Data Governance Act (EU) 2022/868 (DGA): the European legal framework for data governance, providing inspiration for Monaco

The DGA is of interest to the Principality of Monaco, which, although not a member of the EU, drew inspiration from it for Bill no. 1093 amending various provisions on digital matters, submitted to the Bureau of the National Council on 22 May 2024.

* * *

Presentation

Regulation (EU) 2022/868 of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act "DGA"), which is part of the European Data Strategy (COM(2020) 66 final), aims to enable the re-use of protected data (which cannot be used as open data) and to facilitate the sharing of data in areas such as health, the environment, energy, agriculture, mobility, finance, manufacturing, public administration, etc. It does not create a new obligation to make data available, but provides a framework for its re-use when it is not freely accessible, particularly when it is protected by rights (personal data, business secrets, IPR, etc.).

The DGA has been applicable since 24 September 2023 (article 38, §2) in the Member States of the European Union (EU). Transitional provisions apply to entities providing data intermediation services on 23 June 2022, which must comply with the obligations set out in Chapter III by 24 September 2025 at the latest (Article 37).

Note: The DGA should not be confused with:

• the Open Data Directive (EU) 2019/1024 of 20 June 2019 on open data and the re-use of public sector information (recast) (transposed into Member States' national law) which sets the legal framework for the re-use of public sector information, including information in the geographical, cadastral, statistical or legal fields held by public sector bodies or public undertakings, as well as data from publicly funded research.
• the Data Act Regulation (EU) 2023/2854 of 13 December 2023 concerning harmonised rules on fair access to and fair use of data, applicable from 12 September 2025 in a phased manner, which specifies who can create value from data and under what conditions. It lists principles and guidelines applicable to all sectors, with obligations for access to and fair sharing of the data generated, particularly by connected objects (connected products will have to be designed and manufactured in such a way as to enable users (businesses or consumers) to access, use and share the data generated easily and securely).

* * *

Scope of the DGA
Conditions for the re-use of certain protected data held by public sector bodies;
rules for companies providing data intermediation services;
a framework for data altruism (sharing data voluntarily and without compensation);
a framework for the European Data Innovation Board (EDIB);
measures enabling the secure flow of non-personal data outside the EU.

Scope of the DGA

• Conditions for the re-use of certain protected data held by public sector bodies;
• Rules for companies providing data intermediation services;
• Framework for data altruism (sharing data voluntarily and without compensation);
• Framework for the European Data Innovation Board (EDIB);
• Measures enabling the secure flow of non-personal data outside the EU.

* * *

LEARN MORE

¤ Re-use of certain categories of protected data held by public sector bodies (articles 3 to 9 DGA)

Protected data (commercial confidentiality including business, professional and corporate secrecy; statistical confidentiality; protection of personal data; protection of intellectual property rights) cannot be used as open data, but can be re-used under specific rules.

Re-use is defined as "the use by natural or legal persons of data held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced, except for the exchange of data between public sector bodies purely in pursuit of their public tasks".

Where such re-use is authorised, public sector bodies must comply with the conditions for re-use laid down by the DGA (in particular, they must be non-discriminatory, transparent, proportionate, justified and made public).

Specific rules govern the transfer of protected, non-personal data by a re-user to a third country and the application of fees. Public sector bodies granting re-use permits may apply reduced or zero fees, for example for SMEs, start-ups, civil society organisations and educational establishments.

EU Member States should make available and easily accessible via a single information point all relevant information on conditions for re-use and on charges, which is collected by the European Commission on data.europa.eu (‘findability’).

¤ Requirements applicable to data intermediation services (articles 10 à 15 DGA)

Data intermediation service is defined as "a service which aims to establish commercial relationships for the purposes of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other, through technical, legal or other means, including for the purpose of exercising the rights of data subjects in relation to personal data", with exclusions (such as services focused on the intermediation of copyrighted content, etc.).

The DGA distinguishes three types of data intermediation services according to the types of persons between whom the commercial relationship is established:

• between data holders and users (e.g. "B to B" exchange platforms);
• between data subjects and users (e.g. personal information management system);
• data cooperatives (e.g. data pooling with a view to joint management).

Data intermediation service providers are neutral third parties who put people and companies that hold data in touch with others who wish to use it. The requirements imposed on them by the DGA aim to strengthen confidence in data sharing and ensure that individuals and businesses retain control over their data:

• Notifying their activity to the competent authority;
• Compliance with requirements to guarantee neutrality and avoid conflicts of interest;
• Structural separation from any other value-added services provided;
• Pricing conditions that are independent of whether the data holder or potential data user uses other services;
• Procedure for access to its service that is fair, transparent and non-discriminatory;
• Appropriate measures to ensure interoperability with other data intermediation services; etc.
  

¤ Data altruism (articles 16 à 25)

Data altruism is the voluntary provision of data without compensation for use in the public interest to advance research and develop better products and services, notably in the areas of health, climate action or the improved delivery of public services such as mobility. EU Member States can develop national policies to encourage data altruism.

The DGA creates a status for recognised data altruistic organisations under the following scheme:

• Conditions and modalities for registration;
• Each competent registration authority shall maintain and regularly update a national public register of recognised data altruistic organisations;
• Transparency obligations;
• Specific requirements to safeguard the rights and interests of data subjects and data holders with regard to their data;
• European data altruism consent form;
• EU register of recognised data altruistic organisations.

¤ Governance: competent authorities and the European Data Innovation Board (articles 26 à 31)

Each Member State will designate one or more competent authorities. In France, the Autorité de régulation des communications électroniques, des postes et de la distribution de la presse (Arcep) is the competent authority for data intermediation services, and the Commission nationale de l'informatique et des libertés (CNIL) the competent authority for data altruism (Law SREN of 21 May 2024).

The European Data Innovation Board is a group of experts that facilitates harmonisation, advises the Commission and may draw up codes of conduct. It is composed of representatives of the competent authorities for data intermediation services and the competent authorities for the registration of data altruistic organisations from all EU Member States, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS), ENISA (cybersecurity), the Commission, a representative for SMEs and other representatives of competent bodies in particular sectors as well as bodies with specific expertise.

* * *

Sources

• Regulation (EU) 2022/868 (DGA) – Text: EUR-Lex – CELEX 32022R0868
• French Law no. 2024-449 of 21 May 2024 aimed at securing and regulating digital space (SREN) – Competent authorities DGA: Légifrance
• Monegasque Bill no. 1093 tabled on 22 May 2024 – Text: Conseil National

* * *