EU Data Governance Act Approved by Council
EU Data Governance Act Approved by Counc...

EU Data Governance Act Approved by Council

The Act has been adopted by the Council of the European Union and awaits publication in the Official Journal before becoming applicable in late 2023

Robb Hiscock Content Marketing Specialist | CIPP/E, CIPM

clock5 Min Read

Featured Image

On May 16, 2022, the Council of the European Union approved the Data Governance Act (DGA) following approval from Members of the European Parliament (MEPs) in April. On November 30, 2021, the European Commission announced that negotiations had concluded and that a political agreement had been reached between the Commission,  European Parliament, and the Council of the European Union on the DGA. The proposal for the DGA was initially introduced on November 25, 2020, and had been under discussion for over 12 months. The DGA is the first legislative initiative adopted under the European strategy for data and aims to increase trust in data sharing and establish trusted data use for research and innovation, among other things.

Margrethe Vestager, Executive Vice-President, A Europe Fit for the Digital Age, said: “This Regulation is a first building block for establishing a solid and fair data-driven economy. It is about setting up the right conditions for trustful data sharing in line with our European values and fundamental rights. We are creating a safe environment in which data can be shared across sectors and Member States for the benefit of society and the economy.”

Watch the webinar: The Automated Data Map: Your Foundation for Privacy, Security, and Governance

What is the EU Data Governance Act?

The Council of the European Union has highlighted that the DGA will establish robust procedures to facilitate the reuse of certain protected public sector data, and foster data altruism across the EU.

One of the more significant elements of the proposed DGA is the Council’s aim to define a new business model for data intermediation services that would serve as trusted environments for organizations or individuals to share data. The Council highlights that data intermediation services will help:

  • support voluntary data sharing between companies
  • facilitate the fulfillment of data sharing obligations set by law
  • organizations share data without fear of it being misused or losing competitive advantage
  • individuals exercise their rights under the GDPR
  • enable individuals to gain control over their data and allow them to share it with trusted companies

The Council also explains that the control that individuals will gain over how they share their data will be managed via novel personal information management tools, such as personal data spaces or data wallets. These are apps that share such data based on the data subject’s consent. Data intermediation service providers will be prohibited from profiting from the data that they handle, however they will be able to charge a fee for their services. The DGA also provides for certifications to identify compliant providers of data intermediation services.

Additionally, the DGA would introduce safeguards against the unlawful transfer of non-personal data similar to how personal data transfers are regulated under the GDPR. As such, the European Commission would be able to adopt adequacy decisions for countries that have the appropriate safeguards in place to protect non-personal data to an EU standard. The Commission may also develop a set of contractual clauses for scenarios where non-personal data is transferred to a third country.

In order to assist the Commission in enhancing the interoperability of data intermediation services, the European Data Innovation Board will be created. The Board’s duties will also include issuing guidelines on the development of personal data spaces, among other things.

What Does the EU Data Governance Act Mean for Organizations and Next Steps?

The introduction of safeguards for the transfer of non-personal data will pose an interesting challenge for organizations, many of which are still being affected by the fallout from the Schrems II decision. Adding an additional layer of regulated data will mean that organizations will need to identify this data, where this data lives, and how it is being used.

The provisional agreement reached by the European Parliament, the Council of the European Union, and the European Commission in November 2021 has now been approved by MEPs and by the Council and now awaits the signature of the President of the European Parliament and the President of the Council before being published in the Official Journal. The new requirements under the DGA will apply 15 months from the date of publication meaning an effective date of August or September 2023 is likely.

With the final stages of this legislative process concluding, the importance of organizations having a unified privacy and data governance program is now under the spotlight. And, as part of that program, having strong data discovery and mapping processes in place to be able to handle this broader scope of data.

Organizations can begin to strengthen their privacy and governance programs by finding and understanding their data, both personal and non-personal. OneTrust enables businesses to know their data holistically – what type of data they process, where the data is located, the business processes, the third parties involved, and the many-to-many relationships between them. OneTrust can automatically populate an ever-green data map to serve as a single source of truth to actively discover, classify, and map data in real-time. With this map, AI-powered regulatory intelligence can help to flag risks and potential regulatory violations and recommends workflows so businesses can establish trust with consumers, employees, and regulators.

Register for the webinar: The Automated Data Map: Your Foundation for Privacy, Security, and Governance on January 13 at 11 AM EST

Further resources: 

Follow OneTrust on LinkedInTwitter, or YouTube for the latest on the EU Data Governance Act.

You Might Also Be Interested In


JUL 12, 2022
Third-Party Risk

Supply Chain Scrutiny: What You Need to Know About the Uyghur Forced Labor Prevention Act (UFPLA)

FEB 04, 2021
Third-Party Risk

Third-Party Risk Exchange Demo

JUL 07, 2022
Third-Party Risk

Become a Trusted Brand: 7 Ways to Promote Your Security, Privacy, Ethics and ESG Programs

JUN 17, 2022
Ethics and Compliance

Anti-Retaliation Checklist for Compliance Programs

AUG 24, 2022
Privacy Management

US Privacy Laws & Regulations: Answering Your Biggest Questions

AUG 11, 2022
Privacy Management

Utah and Connecticut: Latest Additions to the US Privacy Landscape

JUN 16, 2022
Ethics and Compliance

EU Whistleblower Directive Checklist

JUL 26, 2022
Consent and Preferences

How to Drive Enhanced Marketing & CX Campaigns Through Trusted Data Use

BackToTop
Onetrust All Rights Reserved