Agreement Reached on EU Data Governance Act

The Act would introduce data intermediary services and encourage data altruism across Member States

The European Commission announced on November 30, 2021, that trilogue negotiations had concluded and that a political agreement had been reached between the Commission, the European Parliament, and the Council of the European Union on the EU Data Governance Act (DGA). The proposal for the DGA was initially introduced on November 25, 2020, and has been under discussion over the past 12 months. The DGA is the first legislative initiative adopted under the European strategy for data and aims to increase trust in data sharing and establish trusted data use for research and innovation, among other things.

Margrethe Vestager, Executive Vice-President, A Europe Fit for the Digital Age, said: “This Regulation is a first building block for establishing a solid and fair data-driven economy. It is about setting up the right conditions for trustful data sharing in line with our European values and fundamental rights. We are creating a safe environment in which data can be shared across sectors and Member States for the benefit of society and the economy.”

Register for the webinar: The Automated Data Map: Your Foundation for Privacy, Security, and Governance on January 13 at 11 AM EST

What is the EU Data Governance Act?

The Council of the European Union has highlighted that the DGA will establish robust procedures to facilitate the reuse of certain protected public sector data, and foster data altruism across the EU.

One of the more significant elements of the proposed DGA is the Council’s aim to define a new business model for data intermediation services that would serve as trusted environments for organizations or individuals to share data. The Council highlights that data intermediation services will help:

  • support voluntary data sharing between companies
  • facilitate the fulfillment of data sharing obligations set by law
  • organizations share data without fear of it being misused or losing competitive advantage
  • individuals exercise their rights under the GDPR
  • enable individuals to gain control over their data and allow them to share it with trusted companies

The Council also explains that the control that individuals will gain over how they share their data will be managed via novel personal information management tools, such as personal data spaces or data wallets. These are apps that share such data based on the data subject’s consent. Data intermediation service providers will be prohibited from profiting from the data that they handle; however, they will be able to charge a fee for their services. The DGA also provides for certifications to identify compliant providers of data intermediation services.

Additionally, the DGA would introduce safeguards against the unlawful transfer of non-personal data similar to how personal data transfers are regulated under the GDPR. As such, the European Commission would be able to adopt adequacy decisions for countries that have the appropriate safeguards in place to protect non-personal data to an EU standard. The Commission may also develop a set of contractual clauses for scenarios where non-personal data is transferred to a third country.

In order to assist the Commission in enhancing the interoperability of data intermediation services, the European Data Innovation Board will be created. The Board’s duties will also include issuing guidelines on the developments of personal data spaces, among other things.

What Does the EU Data Governance Act Mean for Organizations and Next Steps

The introduction of safeguards for the transfer of non-personal data will pose an interesting challenge for organizations, many of which are still being affected by the fallout from the Schrems II decision. Adding an additional layer of regulated data will mean that organizations will need to identify this data, where this data lives, and how it is being used.

The provisional agreement reached by the European Parliament, the Council of the European Union, and the European Commission is now subject to approval by the Council and will be submitted to the Council’s Permanent Representatives Committee for endorsement. Following approval, the new requirements under the DGA will apply 15 months after the entry into force of the regulation.

With the final stages of this legislative process concluding, the importance of organizations having a unified privacy and data governance program is now under the spotlight, as is having strong data discovery and mapping processes in place, as part of that program, to handle this broader scope of data.

While the DGA’s regulations are still under discussion, organizations can begin to strengthen their privacy and governance programs by finding and understanding their data, both personal and non-personal. OneTrust enables businesses to know their data holistically – what type of data they process, where the data is located, the business processes, the third parties involved, and the many-to-many relationships between them. OneTrust can automatically populate an ever-green data map to serve as a single source of truth to actively discover, classify, and map data in real time. With this map, AI-powered regulatory intelligence can help to flag risks and potential regulatory violations and recommend workflows so businesses can establish trust with consumers, employees, and regulators.

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on the EU Data Governance Act.

