Update on the European Data Governance Act (the “DGA”).

Cecile Oosterveen - Legal Advisor
February 11, 2022
On 1st October 2021, the Council of the European Union reached agreement on the text of the proposed DGA and issued a mandate to the EU Presidency to commence negotiations about the proposal between the European Parliament and the European Commission. The DGA is just the latest part of a growing puzzle of EU data law. While the GDPR governs the use of personal data, the DGA also deals with non-personal data and therefore has a much broader regulatory scope.

What is the goal of the DGA?

As society becomes more and more data-driven, there was (and is) a need for a new way of data governance.

The EU Data Governance Act is a core part of the European Strategy for data which sets a governance framework to promote trust in data sharing between people and businesses.

The DGA is in fact the latest piece when it comes to data law. The European Union seeks in this manner to become a leader in a data-driven society. This Act is paramount for insurers in particular, as they handle large amounts of data, including personal data. The volume of data an insurance company stores grows significantly every day. Most importantly, the DGA will help people have full control over their data and allow them to share data with a company they trust. Data intermediation service providers would, for example, need to be listed in a register, so that their clients would know that they can rely on these providers.
The insurer is required to store information about its policyholders, employees, intermediaries and many more. Therefore, data governance in the insurance industry goes even beyond basic insurance data security. An insurance company's data governance strategy must ensure that data is correct, accurate and reliable, allowing for informed and effective decision-making and providing the needed data security.

Territorial scope of the DGA

The DGA does not contain an article defining the territorial scope of the provisions. Nonetheless, it does provide some details on the parameters to be considered as to where non-EU based data sharing service providers would offer services within the EU and therefore will be required to appoint an EU-based representative.

Main changes to the initial proposal

The key changes to the initial proposal are the following:

  1. The proposal contains a more precise definition of the relationship between the DGA and the EU General Data Protection Regulation (GDPR). The definition of data under the DGA is so wide that it also includes personal data as defined in the GDPR. Both regulations may therefore apply at the same time.
    As mentioned before, the DGA does not require data sharing service providers to have an EU establishment. This means that the service provider will need to appoint a legal representative in the EU to act as a data sharing service provider. In case the provider has multiple establishments, they will be expected to have their main establishment where their central administration is located.
    The establishment criteria are crucial in order to assess which national regulatory framework providers will be subject to. Similar criteria are outlined in the GDPR, which does allow for the main establishment to be where the main decisions about personal data processing are taken if it is different from the central administration.
    With the new DGA proposal, in the situation where an organization has two EU main establishments for the purposes of different types of data use – one for GDPR and the other for DGA, it could become a confusing burden for a company and thus lead to legal uncertainty.
  2. The Council amended further the provisions regulating the administrative arrangements enabling the reuse of public-sector data which are subject to rights of others (such as personal data and trade secrets), with the aim of increasing flexibility for Member States in relation to regulating such re-use.
  3. The proposal aims also to enable individuals and companies to share their data voluntarily for wider societal benefits. 
  4. Lastly, modifications were introduced to the proposal to allow the European Commission to adopt model contractual clauses to support public sector bodies and re-users to comply with DGA obligations in the event of transfers of public-sector data to third countries.

Next steps

As the European Council has agreed its position on the proposed DGA, the Presidency can commence negotiations with the European Parliament. The European Parliament is subject to the formal approval. 

Under the Council text, the new rules will apply 18 months after the entry into force of the regulation. 

Insurance companies will need the people, processes and technology to properly manage their data. Proper data governance implementation in line with the DGA will foster confidence and trust and could therefore be a positive step towards data-driven innovation in the European Union. Nonetheless, the delineation with other regulations such as the GDPR might need to be clarified further.