On May 16, 2022, the Council of the European Union approved the Data Governance Act (DGA) following approval from Members of the European Parliament (MEPs) in April. On November 30, 2021, the European Commission announced that negotiations had concluded and that a political agreement had been reached between the Commission,  European Parliament, and the Council of the European Union on the DGA. The proposal for the DGA was initially introduced on November 25, 2020, and had been under discussion for over 12 months. The DGA is the first legislative initiative adopted under the European strategy for data and aims to increase trust in data sharing and establish trusted data use for research and innovation, among other things.

Margrethe Vestager, Executive Vice-President, A Europe Fit for the Digital Age, said: “This Regulation is a first building block for establishing a solid and fair data-driven economy. It is about setting up the right conditions for trustful data sharing in line with our European values and fundamental rights. We are creating a safe environment in which data can be shared across sectors and Member States for the benefit of society and the economy.”

Watch the webinar: The Automated Data Map: Your Foundation for Privacy, Security, and Governance

What is the EU Data Governance Act?

The Council of the European Union has highlighted that the DGA will establish robust procedures to facilitate the reuse of certain protected public sector data, and foster data altruism across the EU.

One of the more significant elements of the proposed DGA is the Council’s aim to define a new business model for data intermediation services that would serve as trusted environments for organizations or individuals to share data. The Council highlights that data intermediation services will help:

• support voluntary data sharing between companies
• facilitate the fulfillment of data sharing obligations set by law
• organizations share data without fear of it being misused or losing competitive advantage
• individuals exercise their rights under the GDPR
• enable individuals to gain control over their data and allow them to share it with trusted companies

The Council also explains that the control that individuals will gain over how they share their data will be managed via novel personal information management tools, such as personal data spaces or data wallets. These are apps that share such data based on the data subject’s consent. Data intermediation service providers will be prohibited from profiting from the data that they handle, however they will be able to charge a fee for their services. The DGA also provides for certifications to identify compliant providers of data intermediation services.

Additionally, the DGA would introduce safeguards against the unlawful transfer of non-personal data similar to how personal data transfers are regulated under the GDPR. As such, the European Commission would be able to adopt adequacy decisions for countries that have the appropriate safeguards in place to protect non-personal data to an EU standard. The Commission may also develop a set of contractual clauses for scenarios where non-personal data is transferred to a third country.

In order to assist the Commission in enhancing the interoperability of data intermediation services, the European Data Innovation Board will be created. The Board’s duties will also include issuing guidelines on the development of personal data spaces, among other things.

What does the EU Data Governance Act mean for organizations and next steps?

The introduction of safeguards for the transfer of non-personal data will pose an interesting challenge for organizations, many of which are still being affected by the fallout from the Schrems II decision. Adding an additional layer of regulated data will mean that organizations will need to identify this data, where this data lives, and how it is being used.

The provisional agreement reached by the European Parliament, the Council of the European Union, and the European Commission in November 2021 has now been approved by MEPs and by the Council and now awaits the signature of the President of the European Parliament and the President of the Council before being published in the Official Journal. The new requirements under the DGA will apply 15 months from the date of publication meaning an effective date of August or September 2023 is likely.

With the final stages of this legislative process concluding, the importance of organizations having a unified privacy and data governance program is now under the spotlight. And, as part of that program, having strong data discovery and mapping processes in place to be able to handle this broader scope of data.

Organizations can begin to strengthen their privacy and governance programs by finding and understanding their data, both personal and non-personal. OneTrust enables businesses to know their data holistically – what type of data they process, where the data is located, the business processes, the third parties involved, and the many-to-many relationships between them. OneTrust can automatically populate an ever-green data map to serve as a single source of truth to actively discover, classify, and map data in real-time. With this map, AI-powered regulatory intelligence can help to flag risks and potential regulatory violations and recommends workflows so businesses can establish trust with consumers, employees, and regulators.