News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Proposal for an EU Data Governance Act — a first analysis Related reading: European Commission expected to unveil Digital Services Act in December

rss_feed

""

On Nov. 25, 2020, the European Commission published its draft Data Governance Act. The act is one of the deliverables included in the commission’s 2020 European Strategy for Data, which sets out policy measures and investments designed to give the EU a competitive advantage by enabling it to capitalize on its vast quantity of data. Other deliverables that will follow before the end of the year are the Digital Services Act and the Digital Markets Act.

The act aims to create a framework that encourages greater reuse of data by increasing trust in data intermediaries and strengthening various data-sharing mechanisms across the EU. The act will play a central role in enabling and guiding the creation of EU-wide common, interoperable data spaces in strategic sectors, such as energy, mobility and health, which, in turn, are meant to bring benefits to citizens through improved personalized medicine, new mobility and contributions to the European Green Deal, among other things.

The proposal sets out rules relating to the following:

  • Conditions for reuse of public sector data that is subject to existing protections, such as commercial confidentiality, intellectual property or data protection.
  • Obligations on providers of certain data-sharing services, defined as entities that provide various types of intermediation services.
  • Introduction of the concept of data altruism and the possibility for organizations to register as “Data Altruism Organization recognized in the Union.”
  • Establishment of a European Data Innovation Board, a new formal expert group chaired by the European Commission.

It is interesting to note that “data” is defined in the act as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording.” This is a broad definition that also includes personal data as defined in the EU General Data Protection Regulation. The GDPR and the act, therefore, may apply simultaneously, which explains why the recitals and provisions of the act indicate on several occasions that they are “without prejudice” to the application of the GDPR, among others. The explanatory memorandum indicates that “the measures are designed in a way that fully complies with the data protection legislation, and actually increase in practice the control that natural persons have over the data they generate.”

Reuse of public sector data

Chapter II of the Data Governance Act sets out a series of obligations and restrictions that public sector bodies are subject to if and when they allow reuse of certain data they hold. Public sector bodies are defined as “the State, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities or one or more such bodies governed by public law.”

The act emphasizes that it does not create an obligation for public sector bodies to make data available for reuse. Nor does the act release public sector bodies from their existing legal obligations under the GDPR or other applicable statutes, with respect to this data.

Public sector bodies that decide to make data available for reuse are prohibited from entering into exclusive arrangements, subject to certain exceptions. They are also subject to a series of obligations, including an obligation to make publicly available the conditions for allowing such reuse. Those conditions must be non-discriminatory, proportionate and objectively justified. One or more competent bodies designated by the member states are available to render various types of assistance and support to the public sector bodies concerned. Member states are under an obligation to communicate to the European Commission the identity of the competent bodies they designate. 

There are special rules for the sharing of confidential data or data protected by intellectual property rights, with a reuser who intends to transfer this data to a third country, as well as for cross border transfers of non-personal data deemed “ highly-sensitive” by a specific union act. The recitals mention certain datasets held by actors in the public health system as an example of “highly sensitive” data. In both instances, the European Commission may issue additional rules and conditions by way of implementing and/or delegated acts.

To incentivize the reuse of data, member states will create a single information point to act as the primary interface for reusers. Natural or legal persons affected by a decision of a public sector body or a competent body shall have the right to effective judicial remedy before the courts of the member state where the relevant body is located.

Obligations on providers of data sharing services

Chapter III of the act introduces new rules for the operation of data intermediaries, termed “providers of data sharing services.” Specifically, it would establish a notification and compliance framework for providers of the following data sharing services:

  • Intermediation services between data holders and data users, which include platforms or databases enabling the exchange or joint exploitation of data, as well as the establishment of a specific infrastructure for the interconnection of data holders and data users.
  • Intermediation services between data subjects that seek to make their personal data available and potential data users.
  • Services of data cooperatives that support individuals or small- and medium-sized enterprises to negotiate terms and conditions for data processing.

The act set out several requirements that a provider of these data sharing services would need to comply with, including:

  • Notifying the relevant EU member state authority of its intent to provide such services.
  • Appointing a legal representative in one of the member states, if the provider is not established within the EU.
  • Not using the data for which it provides services, for other purposes than to put them at the disposal of a data user, and using any metadata only for the development of that service.
  • Placing the data-sharing service in a separate legal entity.
  • Having in place adequate security safeguards.
  • Acting in the data subject’s best interest when facilitating the exercise of data subjects’ rights.

Member states would be required to nominate a “competent authority” with the power to monitor compliance with the act’s requirements, impose “dissuasive” financial penalties, and “require cessation or postponement” of the provision of the service. Since the act also applies to personal data covered by the GDPR, this “competent authority” would be yet another regulator in an already complex — and according to some, overcrowded — regulatory environment for personal data.

Introduction of the concept of data altruism

Chapter IV of the act introduces the concept of data altruism, which describes situations where individuals or companies make data voluntarily available for reuse, without compensation, for the common good, such as for scientific research or improving public services. The act proposes the establishment of a registration and monitoring regime for organizations that facilitate data altruism. These organizations may use the name “data altruism organizations.” These organizations must meet certain conditions to register with competent authorities — including a requirement to operate on a not-for-profit basis and through a legally independent structure, separate from other activities — and will be subject to transparency obligations and other requirements to safeguard the rights and interests of data subjects and legal entities as regards their data. The commission will also be empowered to adopt implementing acts to develop a European data altruism consent form. The act specifies that where personal data are provided, the consent form shall ensure that individuals are able to provide and withdraw consent, for a specific data processing operation, in line with the GDPR.

Here again, member states would be required to nominate a competent authority with the power to monitor compliance with the act’s requirements; sanctions, however, would be limited to revoking an entity’s right to refer to itself as an EU data altruism organization.

European Data Innovation Board

Chapter VI of the act requires the commission to establish a new body called the European Data Innovation Board. The board would be tasked with ensuring a consistent application of the act across all member states, supporting cross-sector data sharing, and facilitating cooperation between national competent authorities. The board appears to have no sanctioning or fining authority, in line with the approach taken in other laws where enforcement is left to the member states.

The board will be composed of the competent authorities of all member states, the European Data Protection Board, the European Commission and various other representatives.

The board will focus initially on the sectors covered by the act, i.e., reuse of public sector data and operation of data sharing services and data altruism organizations. The board will also be involved in some of the other data-related activities that the commission has announced in its European Strategy for Data and that will be finalized and rolled out in the next few years.

Restrictions on international transfer

Chapter VIII sets out rules designed to regulate “transfer or access to non-personal data” in scenarios covered by the act “where such transfer or access would create a conflict with Union law or the law of the relevant member state.” It focuses in particular on scenarios in which an entity holding data covered by the act is the addressee of an order from a third-country authority seeking access to the data and sets out the conditions that must be met before the entity may provide such access. The obligations set out in this chapter are addressed to all participants in the activities covered by the act, to know, the public sector body, the reuser, the data-sharing provider and data altruism organization. These obligations are different and stand next to the tasks entrusted by the act to the European Commission in regulating certain international transfers of “highly sensitive” non-personal data or confidential data and data protected by intellectual property rights that we described above in the section reuse of public sector data.

Next steps in the legislative process

The Data Governance Act must be debated and negotiated by the European Parliament and the Council of Ministers before it is adopted. Once adopted, it will enter into force after one year. It is directly applicable in all EU member states.

Photo by Guillaume Périgois on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Jetty Tielemans IAPP Member Contributor
Headshot Sam Jungyun Choi IAPP Member Contributor
Tags
Europe
Big Data
Privacy Law
Westin Research Center
Comments

If you want to comment on this post, you need to login.

Related Stories
BCRs after ‘Schrems II’ decision: A first analysis
2
There has been a lot of discussion on the impact of the Court of Justice of the European Union’s recent “Schrems II” (C-311/18) decision on international transfers of EU personal data. Much of that discussion focused on the EU-U.S. Privacy Shield and standard contractual clauses, until recently two ...
Read More queue Save This
Related Stories
Tags
Europe
Big Data
Privacy Law
Westin Research Center
Recent Comments