognition as an altruistic data organization and are entered in the national and EU register after approval by the competent national body. They must be non-profit organizations, fulfill extensive recording and transparency obligations and provide legal protection guarantees for both sides. In addition, they must comply with the regulations, which set out information requirements, technical and safety requirements, communication roadmaps and recommendations on interoperability standards. The set of rules is being developed by the Commission in close cooperation with data altruistic organizations and other relevant stakeholders and is not yet available. Only Spain has registered an organization so far.
Both public and non-public market participants can benefit from the altruistic provision of data records that were previously inaccessible. Many requirements and opportunities arise for non-public market participants, which also affect the area of responsibility of the data protection officer under the GDPR.
Support from data protection officers
Data protection officers are not assigned any direct tasks within the DGA. Is that it then? No! The DGA offers many subject areas in which the expertise of the data protection officer can be brought in. Art. 1 para. 3 sentence 4 DGA already clarifies: “This Regulation does not create a legal basis for the processing of personal data, nor does it affect the rights and obligations laid down in Regulations (EU) 2016/679 or (EU) 2018/1725 or Directives 2002/58/EC or (EU) 2016/680.” For the processing of personal data, the institutions and bodies involved must therefore refer to the aforementioned regulations and the transpositions of the directives. Art. 6 para. 1 lit. c GDPR in conjunction with a requirement from the DGA is therefore ruled out. Art. 6 para. 1 lit. f GDPR is also ruled out if this is the task of a public authority. The consent of the data subject is therefore the main legal basis, provided that the data concerned is personal. Advice on data protection law can already help here to take into account the ECJ’s requirements for determining a personal reference. For example, data protection officers can use the previous case law of the ECJ on “Breyer” C-582/14 of 19.10.2016, “Scania” ECJ C-319/22 of 09.11.2023, “IAB Europe”, ECJ 604/22 of 07.03.2024 and “SRB” ECJ 557/20, now in the next instance at the ECJ C-413/23, to point out the guidelines of the ECJ.
Anonymization as processing?
Only the question of whether the process of anonymization constitutes processing in accordance with Art. 4 No. 2 GDPR is still being discussed. Trade associations such as Bitkom do not interpret this as a processing operation that requires a legal basis under the GDPR.
Art. 2 No. 7 of Directive (EU) 2019/1094 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information defines the process of anonymization:
“For the purposes of this Directive, ‘anonymization’ means the process of transforming documents into anonymous documents which do not relate to an identified or identifiable natural person or rendering personal data anonymous in such a way that the data subject cannot be identified or can no longer be identified”. Due to these “activities”, it is obvious that this also includes an activity which is included in the non-exhaustive list of examples in the definition of the term “processing” in Art. 4 No. 2 GDPR.
Consent for data transfer
If a personal reference is affirmed, a corresponding consent can be obtained from persons who wish to provide their data altruistically. The consent must then meet the requirements of the GDPR, in particular Art. 7 GDPR and the statements in recitals 42 and 43.
Not only must reference be made to the possibility of revocation (Art. 7 (3) GDPR), but the requirements for voluntariness must also be observed (Art. 7 (4) GDPR).
Recital 43 of the GDPR states that if there is a clear imbalance between the parties involved, valid consent may be in doubt, especially if the controller is a public authority. Therefore, in view of all the circumstances in the specific case, it may be unlikely that consent was given voluntarily.
The basic requirements from Recital 42 of the GDPR regarding the content of the consent, such as “knowledge of the facts” and the explanation of who the controller is and for what purposes the personal data is to be processed, can also pose a challenge when providing data. The European consent form for data altruism, which the EU Commission can create in accordance with Art. 25 GDPR, can help here.
The form is intended to enable consent and permissions to be obtained in a standardized format in all Member States. This should provide individuals and companies with legal certainty for consent or permission to provide data that they generate for purposes of general interest, for example for scientific research. This should ensure that data owners can easily give and withdraw their consent or permission (also with the help of a digital tool) and that the users of the data have legal certainty when using the data. In fact, the EU Commission has already launched an initiative to obtain guidance on this. 14 As this form is not only to be used for non-personal data, but also for personal data, data protection officers can also benefit directly here.
As part of another EU Commission initiative, a set of rules will be drawn up with additional information on the obligations laid down in the data governance act for organizations registered as “data altruistic organizations recognized in the Union”. These organizations aim to support the sharing of data in the general interest. This includes information-related, technical and security requirements as well as communication roadmaps and recommendations for interoperability standards.
Once these legal questions regarding the use of personal data have been clarified, there are further issues where data protection officers can provide support. According to one view in the commentary literature and in the orientation guide of the LfD Bavaria, joint responsibility is established during the transfer process. On the one hand, it is argued that re-users can work towards a selected type of data access vis-à-vis the public body. With regard to the intended purpose, it is sufficient for joint controllership with reference to the case law of the ECJ (C-40/17) that the parties involved pursue common interests through the data processing.
The LfD Bavaria states: “Identity of purpose is not required; rather, the pursuit of the common overriding interest “further use of the data” is sufficient. As a consequence, the public authority and the re-user must transparently determine in an agreement which of them fulfills which obligations of the GDPR in accordance with Art. 26 para. 1 sentence 2, para. 2 sentence 1 GDPR.”
If this view is followed, the corresponding agreements must also be concluded and the provisions of Art. 26 GDPR on joint processing by the parties involved must be observed.
Third country transfer
Article 31(1) of the DPA contains provisions on third country transfers. Accordingly, the public sector body, the natural or legal person to whom the right to re-use data under Chapter II has been granted, providers of data intermediary services or recognized data altruistic organizations shall take all appropriate technical, legal and organizational measures, including contractual arrangements, to prevent the international transfer of non-personal data stored in the Union or access to such data by governmental organizations. This applies if such transfer or access is contrary to Union law or the national law of the Member State concerned. There are exceptions to this, for example in the case of mutual legal assistance agreements (see para. 2) or in the context of court proceedings (see para. 3).
And in case it has been overlooked: This concerns non-personal data. For personal data, the requirements from Chapter 5 of the GDPR remain the relevant requirements for transfers outside the EU and the EEA. Even if all these requirements and specifications can only be outlined here, it is clear that data protection officers can provide direct and competent support to the parties involved. This also takes into account the second objective of the GDPR, the free movement of data.
Outlook
The DGA is criticised from various perspectives as being full of prerequisites and uncoordinated. New access claims against state institutions are not justified in the DGA and all obligations from other regulations remain in addition to the DGA or take precedence over it, which significantly complicates the application of the law. In addition, neither the EU Commission nor the member states have complied with the announced implementation measures, in some cases even lagging miles behind.
Neither the consent form for data altruism in accordance with Art. 25 DGA, which is intended to regulate consent for both non-personal and personal data, nor the set of rules for data altruism organisations, which the EU Commission wanted to develop in cooperation with these organisations, are even available in draft form. Nevertheless, both industry associations and the European Council favour data sharing as a ‘culture worth promoting’.
In view of the current political situation in Germany, legal implementation is still a long time coming: the public hearing of the Digital Committee on the ‘Data Governance Act (DGG)’ took place on 13 November. However, in view of the failure of the coalition with the traffic light coalition, further discussion is not expected until spring 2025.
