[To Eurosmart members only]

 

Data Governance Act: Council insists on encryption and certification

On 1 October, EU Member States reached a common position on the Data Governance Act (DGA). The DGA aims to foster data sharing in three ways:

- facilitating the re-use of certain categories of data held by public sector bodies

- fostering data intermediation services

- encouraging data altruism

Member States introduced provisions relating to data security, referring to standards and certification. They also gave more details on how the DGA could foster “personal data spaces”, i.e. spaces where citizens could store identity information and attributes.

Please find below a summary of key modifications made by the Member States.

 
Council position

Security measures

Member States made it clear that the security of data should not be compromised. The public sector and businesses (e.g. re-users, data intermediation services) must take appropriate security measures. They must prevent access to the systems where non-personal data is stored. This includes encrypting data or applying corporate policies. To these ends, they “should adhere to all relevant technical standards, codes of conduct and certifications at Union level”.

Public sector bodies are given a wider margin to lay down conditions for re-use of the data they hold. In fact, public sector bodies now have a duty (“shall”) to lay down conditions in order to preserve the protected nature of the data, whereas the Commission only gave them the possibility (“may”). However, they can choose the most appropriate conditions for re-use. For instance, public sector bodies can:

- request re-users to anonymise or pseudonymise personal data

- request re-users to modify or aggregate commercially confidential information or content protected by intellectual property rights.

Member States also added that the re-user “shall without undue delay, where appropriate with the assistance of the public sector body, inform the legal persons whose rights may be affected in case of an unauthorised re-use of non-personal data occurs”.

 

More flexibility for public authorities

Member States added a sentence in Article 1 to underline that the DGA does not create an obligation to allow re-use of public sector data. Nor does it release public sector bodies from their confidentiality obligations.

Member States modified Article 5(6) to ensure that public sector bodies are not obliged to provide assistance to potential re-users in seeking consent or permission for re-use.

 

Transfer of data to third countries

Member States introduced safeguards to ensure that data transferred to third countries benefit from the same level of protection as in the EU. In addition, if the re-user intends to transfer non-personal (but sensitive) data to a third country, it shall inform the public sector bodies of its intention. The re-user shall also inform the legal person whose rights and interests may be affected. Without the green light of the legal person concerned, the data transfer cannot take place.

 

“Personal data spaces”

The DGA lays the ground for the creation of personal data spaces through data intermediation services. “Such personal data spaces may contain static personal data such as name, address, or date of birth, as well as dynamic data that an individual generates e.g. through the use of an online service or an object connected to the Internet of Things. They may also be used to store verified identity information (passport number, social security information) as well as proof of personal attributes (e.g. driving licence, diplomas or bank account information).”

 

Next steps:

Member States and the European Parliament will start negotiations.

 

If you have any questions on this topic, please do not hesitate to contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com

 

 
Eurosmart
Square de Meeûs 35 - 1000 Brussels BELGIUM
Privacy Policy - EU transparency register #21856815315-64