The final text of the Data Governance Act (DGA)

Preamble 21 to 30

(21) Appropriate safeguards should also be considered to be implemented where, in the third country to which non-personal data is being transferred, there are equivalent measures in place which ensure that data benefit from a level of protection similar to that applicable by means of Union law, in particular with regard to the protection of trade secrets and intellectual property rights.

To that end, the Commission should be able to declare, by means of implementing acts, where justified because of the substantial number of requests across the Union concerning the re-use of non-personal data in specific third countries, that a third country provides a level of protection that is essentially equivalent to that provided by Union law.

The Commission should assess the necessity of such implementing acts on the basis of information provided by the Member States through the European Data Innovation Board. Such implementing acts would reassure public sector bodies that re-use of data held by public sector bodies in the third country concerned would not compromise the protected nature of that data.

The assessment of the level of protection afforded in the third country concerned should, in particular, take into consideration the relevant general and sectoral law, including on public security, defence, national security and criminal law, concerning access to and protection of non-personal data, any access by the public sector bodies of that third country to the data transferred, the existence and effective functioning of one or more independent supervisory authorities in the third country with responsibility for ensuring and enforcing compliance with the legal regime ensuring access to such data, the third country’s international commitments regarding the protection of data, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems.

The existence of effective legal remedies for data holders, public sector bodies or data intermediation services providers in the third country concerned is of particular importance in the context of the transfer of non-personal data to that third country. Such safeguards should therefore include the availability of enforceable rights and of effective legal remedies.

Such implementing acts should be without prejudice to any legal obligation or contractual arrangements already undertaken by a re-user in the interest of the protection of non-personal data, in particular industrial data, and to the right of public sector bodies to oblige re-users to comply with conditions for re-use, in accordance with this Regulation.

(22) Some third countries adopt laws, regulations and other legal acts which aim to directly transfer or provide governmental access to non-personal data in the Union under the control of natural and legal persons under the jurisdiction of the Member States. Decisions and judgments of third-country courts or tribunals or decisions of third-country administrative authorities requiring such transfer of or access to non-personal data should be enforceable where they are based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State.

In some cases, situations may arise where the obligation to transfer or provide access to non-personal data arising from a third country law conflicts with a competing obligation to protect such data under Union or national law, in particular with regard to the protection of the fundamental rights of the individual or of the fundamental interests of a Member State related to national security or defence, as well as the protection of commercially sensitive data and the protection of intellectual property rights, including contractual undertakings regarding confidentiality in accordance with such law.

In the absence of international agreements regulating such matters, the transfer of or access to non-personal data should be allowed only if, in particular, it has been verified that the third-country’s legal system requires the reasons and proportionality of the decision or judgment to be set out, that the decision or judgment is specific in character, and that the reasoned objection of the addressee is subject to a review by a competent third-country court or tribunal, which is empowered to take duly into account the relevant legal interests of the provider of such data.

Moreover, public sector bodies, natural or legal persons to which the right to re-use data was granted, data intermediation services providers and recognised data altruism organisations should ensure, where they sign contractual agreements with other private parties, that non-personal data held in the Union are accessed in or transferred to third countries only in accordance with Union law or the national law of the relevant Member State.

(23) To foster further trust in the data economy of the Union, it is essential that the safeguards in relation to Union citizens, the public sector and undertakings that ensure control over their strategic and sensitive data are implemented and that Union law, values and standards are upheld in terms of, but not limited to, security, data protection and consumer protection.

In order to prevent unlawful access to non-personal data, public sector bodies, natural or legal persons to which the right to re-use data was granted, data intermediation services providers and recognised data altruism organisations should take all reasonable measures to prevent access to the systems where non-personal data is stored, including encryption of data or corporate policies. To that end, it should be ensured that public sector bodies, natural or legal persons to which the right to re-use data was granted, data intermediation services providers and recognised data altruism organisations adhere to all relevant technical standards, codes of conduct and certifications at Union level.

(24) In order to build trust in re-use mechanisms, it may be necessary to attach stricter conditions for certain types of non-personal data that may be identified as highly sensitive in future specific Union legislative acts, with regard to the transfer to third countries, if such transfer could jeopardise Union public policy objectives, in line with international commitments.

For example, in the health domain, certain datasets held by actors in the public health system, such as public hospitals, could be identified as highly sensitive health data. Other relevant sectors include transport, energy, environment and finance. In order to ensure harmonised practices across the Union, such types of highly sensitive non-personal public data should be defined by Union law, for example in the context of the European health data space or other sectoral law.

Those conditions attached to the transfer of such data to third countries should be laid down in delegated acts. Conditions should be proportionate, non-discriminatory and necessary to protect legitimate Union public policy objectives identified, such as the protection of public health, safety, the environment, public morality, consumer protection, privacy and personal data protection.

The conditions should correspond to the risks identified in relation to the sensitivity of such data, including in terms of the risk of the re-identification of individuals. Such conditions could include terms applicable for the transfer or technical arrangements, such as the requirement to use a secure processing environment, limitations with regard to the re-use of data in third countries or categories of persons entitled to transfer such data to third countries or to access the data in the third country. In exceptional cases such conditions could also include restrictions to the transfer of the data to third countries to protect the public interest.

(25) Public sector bodies should be able to charge fees for the re-use of data but should also be able to allow re-use at a discounted fee or free of charge, for example for certain categories of re-use such as non-commercial re-use for scientific research purposes, or re-use by SMEs and start-ups, civil society and educational establishments, so as to provide incentives for such re-use in order to stimulate research and innovation and support undertakings that are an important source of innovation and typically find it more difficult to collect relevant data themselves, in accordance with State aid rules.

In that specific context, scientific research purposes should be understood to include any type of research-related purpose regardless of the organisational or financial structure of the research institution in question, with the exception of research that is being conducted by an undertaking with the aim of developing, enhancing or optimising products or services. Such fees should be transparent, non-discriminatory and limited to the necessary costs incurred and should not restrict competition. A list of categories of re-users to which a discounted fee or no charge applies, together with the criteria used to establish that list, should be made public.

(26) In order to provide incentives for the re-use of specific categories of data held by public sector bodies, Member States should establish a single information point to act as an interface for re-users that seek to re-use that data. It should have a cross-sector remit, and should complement, if necessary, arrangements at the sectoral level.

The single information point should be able to rely on automated means where it transmits enquiries or requests for re-use. Sufficient human oversight should be ensured in the transmission process. For that purpose existing practical arrangements such as open data portals could be used. The single information point should have an asset list containing an overview of all available data resources including, where relevant, those data resources that are available at sectoral, regional or local information points, with relevant information describing the available data.

In addition, Member States should designate, establish or facilitate the establishment of competent bodies to support the activities of public sector bodies allowing re-use of certain categories of protected data. Their tasks may include granting access to data, where mandated under sectoral Union or national law.

Those competent bodies should provide assistance to public sector bodies with state-of-the-art techniques, including on how to best structure and store data to make data easily accessible, in particular through application programming interfaces, as well as make data interoperable, transferable and searchable, taking into account best practices for data processing, as well as any existing regulatory and technical standards and secure data processing environments, which allow data analysis in a manner that preserves the privacy of the information.

The competent bodies should act in accordance with the instructions received from the public sector body. Such an assistance structure could assist the data subjects and data holders with management of the consent or permission for re-use, including consent and permission to certain areas of scientific research where in keeping with recognised ethical standards for scientific research.

The competent bodies should not have a supervisory function, which is reserved for supervisory authorities under Regulation (EU) 2016/679. Without prejudice to the supervisory powers of data protection authorities, data processing should be carried out under the responsibility of the public sector body responsible for the register containing the data, which remains a data controller as defined in Regulation (EU) 2016/679 insofar as personal data are concerned. Member States should be able to have one or more competent bodies, which could act in different sectors.

The internal services of public sector bodies could also act as competent bodies. A competent body could be a public sector body assisting other public sector bodies in allowing re-use of data, where relevant, or a public sector body allowing re-use itself. Assisting other public sector bodies should entail informing them, upon request, about best practices on how to fulfil the requirements laid down in this Regulation such as the technical means to make a secure processing environment available or the technical means to ensure privacy and confidentiality where access to re-use of data within the scope of this Regulation is provided.

(27) Data intermediation services are expected to play a key role in the data economy, in particular in supporting and promoting voluntary data sharing practices between undertakings or facilitating data sharing in the context of obligations set by Union or national law. They could become a tool to facilitate the exchange of substantial amounts of relevant data.

Data intermediation services providers, which may include public sector bodies, that offer services that connect the different actors have the potential to contribute to the efficient pooling of data as well as to the facilitation of bilateral data sharing. Specialised data intermediation services that are independent from data subjects, data holders and data users could have a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power, while allowing non-discriminatory access to the data economy for undertakings of all sizes, in particular SMEs and start-ups with limited financial, legal or administrative means.

This will be particularly important in the context of the establishment of common European data spaces, namely purpose- or sector-specific or cross-sectoral interoperable frameworks of common standards and practices to share or jointly process data for, inter alia, the development of new products and services, scientific research or civil society initiatives. Data intermediation services could include bilateral or multilateral sharing of data or the creation of platforms or databases enabling the sharing or joint use of data, as well as the establishment of specific infrastructure for the interconnection of data subjects and data holders with data users.

(28) This Regulation should cover services which aim to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data. Where undertakings or other entities offer multiple data-related services, only the activities which directly concern the provision of data intermediation services should be covered by this Regulation.

The provision of cloud storage, analytics, data sharing software, web browsers, browser plug-ins or email services should not be considered to be data intermediation services within the meaning of this Regulation, provided that such services only provide technical tools for data subjects or data holders to share data with others, but the provision of such tools neither aims to establish a commercial relationship between data holders and data users nor allows the data intermediation services provider to acquire information on the establishment of commercial relationships for the purposes of data sharing.

Examples of data intermediation services include data marketplaces on which undertakings could make data available to others, orchestrators of data sharing ecosystems that are open to all interested parties, for instance in the context of common European data spaces, as well as data pools established jointly by several legal or natural persons with the intention to license the use of such data pools to all interested parties in a manner that all participants that contribute to the data pools would receive a reward for their contribution.

This would exclude services that obtain data from data holders and aggregate, enrich or transform the data for the purpose of adding substantial value to it and license the use of the resulting data to data users, without establishing a commercial relationship between data holders and data users. This would also exclude services that are exclusively used by one data holder in order to enable the use of the data held by that data holder, or that are used by multiple legal persons in a closed group, including supplier or customer relationships or collaborations established by contract, in particular those that have as a main objective to ensure the functionalities of objects and devices connected to the Internet of Things.

(29) Services that focus on the intermediation of copyright-protected content, such as online content-sharing service providers as defined in Article 2, point (6), of Directive (EU) 2019/790, should not be covered by this Regulation. Consolidated tape providers as defined in Article 2(1), point (35), of Regulation (EU) No 600/2014 of the European Parliament and of the Council and account information service providers as defined in Article 4, point (19), of Directive (EU) 2015/2366 of the European Parliament and of the Council should not be considered to be data intermediation services providers for the purposes of this Regulation.

This Regulation should not apply to services offered by public sector bodies in order to facilitate either the re-use of protected data held by public sector bodies in accordance with this Regulation or the use of any other data, insofar as those services do not aim to establish commercial relationships. Data altruism organisations regulated by this Regulation should not be considered to be offering data intermediation services provided that those services do not establish a commercial relationship between potential data users, on the one hand, and data subjects and data holders who make data available for altruistic purposes, on the other.

Other services that do not aim to establish commercial relationships, such as repositories that aim to enable the re-use of scientific research data in accordance with open access principles should not be considered to be data intermediation services within the meaning of this Regulation.

(30) A specific category of data intermediation services includes providers of services that offer their services to data subjects. Such data intermediation services providers seek to enhance the agency of data subjects, and in particular individuals’ control over data relating to them.

Such providers would assist individuals in exercising their rights under Regulation (EU) 2016/679, in particular giving and withdrawing their consent to data processing, the right of access to their own data, the right to the rectification of inaccurate personal data, the right of erasure or right ‘to be forgotten’, the right to restrict processing and the right to data portability, which allows data subjects to move their personal data from one data controller to the other.

In that context, it is important that the business model of such providers ensures that there are no misaligned incentives that encourage individuals to use such services to make more data relating to them available for processing than would be in their interest. This could include advising individuals on the possible uses of their data and making due diligence checks on data users before allowing them to contact data subjects, in order to avoid fraudulent practices.

In certain situations, it could be desirable to collate actual data within a personal data space so that processing can happen within that space without personal data being transmitted to third parties in order to maximise the protection of personal data and privacy.

Such personal data spaces could contain static personal data such as name, address or date of birth as well as dynamic data that an individual generates through, for example, the use of an online service or an object connected to the Internet of Things. They could also be used to store verified identity information such as passport numbers or social security information, as well as credentials such as driving licences, diplomas or bank account information.
