Updated Guidance to the European Data Governance Act

On 30 May 2022, the Parliament of the European Union (EU) adopted the revised European Data Governance Act (DGA), which builds on the previous Regulation (EU) 2018/1724, which was designed to establish a single digital gateway to provide access to information (1). The DGA entered into force on 23 June 2022 and, following a 15-month grace period, will be applicable to all member states from September 2023. It forms part of the broader context of the European Commission’s (EC’s) action plan to ensure Europe’s digital sovereignty by 2030 and is complementary to the European Artificial Intelligence (AI) Strategy. The aim of the law is to create a single European market for data, while seeking to increase trust in data sharing by companies, individuals, and the public sector as well as strengthen mechanisms to increase data availability and overcome technical obstacles to reuse data.

The DGA applies to data defined as “any digital representation of acts, facts, or information and any compilation of such acts, facts, or information, including in the form of sound, visual, or audio-visual recording that is held by public sector bodies that is not subject to the Open Data Directive but is subject to the rights of others” (2). This may include personal data, including special categories of data, such as health data, statistically confidential data, trade secrets, and data that are subject to intellectual property rights.

The DGA

The DGA aims to ensure a better distribution of the value derived from the use of personal and non-personal data between the actors of the data economy, particularly in relation to the use of connected objects and the development of the Internet of Things (IoT) (3). The proposed DGA therefore aims to:

• facilitate the sharing of data between companies (B2B) and with consumers (B2C)
• re-use public sector data subject to the rights of others
• facilitate the switching of data processing services (cloud and edge computing)
• provide for the development of interoperability standards for data and its re-use across sectors

• put in place safeguards against unlawful access to non-personal data in the cloud by third country governments.

The DGA also supports the establishment and development of common European data spaces in strategic domains that involve both private and public players, in sectors such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration, and skills.

In the context of health, a document published by the EC believes that data-driven innovation will bring benefits to companies and individuals alike by creating efficiencies through “improving personalized treatments, providing better healthcare, and helping cure rare or chronic diseases … while providing efficiencies in health data will save approximately €120 billion a year in the EU health sector” (4).

Member states will have to set up a single information point to support researchers and businesses in identifying suitable data, while the EC will establish a European single-access point consisting of a searchable electronic register of all data available in each of the national single information points.

Re-use public sector data subject to the rights of others

This re-use of data concerns commercially confidential data (such as business trade secrets), statistically confidential data, data with intellectual property rights and personal data that are protected by the General Data Protection Regulation (GDPR) (5). If public sector bodies choose to share their data, it is conditional that they introduce harmonized basic conditions that will support this re-use. Technical measures that ensure the protection, privacy, and confidentiality of the data, through anonymizing or pseudonymizing the data before sharing and re-use must also be taken. It is also incumbent upon public sector bodies to verify the results of the data processed by the re-user, and they have the power to prohibit the use of the results if it believed that the rights and interests of third parties are being jeopardized (5). Under the terms of the DGA, exclusive arrangements are prohibited, although exceptions for a maximum of 12 months are possible under certain conditions.

Data intermediation services

The DGA has also defined a new business model for data intermediary services. These are services that act as a data hosting marketplace platform that enables the sharing of data but does not process or utilize the data. These intermediaries will be required to notify supervisory authorities of their intention to perform these services, and a license will be required to perform such services. To achieve this, a licensing regime will be put in place by supervisory authorities to ensure that the intermediary service is sufficiently independent and has appropriate security measures to protect privacy and confidentiality (2). Once a licence has been obtained, the data intermediary will be permitted to use a common logo that signifies it is compliant with DGA regulations and is a trusted entity. These intermediaries are permitted to charge a reasonable fee for the provision of the data intermediation service but are not authorized under any circumstance to use the stored data for their own purposes or profit.

Data altruism

The third model for data sharing is altruism, which refers to the “voluntary sharing of data based on the consent of the data subject or the permission of the data holder, without seeking any compensation, for the common good” (5). In this instance, all types of data are covered. Organizations that want to engage in data altruism can register voluntarily to increase trust in their operations where upon they will issued with a specific EU logo. For those wishing to submit data, the DGA introduces a common European data altruism consent form to obtain (or withdraw) consent or permission. It is hoped that data altruism will greatly support scientific research as it will promote the sharing of otherwise confidential data for the greater good.

The question of third countries such as the United Kingdom

While the new act is directly relevant for public sector bodies, it is important that other organizations and individuals, as well as any natural or corporate person in Europe who wishes to benefit from this data are aware of the changes brought in by the DGA. These changes take on particular significance when interpreted in the context of data transfers of DGA data outside of Europe. Data intermediaries and recognized data altruism providers will therefore need to consider if third countries offer appropriate protections for non-personal data (6). To this end, it is thought that the UK will follow in Europe’s footsteps and introduce a similar concept of data trusts to enhance data sharing within the United Kingdom in accordance with GDPR. An adequacy decision will be required before DGA data that is not personal data (as personal data will be regulated under the GDPR) can be transferred to a third country (5).

Implications of DGA for the pharmaceutical sector

The GDPR sets out many key concepts, such as health data as a special category of personal data as well as genetic and biometric data, all of which need special protection (Table I) (7). A specific feature in the field of health is that the member states have a margin to maintain or introduce further conditions as regards the processing of health, genetic, or biometric data.

This unique nature of health data does not lessen the need for the intersectoral use of health data but does underline the necessity for specific safeguards to be implemented. However, mere adherence to data protection rules is not enough to guarantee the success of data-sharing programmes. Rather, the need to address all core elements of a robust governance framework for data is what is required, particularly the tools and means for empowering individuals to keep control over how their data are being used and shared in a transparent environment (8).

References

1. EC, Proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act), COM/2020/767 final, 25 Nov. 2020.
2. Simmons & Simmons, “European Parliament Approve Draft Data Governance Act,” 13 April 2022.
3. CNIL, “European Strategy for Data: The CNIL and its Counterparts Comment on the Data Governance Act and the Data Act,” 13 July 2022.
4. EC, European Data Governance Act. Shaping Europe’s Digital Future available from ec.europa.eu [last updated 13 July 2022].
5. A. Van de Meulebroucke and L. Deschuyteneer, “New Rules of the Data Governance Act Will Apply from 24th September 2023 Onwards,” Eubelius, 7 June 2022.
6. R. Boardman, and J.M. Rodriguez, “EU Data Governance Act: What Privacy Professionals Need to Know. International Association of Privacy Professionals (IAPP),” iapp.org, 10 Feb. 2022.
7. Towards European Health Data Space (TEDHS), Why Health is a Special Case for Data Governance, Milestone Document, tehdas.eu, 23 June 2021.
8. M. Shabani, Mol. Syst. Biol. 17 (3) e10229 (2021).

About the author

Bianca Piachaud-Moustakis is lead writer at Pharmavision, Pharmavision.co.uk.

Article details

Pharmaceutical Technology Europe
Vol. 34, No. 11
November 2022
Pages: 8–9

Citation

When referring to this article, please cite it as B. Piachaud-Moustakis, “Updated Guidance to the European Data Governance Act,” Pharmaceutical Technology Europe 34 (11) 2022.