The final text of the Data Governance Act (DGA)

Preamble 1 to 10

(1) The Treaty on the Functioning of the European Union (TFEU) provides for the establishment of an internal market and the institution of a system ensuring that competition in the internal market is not distorted. The establishment of common rules and practices in the Member States relating to the development of a framework for data governance should contribute to the achievement of those objectives, while fully respecting fundamental rights. It should also guarantee the strengthening of the open strategic autonomy of the Union while fostering international free flow of data.

(2) Over the last decade, digital technologies have transformed the economy and society, affecting all sectors of activity and daily life. Data is at the centre of that transformation: data-driven innovation will bring enormous benefits to both Union citizens and the economy, for example by improving and personalising medicine, providing new mobility, and contributing to the communication of the Commission of 11 December 2019 on the European Green Deal.

In order to make the data-driven economy inclusive for all Union citizens, particular attention must be paid to reducing the digital divide, boosting the participation of women in the data economy and fostering cutting-edge European expertise in the technology sector. The data economy has to be built in a way that enables undertakings, in particular micro, small and medium-sized enterprises (SMEs), as defined in the Annex to Commission Recommendation 2003/361/EC, and start-ups to thrive, ensuring data access neutrality and data portability and interoperability, and avoiding lock-in effects.

In its communication of 19 February 2020 on a European strategy for data (the ‘European strategy for data’), the Commission described the vision of a common European data space, meaning an internal market for data in which data could be used irrespective of its physical storage location in the Union in compliance with applicable law, which, inter alia, could be pivotal for the rapid development of artificial intelligence technologies.

The Commission also called for the free and safe flow of data with third countries, subject to exceptions and restrictions for public security, public order and other legitimate public policy objectives of the Union, in line with international obligations, including on fundamental rights. In order to turn that vision into reality, the Commission proposed establishing domain-specific common European data spaces for data sharing and data pooling.

As proposed in the European strategy for data, such common European data spaces could cover areas such as health, mobility, manufacturing, financial services, energy or agriculture, or a combination of such areas, for example energy and climate, as well as thematic areas such as the European Green Deal or European data spaces for public administration or skills.

Common European data spaces should make data findable, accessible, interoperable and re-usable (the ‘FAIR data principles’), while ensuring a high level of cybersecurity. Where there is a level playing field in the data economy, undertakings compete on quality of services, and not on the amount of data they control. For the purposes of the design, creation and maintenance of the level playing field in the data economy, sound governance is needed in which relevant stakeholders of a common European data space need to participate and be represented.

(3) It is necessary to improve the conditions for data sharing in the internal market, by creating a harmonised framework for data exchanges and laying down certain basic requirements for data governance, paying specific attention to facilitating cooperation between Member States. This Regulation should aim to develop further the borderless digital internal market and a human-centric, trustworthy and secure data society and economy.

Sector-specific Union law can develop, adapt and propose new and complementary elements, depending on the specificities of the sector, such as the Union law envisaged on the European health data space and on access to vehicle data. Moreover, certain sectors of the economy are already regulated by sector-specific Union law, which includes rules relating to the sharing of or access to data across borders or across the Union, for example Directive 2011/24/EU of the European Parliament and of the Council in the context of the European health data space, and relevant legislative acts in the field of transport, such as Regulations (EU) 2019/1239 and (EU) 2020/1056 and Directive 2010/40/EU of the European Parliament and of the Council in the context of the European mobility data space.

This Regulation should therefore be without prejudice to Regulations (EC) No 223/2009, (EU) 2018/858 and (EU) 2018/1807 as well as Directives 2000/31/EC, 2001/29/EC, 2004/48/EC, 2007/2/EC, 2010/40/EU, (EU) 2015/849, (EU) 2016/943, (EU) 2017/1132, (EU) 2019/790 and (EU) 2019/1024 of the European Parliament and of the Council and any other sector-specific Union law that regulates access to and re-use of data. This Regulation should be without prejudice to Union and national law on the access to and use of data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, as well as international cooperation in that context.

This Regulation should be without prejudice to the competences of the Member States with regard to their activities concerning public security, defence and national security. The re-use of data protected for such reasons and held by public sector bodies, including data from procurement procedures falling within the scope of Directive 2009/81/EC of the European Parliament and of the Council, should not be covered by this Regulation.

A horizontal regime for the re-use of certain categories of protected data held by public sector bodies, the provision of data intermediation services and of services based on data altruism in the Union should be established. Specific characteristics of different sectors may require the design of sectoral data-based systems, while building on the requirements of this Regulation. Data intermediation services providers that meet the requirements laid down in this Regulation should be able to use the label ‘data intermediation services provider recognised in the Union’.

Legal persons that seek to support objectives of general interest by making available relevant data based on data altruism at scale and that meet the requirements laid down in this Regulation should be able to register as and use the label ‘data altruism organisation recognised in the Union’. Where sector-specific Union or national law requires public sector bodies, such data intermediation services providers or such legal persons (recognised data altruism organisations) to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union or national law should also apply.

(4) This Regulation should be without prejudice to Regulations (EU) 2016/679 and (EU) 2018/1725 of the European Parliament and of the Council and to Directives 2002/58/EC and (EU) 2016/680 of the European Parliament and of the Council and the corresponding provisions of national law, including where personal and non-personal data in a data set are inextricably linked. In particular, this Regulation should not be read as creating a new legal basis for the processing of personal data for any of the regulated activities, or as amending the information requirements laid down in Regulation (EU) 2016/679.

The implementation of this Regulation should not prevent cross-border transfers of data in accordance with Chapter V of Regulation (EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data should prevail. It should be possible to consider data protection authorities to be competent authorities under this Regulation. Where other authorities function as competent authorities under this Regulation, they should do so without prejudice to the supervisory powers and competences of data protection authorities under Regulation (EU) 2016/679.

(5) Action at Union level is necessary to increase trust in data sharing by establishing appropriate mechanisms for control by data subjects and data holders over data that relates to them, and in order to address other barriers to a well-functioning and competitive data-driven economy. That action should be without prejudice to obligations and commitments in the international trade agreements concluded by the Union.

A Union-wide governance framework should have the objective of building trust among individuals and undertakings in relation to data access, control, sharing, use and re-use, in particular by establishing appropriate mechanisms for data subjects to know and meaningfully exercise their rights, as well as with regard to the re-use of certain types of data held by the public sector bodies, the provision of services by data intermediation services providers to data subjects, data holders and data users, as well as the collection and processing of data made available for altruistic purposes by natural and legal persons. In particular, more transparency regarding the purpose of data use and conditions under which data is stored by undertakings can help increase trust.

(6) The idea that data that has been generated or collected by public sector bodies or other entities at the expense of public budgets should benefit society has been part of Union policy for a long time. Directive (EU) 2019/1024 and sector-specific Union law ensure that the public sector bodies make more of the data they produce easily available for use and re-use.

However, certain categories of data, such as commercially confidential data, data that are subject to statistical confidentiality and data protected by intellectual property rights of third parties, including trade secrets and personal data, in public databases are often not made available, not even for research or innovative activities in the public interest, despite such availability being possible in accordance with the applicable Union law, in particular Regulation (EU) 2016/679 and Directives 2002/58/EC and (EU) 2016/680.

Due to the sensitivity of such data, certain technical and legal procedural requirements must be met before they are made available, not least in order to ensure the respect of rights others have over such data or to limit the negative impact on fundamental rights, the principle of non-discrimination and data protection.

The fulfilment of such requirements is usually time- and knowledge-intensive. This has led to the insufficient use of such data. While some Member States are establishing structures, processes or legislation to facilitate that type of re-use, this is not the case across the Union. In order to facilitate the use of data for European research and innovation by private and public entities, clear conditions for access to and use of such data are needed across the Union.

(7) There are techniques enabling analyses on databases that contain personal data, such as anonymisation, differential privacy, generalisation, suppression and randomisation, the use of synthetic data or similar methods and other state-of-the-art privacy-preserving methods that could contribute to a more privacy-friendly processing of data. Member States should provide support to public sector bodies to make optimal use of such techniques, thus making as much data as possible available for sharing.

The application of such techniques, together with comprehensive data protection impact assessments and other safeguards, can contribute to more safety in the use and re-use of personal data and should ensure the safe re-use of commercially confidential business data for research, innovation and statistical purposes. In many cases the application of such techniques, impact assessments and other safeguards implies that data can be used and re-used only in a secure processing environment that is provided or controlled by the public sector body.

There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) No 557/2013. In general, insofar as personal data are concerned, the processing of personal data should be based upon one or more of the legal bases for processing provided in Articles 6 and 9 of Regulation (EU) 2016/679.

(8) In accordance with Regulation (EU) 2016/679, the principles of data protection should not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person, or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.

Re-identification of data subjects from anonymised datasets should be prohibited. This should not prejudice the possibility to conduct research into anonymisation techniques, in particular for the purpose of ensuring information security, improving existing anonymisation techniques and contributing to the overall robustness of anonymisation, undertaken in accordance with Regulation (EU) 2016/679.

(9) In order to facilitate the protection of personal data and confidential data and to speed up the process of making such data available for re-use under this Regulation, Member States should encourage public sector bodies to create and make available data in accordance with the principle of ‘open by design and by default’ referred to in Article 5(2) of Directive (EU) 2019/1024 and to promote the creation and the procurement of data in formats and structures that facilitate anonymisation in that regard.

(10) The categories of data held by public sector bodies which should be subject to re-use under this Regulation fall outside the scope of Directive (EU) 2019/1024 that excludes data which is not accessible due to commercial and statistical confidentiality and data that is included in works or other subject matter over which third parties have intellectual property rights.

Commercially confidential data includes data protected by trade secrets, protected know-how and any other information the undue disclosure of which would have an impact on the market position or financial health of the undertaking.

This Regulation should apply to personal data that fall outside the scope of Directive (EU) 2019/1024 insofar as the access regime excludes or restricts access to such data for reasons of data protection, privacy and the integrity of the individual, in particular in accordance with data protection rules. The re-use of data, which may contain trade secrets, should take place without prejudice to Directive (EU) 2016/943, which sets out the framework for the lawful acquisition, use or disclosure of trade secrets.
