August 19, 2024 | Max Atallah

Data

An Overview of the Data Governance Act

The Regulation on European data governance, also known as the Data Governance Act, is one of the cornerstones of the European Union’s (EU) data strategy. Its aim is to increase the availability of data by strengthening trust in data intermediaries and harmonizing data sharing procedures across the EU. In other words, the approach of the Data Governance Act is strongly procedural and does not provide for a right of access to data or an obligation to disclose data.

This regulation, which entered into force on 23 June 2022 and has applied from September 2023, endeavors to create a common European data space, i.e. a digital data space for data sharing, and an interoperable single market for data.

Act’s Benefits

Access to more data empowers the public sector to formulate evidence-based policies, promoting transparent governance and efficient public services. Good data management and data sharing will also enable industries to develop innovative products and services and will make many sectors of the economy more efficient and sustainable. For example, improved access to health data can revolutionize personalized treatments, enhance healthcare delivery, and accelerate research into curing diseases while generating significant saving in the healthcare sector.

Content of the Data Governance Act

The regulation provides for processes and structures that facilitate the voluntary sharing of data. The regulation is divided into 4 broad set of measures:

  • Enabling the reuse of certain public sector data for research and innovation purposes.
  • Laying down the conditions for providers of data intermediation services and the reporting and control framework for the provision of those services.
  • Simplifying processes that allows citizens and businesses to share their data voluntarily and free of charge for purposes of public interest.
  • Facilitating cross-sector and cross-border data sharing, and ensuring the right data is accessible for the right purposes

Although the regulation also affects, for example, public sector entities that handle certain categories of protected data, the practical effects of the regulation will now be examined from the perspective of providers of data intermediation services

Data Intermediary Service Providers

Data intermediary services providers are neutral third parties that establish commercial relationships for data sharing between data subjects and data holders on the one hand and data users on the other. A data subject refers to an identified or identifiable natural person.

Offering such a service is not a new phenomenon, so a company may already be considered a data intermediary service provider if its service aims to establish commercial relationships for an unspecified group of data holders and data users.

Practical Implications

As a result of the regulation, companies deemed to be data intermediary service providers must, among other things, notify the competent authority, which in Finland is Traficom, about their data intermediary services and ensure compliance with other provisions of the regulation. For instance, a data intermediary service provider must not use the data subject to data intermediary services for any purposes other than making the data available to data users, and the service provider must offer data intermediary services through a separate legal entity.

In addition to the other obligations, the regulation imposes a transparency requirement on data intermediary service providers. Practically, one of the best ways to demonstrate transparency is to provide a comprehensive, clear and accurate privacy notice. This legal document explains how the company collects, process, shares, and protects personal data. Therefore, companies that are data intermediary service providers under the regulation should update their privacy notices to comply with the regulation’s requirements. For example, the privacy notice should state that the company is an approved data intermediary service provider under the regulation and describe the types of personal and other data the company collects and processes.

Finally

Facilitating and promoting data mobility is expected to catalyze innovation and job creation across the EU, positioning the region as a frontrunner in the data-driven era. However, the impacts and benefits of the regulation can be considered to be partly dependent on other factors, as the regulation itself does not oblige to open or release data, but sets a code of conduct aimed at increasing the availability of data and unifying its sharing.

Our Associate Trainee Adeliina Sulkanen took part in writing this article.

Nordic LawPioneer in Web3 and Fintech law