The EU Data Governance Act is an EU regulation that is directly applicable in all EU Member States. Its text can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R0868
The Data Governance Act consists mainly, apart from some adminstrative, institutional and procedural provisions, of three substantive parts:
- it lays down the conditions for re-use of data held by public sector bodies within the EU;
- it installs regulatory rules for data intermediaries;
- it provides for a framework for data altruism, i.e., voluntarily, non-profit sharing of data for altruistic purposes, mainly for objectives of general interest.
For commercial companies, in general, only the two first points are relevant:
Re-use of data held by public sector bodies
As a rule, exclusive rights to re-use specific data held by public sector bodies shall not be granted. Exceptions are possible under certain conditions and must comply with the principles of transparency, equal treatment and non-discrimination; the duration of an exceptional right to re-use shall not exceed 12 months.
When granting access, a number of conditions have to be met to preserve the following interests and rights, respectively, in particular the following:
- data privacy, above all in accordance with the GDPR;
- intellectual property rights;
- trade secrets;
- confidentiality;
- technical integrity of secure processing environment.
All conditions for re-use shall be non-discriminatory, transparent, proportionate and objectively justified with regard to the categories of data and the purposes of re-use and the nature of the data for which re-use is allowed.
The transfer of data to third contries is subject to special conditions.
For obtaining the data, a request is necessary. The competent bodies have to react to that request within a certain time frame. Public sector bodies may charge appropriate fees for granting access to data.
Data intermediation services
Data intermediation service providers, also called data intermediaries, are
- intermediation services between data holders and potential data users
- intermediation services between data subjects and potential data users;
- services of data cooperatives.
They have to submit a notification with the competent authority. The notification has to include information that is specified in the Data Governance Act.
Every data intermediation services provider that is established outside the EU, but offers above data intermediation services within the EU, shall designate a legal representative in one of the EU Member States in which the relevant services are offered.
The Data Governance Act sets out a number of conditions for providing intermediation services. Compliance with these conditions as well as with the notification is monitored by the respective “competent authority”. In case of infringements, amongst other measures, penalties can be imposed.
The Data Governance Act has been become applicable on 24 September 2023. The intermediation service providers have to comply with the notification requirement and the conditions for rendering their services as of 24 September 2025.