On Dec. 10, 2021, political agreement was reached on the Data Governance Act. The remaining (largely) procedural steps are likely to be completed by March 2022 and the Act will become applicable 15 months after the date of its entry into force — i.e., summer 2023. The Data Governance Act applies to “data” — “any digital representation of acts, facts or information …” — in general, not just to personal data. It is the first of the European Union’s new initiatives on “data” to get to the legislative finishing line. In this article, we highlight the provisions of most relevance to privacy professionals. For those wanting a quick read, the key points are listed below. The full article contains an overall summary of the Act and longer analysis on the impact for privacy professionals.

  • The Act encourages wider re-use of data held by public sector bodies, including personal data. This is to be achieved by making use of secure processing environments and anonymization techniques such as differential privacy and creation of synthetic data. This part of the Act may drive more development of, and guidance on, the use of such techniques, which may be of wider use beyond the immediate goal of re-use of public sector data.
  • A licensing regime is set up for “data intermediaries.” These are organizations which set up commercial arrangements between data holders and data users, but which do not themselves add extra value to the data. Data intermediaries will need to meet license conditions designed to ensure their independence and restrict their re-use of data and metadata. The requirements will affect those offering data marketplaces and (possibly) consent management platforms. Adtech companies should take careful note.
  • Data altruism is to be encouraged. Those wanting wider access to data — in particular for scientific research — may find that this facilitates access to more data. Those operating on a not-for-profit basis for general interest purposes may want to consider becoming a recognized data altruism organization.
  • The Act contains the first steps towards restriction of transfers of non-personal data. Data intermediaries and recognized data altruism providers will need to consider if third countries offer appropriate protections for non-personal data and will need to resist attempts by public authorities in third countries to access EU-originating non-personal data. There are additional restrictions applicable to those involved in re-use of public sector data, as well as mechanisms for the Commission to recognize countries as offering adequate protection and to adopt model contractual clauses for transfer of non-personal data.
