Are You Prepared for the New Data Governance Challenges and Opportunities in the EU?

With the promise of a single European data space, the European Union Data Strategy was published in 2020, after years of multi-stakeholder consultation. Its goal is to create a single market for data security as well as enable access to high-quality industrial data, boosting growth and creating value while minimizing environmental impacts (European Strategy for Data). Data governance experts across sectors from around the world are following the developments of this legislative initiative closely, and CDOs should be aware of the opportunities and challenges it will bring for their day-to-day operations, including expanded compliance obligations. 

Background and purpose of the new rules

After years of a primary focus on personal data with the European Union General Data Protection Regulation (GDPR), and the Digital Service Act Package on platforms regulation, the EU now is focused on both personal and nonpersonal data protection and capitalization. In November 2021, the European Commission adopted two supporting documents: the Recommendation on a Common European Data Space for Cultural Heritage and theDigital Europe Work Programme 2021-2022. These bring into practice the concept of Common European Data Spaces  proposed in  the 2020 European Strategy for Data. [1] 

To further advance the Strategy for Data, the Commission is pushing two new normatives: the Data Governance Act and the Data Act. Both proposals have also received large multi-stakeholder input to support a better understanding of the actors, the process adopted, and data.

The Data Governance Act (DGA), published on February 23, 2022, is a horizontal framework for data sharing that covers both personal and nonpersonal data. With these new rules, the DGA effectively aligns its international transfer regime of nonpersonal data with the one of personal data initially defined by the GDPR and Schrems I & II jurisprudence. However, potential conflicts with the GDPR are still being identified and clarified. The DGA has a strong extraterritorial focus. The measure introduces provisions that encourage EU internal data sharing to increase the value derived from society-wide access to data between Member States. While on the other hand, the new rules proposed by the DGA pose significant challenges to the cross-border exchange of nonpersonal data with the rest of the world, therefore potentially reducing non-EU member countries’ access to knowledge and information held in Europe.  

By its turn, the Data Act brings a proposal for harmonized rules on fair access to and use of data. Its core elements are: (1) It sets new rules allowing businesses and consumers to access data generated by connected devices; (2) Introduces a framework for business-to-government (B2G) data sharing, but limited to public emergencies and narrowly defined situations of exceptional need; (3) Introduces interoperability as a key measure of the European data governance framework. 

The challenges

While ambitious, these initiatives are yet to provide a clear path for implementation and raise questions on the facilitation of cross-border data flows between the EU and the rest of the world. CDOs grappling with this legislation will need to dig deep to understand the full complexity of these packages and how they are interrelated, once they are approved and adopted.

While facilitating sharing within the EU, the DGA will potentially increase the transaction costs for organizations outside the EU, and not only for personal data. Through a combination of implementing and delegated acts, the Commission may declare the adequacy of non-EU  countries’ legal regimes vis-à-vis the EU in providing appropriate safeguards to nonpersonal data.

Additionally, the EU Data Strategy supporting documents do not clarify the next steps for those organizations considering bids for the Digital Europe Work Program — a ​​new EU funding program focused on bringing digital technology to businesses, citizens, and public administrations. The current version of the program is set for seven years (2021-2027) and foresees various upcoming calls, allocating billions of Euros in funding and investment. [2]

Opportunities

The DGA  normalizes a new framework — “data intermediation services” — for companies and individuals to engage in data sharing in a secure environment. This could be a key area to watch for companies and professionals working in data governance.

This framework, based on the creation of a trusted and independent intermediary, aims to facilitate data sharing between data subjects and data holders, on the one hand, and data users on the other hand. To ensure that the shared data is not used by entities providing the intermediary services themselves, the measure introduces structural separation requirements, which obliges intermediaries to be structurally separated from any commercial activity rather than offering intermediation services. 

Thus, the DGA also recognizes “data cooperatives” as a services intermediary, and thus empowers individuals and SMEs to choose if using intermediaries instead of consenting large corporations to access and use their data. The DGA paves the way for the development of data stewardship models rooted in the collective exercise of users’ rights. 

What these initiatives may mean for data governance globally 

It’s worth considering how your data governance and management plans will be affected by these normatives, especially how some of the foreseen mechanisms might resemble localization requirements from an operational standpoint. It will also be interesting to observe the domino effect these norms will have on the rest of the world — a phenomenon known as the Brussels effect — since they raise the standard of protection and the compliance burden for both personal and nonpersonal data.

Carolina Rossini is Chief Impact and Partnerships Officer, Datasphere Initiative.

Francesco Vogelezang is a Datasphere Initiative Fellow and a policy analyst at the Open Future Foundation. Read Vogelzang’s more detailed analysis of the Data Governance Act in this blog post.

[1] By establishing such spaces the Commission aims “at overcoming legal and technical barriers to data sharing across organizations, by combining the necessary tools and infrastructures and addressing issues of trust, for example by way of common rules developed for the space“ (European Strategy for Data, p15).

[2]  Areas of investment include: High Performance Computing, Artificial Intelligence, Cybersecurity and Trust,  Advanced Digital Skills, Deployment and Best Use of Digital Capacity and Interoperability