The final text of the Data Governance Act (DGA)

Preamble 11 to 20

(11) This Regulation should not create an obligation to allow the re-use of data held by public sector bodies. In particular, each Member State should therefore be able to decide whether data is made accessible for re-use, also in terms of the purposes and scope of such access. This Regulation should complement and be without prejudice to more specific obligations on public sector bodies to allow re-use of data laid down in sector-specific Union or national law. Public access to official documents may be considered to be in the public interest.

Taking into account the role of public access to official documents and transparency in a democratic society, this Regulation should also be without prejudice to Union or national law on granting access to and disclosing official documents. Access to official documents may in particular be granted in accordance with national law without imposing specific conditions or by imposing specific conditions that are not provided by this Regulation.

(12) The re-use regime provided for in this Regulation should apply to data the supply of which forms part of the public tasks of the public sector bodies concerned under law or other binding rules in the Member States. In the absence of such rules, the public tasks should be defined in accordance with common administrative practice in the Member States, provided that the scope of the public tasks is transparent and subject to review.

The public tasks could be defined generally or on a case-by-case basis for individual public sector bodies. As public undertakings are not covered by the definition of public sector body, the data held by public undertakings should not be covered by this Regulation. Data held by cultural establishments, such as libraries, archives and museums as well as orchestras, operas, ballets and theatres, and by educational establishments should not be covered by this Regulation since the works and other documents they hold are predominantly covered by third party intellectual property rights. Research-performing organisations and research-funding organisations could also be organised as public sector bodies or bodies governed by public law.

This Regulation should apply to such hybrid organisations only in their capacity as research-performing organisations. If a research-performing organisation holds data as a part of a specific public-private association with private sector organisations or other public sector bodies, bodies governed by public law or hybrid research-performing organisations, i.e. organised as either public sector bodies or public undertakings, with the main purpose of pursuing research, those data should also not be covered by this Regulation.

Where relevant, Member States should be able to apply this Regulation to public undertakings or private undertakings that exercise public sector duties or provide services of general interest. The exchange of data, purely in pursuit of their public tasks, among public sector bodies in the Union or between public sector bodies in the Union and public sector bodies in third countries or international organisations, as well as the exchange of data between researchers for non-commercial scientific research purposes, should not be subject to the provisions of this Regulation concerning the re-use of certain categories of protected data held by public sector bodies.

(13) Public sector bodies should comply with competition law when establishing the principles for re-use of data they hold, avoiding the conclusion of agreements which might have as their objective or effect the creation of exclusive rights for the re-use of certain data. Such agreements should be possible only where justified and necessary for the provision of a service or the supply of a product in the general interest.

This may be the case where the exclusive use of the data is the only way to maximise the societal benefits of the data in question, for example where there is only one entity (which has specialised in the processing of a specific dataset) capable of providing the service or supplying the product which allows the public sector body to provide a service or supply a product in the general interest. Such arrangements should, however, be concluded in accordance with applicable Union or national law and be subject to regular review based on a market analysis in order to ascertain whether such exclusivity continues to be necessary.

In addition, such arrangements should comply with the relevant State aid rules, as appropriate, and should be concluded for a limited duration which should not exceed 12 months. In order to ensure transparency, such exclusive agreements should be published online, in a form that complies with relevant Union law on public procurement. Where an exclusive right to re-use data does not comply with this Regulation, that exclusive right should be invalid.

(14) Prohibited exclusive agreements and other practices or arrangements pertaining to the re-use of data held by public sector bodies which do not expressly grant exclusive rights but which can reasonably be expected to restrict the availability of data for re-use that have been concluded or were already in place before the date of entry into force of this Regulation should not be renewed after the expiry of their term. In the case of indefinite or longer-term agreements, they should be terminated within 30 months of the date of entry into force of this Regulation.

(15) This Regulation should lay down conditions for re-use of protected data that apply to public sector bodies designated as competent under national law to grant or refuse access for re-use, and which are without prejudice to rights or obligations concerning access to such data. Those conditions should be non-discriminatory, transparent, proportionate and objectively justified, while not restricting competition, with a specific focus on promoting access to such data by SMEs and start-ups. The conditions for re-use should be designed in a manner promoting scientific research so that, for example, privileging scientific research should, as a rule, be considered to be non-discriminatory.

Public sector bodies allowing re-use should have in place the technical means necessary to ensure the protection of rights and interests of third parties and should be empowered to request the necessary information from the re-user. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of third parties in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate burden on the public sector bodies. Conditions attached to the re-use of data should be designed to ensure effective safeguards with regard to the protection of personal data.

Before transmission, personal data should be anonymised, in order not to allow the identification of the data subjects, and data containing commercially confidential information should be modified in such a way that no confidential information is disclosed. Where the provision of anonymised or modified data would not respond to the needs of the re-user, subject to fulfilling any requirements to carry out a data protection impact assessment and consult the supervisory authority pursuant to Articles 35 and 36 of Regulation (EU) 2016/679 and where the risks to the rights and interests of data subjects have been found to be minimal, on-premise or remote re-use of the data within a secure processing environment could be allowed.

This could be a suitable arrangement for the re-use of pseudonymised data. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of third parties. In particular, personal data should be transmitted to a third party for re-use only where a legal basis under data protection law allows such transmission. Non-personal data should be transmitted only where there is no reason to believe that the combination of non-personal data sets would lead to the identification of data subjects.

This should also apply to pseudonymised data which retain their status as personal data. In the event of the reidentification of data subjects, an obligation to notify such a data breach to the public sector body should apply in addition to an obligation to notify such a data breach to a supervisory authority and to the data subject in accordance with Regulation (EU) 2016/679.

Where relevant, the public sector bodies should facilitate the re-use of data on the basis of the consent of data subjects or the permission of data holders on the re-use of data pertaining to them through adequate technical means. In that respect, the public sector body should make best efforts to provide assistance to potential re-users in seeking such consent or permission by establishing technical mechanisms that permit transmitting requests for consent or permission from re-users, where practically feasible. No contact information should be given that allows re-users to contact data subjects or data holders directly. Where the public sector body transmits a request for consent or permission, it should ensure that the data subject or data holder is clearly informed of the possibility to refuse consent or permission.

(16) In order to facilitate and encourage the use of data held by public sector bodies for the purposes of scientific research, public sector bodies are encouraged to develop a harmonised approach and harmonised processes to make that data easily accessible for the purposes of scientific research in the public interest.

That could mean, inter alia, creating streamlined administrative procedures, standardised data formatting, informative metadata on the methodological and data collection choices and standardised data fields that enable the easy joining of data sets from different public sector data sources where relevant for the purposes of analysis. The objective of those practices should be to promote the publicly funded and produced data for the purposes of scientific research in accordance with the principle of ‘as open as possible, as closed as necessary’.

(17) The intellectual property rights of third parties should not be affected by this Regulation. This Regulation should neither affect the existence or ownership of intellectual property rights of public sector bodies nor limit the exercise of those rights in any way.

The obligations imposed in accordance with this Regulation should apply only insofar as they are compatible with international agreements on the protection of intellectual property rights, in particular the Berne Convention for the Protection of Literary and Artistic Works (Berne Convention), the Agreement on Trade-related Aspects of Intellectual Property Rights (TRIPS Agreement) and the World Intellectual Property Organization Copyright Treaty (WCT), and Union or national intellectual property law. Public sector bodies should, however, exercise their copyright in a way that facilitates re-use.

(18) Data subject to intellectual property rights as well as trade secrets should be transmitted to a third party only where such transmission is lawful by virtue of Union or national law or with the agreement of the rights holder. Where public sector bodies are holders of the right of the maker of a database provided for in Article 7(1) of Directive 96/9/EC of the European Parliament and of the Council they should not exercise that right in order to prevent the re-use of data or to restrict re-use beyond the limits set by this Regulation.

(19) Undertakings and data subjects should be able to have confidence in the fact that the re-use of certain categories of protected data which are held by the public sector bodies will take place in a manner that respects their rights and interests.

Additional safeguards should therefore be put in place for situations in which the re-use of such public sector data takes place on the basis of a processing of the data outside the public sector, such as a requirement that public sector bodies ensure that the rights and interests of natural and legal persons are fully protected, in particular with regard to personal data, commercially sensitive data and intellectual property rights, in all cases, including where such data is transferred to third countries.

Public sector bodies should not allow the re-use of information stored in e-health applications by insurance undertakings or any other service provider for the purpose of discriminating in the setting of prices, as this would run counter to the fundamental right of access to health.

(20) Furthermore, in order to preserve fair competition and the open market economy it is of the utmost importance to safeguard protected data of non-personal nature, in particular trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to intellectual property theft or industrial espionage.

In order to ensure the protection of the rights or interests of data holders, it should be possible to transfer non-personal data which is to be protected from unlawful or unauthorised access in accordance with Union or national law and which is held by public sector bodies to third countries, but only where appropriate safeguards for the use of data are provided.

Such appropriate safeguards should include a requirement that the public sector body transmit protected data to a re-user only if that re-user makes contractual commitments in the interest of the protection of the data. A re-user that intends to transfer the protected data to a third country should comply with the obligations laid down in this Regulation even after the data has been transferred to the third country. To ensure the proper enforcement of such obligations, the re-user should also accept the jurisdiction of the Member State of the public sector body that allowed the re-use for the judicial settlement of disputes.

Understanding Cybersecurity in the European Union.

1. The NIS 2 Directive

2. The European Cyber Resilience Act

3. The Digital Operational Resilience Act (DORA)

4. The Critical Entities Resilience Directive (CER)

5. The Digital Services Act (DSA)

6. The Digital Markets Act (DMA)

7. The European Health Data Space (EHDS)

8. The European Chips Act

9. The European Data Act

10. European Data Governance Act (DGA)

11. The Artificial Intelligence Act

12. The European ePrivacy Regulation

13. The European Cyber Defence Policy

14. The Strategic Compass of the European Union

15. The EU Cyber Diplomacy Toolbox