report

data governance act presentation

Confederation of European Data Protection Organisations

Live Webinar: Data Act and Data Governance Act – implications on personal data and for the DPO

Sep 27, 2022

The Data Governance Act (DGA) and the Data Act are part of the Commission’s European strategy for data aimed at creating a single market for data that ensures Europe’s global competitiveness and data sovereignty.

The draft Data Act is a fundamental proposal of this strategy. It is designed to stimulate a competitive data market, present opportunities for data-driven innovations and make data more accessible for all while at the same time ensuring fairness in the digital environment:

  • The Data Act expands on the GDPR’s right to portability to non-personal data generated by connected products and related services;
  • It facilitates the data sharing and use/reuse of generated data by users and selected third parties, setting standards at an EU-wide level;
  • It provides for use by public sector bodies of data held by the private sector in cases of exceptional need.

The adopted DGA is another important legislative proposal of the European strategy for data and focuses on providing a legal framework, processes and structures to promote data sharing:

  • It encourages wider re-use of data held by public sector bodies and provides for a legal framework when public sector bodies decide to make data (including personal data) available for re-use to third parties;
  • It sets up a regime for data intermediation services;
  • It provides for a legal framework for “data altruism”.

Although the intentions of the Data Act and Data Governance Act are to preserve the GDPR “acquis”, the implications when personal data is involved and for the function of DPO need to be further examined. CEDPO is pleased to host a Live Webinar on the intersections between DGA, DA and GDPR:

October 18, 4pm – 6pm (CET)

Online / via Zoom

Anna Buchta (Head of Unit Policy & Consultation, European Data Protection Supervisor)

Karolina Mojzesowicz (Deputy Head of Unit Data Protection, European Commission)

Florence Gaullier (Partner, Vercken & Gaullier Law Firm – Member of the Board, AFCDP)

Pascale Gelly (Vice-President International Affairs, AFCDP)

Paul Jordan (Senior Policy Advisor, CEDPO)

  • Introduction on CEDPO and European data strategy
  • Presentation on Data Act: Pascale Gelly
  • Q&A discussion with Commission and EDPS
  • Presentation on DGA: Florence Gaullier
  • Q&A with Commission and EDPS
  • Final questions from the audience

Registration:

Registration is open and accessible here .

data governance act presentation

Site Search

Recent posts.

  • Data Protection Weekly 23/2024
  • Data Protection Weekly 22/2024
  • Data Protection Weekly 21/2024

News Archives

  • February 2024
  • January 2024
  • December 2023
  • November 2023
  • October 2023
  • September 2023
  • August 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020

Data Governance Act

The Data Governance Act (DGA) is the first legislative act of the European data strategy , and it was published in the Official Journal of the European Union on 3 June 2022. The DGA aims at facilitating the reuse of certain categories of protected public-sector data and increasing trust in data sharing across public sector bodies, users, data users, and data holders. It does so by allowing wider reuse of protected public-sector data, by proposing a new business model for data intermediation services and by promoting data altruism for the common good. The DGA, which provides a new framework for greater societal reuse and access to data, is the first element of an ambitious attempt to shape the European data economy. It will be complemented by the Data Act (see our observatory here ). 

Our observatory tracked the legislative development of the DGA from the Commission’s proposal in November 2020 all the way to the text adopted by the EU in May 2022. The observatory now provides a historical archive of the legislative process that led to the final text of the DGA.

data governance act presentation

... remains in line with a neoliberal focus on personal data and the individual imperative for each person to govern ‘their’ data

data governance act presentation

Reed Smith LLP

Reed Smith LLP

2 March 2022 Reed Smith In-depth

What you need to know about the new EU Data Act

The EU is continuing to expand its data laws. After much anticipation and following a sneak peek of a leaked draft of the new data law in February 2022 (see: “ What, another EU Data Act?! ”), the European Commission has finally presented its formal draft Data Act (the EU Data Act).

Below we answer some key questions about the proposed EU Data Act.

Autoren: Elle Todd Francesca Moss

What is the EU Data Act?

The EU Data Act is the second main legislative proposal forming part of the EU’s wider ‘European Strategy for Data’ adopted by the Commission in February 2020, which aims to make the EU a leader in our data-driven society.

In a nutshell, it looks to make data sharing and use/reuse easier for all by setting standards at an EU-wide level. The EU Data Act covers aspects of the use of various business-to-business and government-to-business data across all sectors in relation to the use of various data.

How does the EU Data Act fit with other laws?

Data does not fall neatly into one legal area, so the most pressing question is how these new proposals fit with those that already exist. Key interrelationships are as follows:

Data Governance Act

The EU Data Act complements the recently provisionally approved Data Governance Act (which focuses on the transfer of non-personal data, rules around the reuse of public sector data, and introduces a regime for data intermediaries). While both consider data sharing:

  • The Data Governance Act focuses on providing a legal framework, processes and structures to promote data sharing.
  • The EU Data Act focuses more on making clear who can create value from data and under what conditions.

Intellectual property

Crucially, the EU Data Act generally does not look to change the legal positions around intellectual property rights, trade secrets and competition.

There is one exception, however, in that it does address certain rights in respect of databases; notably, it clarifies that databases containing data from IoT devices should not be subject to separate legal protection under database rights to ensure that they can be accessed and used. In other words, the application of the sui generis right under Directive 96/9/EC (the EU Database Directive) would not apply to databases containing data generated or obtained by the use of IoT/connected products or related services, such as sensors, or other types of machine-generated data.

This is to prevent holders of data claiming exclusivity over data generated by connected products.

Data protection

The EU Data Act leaves intact the separate rights and obligations under the EU’s General Data Protection Regulation, Regulation (EU) 2016/679 (the EU GDPR) that apply to personal data.

The EU Data Act must be read in parallel with the EU GDPR, but builds on it and provides wider rules that apply to all ‘data’, which covers “any digital representation of acts, facts, or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording”.

The EU Data Act therefore deals with all data, not just non-personal data.

Who does the EU Data Act apply to?

The EU Data Act applies to various persons and entities, including:

  • manufacturers and providers of connected products (e.g., IoT devices) and related services in the EU;
  • data holders that make such data available to data recipients in the EU;
  • businesses that are data recipients in the EU to whom data holders make data available;
  • businesses providing data processing services (e.g., cloud services) to customers in the EU; and
  • public sector bodies in the EU.

There are some exemptions for small and medium-sized enterprises (SMEs) and micro-enterprises.

What are the key points in the EU Data Act?

Sharing data from connected products and related services

The following obligations apply generally, but not to SMEs:

  • Design – connected products and related services should be designed and made to allow, by default, easy and secure access by users (who could be either consumers or business users) to data generated through their use. You can see this as similar to ‘privacy by design’ requirements in data protection law, but here allowing data sharing and accessibility of any data.
  • Transparency – before a contract is concluded for the purchase, rent or lease of a connected product or a related service, certain information must be provided to the user in a clear and comprehensible format.
  • how access must be provided;
  • protection of trade secrets and competition; and
  • protection of personal data where the user is not the data subject.
  • to allow the switching to another service within 30 calendar days of certain minimum information about the data and the switching, and assistance with the switching (including a minimum 30 calendar day period for data retrieval); and
  • to ensure the data holder does not use the data to derive insights about the economic situation, assets and production methods of, or the use of the data by, the user that could undermine the commercial position of the user.
  • various related provisions governing the protection of personal data and trade secrets;
  • various provisions governing the purposes for which the third party may use the data;
  • data cannot be used to develop competing products; and
  • the third parties cannot include ‘gatekeepers’ (certain large, systemic online platforms as defined in the EU Digital Markets Act).
  • Contractual terms – the EU Data Act will also help SMEs by requiring that the data holder agree with the data recipient the terms for making the data available where that is required under the EU Data Act. The agreement must be based on use of fair, reasonable and non-discriminatory contractual terms. Any clauses that do not pass a ‘fairness test’ will be not be binding. Not all contractual terms are subject to the test, however, only those unilaterally imposed on SMEs. The Commission will also develop model (non-binding) contractual terms to help SMEs draft and negotiate fair data sharing contracts.
  • Compensation for data – data holders can require “reasonable” compensation from the data recipient for making the data available. Compensation must be fair, non-discriminatory and reasonable. For SMEs, it must not exceed the actual cost of making the data available.
  • Dispute resolution – the EU Data Act includes provisions to resolve disputes between data holders and data recipients in relation to the determination of fair, reasonable and non-discriminatory terms for and the transparent manner of making data available.
  • Sharing data with public bodies – there is an obligation to provide certain data to public bodies in exceptional circumstances, such as in response to a public emergency (e.g., natural disasters, public health emergencies, or terrorist attacks) or to fulfil legal obligations. In the case of information necessary to respond to a public emergency, access to the data will have to be granted without undue delay and free of charge. In other situations, the data holder is entitled to compensation. SMEs are excluded from these dating sharing obligations.

Cloud services and other data processing services: switching

There are new rules on cloud and data processing services to help customers to effectively switch between services (including porting data, applications and other digital assets) without incurring any costs (although the EU Data Act provides that switching charges will be able to continue for three years after the Act is in force). The EU Data Act also includes rules concerning technical aspects of switching.

Cloud services and other data processing services: international transfers or access to non-personal data

Subject to limited exceptions, adopting a similar stance as under the EU GDPR, the EU Data Act requires providers of data processing services to put safeguards in place and take all reasonable technical, legal and organisational measures to prevent the international transfer of or governmental access to non-personal data held in the EU where such transfer or access would create a conflict with EU or relevant member state law.

Interoperability

The EU Data Act:

  • requires operators of data spaces and those deploying smart contracts to comply with certain requirements to facilitate interoperability; and
  • allows the Commission to adopt further implementing acts that specify such requirements.

How will the EU Data Act be enforced?

Enforcement is at the hands of the competent authorities designated by member states (which may be either existing or new authorities), and any infringements will be sanctioned by administrative fines or financial penalties, also set at the national level.

The EU Data Act also paves the way for new dispute settlement bodies to settle disputes about data sharing and access.

What are the next steps and likely timeframes for implementation?

The Commission has only just submitted its draft legislative proposal to the European Parliament and Council, so the next step is for the text to be approved and adopted (although there is no current indication of when this will be).

In the meantime, the Commission is also looking to put together an expert group on business-to-business data sharing and cloud contracts to assist in developing the model contractual clauses – the deadline for applications is 6 April 2022.

It is important to note that when the EU Data Act is eventually approved, there will only be a 12-month implementation period.

In-depth 2022-063

Tools teilen

  • Share on Facebook
  • Share on LinkedIn
  • Share via Email
  • Print This Page

Daran könnten Sie interessiert sein

  • Search Menu
  • Sign in through your institution
  • Advance articles
  • Author Guidelines
  • Self-Archiving Policy
  • About GRUR International
  • About The German Society for the Protection of Intellectual Property
  • Editorial Board
  • Advertising & Corporate Services
  • Journals on Oxford Academic
  • Books on Oxford Academic

Issue Cover

Article Contents

I. background, ii. functions and definition of data intermediaries, iii. market developments, iv. the new legal framework: the data governance act, v. uncertainty of effects of the new market design for data intermediaries, vi. integration of data intermediaries in the market order for data sharing, vii. conclusion.

  • < Previous

Looking at the Data Governance Act and Beyond: How to Better Integrate Data Intermediaries in the Market Order for Data Sharing

  • Article contents
  • Figures & tables
  • Supplementary Data

Heiko Richter, Looking at the Data Governance Act and Beyond: How to Better Integrate Data Intermediaries in the Market Order for Data Sharing, GRUR International , Volume 72, Issue 5, May 2023, Pages 458–470, https://doi.org/10.1093/grurint/ikad014

  • Permissions Icon Permissions

This article enquires into the current prospects for data intermediaries in the context of competition and innovation policies. It asks what the conditions for and means to fulfil these promises are. This requires looking at the evolving legal framework – including the recently enacted Regulation (EU) 2022/686 ‘Data Governance Act’, which affects the incentives of data intermediaries and market actors. In particular, this article explores the obstacles for the establishment of data intermediaries, the context for their activities and the necessary conditions to be set, and complimentary measures to be taken to make them work. The overall goal is to discuss how the findings would translate into viable policy options to advance the regulatory framework that would contribute to an effective market design for data sharing. **

High hopes have recently been placed in data intermediaries as promising tools to promote data sharing. 1 Given this ‘data intermediary hype’, the EU legislature passed the Data Governance Act (DGA) on 16 May 2022. 2 This core piece of legislation aims to foster the establishment of ‘data intermediation services’ (DISs). The general aspiration is that data intermediaries should improve the accessibility of data to promote innovation. 3 As a contribution to the establishment of an infrastructure for data sharing, the DGA is a legal framework that aims to improve the availability and use of data in the EU 4 through fostering the emergence of DISs. Such services support and promote voluntary data sharing between companies as well as data sharing obligations, 5 and they are also considered as a means to challenge the positions of large platform operators, 6 to prevent unauthorised data access and to protect against antitrust violations. 7 These purposes of data intermediaries are in the focus of this study. 8

As a starting point, it is necessary to specify what we understand as data intermediaries and which ones we will focus on and why (Section II). An outline of the current development of markets for such data intermediaries follows (Section III). It is then crucial to look at the new legal framework in the EU, namely the DGA (Section IV). To discuss policy options for further advancing the legal framework for data access with regard to data intermediaries, the final subsections address the uncertainty of the new market design for data intermediaries (Section V) and how to better integrate data intermediaries in the market order for data sharing (Section VI), before concluding (Section VII).

1. Taxonomies and possible economic functions of data intermediaries

Scholars 9 and institutions 10 have put forward more than a dozen taxonomies of data sharing in general and data intermediaries in particular. The designations they use refer to distinct organisational structures or functional relationships regarding data sharing, such as data spaces, data trusts, data marketplaces 11 and data collaboratives. 12 In general, very different conceptualisations exist, 13 and there is no clearly established terminology. 14 Natalia Simon and others have identified 35 functionalities which feature data intermediaries. 15 In addition, more abstract criteria for delineation were discussed, especially regarding the competitive relevance of data intermediaries’ business models (e.g. ownership, openness, sector, remuneration or number and nature of relationships). 16

However, rather than such designations and criteria, what matters most are the economic functions which data intermediaries could assume. The reason why data intermediaries appear promising to policymakers is that they might solve different problems and overcome crucial market failures in the data economy. Those intermediaries which perform a matching function 17 can bring together data holders and users, improve the accessibility of data, 18 decrease information asymmetries regarding data and reduce costs of risk 19 for actors in the data ecosystem to share their data with others. 20 Furthermore, data intermediaries can reduce transaction costs, e.g. by standardisation and technical and contractual management of data transfers and enforcement of the agreed conditions. 21 Those data intermediaries which operate open platforms 22 can capture the value of network effects and pass them on to data holders and users if they can realise economies of scale and scope and network effects. 23

These economic functions of data intermediaries are determinants for the competitiveness of data-related markets, and data intermediaries are actors who can arguably perform such functions. Therefore, the term data intermediary will be defined broadly in this article, as will subsequently be discussed. This allows us to further differentiate when looking at data intermediaries in specific regulatory contexts and legal areas.

2. Definition of data intermediaries and data trustees

This analysis is based on a broad understanding of ‘data intermediary’ as an entity which enables and/or facilitates data sharing between data holders and data users. Data intermediary is therefore defined and used as an umbrella term, which presupposes that two criteria are fulfilled:

‒ First: separate entity/third party as separate actor in the data ecosystem . Data intermediaries are defined as (possibly) independent entities and therefore as separate (third 24 ) actors which perform a distinct economic activity. Therefore, legal analysis can treat them as a separate party to a contract; for example, they may be categorised as an undertaking under Art. 101 of the Treaty on the Functioning of the European Union (TFEU) and could possibly be held liable. In case of collaboration between different undertakings, at least a certain degree of independent organisation, such as a joint venture, is necessary. As a consequence, mere agreements between entities on data sharing (e.g. by agreeing on the legal, economic and technical terms) are not considered data intermediaries within the meaning of this study if there is no separate actor who would orchestrate or perform the data sharing. 25 Also, mere technical interfaces as such (e.g. API) which enable data sharing are not considered as data intermediaries.

‒ Second: enables/facilitates data sharing between holders and users of data . The main function of a data intermediary is to enable and/or facilitate data sharing between data holders and data users. This often involves the establishment of infrastructure for the interconnection of data holders and data users. 26 ‘Data sharing’ means the provision of data by a data holder (a person or entity that supplies data 27 ) to a data user for the purpose of joint or individual use of such data. 28 Using the data implies the technical processing of the data (e.g. transforming it, merging it with other datasets or feeding it into other systems for developing new insights, products or services). 29 Given this criterion, data escrowees, which restrict the use of data to avoid conflict with legal requirements (e.g. antitrust law or data privacy/protection), 30 are not considered data intermediaries, as long as they do not intermediate data between data holders and data users. The same is true for mere privacy management tools (PMT) 31 and data cooperatives within the meaning of the DGA (see under IV.2).

The breadth of the definition makes many other criteria irrelevant to the question as to whether an actor qualifies as a data intermediary: first, it is irrelevant whether the data intermediary is open or not to include additional data holders and users (see under IV.2). Second, data intermediaries can cover both personal and non-personal data. Third, they can be organised as a commercial or non-commercial entity (see under IV.2). Fourth, the definition does not distinguish whether the data intermediary covers voluntary or mandated data sharing. 32 Fifth, for the definition of a data intermediary it is irrelevant whether the data intermediary offers the services for remuneration. Sixth, it is also irrelevant if it acts only in its own interest (e.g. data brokers and marketplaces, or merely functional data pools) or has a particular duty to consider the interests of data users/holders.

Nevertheless, these distinctions do become relevant for differentiated subcategorisations (e.g. data trustee). Also, they inform the economic analysis because they may become decisive when it comes to inquiring into distinctive use cases, business models and technical arrangements (e.g. what role remuneration plays). Some distinctions also have legal relevance; e.g. data protection law applies once personal data are involved, and its requirements considerably affect and explain data sharing-related business models. 33

With regard to data intermediaries, the term data trustee (also data trust or trusted intermediary/third parties 34 ) is frequently used in different contexts and for various functions. 35 This study regards a large share of ‘data trustees’ as being a specific subgroup of data intermediaries, namely those which bear a fiduciary duty to act in the interest of the data holder (and sometimes also the data users 36 ). This fiduciary duty may, for example, stem from an empowerment of the data trustee to make certain decisions on behalf of the data holder. 37 The legal nature and economic function of such fiduciary duty (e.g. best interest clause; mandates to exercise data rights on behalf of the data holder 38 ) are not clearly determined and can be explored further in our study. 39 Also, such fiduciary duty does not exclude the possibility that the data trustee follows its own interests as well.

Some commentators reserve the term ‘data trustee’ for data intermediaries that cover personal data. 40 In fact, the use cases for data trustees often involve personal data, but this is not a necessary condition, 41 and therefore we use the term data trustee regardless of the type of data it handles.

The term ‘data intermediary’ is not to be confused with the legally recognised concept of ‘data intermediation services’ as laid down in the DGA. While there is substantial overlap, not all DISs covered by the DGA can be considered data intermediaries under the definition proposed here. The exact delineation and consequences for analysis are further elaborated below (under IV).

3. Overview with examples

The following chart illustrates the relationship between ‘data intermediaries’, ‘data trustees’ and ‘DISs’:

graphic

Looking at current market developments for data intermediaries and respective business models, one can say that several models exist and appear to be in a rather nascent phase. 42 In 2020, the European Commission conducted a study according to which approximately 150 organisations in the EU offer services as data intermediaries, among which only a few larger companies operate. 43 The U.S. tech giants are not noticeably active here, 44 but the European Commission feared that without further regulation, they could enter data intermediary markets without facing any noticeable competition. 45

In 2021, the most comprehensive study to date (by Natalia Simon and others) identified around 178 cases of data marketplaces, 46 amongst which two are dedicated to agricultural data, 47 four to data regarding connected cars and the automotive industry, 48 two to sensor data and nine to other B2B data. 49 In general, the authors of the study identified a high degree of fragmentation. The data intermediaries predominantly focus on the regional level or domain-specific industries. 50 The intermediaries are either state-supported or set up by consortia of businesses or other organisations. A noticeable development in Europe has been the establishment of International Data Spaces (IDS) and particularly GAIA-X.

1. Goal and content of the DGA

With the DGA, a comprehensive legal framework for data intermediaries has recently been adopted in the EU. 51 The DGA affects contractual freedom because it stipulates requirements for data intermediation, sets the standard of liability and also provides for public oversight and enforcement over certain economic activities of market actors. The following analysis enquires into these rules and limits of the legal framework for voluntary and non-sector-specific data exchange via data intermediaries. The focus lies on the implications of these rules for competition and innovation, also considering their interplay with other legal regimes.

As an EU Regulation, the DGA sets out a harmonised legal framework for DISs. The act will enter into force on 24 September 2023. However, the rules on DISs will only become applicable only by 24 September 2025. 52 The DGA is the first act that has been finalised in the implementation of the European Commission’s Data Strategy of 2020. 53 The legislator’s underlying aspiration is that the legal framework provided by the DGA should improve the availability and use of data in the EU 54 by increasing trust in DISs. Therefore, its obligations aim to achieve the trustworthy provision of DISs. 55 This should foster the emergence of DISs, which are held to support and promote voluntary data sharing between companies (be it pooling or bilateral data sharing), but also to facilitate data sharing obligations. 56 On the merits, it is novel and appears rather questionable to what extent the mere prospect of enhancing trust between market players can justify legal intervention.

To achieve this goal, the DGA installs a mandatory compliance regime, 57 which requires DISs to officially register their services as a precondition for lawfully providing them in the EU. They are obliged to comply with various requirements, otherwise they face penalties and can be suspended from offering their services. 58 In particular, the DGA provides for (at least some) neutrality of DISs regarding the data that are exchanged between data holders und users 59 and makes it structurally independent from players which often have significant market power. 60 Neutrality and independence are regarded as key elements to bring about more trust and control, 61 in addition to other obligations (see below). From a broader regulatory perspective on data access, the DGA deserves particular attention because it is based on implicit assumptions on all relevant aspects related to data access (e.g. interoperability, standardisation, data protection law, exchange of sensitive data, etc.). Also, the DGA defines the amount of leeway for sectoral policies of the Member States regarding DISs and therefore also limits their policy options.

2. Scope of the DGA: ‘Data intermediation services’

The DGA addresses DISs, which are classified here as a subcategory of data intermediaries. 62 Crucial is Art. 2(11) DGA, which contains a positive definition of DISs, 63 being ‘a service, which aims to establish commercial relationships for the purpose of data sharing between an undetermined number of data subjects and data holders, on the one hand, and data users on the other hand, through technical, legal or other means, including for the exercise of data subjects’ rights in relation to personal data’. 64 Therefore, two features stand out for DISs: first, the DGA only applies to data intermediaries that are open for an undetermined number of data holders and users. 65 Hence, the DGA does not apply to services provided for closed systems of data sharing. Second, the DGA includes commercial and non-commercial entities as DISs only if they aim to establish commercial relationships with regard to data sharing. These criteria are indicative of the market-centred approach the legislator has taken. The underlying assumption is that the DGA should create trust, which should enable DISs to scale up. 66 However, closed data sharing systems are – arguably – not in need of trust-increasing measures, nor is their main aspiration usually to grow and therefore fall outside the scope of the DGA.

Out of all DISs that could fall under the definition of Art. 2(11) DGA, Art. 10 DGA specifies and exemplifies three kinds of DIS, 67 and thereby further limits the scope of the DGA:

‒ Article 10(a) DGA quite broadly defines that the DIS ‘may include bilateral or multilateral exchanges of data or the creation of platforms or databases enabling the exchange or joint use of data, as well as the establishment of other specific infrastructure for the interconnection of data holders and data users’. 68 According to Recital 28 DGA this includes data marketplaces, orchestrators of data sharing ecosystems (for instance in the context of common European data spaces) as well as data pools that are ‘established jointly by several legal or natural persons with the intention to license the use of such pool to all interested parties in a manner that all participants contributing to the pool would receive a reward for their contribution to the pool’. Depending on the design, GAIA-X can be regarded as a ‘typical’ example of this sort of data intermediary. 69

‒ Article 10(b) DGA specifically refers to DISs that relate to data subjects and individuals who make their data available for use and explicitly includes the enabling of data subjects’ rights under the GDPR, meaning to enhance data subjects’ control over data relating to them. 70 This includes personal information management systems (PIMS), though it is not entirely clear if only and to which extent. 71

‒ Article 10(c) covers ‘services of data cooperatives’ within the meaning of Art. 2(15) DGA. 72 Given their rather vague definition, 73 such data cooperatives perform consultancy and negotiating functions rather than data transfer and sharing being their core business. 74 They are not of further interest within this study.

Various services are not covered by the DGA. Article 2(11) DGA mentions (in a non-exhaustive list) value-added services, 75 content sharing service providers under the DSM Directive, 76 services which are only used by one data holder or closed group (e.g. IoT network) 77 and public sector bodies that offer DISs that do not aim to establish commercial relationships for the purpose of data sharing. 78 Furthermore, Art. 15 DGA exempts data altruism organisations and other not-for-profit entities to some extent. In addition, Recital 29 DGA mentions other activities which the definition of DIS does not cover. 79 Moreover, Recital 28 DGA clarifies that services – e.g. cloud storage or analytics software – are not DISs under the DGA if they only provide technical tools for data sharing ‘but are neither used for aiming to establish a commercial relationship between data holders and data users, nor allow the provider to acquire information on the establishment of commercial relationships for the purpose of data sharing, through the provision of such services’. Overall, it still remains 80 unclear which of these cases are exemptions from the scope and which just exemplify the definition.

3. Conditions for providing data intermediation services

Article 12 DGA mandates the DIS to fulfil substantial requirements when offering their services. These obligations can be grouped as follows:

a) Structural separation/unbundling of services

Article 12(a) DGA obliges the DIS to provide its services through a separate legal person. This separation principle aims to prevent conflicts of interest 81 with and limit the risk of cross-data usage. 82 It stipulates a structural unbundling between data provision, specific ‘intermediating’ data-related business activities and data use. 83 DISs who provide their services in the EU necessarily have to fulfil this requirement. 84 Yet, to be able to capture some benefits of vertical integration, Art. 12(e) DGA clarifies that DISs (and therefore the same legal person) may offer some added-value tools and services as long as they facilitate data exchange (e.g. through ‘temporary storage, curation, conversion, anonymisation, pseudonymisation’). 85 This clause accounts for the view that DISs would commonly offer such tools and services to sustain their intermediation business model and that such tools and services are to the advantage of data holders and users. In any case, Art. 12(e) DGA requires data holders (or data subjects) to explicitly request or approve such tools and services.

b) Limitations on data use

The DGA defines and limits the purposes for which the DIS may use data: according to Art. 12(a), the DIS may not use data for which it provides its intermediation services ‘for other purposes than to put them at the disposal of data users’. In addition to this data neutrality requirement, 86 Art. 12(c) DGA also limits the use of data which the DIS collects about the activities of holders and users of the service when performing its service. The DIS may use such data only for the development of that service (e.g. fraud detection or cybersecurity) and has an obligation to make this data available to data holders upon request. Both provisions resemble the recurrent issue in competition law of anti-competitive cross-data usage. Yet Art. 12(a) DGA is a strict per se prohibition which applies regardless of the outcome of the competition analysis under Art. 102 TFEU. Also, similar prohibitions in Art. 5 No. 2 and Art. 6 No. 2 DMA are limited to specific contexts and only address gatekeepers. 87 As another limitation, Art. 12(e) DGA addresses situations in which the DIS legitimately offers third-party added-value tools for facilitating the exchange of data. In such cases, Art. 12(e) DGA also prohibits third parties which provide such tools from using the data for other purposes than facilitating the data exchange as provided by the DIS. Furthermore, Art. 12(d) DGA prohibits the DIS from shifting the format of the received data for other purposes than for the data exchange. Even in that case, the DIS must offer an opt-out possibility to data subjects or data holders. 88

c) Conditions for the provision of service and use of data

The DGA contains provisions on the terms and conditions between the DIS and its data holders/users. Article 12(f) DGA stipulates a general obligation to the DIS to ‘ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data subjects and data holders, as well as for data users, including as regards prices and terms of service’. This provision aims to ensure the neutrality of the service from the perspective of data holders and users. 89 Simultaneously, it can also increase market transparency and foster condition-based competition, 90 and it sets a benchmark for a review of explicit contractual access rights. This obligation is complemented by the prohibition against DISs making their terms ‘dependent upon whether or to what degree the data holder or data user uses other services provided by the same provider or a related entity’ (Art. 12(b) DGA). This provision aims to prevent DISs from contractually bundling services (or incentivising their bundled usage), which would undermine the structural separation, so that ultimately markets are kept open. Finally, Art. 12(h) DGA entails a duty to ‘ensure a reasonable continuity of provision of its services’ 91 and – if the DIS also stores data – to install sufficient guarantees that this data remain accessible to data holders/users in case of insolvency. 92

d) Interoperability and standards

The DGA also aims to foster interoperability. Article 12(i) DGA requires the DIS to ‘take appropriate measures to ensure interoperability with other data intermediation services’, which includes using ‘commonly-used open standards in the sector in which the data intermediation service providers operate’. For this purpose, the European Commission encourages and facilitates Union-wide codes of conduct, especially on interoperability, and ‘[t]he European Data Innovation Board should facilitate the emergence of additional industry standards, where necessary’. 93 Interoperability is also privileged in Art. 12(d) DGA: the DIS may shift the format of received data solely for the purpose of data exchange to ‘enhance interoperability within and across sectors or if requested by the data user […] to ensure harmonisation with international or European data standards’.

e) Technical, organisational and legal safeguards

Article 12 DGA requires the DIS to install various technical, organisational and legal safeguards. These safeguards aim to protect the interests of the data holders and users. They include: installing procedures to prevent fraudulent or abusive practices (Art. 12(g) DGA); implementing measures to prevent unlawful transfer or access to non-personal data (Art. 12(j) DGA); informing data holders ‘in case of an unauthorised transfer, access or use of the non-personal data that it has shared’ (Art. 12(k) DGA); ensuring ‘an appropriate level of security for the storage, processing and transmission of non-personal data’, which includes ensuring ‘the highest level of security for the storage and transmission of competitively sensitive information’ (Art. 12(l) DGA). Furthermore, the DIS has to maintain a log record of the intermediation activity (Art. 12(o) DGA).

f) Special obligations regarding DISs related to data of individuals

For DISs which provide services regarding individual and especially personal data (see Art. 10(b) DGA), the DGA contains specific obligations. Article 12(m) DGA stipulates a ‘best interest clause’, according to which DISs ‘shall act in the data subjects’ best interest when facilitating the exercise of their rights’. In particular, this due diligence obligation 94 contains duties to inform and advise data subjects ‘in a concise, transparent, intelligible and easily accessible form about intended data uses by data users and standard terms and conditions attached to such uses, before data subjects give consent’. By that means, the legislator aims to prevent individuals from using such services to make more data relating to them available than what is actually in their own interest. 95 Crucial from a contractual point of view is Recital 33, which states that such DIS should ‘bear fiduciary duty towards the individuals, to ensure that they act in the best interest of the data subjects’. All DISs which provide tools for obtaining consent or permissions to process data must specify the jurisdictions in which the data use is intended to take place (Art. 12(n) DGA). Moreover, they have to ‘provide data subjects with tools to both give and withdraw consent and data holders with tools to both give and withdraw permissions to process data’.

4. Enforcement

The conditions set out in Arts. 11 and 12 DGA are subject to public enforcement. To this end, Art. 14(2) DGA grants investigative powers to the competent national authorities, and Art. 13(4) DGA allows the authorities to impose fines and to order the termination or suspension of the service. Article 34 DGA requires that penalties be effective, proportionate and dissuasive and leaves it to the Member States to specify the penalties by outlining some criteria to be taken into account when imposing penalties.

At the same time, the DGA is silent on private enforcement. A comparative view on other legal acts of the EU is inconclusive on whether private enforcement can be used in addition to public enforcement. 96 But one may argue that private enforcement applies according to the rules of the Member States. Moreover, Recital 33 DGA states that questions of liability regarding the DIS ‘could be addressed in the relevant contract, based on the national liability regimes’. In particular, data holders and data users can assert contractual claims against DISs to the extent that the conditions of Art. 12 DGA are affected. This includes suing for contractual performance, damages, termination and injunctive relief as well as the review of explicit contractual access rights. 97

From a theoretical point of view, data intermediaries can perform several desirable functions in data-driven markets – whether in the context of voluntary data sharing or mandatory data sharing. In theory, they can contribute to a more efficient data value creation by providing control over data flows both ways: they can enable and foster data sharing as well as prevent sharing to ensure compliance with the law (including Art. 101 TFEU and the GDPR).

As has been shown, the DGA provides a legal framework for a subset of data intermediaries. These rules have been criticised by economic and legal scholars in several aspects, which all relate to the question of how the DGA will affect the future development of data intermediaries. The concerns can be shared to some extent. First, it can be agreed that the DGA provides a framework with high legal uncertainty. The definition of the scope and the rules of the DGA are novel and vague, such that they are in need of further interpretation by the respective authorities and courts. 98 Recent interviews with stakeholders have confirmed some general uncertainty in the industry about the DGA’s scope of application to GAIA-X federated applications. 99 In fact, the exact scope of several obligations remains unclear, 100 and it is uncertain how DISs can meet them case by case. This appears critical, as legal certainty plays a striking role in the light of public enforcement and penalties to be introduced. 101 While the European Data Innovation Board will support the European Commission in specifying technical requirements and in developing a consistent enforcement practice (see Art. 30 DGA), much remains to be seen. In general, a side glance to other legal regimes is informative for the interpretation of the DGA: the obligations under Art. 12 DGA resemble the combination of (far reaching) ex post remedies under competition law as well as ex ante obligations under the DMA, for utility providers or in sector-specific regulation. 102 Yet parallels can only be drawn to some extent 103 because the provisions of the DGA need to be interpreted in the light of their own legislative goals, namely increasing the trust of data holders and users as well as fostering the emergence of data intermediaries. 104

Second, this legal uncertainty adds to the unpredictability of the regulatory effects of the DGA. In this regard, its positive impacts have been widely questioned. Based on the premise that regulation might make it generally more difficult to implement business models and harm/eliminate the establishment of data intermediaries, 105 some assume that the DGA may hinder rather than foster the development of DISs. 106 Others argue that the DGA would have no effect and question the attractiveness of the legal framework, as it would fail to attract supply of and demand for DISs. 107 Moreover, the DGA would miss the point by referring to other deficits to be overcome to foster data sharing, e.g. information asymmetries on the quality and provenience of data, uncertainty on enforcement of purpose limitation of the use of data, 108 de facto lock-in and lack of standardisation. 109 Companies that have already started to build up DISs now appear to be carefully considering business strategies in the light of the DGA, and clear trends are not yet visible. This can be explained by the remaining time for implementation (until September 2025). What has been emphasised is the need for the company to offer value-added services on top of the mere intermediation service.

Some stakeholders have also referred to the requirement of structural separation as being overly strict, making businesses now carefully consider withdrawing from the market or not entering it. Indeed, also from a theoretical point of view, this requirement has been criticised as being overly interventionist. 110 The structural separation requirement is held to be difficult to enforce and too rigid and undifferentiated – e.g. Julie Baloup and others claim that it should be limited to competition-law sensitive situations, meaning for markets exposed to a higher risk of cross-data usage. 111 But also when accounting for the regulatory context, it has been questioned whether DISs can be competitive compared to other services which are unregulated or less strictly regulated (especially under the proposed DMA). 112 In this regard, the data neutrality requirement would appear overly strict, considering that DISs are yet to be established and are not in a comparable situation to gatekeepers as addressed by the DMA. 113 As a consequence, the principle of strict data neutrality may effectively lead to less innovation 114 because DISs will either disappear or not even enter the market.

Given the nature of the DGA as a cornerstone for the establishment of an infrastructure for data sharing, but one that does not address a well identified market failure, 115 all predictions about future developments remain speculative in the light of the current lack of evidence. So far, scholars have based their criticism on anecdotal evidence and preconceptions about data-driven innovation. The experimental nature of the DGA 116 leads to the conclusion that significant uncertainty remains as to whether this regulation will evoke the desired effects.

Two implications for policymaking follow from this analysis. First, given the unforeseeable effects, the legislature should closely monitor market developments in the area of DISs to prevent dysfunctional market design. 117 Article 35 DGA provides an evaluation and review clause, according to which the European Commission shall evaluate the regulation and provide a report by 24 September 2025. However, the specifically mentioned aspects for assessment only include aspects of compliance, not the effectiveness of the regulation. Governments of the Member States should gather evidence on the market developments in the upcoming years to come up with suggestions for necessary amendments to the regulation.

A second implication is that regardless of the predictability of the regulatory effects of the DGA, it is conceded that data intermediaries can indeed perform several desirable functions in data-driven markets. Therefore, as a minimum condition for advancing digital regulation, the legal framework in sum should support (or at least not hinder) their development. This implies that the legislature should take data intermediaries more consciously into account when further advancing and applying rules that concern data access and digital markets, and that rules on data intermediaries are coherently integrated into the legal framework. The following section enquires into this claim more deeply.

1. Overview

With regard to the DGA, commentators have stressed the need for compatibility with the rest of the EU acquis – but considered this to be a ‘mere afterthought that is left to market players to figure out’. 118 Indeed, a coherent integration of data intermediaries in the legal orders of the EU and the Member States is ambitious and requires discussing both the relevance for and the interaction with several other legal regimes. By this means the potential of regulatory synergies can be identified, and the remaining need for the legislature to advance the legal framework can be distilled. While the DGA provides a new legal regime that interacts with all other regimes for a subset of all data intermediaries, this section also asks how the other legal regimes do and could consider data intermediaries even beyond the scope of the DGA. Given the phenomenological nature of data intermediaries, the analysis covers the interfaces with the legal regimes that essentially form a market order for data sharing.

2. Data protection

The most striking existing rules regarding data intermediaries relate to data protection. If access to and sharing of personal data is at stake, data protection rules apply. A frequently discussed issue is how data intermediaries – and in particular data trustees – can foster the exchange of personal data. Data trustees 119 are not necessarily related to personal data (see above), but they do in fact often intermediate between data subjects and processors and support data subjects in exercising their data-related rights, e.g. for pseudonymisation purposes, or mandating as agent to exercise data protection preferences. 120 In this regard, questions about data protection are at the centre of attention in legal scholarship. This is particularly true for PIMS, 121 which are intermediaries that are used to manage consent but can be extended, e.g. also to enforce data subjects’ rights 122 or to claim damages for the violation of data protection rules. 123

Within the scope of the DGA, none of these aspects are explicitly addressed. Article 1(3) DGA states that the DGA is without prejudice to the GDPR. This means that in any case, DISs have to comply with the GDPR, and the DGA does not alter/affect rules on data protection. The provision clarifies that the DGA ‘does not create a legal basis for the processing of personal data and does not alter obligations and rights set out in’ the GDPR and the ePrivacy-Directive. In fact, the DGA does not specifically distinguish between personal and non-personal data, but if personal data are affected, the requirements of data protection laws apply in any case. 124 At the same time, the requirements of the DGA are even somewhat stricter than those of the GDPR, 125 because the GDPR does allow data processing for a purpose other than the one originally specified if the data subject consents to it, while Art. 12(a) DGA strictly prohibits this.

This once more confirms the relevance of a discussion in recent years that has frequently pointed to data protection laws and their curbing effect on the establishment of data intermediaries. 126 The discussions question the ‘intermediary friendliness’ of current data protection law and revolve around four issues. First, a crucial question for the functioning of data intermediating services with regard to personal data is to what extent current data protection law enables data intermediaries to manage the consent of data subjects. The GDPR requires informed consent (Art. 4 No. 11 GDPR) and the determinateness of consent (Arts. 5(1)(b), 6(1)(1)(a) GDPR), and allows revocability of consent at any time (Art. 7(3) GDPR). Given these strong rights of the data subject, the requirements for agency and consent (through third parties) but also regarding the breadth of consent remain unclear. 127 A second question is to what extent data trustees can exercise data subjects’ rights, especially to rectification (Art. 16 GDPR) and erasure (Art. 17 GDPR). 128 Thirdly, the legal framework for the liability of data trustees is discussed. In particular, the question arises in cases where the data trustee transfers data to a user who breaches data protection law, and the data trustee could have foreseen such breaches. 129 Fourth, it has been discussed to what extent parties to a contract can exclude the possibility of the data holder to mandate data trustees. 130 This could have consequences for the evolution of competition, as it would prevent data trustees from entering the market. Such contractual clauses would appear doubtful in the light of review of the terms and conditions of a contract, data protection laws and – in case of market dominance – Art. 102 TFEU. 131

Different proposals have been made to reform data protection law to enable and foster the activities of data intermediaries. Some commentators argue that clarifications and legislative steps are needed: 132 this would include installing a regulatory framework which clarifies questions of liability, quality, trustee obligations, prohibit tying, rules for insolvency; 133 provides a legal basis for justification of data transfer to the data trustee to eliminate legal uncertainty; 134 and clarifies agency through data trustees when it comes to the exercise of data subjects’ rights. 135 Other commentators argue that no such invasive steps are needed to provide sufficient legal certainty for data intermediaries to operate with personal data. Rather, they consider more guidance through supervisory institutions to be sufficient, 136 express scepticism regarding sector-specific regulation in parallel to the GDPR, 137 and hold the market to be so immature that existing rules would leave enough leeway and incentives to develop such intermediation services. 138 Therefore, policy options in the area of data protection and data intermediaries have already been extensively discussed. Not the least due to a lack of political will to reform data protection laws, these claims are not reiterated here. Rather, the following analysis calls on policymakers to consider the broader regulatory picture for an effective integration of data intermediaries in the market order for data sharing.

3. Contract law

As regulatory intervention in private actors’ relations, the DGA deliberately limits the contractual freedom with regard to data access via DISs. The obligations are not alterable by mutual consent of the parties – unless the DGA states otherwise. 139 So even if one can think of cases in which e.g. the strict data neutrality requirement could be departed from to the benefit of both (data holder and data user) and without harming the common good (i.e. competition), 140 an agreement to deviate from the obligation would be void. In other words, even if the data holder had equal bargaining power, she could not consent to the DIS using the data for commercial exploitation. 141 The reason for this strict interpretation lies in the debatable function of the provisions to generally create trust in the activities of market actors and incentivise them to share data.

Once the provisions of the DGA for data intermediaries are applicable, they will affect the lawfulness of terms and conditions for such contracts on data access which involve DISs within the meaning of Arts. 10 and 2(11) DGA. Several obligations imposed by Art. 12 DGA arguably qualify as per se prohibitions because the DGA aims to strengthen the trust of market actors in data intermediaries at large. 142 Due to the systemic nature of the obligations, their application is not at the disposal of the parties. 143 This considerably affects the way national contract laws interact with and effectuate the DGA. Under German contract law, for example, a review of standard terms and conditions according to Sec. 307 German Civil Code (BGB) would not even be opened. 144 This applies e.g. to the case of a DIS reserving rights in its terms and conditions to use data for purposes beyond what the DGA allows (see neutrality obligation under Art. 12(a) and (c) DGA). The same goes for the case of a DIS reserving the right to offer value-added services beyond what is allowed under Art. 12(e) DGA without the approval of the data holder. Also, the DIS may not make its service ‘dependent upon whether or to what degree the data holder or data user uses other services provided by the same provider or a related entity’ (Art. 12(b) DGA). Beyond such clear-cut violations of the DGA, data access terms of DISs can be subject to the test of reasonableness according to Sec. 307 BGB. Here, the DGA sets the measure for review. Finally, a DIS could violate some obligations de facto without backing up its actions in its terms and conditions. This is the case e.g. when it offers its services through a structurally unseparated entity (Art. 12(a) DGA), offers value-added services beyond what is allowed in Art. 12(e) DGA or does not implement sufficient technical, organisational and legal safeguards, as required by the DGA to protect the interests of the data holders and users. 145 All these aspects of the interpretation of obligations and their relationship to contract remain to be interpreted and refined by courts and responsible authorities in the years ahead. There is much leeway, and the legislature should have a critical eye on whether future interpretation and application are legally coherent and economically sound.

The DGA has been criticised for insufficiently addressing the contractual relationship between DISs and data holders and users, 146 not the least because Art. 12(f) DGA incorporates FRAND and price regulation but does not further define what this means. 147 It is important to notice that Chapter III of the Draft Data Act 148 makes the FRAND principle a mandatory default for all future data access legislation. Before this background, it would appear that the EU legislature extends Art. 8(1) Draft Data Act also to Art. 12(f) DGA.

4. Competition law

A) data intermediaries as catalysts for competition law enforcement.

Competition law and data intermediaries share different points of contact. Data intermediaries can enable compliance with and enforcement of competition law. A multitude of possibilities exist to combine different datasets with one another as well as different ways to process data, and the way that sharing, pooling or use of data is organised may matter for the legality of a data exchange under competition law. For example, the risk that competitively sensitive information can be drawn from a specific dataset may differ depending on whether a dataset is transferred to a competitor, or whether the dataset remains on the server of the original ‘data controller’ and a competitor is given access to a dataset on the basis of queries and for specified purposes only. Where data are pooled, it may well matter whether data access is organised through a data intermediary, who may be charged with the task to ensure, among other things, 149 that no competitively sensitive information is derived from the relevant dataset. Simultaneously, such a data intermediary may ensure FRAND access of third parties to the pooled data where this is necessary to prevent foreclosure. If FRAND access is granted to third parties, negative effects on competition will normally be unlikely. However, the data format standards and interfaces will need to be reviewed for anti-competitive effects.

b) Data intermediaries as subjects of competition law

At the same time, data intermediaries themselves can be subject to competition law. This becomes evident when looking at the interface between the DGA and competition law: the DGA aims to promote DISs, following the assumption that they can play an important role in making data-related markets more competitive and foster data-related innovation. However, from the angle of competition law, data intermediaries must also be regarded with some caution, as they can enable illegitimate sharing of data and information. When it comes to data intermediaries that qualify as DISs under the DGA, Art. 1(4) DGA is clear when it states that the DGA is ‘without prejudice to the application of competition law’. More concretely, Recital 60 clarifies that the DGA ‘should not affect the application of the rules on competition, and in particular Arts. 101 and 102 TFEU’. In particular, this concerns ‘the rules on the exchange of competitively sensitive information between actual or potential competitors through data intermediation services’. But in fact, the DGA even reaches one step further and requires DISs to implement some additional safeguards by imposing obligations regarding the storage and transmission of competitively sensitive data. However, it is not clear what the exact scope of this obligation is. Originally, Art. 11(9) of the European Commission’s DGA proposal went far, as it required that DISs ‘shall have procedures in place to ensure compliance with the Union and national rules on competition’. However, this general compliance obligation was deleted in the legislative procedure, now amounting to Art. 12(l) DGA, which merely states that DISs ‘shall further ensure the highest level of security for the storage and transmission of competitively sensitive information’. Surprisingly, this is less than Recital 37 DGA requires, stating that:

‘Data intermediation services providers should also take measures to ensure compliance with competition law and have procedures in place to that effect. This applies in particular in situations where data sharing enables undertakings to become aware of market strategies of their actual or potential competitors. Competitively sensitive information typically includes information on customer data, future prices, production costs, quantities, turnovers, sales or capacities.’

It appears that out of negligence the legislature did not modify the Recital in congruence with the amendment of the DGA’s operational part. In substance, a Recital cannot impose such far-reaching binding obligations if these are not reflected in the operational part of the regulation. Therefore, the obligation of the DGA is to be understood as a mere duty to implement technical safeguards that meet the current technical state of the art. Beyond that, particularly the application of Art. 101 TFEU sets the benchmark for liability under competition law with regard to the exchange of sensitive information and data. In this regard, the Draft Horizontal Guidelines of the European Commission only mention ‘trustees’ 150 as independent third-party service providers as a general option to be considered by undertakings to implement precautionary measures in the case of exchanging commercially sensitive information. However, it does not further elaborate or give guidance on the particular role of data intermediaries or DISs.

The absence of data intermediaries in the Draft Horizontal Guidelines can be explained by the fact that there has not yet been any case practice in this field, following the perception that such guidelines should present past case practice to provide legal certainty and consistency of application rather than anticipating cases or steering competition policies in certain directions. However, current legal uncertainty and demand for future guidance appears high in this area. The legislature (EU as well as national) should not overlook the critical role that official guidance may play in providing legal certainty for evolving business models.

5. Draft Data Act

When looking at the Draft Data Act, it is surprising that the proposal does not refer to DISs, taking into account that the DGA can be considered as an enabling framework for the Draft Data Act. 151 Data intermediaries could play an important role to effectuate the data access right under Chapter III of the Draft Data Act by significantly reducing transaction costs and thereby enable data-driven innovation on a large scale. The reasons are that rather than the individual user or data recipient, they may better understand and aggregate third-party data demand for innovative purposes as well as be able to bundle data supplied from multiple sources in a targeted manner, further aggregate and process user data tailored to the needs of various data recipients and manage data transfer from a technical and legal perspective. 152 The Draft Data Act does not take up such cases, which might, however, be worth considering should the legislature seek to foster AI-driven innovation in the future.

An important debate is taking place on whether or to what extent the Draft Data Act actually allows users to purely commercialise the data which they can receive under Art. 4 or share with third parties under Art. 5 Draft Data Act – this means that the user of the product would not directly benefit from a service that would make use of such data, but that the user would provide the data accessed on the basis of Art. 4 simply for remuneration to third parties. 153 Data intermediaries are well placed to offer such remuneration on a large scale and further share/sell the obtained data. In the further legislative procedure, this issue should be discussed, taking into account that Art. 6(2)(c) Draft Data Act speaks against the legitimacy of such commercialisation, because it forbids the third party (here the data intermediary) to ‘make the data available it receives to another third party in raw, aggregated or derived form, unless this is necessary to provide the service requested by the user’. This implies that a data intermediary cannot approach users and offer payment for data, which the intermediary could then process and provide to third parties who could use such data for innovative purposes. 154 If considered as politically appropriate, Art. 6(2)(c) Draft Data Act could be amended in such a way that it would allow data to be shared with third parties via data intermediaries to create data markets, at least for specific purposes. This opening clause could be attached to the DGA to protect stakeholders’ interests by requiring that only DSIs under the DGA may be chosen to perform such intermediation. 155

6. Sector-specific data access regulation

Data intermediaries can become particularly relevant in the context of data access in specific sectors and take over more targeted roles. Which model of intermediary is suitable and how to further design it depends on the specific sector and markets affected. It can be highly controversial, as the example of mandating a trustee for car data in Germany has shown. 156 In this respect it is important to mention that the DGA has set the track for sectoral approaches with regard to DISs by giving Union and national legislators the possibility for more specific regulation. The DGA stipulates EU-wide harmonisation regarding the operations of DISs. This is to be seen as a minimum standard. Article 1(2) DGA allows the introduction of ‘specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime’ by means of European Union legal act or national law, as long as they are non-discriminatory, proportionate and objectively justified. By that means, sector-specific legislation 157 can introduce stricter standards for DISs that fall under the scope of the DGA.

An already existing example is Sec. 26 TTDSG, even though it concerns the mere management of the end user’s consent with regard to telemedia (e.g. websites) and therefore a constellation that arguably does not qualify as data intermediaries as understood within this study (see above). Nevertheless, it illustrates challenges for future sector-specific regulatory approaches for data intermediaries. Section 26 TTDSG stipulates sector-specific regulation of DISs according to Art. 1(2) DGA. 158 It is a first attempt by the German legislator to provide an explicit legal basis for data protection-related consent management through intermediaries. The provision entered into force on 1 December 2021, but the actual effect remains to be seen. In particular, the TTDSG allows mandating accredited PIMS for consent management. Such consent services must fulfil certain criteria and have to undergo an accreditation procedure, which should be further outlined in a delegated act, which is currently conceptualised. 159 In substance, the provision goes beyond the obligations of the DGA, as it requires the intermediaries to ‘have no economic self-interest in giving consent and in the data managed and [to be] independent of companies that may have such an interest’ (Sec. 26(1)(2) TTDSG). 160 While Sec. 26 TTDSG resolves some of the aforementioned legal uncertainties with regard to delegating consent under protection laws, criticism remains. It has been put forward that Sec. 26 TTDSG is not mandatory for telemedia providers – neither with regard to following PIMS settings nor regarding browser settings. 161 In addition, Sec. 26 TTDSG would continue to allow individual user consent to take precedence over PIMS settings, so it could be assumed that telemedia providers would continue to ask users for consent via cookie banners regardless of whether they use PIMS. 162 Considering that such intermediaries are held to be inexistent at the moment, it appears unclear what incentive Sec. 26 TTDSG provides to create them. 163 In any case, the effectiveness of this regulatory approach will considerably depend on interoperability and standardisation. 164

Commentators have argued that the benefits of the DGA could only be reached if it imposes obligations to make use of such services not only on DISs but also on market actors. 165 Indeed, if the law requires consumers to buy a particular product, this could (artificially) create the demand for this product to such an extent that suppliers would be incentivised to enter the markets and offer this product. However, it appears questionable whether such an invasive form of market design for data access can be justified in terms of efficiency reasoning; rather, it could only be based on public policy grounds. Answering this question lies beyond the subject of this article, but in any case, for such approaches sector-specific access regulation would be well placed, while significant evidence is needed to justify such drastic market intervention.

This article has discussed the prospects for data intermediaries in the context of competition and innovation policies and the relevant legal framework for data sharing. The analysis reveals that the DGA is a core piece of legislation, but – not the least because its provisions regarding DISs only enter into effect in September 2025 – it remains entirely uncertain whether it will generate the positive effects the legislature hopes for. This article takes a rather sceptical view and urges the governments of the Member States to closely monitor the market developments in the upcoming years. At the same time, the DGA is significantly interlinked with several areas of law, while these areas also show touching points with data intermediaries beyond the scope of application of the DGA. The article has taken a bird’s-eye view by identifying and discussing these links, particularly between data intermediaries and data protection law, contract law, competition law and the Draft Data Act as well as with sector-specific data regulation. The critical look has revealed the need and outlined some options for a coherent advancement of the regulatory framework with regard to data intermediaries, which would eventually contribute to an effective market design on data sharing.

This article is a revised version of a section which the author wrote for a study for the German Federal Ministry for Economic Affairs and Climate Action (Heike Schweitzer and others, ‘Data access and sharing in Germany and in the EU: Towards a coherent legal framework for the emerging data economy’ (2022) < https://pure.mpg.de/rest/items/item_3457829_2/component/file_3457831/content > accessed 30 January 2023).

Bundesregierung, ‘Gutachten der Datenethikkommission der Bundesregierung’ (DEK 2019) 133; Martin Schallbruch and others, ‘Ein neuer Wettbewerbsrahmen für die Digitalwirtschaft: Bericht der Kommission Wettbewerbsrecht 4.0’ (Bundesministerium für Wirtschaft und Energie 2019); Bundesregierung, ‘Datenstrategie der Bundesregierung: Eine Innovationsstrategie für gesellschaftlichen Fortschritt und nachhaltiges Wachstum’ 33-35 (Die Bundesregierung 2021).

Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 [2022] OJ L152/1 (Data Governance Act).

Moritz Godel and Ashwini Natraj, ‘Independent assessment of the Open Data Institute’s work on data trusts and on the concept of data trusts’ 8 (London School of Economics, 2019).

European Commission, ‘Commission Staff Working Document: Impact Assessment Report Accompanying the document – Proposal for a Regulation of the European Parliament and of the Council on European data governance’ SWD(2020) 295 final (Data Governance Act) (2020) 1 < https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52020SC0295&from=EN > accessed 30 January 2023.

See Recital 27 DGA.

Bundesregierung, ‘Datenstrategie der Bundesregierung’ (n 1) 35.

See Christiane Wendehorst and others, ‘Datentreuhand – wie hilfreich sind sachenrechtliche Konzepte?’ in Tereza Pertot and others (eds), Rechte an Daten (Mohr Siebeck 2020) 111.

Notwithstanding that public and scholarly debate also discuss other functions, such as strengthening consumers’ rights and allowing them to participate in the commercial exploitation of their data. On the function of decreasing asymmetries in information and bargaining power, Jack Hardinges, ‘Data trusts in 2020’ ( The ODI ) < https://theodi.org/article/data-trusts-in-2020/ > accessed 28 October 2022; see Wendehorst and others in Pertot and others (n 7) 106, on the negotiating power of data trusts.

See Alina Wernick, Christopher Olk and Max von Grafenstein, ‘Defining Data Intermediaries: A Clearer View through the Lens of Intellectual Property Governance’ (2020) 2 Technology and Regulation 65; Nicolo Zingales, ‘Data collaboratives, competition law and the governance of EU data spaces’ ( Concurrences , 2021) < https://awards.concurrences.com/en/awards/2022/academic-articles/data-collaboratives-competition-law-and-the-governance-of-eu-data-spaces > accessed 30 January 2023; Heiko Richter and Peter Slowinski, ‘The Data Sharing Economy: On the Emergence of New Intermediaries’ (2019) 50 IIC 4.

For the Commission Communication from the Commission to the European Parliament pursuant to Article 294(6) of the Treaty on the Functioning of the European Union concerning the position of the Council on the adoption of a Regulation of the European Parliament and of the Council on a framework for the recovery and resolution of central counterparties and amending Regulations (EU) No 1095/2010, (EU) No 648/2012, and (EU) 2015/2365 (2020) (COM SMART 2020/694) 36; OECD, ‘Enhancing Access to and Sharing of Data: Reconciling Risks and Benefits for Data Re-use across Societies’ (2019) OECD 38; Andreas Pawelke, ‘Daten teilen, aber wie? Ein Panorama der Datenteilungsmodelle’ ( Bertelsmann Stiftung , 10 December 2020) < https://www.bertelsmann-stiftung.de/index.php?id=5772&tx_rsmbstpublications_pi2%5bdoi%5d=10.11586/2020079&no_cache=1 > accessed 27 October 2022.

See for various definitions in the literature Natalia Simon and others, ‘Definition and analysis of the EU and worldwide data market trends and industrial needs for growth’ ( TRUSTS Trusted Secure Data Sharing Space , 2021) 22-23 < https://www.trusts-data.eu/wp-content/uploads/2021/07/D2.1-Definition-and-analysis-of-the-EU-and-worldwide-data-market-trends-....pdf > accessed 30 November 2023.

Used as a wide term by Zingales (n 9).

Jürgen Kühling, ‘Der datenschutzrechtliche Rahmen für Datentreuhänder’ [2021] Zeitschrift für Digitalisierung und Recht (ZfDR) 1, 4, also providing some background; for further background, see also Heiko Richter, ‘Europäisches Datenprivatrecht: Lehren aus dem Kommissionsvorschlag für eine “Verordnung über europäische Daten-Governance”’ [2021] ZEuP 634, 640-42.

COM SMART 2020/694 (n 10) 40 eg differentiates between data marketplaces, industrial data platforms, data trustees, data collaboratives, data cooperatives and ‘personal information management systems’ (PIMS).

However, they use the term ‘data marketplaces’ as a general term for data intermediaries, see Simon and others (n 11) 34.

See Richter and Slowinski (n 9) 4, 10 ff; Bertin Martens and others, ‘Business-to-Business data sharing: An economic and legal analysis’ (2020) JRC Digital Economy Working Paper 2020-05, 28 < https://joint-research-centre.ec.europa.eu/system/files/2020-07/jrc121336.pdf > accessed 27 October 2022. See also classifications of orientation and ownership in Simon and others (n 11) 28-29.

Richter and Slowinski (n 9) 4, 13; European Commission, Staff Working Document, ‘Guidance on sharing private sector data in the European data economy “Towards a common European data space”’ SWD(2018), 125 final, 10.

See Data Governance Act (n 4) 12.

ibid 12; Richter and Slowinski (n 9) 4, 14-15.

See Richter and Slowinski (n 9) 4, 13.

See Martens and others (n 16) 29; Data Governance Act (n 4) 11.

See Richter and Slowinski (n 9) 4, 11.

See Martens and others (n 16) 15.

See Kühling (n 13).

Even though such agreements are obviously relevant under art 101 TFEU.

See also art 10(a) and Recital 27 DGA.

Data holder does not imply the legitimacy of the holder to share the data (unlike art 2(8) DGA). The data holder may have legal or de facto control over the data.

The term ‘data sharing’ is used irrespective of its legal basis (eg voluntary agreements or Union or national law – as art 2(10) DGA requires). Also, data sharing does not imply the nature of the arrangement (eg license), remuneration or whether it is performed directly or through an intermediary.

‘Data user’ does not imply the lawfulness of accessing and using this data (unlike art 2(9) DGA). Also, ‘its own’ does not imply the commerciality or non-commerciality of the purpose. The purpose (eg for business, academic work or in government) is context specific.

See Neil Cohen and Christiane Wendehorst, ‘ALI-ELI Principle for a Data Economy: Data Transactions and Data Rights’ (2021) Final Council Draft 114; Louisa Specht-Riemenschneider and others, ‘Die Datentreuhand’ [2021] MMR-Beilage 25, 27.

See Cohen and Wendehorst (n 30) (2021) 111; Specht-Riemenschneider and others (n 30) 25, 27.

Originally, the Commission’s proposal of the DGA only covered voluntary data sharing, which has been criticised and amended accordingly.

See Kühling (n 13) 1.

See OECD, ‘Enhancing Access to and Sharing of Data’ (n 10) 38.

On the genesis of the term ‘Data trust’ und ‘ Datentreuhand ’ and the strands of discussion, see Richter (n 13) 634, 641-42.

Examples for ‘ doppelseitige Treuhandverhältnisse ’ in Specht-Riemenschneider and others (n 30) 25, 35-36.

See for a conceptualisation David Fewer and others, ‘The Price of Trust? An Analysis of Emerging Digital Stewardship Models’ ( CIPPIC , 31 March 2020) < https://cippic.ca/sites/default/files/file/Data_Governance_Submission_Draft_31_March_2020.pdf > accessed 30 January 2023.

See Cohen and Wendehorst (n 30) (2021) 111; Specht-Riemenschneider and others ‘Die Datentreuhand’ (n 30) 25, 28-29, primarily distinguishing between different purposes.

On the legal uncertainty see Wendehorst and others in Pertot and others (n 7) 103; eg Specht-Riemenschneider and others (n 30) 25, 35 argue that it must be main duty stemming from a contract, not an ancillary duty, to act in the interest of the data holder.

See eg Kühling (n 13) 1, 6.

As a broader definition, see also Cohen and Wendehorst (n 30) 103-14; Specht-Riemenschneider and others (n 30) 25, 35.

But see also on failed intermediary models and the history of data marketplaces Simon and others (n 11) 20-21.

See COM SMART 2020/694 (n 10) 43, according to which many of the existing data intermediaries have less than 100 customers.

But see also Raphaël Gellert and Inge Graef, ‘The European Commissions proposed Data Governance Act: some initial reflections on the increasingly complex EU regulatory puzzle of simulating data sharing’ (2021) TILEC Discussion Paper No DP2021-006, 12 < https://n9.cl/wgt1s > accessed 28 October 2022 on the Data Transfer project developed by Apple, Facebook, Google, Microsoft and Twitter (< https://datatransferproject.dev > accessed 28 October 2022).

See Data Governance Act (n 4) 16-17.

See Simon and others (n 11) 26; the database is accessible under < https://doi.org/10.4121/14679564.v1 > accessed 28 October 2022.

See for the current stage of the market in agriculture also Specht-Riemenschneider and others (n 30) 25.

eg < https://www.caruso-dataplace.com/ > accessed 28 October 2022.

For details see Simon and others (n 11) 29-30.

See ibid 47-53 on an evaluation of data sharing initiatives.

Also, national rules such as the German s 26 TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz) are evolving for specific contexts of data intermediation.

art 37 DGA.

See European Commission, ‘Communication from the Commission to the European Parliament, the council, the European Economic and Social Committee and the Committee of the Regions: A European strategy for data’ COM(2020) 66 final (European Strategy for Data) (2020); for contextualising the bigger picture of current EU data policies, see Matthias Leistner and Lucie Antoine, ‘IPR and the use of open data and data sharing initiatives by public and private actors’ ( European Parliament , May 2022) < https://www.europarl.europa.eu/RegData/etudes/STUD/2022/732266/IPOL_STU(2022)732266_EN.pdf > accessed 30 January 2023; for a theoretical re-conceptualization Matthias Leistner and others, Big Data (Mohr Siebeck 2021).

See Data Governance Act (n 4) 1.

See Recital 5 and 32 Data Governance Act (n 4) 21; Martens and others (n 16) 7.

Julie Baloup and others, ‘White Paper on Data Governance Act’ (2021) CiTiP Working Paper 2021, 26 < https://www.researchgate.net/publication/352690055_White_Paper_on_the_Data_Governance_Act > accessed 27 October 2022.

Member States must lay down penalties for the infringement, see also Recital 55.

See Recital 33 DGA. On the concept of neutrality Baloup and others (n 57) 31.

See Recital 33 DGA.

One can reasonably argue that there are also DIS, which do not qualify as data intermediaries under the definition proposed here.

This definition was included after the Commission’s proposal had been criticised for not containing a definition and not clearly delineating the scope.

See also first sentence of Recital 28 DGA.

See art 2(11) DGA: ‘for the purpose of data sharing between an undetermined number of data subjects and data holders on the one hand and data users on the other hand’; excluding intermediating services, which are only used by one data holder or closed group (eg IoT network), see art 2(11)(c) DGA; see also Recital 28 DGA.

See Richter (n 13) 634, 644-45.

It remains not entirely clear why the legislator makes this distinction between three different types of DIS, see Andreas Hartl and Anna Ludin, ‘Recht der Datenzugänge’ [2021] MMR 534.

See also last sentence of Recital 27 DGA.

See Benedikt Falkhofen, ‘Infrastrukturrecht des digitalen Raums’ [2021] EuZW 787, 791.

See Recital 30 DGA.

See furthermore EDPB-EDPS, ‘Joint Opinion 03/2021 on the Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act)’ (2021) 31; Falkhofen (n 69) 787, 790.

See also Recital 31 DGA.

See Baloup and others (n 57) 29, for criticism on the vagueness of the definition. Furthermore EDPB-EDPS, ‘Data Governance Act’ (n 71) 32.

See Ivana Anicic and others, ‘Konzeptstudie Datengenossenschaft’ (Parts 1 and 2) (Working Paper) Rheinische Friedrich Wilhelms University Bonn.

See also Recital 28 DGA.

See also Recital 29 DGA.

Such as consolidated tape providers, account information service providers and ‘[o]ther services that do not aim to establish commercial relationships, such as repositories aimed at enabling re-use of scientific research data in accordance with Open Access principles’.

The Commission’s proposal for the DGA has been rightly criticised for being too imprecise when it comes to its scope (Baloup and others (n 57) 27-28); Gerald Spindler, ‘Schritte zur europaweiten Datenwirtschaft – der Vorschlag einer Verordnung zur europäischen Data Governance’ [2021] CR 98, 102-03; Richter (n 13) 634, 649-52, 662; furthermore EDPB-EDPS, ‘Data Governance Act’ (n 71) 29-30, and the legislator has improved and sharpened the definition in the trilogue to some extent.

See Baloup and others (n 57) 33.

See Recital 32 DGA.

See Baloup and others (n 57) 34.

See also Recital 32 DGA.

See on the ‘novelty’ and context of this principle Richter (n 13) 634, 654.

See Baloup and others (n 57) 32.

Unless Union law mandates such conversion.

See Baloup and others (n 57) 31.

See Richter (n 13) 634, 656.

See Baloup and others (n 57) 34-35, drawing a parallel to public services.

See ibid 36, on the broader implications of such ‘action revendication’.

See Recitals 32, 34 DGA. See also European Commission, ‘Communication from the Commission to the European Parliament, the council, the European Economic and social Committee and the Committee of the regions: An EU Strategy on Standardisation – Setting global standards in support of a resilient, green and digital EU single market’ COM(2022) 31 final (EU Strategy on Standardisation) (2022), on this topic.

Natali Helberger, Hans W Micklitz and Peter Rott, ‘The Regulatory Gap: Consumer Protection in the Digital Economy’ ( ConPolicy , 26 January 2022) < https://www.conpolicy.de/en/news-detail/the-regulatory-gap-consumer-protection-in-the-digital-economy > accessed 30 January 2023.

See Richter (n 13) 634, 657-58.

eg competitors in Germany can take legal action against unfair practices or ineffective general terms and conditions in the event of violations of the obligations standardised in art 12 DGA on the basis of s 3a UWG, see ibid 658-59.

See Gellert and Graef (n 44) 14; Baloup and others (n 57) 36.

See Schweitzer and others, ‘Data access and sharing in Germany and in the EU: Towards a coherent legal framework for the emerging data economy’ ( Bundesministerium für Wirtschaft und Klimaschutz , 2022) 112-15 < https://www.bmwk.de/Redaktion/DE/Publikationen/Digitale-Welt/20221026-data-access-and-sharing-in-germany-and-in-the-eu.html > accessed 28 October 2022.

See Baloup and others (n 57) 37.

See art 34 DGA.

See Baloup and others (n 57) 35.

See Richter (n 13) 634, 653.

See Recital 5 DGA.

See Specht-Riemenschneider and others (n 30) 25, 32.

See Kühling (n 13) 1, 23.

See Hartl and Ludin (n 67) 534.

See Wolfgang Kerber, ‘DGA – einige Bemerkungen aus ökonomischer Sicht’ (University of Marburg, 2021) 3 < https://www.uni-marburg.de/de/fb02/professuren/vwl/wipol/pdf-dateien/kerber_dga_einige-bemerkungen_21012021.pdf > accessed 30 January 2023.

See Louisa Specht-Riemenschneider and Wolfgang Kerber, ‘Designing Data Trustees – A Purpose-Based Approach’ ( Konrad Adenauer Stiftung , 2022) 41-42 < https://www.kas.de/documents/252038/16166715/Designing+Data+Trustees+-+A+Purpose-Based+Approach.pdf/ffadcb36-1377-4511-6e3c-0e32fc727a4d > accessed 30 January 2023.

Baloup and others (n 57) 35 have questioned whether the obligations of art 12 DGA would unproportionally restrict the DISs’ freedom to do business under art 16 of the EU Charter of Fundamental Rights; see also Hartl and Ludin (n 67) 534, who question the proportionality for already existing business models.

See Baloup and others (n 57) 34. See also Specht-Riemenschneider and others (n 30) 25, 32, who argue that the DGA stipulates a ‘one-size-fits-all approach’, which does not adequately reflect the particularities of different data trustee models.

See Gellert and Graef (n 44) 11-13; Kerber (n 108) 3.

See Baloup and others (n 57) 34-35; still, Recital 27 DGA also mentions the importance of independency of DISs from players with significant market power.

See Richter (n 13) 634, 654-55.

But see European Commission, ‘Communication from the Commission to the European Parliament, the council, the European Economic and social Committee and the Committee of the regions: A Chips Act for Europe’ COM SWD(2022) 45 final (2022).

See Richter (n 13) 634, 661-63.

This is also true for the further market developments of PIMS under s 26 TTDSG, which can be followed with interest, as the effect of legislative intervention can be observed – albeit in a very narrow field of application – once the delegates act on the procedure and technical modalities have entered into force.

See Gellert and Graef (n 44) 15.

Some people see this as identical to the definition of art 10(b) DGA, see Kühling (n 13) 1, 7; Carla Beise, ‘Daten sind zu einem bedeutenden Wirtschaftsgut avanciert’ [2021] RDi 597, 602.

See Kühling (n 13) 1, 4-7.

For practical examples of PIMS see Rolf Schwartmannn and Steffen Weiß, ‘Datenmanagement und Datentreuhandsysteme’ ( Gesellschaft für Datenschutz und Datensicherheit , November 2020) 10-16 < https://www.gdd.de/downloads/aktuelles/sonstiges/Fokusgruppe_Datenschutz-Datenmanagement_Datentreuhandsysteme_V1.0.pdf > accessed 30 January 2023; see for the current stage of the market Aline Blankertz and Louisa Specht-Riemenschneider, ‘Wie eine Regulierung für Datentreuhänder aussehen sollte’ ( Stiftung Neue Verantwortung , 2021) 25-29 < https://www.stiftung-nv.de/sites/default/files/regulierung_fuer_datentreuhaender.pdf > accessed 30 January 2023.

See Kühling (n 13) 1, 7; on definition of PIMS also Specht-Riemenschneider and others (n 30) 25, 27.

See Kühling (n 13) 1, 12.

See Spindler (n 80) 98, 104.

See Richter (n 13) 634, 655; Kühling (n 13) 1, 23.

For details see Jürgen Kühling, Florian Sackmann and Hilmar Schneider, ‘Datenschutzrechtliche Dimension Datentreuhänder: Kurzexpertise’ ( Bundesministerium für Arbeit und Soziales , 2020) < https://www.ssoar.info/ssoar/bitstream/handle/document/70086/ssoar-2020-kuhling_et_al-Datenschutzrechtliche_Dimensionen_Datentreuhander_Kurzexpertise.pdf?sequence=1&isAllowed=y&lnkname=ssoar-2020-kuhling_et_al-Datenschutzrechtliche_Dimensionen_Datentreuhander_Kurzexpertise.pdf > accessed 30 January 2023.

See Specht-Riemenschneider and Kerber (n 109) 35-37.

See eg Kühling (n 13) 1, 12, claiming that there are no significant legal barriers.

See Kühling (n 13) 1, 14-19.

See Kühling, Sackmann and Schneider (n 126) 19-26.

See Bundesregierung, ‘Gutachten der Datenethikkommission der Bundesregierung’ (DEK 2019) (n 1) 134.

Verbraucherzentrale Bundesverband, ‘Neue Datenintermediäre’ ( VZBV , 15 September 2020) < https://www.vzbv.de/sites/default/files/downloads/2020/09/17/20-09-15_vzbv-positionspapier_datenintermediaere.pdf > accessed 30 January 2023.

See ibid 46.

See ibid 22.

See ibid 20.

eg art 12(e) DGA.

See Richter (n 13) 634, 655.

This has been criticised by Kühling (n 13) 1, 23.

See Recital 4 DGA.

Even if their derogation would not harm any party and would appear desirable from an economic point of view; on such considerations see Richter (n 13) 634, 655-59).

Wolfgang Wurmnest, ‘§ 309 para 1’ in Münchener Kommentar zum Bürgerlichen Gesetzbuch (8th edn, CH Beck 2019).

See eg art 12(g), (j), (k), (l), (o) DGA.

See Peter G Picht and Heiko Richter, ‘EU Digital Regulation 2022: Data Desiderata’ [2022] GRUR International 395, 397.

Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act), COM(2022) 68 final.

eg to ensure compliance with the GDPR.

See European Commission, ‘Communication from the Commission: Approval of the content of a draft for a Communication from the Commission – Guidelines on the applicability of Article 101 of the Treaty on the Functioning of the European Union to horizontal co-operation agreements’ [2022] OJ C164 (2022) 1159 final, para 411.

See European Strategy for Data (n 53) 12.

Josef Drexl and others, ‘Position Statement of the Max Planck Institute for Innovation and Competition of 25 May 2022 on the Commission’s Proposal of 23 February 2022 for a Regulation on Harmonised Rules on Fair Access to and Use of Data (Data Act)’ (2022) Max Planck Institute for Innovation & Competition Research Paper No 22-05, para 338.

ibid paras 14 ff.

ibid para 338.

See Tagesschau, ‘Streit um die Autodaten’ ( Tagesschau , 31 January 2022) < https://www.tagesschau.de/wirtschaft/verbraucher/autodaten-datensammeln-datenschutz-fahrstil-versicherungen-auto-datentreuhaender-101.html > accessed 28 October 2022.

See Recital 40 DGA.

See Oliver Stiemerling, Steffen Weiß and Christiane Wendehorst, ‘Forschungsgutachten zum Einwilligungsmanagement nach § 26 TTDSG’ ( eCambria experts , 16 December 2021) 21 < https://www.ecambria-experts.de/it-sachverstaendiger/wp-content/uploads/2022/01/211216-Gutachten_fuer_Bundesministerium_fuer_Wirtschaft_und_Energie_p-os37621.pdf > accessed 30 January 2023.

For proposals see ibid.

See critical remark on the vagueness of the requirement and its relationship to the DGA Stiemerling, Weiß and Wendehorst (n 158) 21, footnote 13.

See Alexander Golland, ‘Das Telekommunikation-Telemedien-Datenschutzgesetz Aufsatz’ [2021] NJW 2238, 2241.

See ibid 2238, 2241.

See Blankertz and Specht-Riemenschneider (n 121) 10-11.

For proposed details see Stiemerling, Weiß and Wendehorst (n 158).

See Specht-Riemenschneider and Kerber (n 109) 42.

Month: Total Views:
March 2023 177
April 2023 223
May 2023 260
June 2023 221
July 2023 163
August 2023 196
September 2023 277
October 2023 197
November 2023 212
December 2023 191
January 2024 176
February 2024 171
March 2024 175
April 2024 158
May 2024 141
June 2024 99
July 2024 16

Email alerts

Citing articles via.

  • Recommend to Your Librarian
  • Advertising and Corporate Services
  • Journals Career Network

Affiliations

  • Online ISSN 2632-8550
  • Copyright © 2024 German Association for the Protection of Intellectual Property and Copyright e.V
  • About Oxford Academic
  • Publish journals with us
  • University press partners
  • What we publish
  • New features  
  • Open access
  • Institutional account management
  • Rights and permissions
  • Get help with access
  • Accessibility
  • Advertising
  • Media enquiries
  • Oxford University Press
  • Oxford Languages
  • University of Oxford

Oxford University Press is a department of the University of Oxford. It furthers the University's objective of excellence in research, scholarship, and education by publishing worldwide

  • Copyright © 2024 Oxford University Press
  • Cookie settings
  • Cookie policy
  • Privacy policy
  • Legal notice

Data Act — Factsheet

Download the factsheet to find out more about the Data Act. Available in all official EU languages.

Data Act — Factsheet

The Data Act is a proposed Regulation harmonising rules on fair access to and use of data. It will play a key role in the digital decade, helping to shape the rules for the digital economy and society. 

The Data Act is part of the overall European strategy for data, and complements the Data Governance Regulation of November 2020 by clarifying who can create value from data and under which conditions. It will also introduce rules concerning the use of data generated by devices connected to the Internet of Things.

For an overview of the Data Act, download the factsheet below in your choice of official EU language. 

Related content

Press release | 23 February 2022

The Commission has proposed new rules on who can use and access data generated in the EU across all economic sectors.

Last update

9 January 2024

--> Clifford Chance

Clifford Chance

Talking Tech

An overview of the newly adopted eu data governance act.

The Data Governance Act (DGA), which creates a framework for increased data availability and re-use within the European Union (EU), entered into force on 23 June 2022. Following a grace period of 15 months, it will be applicable from 24 September 2023. The DGA is a key pillar of the European Strategy for Data, seeking to promote the re-use of protected data held by public sector bodies.  While access to such data could bring opportunities for innovation and technological advancement, as well as facilitate business models relating to data intermediation and data altruism, attention will need be paid to the conditions and safeguards for data sharing and re-use in the DGA. In this article we explore key aspects of the DGA.

Context and purpose of the EU Data Governance Act

Data has become central to our day-to-day lives and, as such, become a resource for economic and societal growth, competitiveness, efficiency, and innovation.

In recent years, the volume of data generated has grown exponentially, yet there has been limited data sharing despite its various societal and economic benefits. Three primary issues have been identified by the European Commission (EC) as hindering effective data sharing:

  • Lack of appropriate data sharing structures;
  • Technological obstacles; and
  • Low trust in data re-users and data collection for the common good.

In order to address these concerns, in November 2020, the EC published its proposal for the DGA as part of the European Strategy for Data, which aims to develop a single market for data that will support EU data sovereignty and global competitiveness.  

The stated aim of the DGA is to improve the availability of data by fostering trust in data intermediaries and by strengthening data-sharing mechanisms. These goals are envisaged to be achieved by implementing the following set of measures:

  • Mechanisms to foster access to and the re-use of certain categories of data held by public sector bodies that cannot be made available as open data due to the protections that apply to the data.
  • Measures to help ensure that data intermediaries will function as trustworthy organisers of data sharing or pooling in the common European data spaces.
  • Measures to encourage citizens and businesses to make their data available for "the common good", such as certain research, healthcare, education, or scientific purposes.
  • Measures to facilitate data sharing, specifically to enable the use of data across sectors and for certain purposes.

Scope of the DGA

The DGA establishes conditions and frameworks for the re-use, within the EU, of data held by public sector bodies which are protected due to commercial or statistical confidentiality, intellectual property rights of third parties or the protection of personal data.

While the DGA does not set out in more detail the circumstances in which it applies to organisations outside the EU, some of its provisions and recitals indicate that it has an extraterritorial reach.  In particular, any entity that is not established within the EU but which offers services within the EU and which meets the requirements to qualify as a data altruism organisation or as a data intermediary under the DGA, has to appoint a legal representative in one of the Member States where those services are offered. This means that non-EU based entities wishing to participate in the data reuse frameworks established by the DGA should also pay attention to the provisions of the DGA.

Mechanism for re-using certain protected data controlled by public sector bodies

The DGA complements and strives to fill in the gap left open by the Open Data Directive, which addresses only the re-use of public data and does not address protected data. In order to do this, the DGA focuses on the establishment of safeguards for the re-use of protected data held by public sector bodies, such as the State, regional or local authorities, or bodies governed by public law. According to the definition in the DGA, re-use encompasses the use by natural or legal persons of data controlled by public sector bodies both for commercial and non-commercial purposes. However, the DGA does not create an obligation for public sector bodies to allow the re-use of protected public sector data. Rather, the DGA merely offers a set of harmonized basic conditions under which such data re-use might be permitted. The DGA provides for the following measures for the access and re-use of public sector-controlled data:

  • Prohibitions relating to arrangements containing an exclusive right to re-use.
  • Requirements for the relevant public sector bodies to fulfil certain technical requirements to ensure that the privacy and confidentiality of data is respected during the process. This may include measures such as anonymization or pseudonymization, contractual means like confidentiality agreements, or the creation of data rooms to ensure the security of the processing environment.
  • The re-use must satisfy the principles of proportionality, non-discrimination and objective justification and it must comply with intellectual property rights.
  • Public sector bodies will have two months to decide on the re-use request and they may charge fees for the re-use of data, but only to an extent that does not exceed the necessary costs.
  • Confidential information, such as trade secrets may only be disclosed if permission or consent has been given.

As a result of this new mechanism, public sector bodies are expected to encourage the re-use of data. An example of how data can be re-used for beneficial purposes is the practice of DAMAE Medical, a French company, that uses data made available through the French Health Data Hub to improve its technology to identify signs of skin cancer more efficiently.

Data transfer to Third Countries

In relation to transfers of personal data, the DGA defers to the GDPR.  The recitals to the DGA make clear that it is not intended to prevent cross-border transfers of personal data in accordance with the GDPR and that, in event of any conflict between the DGA and any EU law on the protection of personal data, the latter prevails.

In relation to the other protected categories of data, the DGA introduces certain measures in order to safeguard the flow of data with third countries. In particular, the DGA establishes the EC's power to adopt delegated acts, where deemed necessary, that lay down the criteria for transfers to third countries. These conditions may include, amongst other things, limitations concerning the re-use of data in third countries, the categories of persons who are allowed to transfer such data to third countries and, in exceptional cases, restrictions regarding these transfers.  

Furthermore,  the DGA requires that a natural or legal person, who is re-using data under the DGA  must inform the public sector body from whom the data is obtained of its intention to transfer such data and the purpose of that transfer at the time of requesting re-use of the data.  Public sector bodies may only transfer data confidential non-personal data or data protected by intellectual property rights to a re-user intending to transfer that data to a third country  if (1) the re-user contractually commits to complying with certain obligations and accepting the jurisdiction of the Member State of the transmitting public sector body, or (2) the EC has declared that the relevant third country:

  • ensures protection of trade secrets and intellectual property in a way that is essentially equivalent to that in the EU;
  • has legal, supervisory and enforcement arrangements that ensure such protections are effectively applied and enforced; and
  • provides effective judicial redress.

The DGA also anticipates circumstances in which courts and authorities of third countries may require a public sector body, data re-user, data intermediation services provider or recognised data altruism organisation to transfer or give access to non-personal data falling within the scope of the DGA and sets conditions relating to such transfer or access.

Regulation of data intermediation service providers

The DGA offers an alternative model for data-handling practices through the concept of providers of data sharing services: data intermediaries. According to the DGA, providers of data sharing services have a key role in the data economy as they contribute to the effective pooling of data and facilitate the bilateral exchange of data. Such data intermediaries are expected to function in the public, private and third sectors as neutral third parties that will link individuals and companies with data users. Organisations offering only data intermediation services as well as companies that provide data intermediation services in addition to other services, can qualify as data intermediaries provided that, in the case of the latter, there is legal and economic separation from the other services they offer. By way of guidance, the regulation specifies that a company or organisation that wishes to qualify as a data intermediary must satisfy the following criteria:

  • Their main objective must be the establishment of a business.
  • They facilitate legal and technical connection between data holders and potential data users.
  • They facilitate services focused on intermediating between data holders and data users.
  • They offer services to data subjects with a focus on personal data as defined under the GDPR.

To ensure the safety of data, data intermediaries will be subject to strict requirements that are intended to guarantee their neutrality and prevent conflict of interest. In practice, this means that they will have to separate their data intermediation services from the other services they provide. Moreover, under the DGA, data intermediaries will also have to comply with notification requirements, as they will be required to notify their intention to provide data intermediation services to the competent authority designated by each member state to carry out the tasks related to the notification framework. The responsibility of the competent authority will be to make sure that the notification service is non-discriminatory and does not distort competition. If the data intermediary has adequately submitted the notification with all the necessary information, it will be granted confirmation which will enable the data intermediary to use the label ‘data intermediation services provider recognized in the Union’ and operate accordingly.

As one of the aims of the European digital strategy is to address the dominance of big tech companies in the flow of data, the following categories of entities cannot be considered providers of data sharing services under the regulation:

  • Cloud service providers;
  • Data brokers;
  • Services with a focus on the intermediation of content – e.g. social network companies, search engines;
  • Data exchange platforms;
  • Platforms developed in the context of objects and devices connected to the IoT (IoT platforms); and
  • Data sharing services that are meant to be used by a closed group of data holders and users.

For non-EU entities it will be more complicated to qualify as a data intermediary as they will have to meet further standards such as registration with a regulatory authority and placing their data sharing services in a separate legal entity.

Data altruism  

"Data altruism" under the DGA means the voluntary sharing by individuals and companies of data generated by them – without receiving any reward – so that it may be used for objectives in the general public interest. To reach this aim, the DGA introduces a common European data altruism consent form that will facilitate the collection of data across member states in a uniform format, while guaranteeing that consent can be given and withdrawn easily. This is expected to give legal certainty to researchers and companies who wish to use this data., and create a trusted framework that will encourage data altruism and facilitate the sharing of data for societal benefits, such as helping further the research in certain areas such as healthcare and climate change, or developing better functioning products and services in areas of public interest. The DGA also envisages the development of a "Rulebook" specifying requirements relating to data altruism (such as technical and security requirements) and the establishment of recognised data altruism organisations, which must fulfil certain criteria (including operating on an independent, not-for-profit basis) and be registered in a public national register.

Establishment of the European Data Innovation Board

As the last piece of the puzzle, the DGA puts forward the creation of the European Data Innovation Board (the Board) to help the EC develop a consistent approach to data intermediaries, data altruism, cross-sectoral data sharing, and the re-use of protected data, and to facilitate cooperation between relevant competent authorities. The Board will have the form of an expert group and will consist of the representatives from various entities, such as the competent authorities of each member state, the EC, the European Data Protection Board and the representatives of data spaces and specific sectors (e.g. health, transport, agriculture or statistics), and other relevant stakeholders.

Monitoring compliance with the DGA and possible penalties

Under the DGA, each Member States must appoint  competent authorities for (1) supporting public sector bodies in the granting or refusing of data access for re-use (2) data intermediation services and (3) the registration of data altruism organisations. Competent authorities for data intermediation services and the registration of data altruism organisations are required to monitor and supervise compliance with the provisions of the DGA falling within their remit.  and will be empowered to take certain actions (such as requiring the suspension or cessation of data sharing service, or removal of a data altruism organisation from the public national register) or, in relation to data intermediation services, impose dissuasive financial penalties (including penalties with retroactive effect) in relation to breach of the relevant DGA provisions. In other cases, each Member State is required to lay down rules on penalties applicable to infringements of particular provisions of the DGA. Such penalties must be proportionate, effective and dissuasive.

How does the DGA relate to the EU GDPR?

The DGA applies to "any digital representation of acts, facts or information", including personal data. However, the DGA does not create any new legal basis for data processing under the EU General Data Protection Regulation (GDPR) and is not intended to prevent cross-border transfer of personal data in accordance with the GDPR. Whenever personal data is concerned, if there is any inconsistency between the DGA and the GDPR, the GDPR prevails.

How does the DGA relate to the EU Data Act?

The EU's proposed regulation on harmonised rules on fair access to and use of data, commonly referred to as the "Data Act", another key pillar of the European Strategy for Data, is currently making its way through the EU legislative process (see our article: " The Data Act: A proposed new framework for data access and porting within the EU " ).  

Both the DGA and the Data Act seeks to promote data accessibility and reuse withing the EU. The DGA does so through setting out broad frameworks for data to move freely within the EU, in particular through setting conditions for re-use of protected public sector data and providing for trusted mechanisms for access to data.  The DGA does not, however, create obligations to share data. The draft Data Act complements the DGA by specifying who can use certain types of privately held data and under what circumstances, introducing mechanisms and standards to enable companies and individuals to exercise more control over data generated by their use of IoT devices or stored in data processing services such as cloud services. This includes introducing rights for companies and individuals to require that data holders make certain data available to them or to third parties in certain circumstances. The draft Data Act also introduces a framework for access by public sector bodies to data held by private data holders in cases of "exceptional need".

Download PDF

Toolkits & Client Log-in

  • Client Portal
  • Financial Markets Toolkit
  • Talking Tech Insights
  • Manage account and preferences

Create test users

  • User 0: Remove users and log-out.
  • User 1: New user, no prefs or applications.
  • User 2: Returning user, legal are, sector and jurisdiction prefs. No applications.
  • User 3: Returning user, legal are, sector and jurisdiction prefs. CP approval pending.
  • User 4: Returning user, legal are, sector and jurisdiction prefs. CP approval given.
  • User 5: Simulate async cookie load from service (upgrades existing to CP approval given)
  • User 6: Returning user, legal are, sector and jurisdiction prefs. CP approval given AND CBMCG.

Newly Launched - AI Presentation Maker

SlideTeam

  • Customer Favourites

Data Governance

Powerpoint Templates

Icon Bundle

Kpi Dashboard

Professional

Business Plans

Swot Analysis

Gantt Chart

Business Proposal

Marketing Plan

Project Management

Business Case

Business Model

Cyber Security

Business PPT

Digital Marketing

Digital Transformation

Human Resources

Product Management

Artificial Intelligence

Company Profile

Acknowledgement PPT

PPT Presentation

Reports Brochures

One Page Pitch

Interview PPT

All Categories

category-banner

  • You're currently reading page 1

Stages // require(['jquery'], function ($) { $(document).ready(function () { //removes paginator if items are less than selected items per page var paginator = $("#limiter :selected").text(); var itemsPerPage = parseInt(paginator); var itemsCount = $(".products.list.items.product-items.sli_container").children().length; if (itemsCount ? ’Stages’ here means the number of divisions or graphic elements in the slide. For example, if you want a 4 piece puzzle slide, you can search for the word ‘puzzles’ and then select 4 ‘Stages’ here. We have categorized all our content according to the number of ‘Stages’ to make it easier for you to refine the results.

Category // require(['jquery'], function ($) { $(document).ready(function () { //removes paginator if items are less than selected items per page var paginator = $("#limiter :selected").text(); var itemsperpage = parseint(paginator); var itemscount = $(".products.list.items.product-items.sli_container").children().length; if (itemscount.

  • 3D Man (65)
  • Anatomy (4)
  • Block Chain (16)
  • Branding (22)
  • Brochures Layout (6)

Data Stewardship IT Powerpoint Presentation Slides

data governance act presentation

Public finance and budgets

Countries across the OECD are facing long-term fiscal pressures in areas such as health, ageing, climate change, and defence. At the same time, governments must grapple with mounting debt levels, rising interest rates and high levels of uncertainty. In this increasingly constrained fiscal environment, reconciling new and emerging spending pressures with already stretched public finances requires high-quality budget institutions and processes.

data governance act presentation

Select a language

Key messages, oecd countries are facing long-term fiscal pressures..

The long-term fiscal pressures associated with climate change and reducing greenhouse gas emissions; ageing populations and shrinking labour supply; and rising health care and social care costs continued to mount. Interest expenditures are now increasing significantly. The current geopolitical tensions are adding further new spending pressures, including in the defence area, as well as greater economic uncertainty.

Reconciling these pressures with already stretched public finances requires high quality budget institutions and strengthened public understanding

Budgets are about more than money. They are a statement of a nation’s priorities. Engagement and oversight of the budget process by Independent Fiscal Institutions, parliaments and the public is fundamental to democratic governance and trust in government. Empowering the public to understand fiscal challenges is essential for generating the will to solve them

Governments must have credible public financial management frameworks to build trust in budgetary governance and maintain enough fiscal space to be able to finance crisis responses when needed.

Governments must have credible public financial management frameworks to build trust in budgetary governance and maintain enough fiscal space to finance crisis responses when needed.

Each of the crises of recent years has shown the importance of preserving the resilience of public finances; countries need to be able to finance large and unexpected expenditures, such as in the aftermath of major natural disasters, to support a distressed sector or to address the consequences of a major pandemic. However, debt levels in OECD countries have risen significantly in recent years.  

General government expenditures amounted to 46.3% of GDP on average across OECD countries in 2021

Between 2019 and 2021 general government expenditures as a percentage of GDP increased by 5.4 percentage points, from 40.9% in 2019. This  increase is largely explained by the COVID-19 pandemic, which led to significant economic disruption. This prompted  large-scale fiscal stimuluses, including increased spending on healthcare, social welfare programmes, and support for businesses and individuals affected by the pandemic, while at the same time GDP was falling.  

General Fiscal Balance

The fiscal balance is the difference between a government’s revenues and its expenditures. It signals if public accounts are balanced or if there are surpluses or deficits. Recurrent deficits over time imply the accumulation of public debt and may send worrying signals to consumers and investors about the sustainability of public accounts which, in turn, may deter consumption or investment decisions. Nonetheless, if debt is kept at a sustainable level, deficits can help to finance necessary public investment, or in exceptional circumstances, such as unexpected external shocks (e.g. pandemics, wars or natural disasters), can contribute to maintaining living conditions and preserving social stability. 

Related data

Related publications.

data governance act presentation

Related policy issues

  • Fiscal Frameworks Fiscal frameworks outline the government's fiscal intentions and explain how these will be implemented concretely. Well-designed fiscal frameworks provide clarity and stability in government fiscal operations, ensuring that spending on policy priorities of governments, like healthcare, education, and climate adaptation, are funded and sustainable. Additionally, they build resilience by helping governments prepare effectively for economic challenges. Learn more
  • Fiscal federalism network The OECD Network on Fiscal Relations across Levels of Government, also known as the “Fiscal Network”, provides a platform for countries to engage on intergovernmental fiscal relations and fiscal decentralisation policy issues. Its core mission is to improve the efficiency, equity and stability of fiscal systems through cross-country policy analysis and international comparisons. The Network facilitates best practice sharing through high-level meetings and maintaining a comprehensive decentralisation database, informing policymaking and reforms. Through collaborative efforts like workshops and the Fiscal Federalism publication series, the Network enables policymakers to access and contribute to research and insights on managing financial relationships across government levels. Supported by a multidisciplinary OECD team, the Network emphasises concrete outcomes, offering members a structured environment to learn, share and apply successful policy strategies. Learn more
  • Gender budgeting Gender budgeting is a public governance tool that governments can use to assess how budget decisions impact gender equality. When implemented effectively, gender budgeting helps expose how gender inequalities may have inadvertently become embedded in public policies and the allocation of resources and promotes budget measures that will be effective at closing gender gaps. Learn more
  • Green budgeting Green budgeting uses the tools of budgetary policy making to provide policy makers with a clearer understanding of the environmental and climate impacts of budgeting choices, while bringing evidence together in a systematic and co-ordinated manner for more informed decision making to fulfil national and international commitments. Learn more
  • Health budgeting Without a major policy shift, health spending is projected to outstrip both expected growth in the overall economy and in government revenues across OECD countries. Competing priorities for government spending are also squeezing health budgets. Urgent action is therefore needed to finance more resilient health systems while ensuring the fiscal sustainability of health systems. Learn more
  • Parliamentary budget offices and independent fiscal institutions Our work with parliaments and independent fiscal institutions (IFIs) supports fiscal transparency and accountability. At a time when the sustainability of public finances is under close scrutiny, these oversight institutions play a crucial role in raising the quality of the debate on fiscal policy and ensuring that public budgets are managed effectively. Learn more
  • Performance budgeting In an environment of budget constraints and high citizen expectations it is necessary to demonstrate that public expenditure is providing value for money and delivering on performance. The availability of good-quality performance information not only assists policymakers in making more informed budgetary decisions but also enables the broader public to hold the government accountable for delivering the outcomes promised to citizens. Learn more
  • Public accounts Good management of public money is vital for good governance, ensuring essential services like healthcare and education run smoothly. Public accounts track government income and spending, they show how money is managed and if the government can fund these crucial services. Learn more
  • Public debt management Prudent public debt management is critical for well-functioning national financial systems and helps to reinforce sound fiscal and monetary policies. Public debt portfolios, both in terms of their size and composition, have the potential to generate substantial risk to countries’ balance sheets and overall financial stability. The OECD promotes good practices in public debt and risk management and provides recommendations to assist policy makers in their efforts to adopt and implement prudent debt management policies. Learn more
  • Spending Reviews Spending reviews are tools for systematically analysing the government’s existing expenditure. The OECD has found that spending reviews have proved to be an important tool for governments, not only to control total expenditure by making space for more resources, but also to align spending allocations with government priorities and to improve the effectiveness of policies and programmes. Learn more

The Digital Personal Data Protection Act of India, Explained

Authors: Raktima Roy, Gabriela Zanfir-Fortuna

Raktima Roy is a Privacy Attorney with several years of experience in India and holds an LLM in Law and Technology from Georgetown University, as well as an FPF Global Privacy Intern.

The Digital Personal Data Protection Act of India ( DPDP ) sprinted through its final stages last week after several years of debates, postponements and negotiations, culminating with its publication in the Official Gazette on Friday, August 11, 2023. In just over a week, the Bill passed the lower and upper Houses of the Parliament and received Presidential assent. India, the most populous country in the world with more than 1.4 billion people, is the largest democracy and the 19th country among the G20 members to pass a comprehensive personal data protection law – which it did during its tenure holding the G20 Presidency.

The adoption of the DPDP Bill in the Parliament comes 6 years after Justice K.S. Puttaswamy v Union of India , a landmark case in which the Supreme Court of India recognized a fundamental right to privacy in India, including informational privacy, within the “right to life” provision of India’s Constitution. In this judgment, a nine-judge bench of the Supreme Court urged the Indian Government to put in place “a carefully structured regime” for the protection of personal data. As part of India’s ongoing efforts to create this regime, there have been several rounds of expert consultations and reports, and two previous versions of the bill were introduced in the Parliament in 2019 and 2022. A brief history of the law is available here . 

The law as enacted is transformational. It has a broad scope of application, borrowing from the EU’s General Data Protection Regulation (GDPR) approach when defining “personal data” and extending coverage to all entities who process personal data regardless of size or private status. The law also has significant extraterritorial application. The DPDP creates far reaching obligations, imposing narrowly defined lawful grounds for processing any personal data in a digital format, establishing purpose limitation obligations and their corollary – a duty to erase the data once the purpose is met, with seemingly no room left for secondary uses of personal data, and creates a set of rights for individuals whose personal data are collected and used, including rights to notice, access and erasure. The law also creates a supervisory authority, the Data Protection Board of India (Board), which has the power to investigate complaints and issue fines, but does not have the power to issue guidance or regulations. 

At the same time, the law provides significant exceptions for the central government and other government bodies, the degree of exemption depending on their function (such as law enforcement). Other exemptions include those for most publicly available personal data, processing for research and statistical purposes, and processing the personal data of foreigners by companies in India pursuant a contract with a foreign company (such as outsourcing companies). Some processing by startups may also be exempt, if notified by the government. The Act also empowers the central government to act upon a notification by the Board and request access to any information from an entity processing personal data, an intermediary (as defined by the Information Technology Act, 2000 – the “IT Act”) or from the Board, as well as to order suspension of access of the public to specific information. The Central Government is also empowered to adopt a multitude of “rules” (similar to regulations under US state privacy laws) that detail the application of the law. 

It is important to note that the law will not come into effect until the government provides notice of an effective date. The DPDP Act does not contain a mandated transitional period akin to the two-year gap between the 2016 enactment of the GDPR and its entry into force in May 2018. Rather, it empowers the Government to determine the dates on which different sections of the Act will come into force, including the sections governing the formation of the new Board that will oversee compliance with the law. 

This blog will lay out the most important aspects of the DPDP Act, understanding nonetheless that many of its key provisions will be shaped up through subsequent rules issued by the central government, and through practice. 

  • The DPDP Act Applies to “Data Fiduciaries,” “Significant Data Fiduciaries,” and provides rights for “Data Principals” 

The DPDP Act seeks to establish a comprehensive national framework for processing personal data, replacing a much more limited data protection framework under the IT Act and rules that currently provide basic protections to limited categories of “sensitive” personal data such as sexual orientation, health data, etc. The new law by contrast covers all “personal data” (defined as “any data about an individual who is identifiable by or in relation to such data”) and does not contain heightened protection for any special category of data. The definition of “personal data,” thus, relies on the broad “identifiability” criterion, similar to the GDPR. Only “digital” personal data, or personal data collected through non-digital means that have been digitized subsequently are covered by the law. 

The DPDP Act uses the term “data principal” to refer to the individual that the personal data relates to (the equivalent of “data subject” under the GDPR). A “data fiduciary” is the entity that determines the purposes and means of processing of personal data, alone or in conjunction with others, and is the equivalent to a “data controller” under GDPR. While the definition of data fiduciaries includes a reference to potential joint fiduciaries, the Act does not provide any other details about this relationship. 

The definition of fiduciaries does not distinguish between private and public, natural and legal persons, technically extending to any person as long as the other conditions of the law are met. 

Specific Fiduciaries, Public or Private, Are Exempted or May Be Exempted from the Core Obligations of the Act

The law includes some broad exceptions for government entities in general, and others apply to specific processing purposes. For instance, the law allows the government to exempt activities that are in the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, maintenance of public order, or preventing incitement to commit crimes if it provides notice of the exemptions. Justice Srikrishna, who as the head of an expert committee set up to recommend a data protection law in India led the creation of the 2017 first draft of the law, has been critical of these government exemptions , as have been several Members of Parliament during the legislative debate. 

Some targeted exceptions also apply to companies, and are either well defined in the law or left to the government for specification. Under what can be called an “outsourcing exception,” the Act exempts companies based in India who process the personal data of people outside of India pursuant to a contract with a company based outside of India from core DPDP obligations including the rights of access and erasure normally held by data principals. Instead, such companies are largely required to only comply with data security obligations. 

In addition, the government is empowered to exempt any category of data fiduciaries  from some or all of the law, with the DPDP itself referring to “startups” in this context. These are fairly broad provisions and do not include any guidance on how they will apply or who could benefit from them. The government will need to make a specific designation for this exception to operate.

Significant Data Fiduciaries Have Significant New Obligations, such as DPOs, DPIAs and Audits 

The DPDP Act empowers the Government to designate any data fiduciary or class of data fiduciaries as a “Significant Data Fiduciary” (SDF), which is done using a series of criteria that lack quantifiable thresholds. These factors range from assessing characteristics of the processing operations (volume and sensitivity of personal data processed and the risk posed to the rights of data principals), to broader societal and even national sovereignty concerns (potential impact of the processing on the sovereignty and integrity of India; risk to electoral democracy; security of the state; and public order).

The designation of companies as SDFs is consequential, because it comes with enhanced obligations. Chief among them, SDFs will need to appoint a Data Protection Officer (DPO), who must be based in India and be the point of contact for a required grievance redressal mechanism. SDFs must also  appoint an independent data auditor to carry out data audits and evaluate the SDF’s compliance with the DPDP Act, and to undertake periodic Data Protection Impact Assessments.

It is important to note that appointing a DPO is not an obligation for all data fiduciaries. However, all fiduciaries are under an obligation to establish a “readily available” mechanism for redressing grievances by data principals in a timely manner. In order for such a process to be operationalized, usually an internal privacy compliance function or a dedicated privacy officer would be helpful.

The DPDP Act Recognizes the Role of Data Processors

Data processors are recognized by the DPDP Act, which makes it clear that fiduciaries may engage, appoint or otherwise involve processors to process personal data on their behalf “only under a valid contract” (Section 8(2)). There are no prescribed rules for what a processing contract should entail. However, the DPDP Act places all obligations on data fiduciaries, which remain liable for complying with the law. 

Data fiduciaries remain liable for overall compliance, regardless of any contractual arrangement to the contrary with data processors. The DPDP Bill requires data fiduciaries to mandate that a processor delete data when a data principal withdraws consent, and fiduciaries be able to share information of processors they have engaged when requested by a data subject.

  • The DPDP Act Has Broad Extraterritorial Effect and Almost No Restrictions for International Data Transfers

The DPDP Act applies to the processing of “digital personal data” within India. Importantly, the definition of the “data principal” does not include any condition related to residence or citizenship, meaning that it is conceivable fiduciaries based in India who process the personal data of foreigners within the territory of the country may be covered by the Act (outside of the “outsourcing exception” mentioned above). 

The Act  also applies extraterritorially to processing of digital personal data outside India, if such processing is in connection with any activity related to offering of goods or services to data principals within India. The extraterritorial effect is similar in scope to the GDPR, and it may leave room for a broader interpretation through its inclusion of “any activity” connected to the offering of goods or services.

The DPDP Act does not currently restrict the transfer of personal data outside of India. It reverses the typical paradigm of international data transfer provisions in laws like the GDPR, by presuming that transfers may occur without restrictions, unless the Government specifically restricts transfers to certain countries (blacklisting) or enacts any other form of restriction (Section 16). No criteria for such restrictions have been mentioned in the law. This is a significant departure from previous instances of the Bill, which at one point contained data localization obligations (2018), and evolved at another point into “whitelisting” of countries (2022). 

It should also be noted that other existing sectoral laws (e.g., those governing specific industries like banking and telecommunications) already contain restrictions on cross-border transfers of particular kinds of data. The DPDP Act clarifies that existing localization mandates will not be affected by the new law. 

  • Consent Remains Primary Means for Lawful Processing of Personal Data Under the Act

Data fiduciaries are under an obligation to process personal data for a lawful purpose and only if they either obtain consent from the data principal for that purpose, or they identify a “legitimate use” consistent with Section 4. This process is conceptually similar to the approach proposed by the GDPR, requiring a lawful ground before personal data can be collected or otherwise processed. However, in contrast to the GDPR (which provides for six possible lawful grounds), the DPDP Act includes only two: strictly defined “consent” and “legitimate use.” 

Which lawful ground is used for a processing operation is consequential. Based on the wording of the Act and in the absence of further specification, the obligations of fiduciaries to give notice and respond to access, correction and erasure requests (see Section 4 of this blog) are only applicable if the processing is based on consent and on voluntary sharing of personal data by the principal. 

Valid Consent Has Strict Requirements, Is Withdrawable, And Can be Exercised Through Consent Managers

The DPDP Act requires that consent for processing of personal data be “free, specific, informed, unconditional and unambiguous with a clear affirmative action.” These conditions are similarly strict to those required under the GDPR, highlighting that the people whose personal data are processed must be free to give consent, and their consent must not be tied to other conditions.  

In order to meet the “informed” criterion, the Act requires that notice be given to principals before or at the time that they are asked to give consent. The notice must include information about the personal data to be collected, the purpose for which it will be processed, the manner in which data principals may exercise their rights under the DPDP Act, and how to make a complaint to the Board. Data principals must be given the option to receive the information in English or a local language among the languages specified in the Constitution.

The DPDP Act addresses the issue of legacy data for which companies may have received consent prior to the enactment of the law. Fiduciaries should provide the same notice to these data principals as soon as “reasonably practicable.” In that case, however, the data processing may continue until the data principal withdraws consent. 

Data fiduciaries may only process personal data for the specific purpose provided to the data principal and must obtain separate consent to process the data for a new purpose. In practice, this will make it difficult for data fiduciaries to rely on “bundled consent.” Provisions around “secondary uses” of personal data or “compatible purposes” are not addressed in the Act, making the purpose limitation requirements strict. 

Data principals may also withdraw their consent at any time – and data fiduciaries must ensure that the process for withdrawing consent is as straightforward as that for giving consent. Once consent is withdrawn, personal data must be deleted unless a legal obligation to retain data applies. Additionally, data fiduciaries must ask any processors to cease processing any personal data for which consent has been withdrawn, in the absence of legal obligations imposing data retention.

The DPDP Act allows principals to give, manage, review and withdraw their consent through a “Consent Manager,” which will be registered with the Board and must provide an accessible, transparent, and interoperable platform. Consent Managers are part of India’s “Data Empowerment And Protection Architecture” policy, and similar structures have been already functional for some time, such as in the financial sector . Under the DPDP Act, Consent Managers will be accountable to data principals and act on their behalf as per prescribed rules. The Government will notify (in the Gazette) the conditions necessary for a company to register as a Consent Manager, which may include fulfilling minimum technical or financial criteria.

“Legitimate Uses” Are Narrowly Defined and Do Not Include Legitimate Interests or Contractual Necessity

As alternative to consent, all other lawful grounds for processing personal data have been amalgamated under the “legitimate uses” section, including some grounds of processing that previously appeared under a “reasonable purposes” category in previous iterations of the bill. It is notable that the list of “legitimate uses” in Section 7 of the Act does not include similar provisions to the grounds of “contractual necessity” and “legitimate interests” found in GDPR-style data protection laws, leaving limited options to private fiduciaries for grounding processing of personal data outside of consent, including for routine or necessary processing operations. 

Among the defined “legitimate uses”, the most relevant ones for processing personal data outside of a government, emergency or public health context, are the “voluntary sharing” of personal data under Section 7(a) and the “employment purposes” use under Section 7(i). 

The lawful ground most likely to raise interpretation questions is “voluntary sharing.” It allows a fiduciary to process personal data for a specified purpose for which a principal has voluntarily provided their personal data to the data fiduciary (presumably, provided it without the fiduciary seeking to obtain consent), and for which the principal has not indicated to the fiduciary an objection to the use of the personal data. For instance, one of the illustrations included in the law to explain Section 7(a) is the hypothetical of a buyer requesting a receipt of purchase at a store be sent to her phone number, permitting the store to use the number for that purpose. There is a possibility that subsequent rules may expand this “legitimate use” to cover instances of “contractual necessity” or “legitimate interests.”

A fiduciary may also process personal data without consent for purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service to employees.

  • Data Principals Have a Limited Set of “Data Subject Rights,” But Also Obligations

The DPDP Act provides data principles a set of enumerated rights, which is limited compared to those offered under modern GDPR-style data protection laws. The DPDP guarantees a right of access and a right to erasure and correction, in addition to a right to receive notice before consent is sought (similar to the right to information in the GDPR). Thus, a right to data portability, a right to object to processing based on other grounds than consent, and the right not to be subject to solely automated decision-making are missing. 

Instead, the DPDP Act provides for two other rights – a right to “grievance redressal,” which entails the right to have an easily accessible point of contact provided by the fiduciary to respond to complaints from the principal, and a right to “appoint a nominee,” which permits the data principal to nominate someone who can exercise rights on their behalf in the event of death or incapacity.

Notably, the rights of access, erasure and correction are limited to personal data processing based on consent or the “voluntary disclosure,” legitimate use, which means that whenever government bodies or other fiduciaries rely on any of the “legitimate uses” grounds they will not need to reply to access or erasure/correction requests, unless further rules adopted by the government specify otherwise.

In addition, the right of access is quite limited in scope. It only gives data principals the right to request and obtain a summary of the personal data being processed and of the relevant processing activities (as opposed to obtaining a copy of the personal data), and the identities of all fiduciaries and processors with whom the personal data has been shared by the fiduciary, along with a summary of the data being shared. However, Section 11 of the law leaves space for subsequent rules that may specify additional information to be given access to.

Data principals have the right to request erasure of personal data pursuant to Section 12(3), but it is important to highlight that erasure may also be required automatically – after the withdrawal of consent or when the specified purpose is no longer being served (Section 8(7)(a)). Similarly, correction, completion and updating of personal data can be requested by the principal, but must also occur automatically when the personal data is “likely to be used to make a decision that affects” the principal (Section 8(3)).  

Data Principals May Be Fined if They Do Not Comply With Their Obligations

Unlike the majority of international data protection laws, Section 15 of the DPDP Act imposes duties on data principals, similar to Article 10 of Vietnam’s recently adopted Personal Data Protection Decree (titled “Obligations of data subjects”). 

These obligations include, among others, a duty not to impersonate someone else while providing personal data for a specified purpose, not suppress any material information while providing personal data for any document issued by the Government, and, significantly, not register a false or frivolous grievance or complaint. Noncompliance may result in a fine (see clause 5 of the Schedule). This may hamper the submission of complaints with the Board, per expert analysis .

  • Fiduciaries are Bound by a Principle of Accountability and Have Data Breach Notification Obligations

The DPDP Act does not articulate Principles of Processing, or Fair Information Practice Principles, but the content of several of its provisions put emphasis on purpose limitation (as explained in previous sections of the blog) and on the principle of accountability. 

Section 8 of the Act includes multiple obligations for data fiduciaries, all under an umbrella expectation in paragraph 1 that they are “responsible for complying” with the provisions of the Act and any subsequent implementation rules, both regarding processing undertaken by the data fiduciary and by any processor on its behalf. This specification echoes the GDPR accountability principle. In addition, data fiduciaries are under an obligation to implement appropriate technical and organizational measures to ensure the effective implementation of the law.

Data security is of particular importance, considering that data fiduciaries must both take reasonable security safeguards to prevent personal data breaches, and notify the Board and each affected party if such breaches occur. The details related to modalities and timeline of notification will be specified in subsequent implementation rules. 

A final obligation of data fiduciaries to highlight is the requirement they establish  a “readily available” mechanism for redressing “grievances” by data principals in a timely manner. The “grievance redress” mechanism is of utmost importance, considering that data principals cannot address the Board with a complaint until they “exhaust the opportunity of redressing” the grievance through this mechanism (Section 13(3)). The Act leaves determination of the time period for responding to grievances to delegated legislation, and it is possible that there may be different time periods for different categories of companies.

  • Fiduciaries Have a Mandate to Verify Parental Consent for Processing Personal Data of Minors under 18

The DPDP Act creates significant obligations concerning the processing of children’s personal data, with “children” defined as minors under 18 years of age, without any distinguishing sub-category for older children or teenagers. As a matter of principle, data fiduciaries are forbidden to engage in any processing of children’s data that is “likely to cause any detrimental effect on the well-being of the child.”

Data fiduciaries are under an obligation to obtain verifiable parental consent before processing the personal data of any child. Similarly, consent must be obtained from a lawful guardian before processing the data of a person with disability. This obligation, which is increasingly common to privacy and data protection laws around the world, may create many challenges in practice. A good resource for untangling its complexity and applicability is FPF’s recently published report and accompanying infographic – “ The State of Play: Is Verifiable Parental Consent Fit For Purpose? ”

Finally, the Act also includes a prohibition on data fiduciaries engaging in tracking or behavioral monitoring of children, or targeted advertising directed at children. Similar to many other provisions of the Act, the government may issue exemptions from these obligations for specific classes of fiduciaries, or may even lower the age of digital consent for children when their personal data is processed by designated data fiduciaries.

  • The Act Creates a Data Protection Board to Enforce the Law, But Reserves Regulatory Powers For the Government

The DPDP Act empowers the Government to establish the Board as an independent agency that will be responsible for enforcing the new law. The Board will be led by a Chairperson and will have Members appointed by the Government for a renewable two-year mandate.

The Board is vested with the power to receive and investigate complaints from data principals, but only after the principal has exhausted the internal grievance redress mechanism set up by the relevant data fiduciaries. The Board can issue binding orders against those who breach the law, can direct urgent measures to remediate or mitigate a data breach, imposing financial penalties and direct parties to mediation. 

While the Board is granted “the same powers as are vested in a civil court” – including summoning any person, receiving evidence, and inspecting any documents (Section 28(7)), the Act specifically excludes any access to civil courts in the application of its provisions (Section 39), creating a de facto limitation on effective judicial remedy similar to the relief provided in Article 82 GDPR. The Act grants any person affected by a decision of the Board the right to pursue an appeal in front of an Appellate Tribunal, which is designated the Telecom Disputes Settlement and Appellate Tribunal established under other Indian law.

Penalties for breaches of the law have been stipulated in a Schedule attached to DPDP Act and range from the equivalent in rupees of USD $120 to USD $30.2 million. The Board can determine the penalty amount from a preset range based on the offense. 

However, the Board does not have the power to pass regulations to further specify details related to the implementation of the Act. The Government is conferred broad discretion in adopting delegated legislation to further specify the provisions of the Act, including clarifying modalities and timelines for fiduciaries to respond to requests from data principals, the requirements of valid notice for obtaining a data principal’s consent for processing of data, details related to data breach notifications, and more. The list of operational details that may be specified by the Government in subsequent rules is open-ended and detailed in Section 40(2)(a) to (z). Subsection (z) of this provision provides a catch-all permitting the Central Government to prescribe rules on “any other matter” related to the implementation of the Act. 

In practice, it is expected that it will take time for the new Board to be established and for rules to be issued in key areas for compliance. 

Besides rulemaking power, the Central Government has another significant role in the application of the law. Pursuant to Section 36, it can require any information (including presumably personal data) that it wants (or “call for”) from the Board, data fiduciaries, and “intermediaries” as defined by the IT Act. No further specifications are made in relation to such requests, other than that they must be made “for the purposes of the Act.” This provision is broader and subject to fewer restrictions than provisions on data access requests in the existing IT Act and its subsidiary rules.

Additionally, the Central Government may also order or direct any governmental agency and any “intermediary” to block information for access by the public “in the interests of the general public.” To issue such an order, the Board will need to have sanctioned the data fiduciary concerned at least twice in the past, and the Board must advise the Central Government to issue such an order. An order blocking public access may refer to “any computer resource” that enables data fiduciaries to offer goods or services to data principals within the territory of India. While it is now common among modern comprehensive data protection laws around the world for independent supervisory authorities to order erasure of personal data unlawfully processed, or to order international data transfers or sharing of personal data to cease if conditions of the law are not met, these provisions of the DPDP Act are atypical because the orders will come directly from the Government, and also because they more closely resemble online platform regulation than privacy law.

  • Exceptions for Publicly Available Data And Processing for Research Purposes Are Notable for Training AI

Given that this law comes in the midst of a global conversation about how to regulate artificial intelligence and automated decision-making, it is critical to highlight provisions in the law that seem directed at facilitating development of AI trained on personal data. Specifically, the Act excludes from its application most publicly available personal data, as long as it was made publicly available by the data principal – for example, a blogger or a social media user publishing their personal data directly – or by someone else under a legal obligation to publish the data, such as personal data of company shareholders that regulated companies must publicly disclose by law.

Additionally, the Act exempts the processing of personal data necessary for research or statistical purposes (Section 17(2)(b)). This exemption is extremely broad, with only one limitation in the core text: the Act will still apply to research and statistical processing if the processing activity is used to make “any decision specific to the data principal.”

There is only one other instance in the DPDP Act where processing data to “make decisions” about a data principal is raised. Data fiduciaries are under an obligation to ensure the “completeness, accuracy and consistency” of personal data if it is used to make a decision that affects the data subject. In other words, while the Act does not provide for a GDPR-style right not to be subject to automated decision-making, it does require that when personal data are used for making any individual decisions, presumably including automated or algorithmic decisions, such data must be kept accurate, consistent and complete. 

Additionally, the DPDP Act remains applicable to any processing of personal data through AI systems, if the other conditions of the law are met, given the broad definitions of “processing” and of “personal data.” Further rules adopted by the Central Government or other notifications may provide more guidance in this regard.

Notably, the Act does not exempt processing of personal data for journalistic purposes, a fact criticized by the Editors’ Guild of India . In previous versions of the Bill, especially the expert version spearheaded by Justice Srikrishna in 2017, this exemption was present. It is still possible that the Central Government will address this issue through delegated legislation. 

Key Takeaways and Further Clarification

India’s data protection Act has been in the works for a significant period of time and the passage of the law is a welcome step forward after the recognition of privacy as a fundamental right in India by the Supreme Court in its landmark Puttaswamy judgment.

While the basic structure of the law is similar to many other global laws like the GDPR and its contemporaries, India’s approach has its differences, such as more limited grounds of processing, wide exemptions for government actors, regulatory powers for the government to further specify the law and to exempt specific fiduciaries or classes of fiduciaries from key obligations, no baked-in definition or heightened protection for special categories of data, and the rather unusual inclusion of powers for the Government to request access to information from fiduciaries, the Board and “intermediaries”, as well as to block access by the public to specific information in “computer resources”.

Finally, we note that many details of the Act are still left to be clarified once the new Data Protection Board of India is set up and further rules for the specification of the law are drafted and officially notified. 

Editors: Lee Matheson, Dominic Paulger, Josh Lee Kok Thong

We’re in this Together: Expert Speakers Explore Topics Related to Protecting Privacy, Security, and Online Safety for Young People in Australia

Chevron decision will impact privacy and ai regulations , ai forward: fpf’s annual dc privacy forum explores intersection of privacy and ai, comprehensive privacy anchors in the ocean state, top six major privacy enforcement trends: a u.s. legislation retrospective, reproductive rights have been privacy rights for 50 years, the world’s first binding treaty on artificial intelligence, human rights, democracy, and the rule of law: regulation of ai in broad strokes, fpf at cpdp.ai 2024: from data protection to governance of artificial intelligence – a global perspective, future of privacy forum recognizes leading careers in privacy and efforts in ai regulation with inaugural global award, newly updated guidance: fpf releases updates to the generative ai internal policy considerations resource to provide new key lessons for practitioners, posts by gabriela.

ai,related,law,concept,shown,by,robot,hand,using,lawyer

Stay Up to Date

Subscribe to receive our monthly newsletter and information about upcoming events

IMAGES

  1. The EU Data Governance Act (DGA)

    data governance act presentation

  2. The Data Governance Act (DGA)

    data governance act presentation

  3. Data Governance Act meets ToIP framework

    data governance act presentation

  4. Data Governance PowerPoint Template PPT Slides

    data governance act presentation

  5. Data Governance Roadmap PowerPoint and Google Slides Template

    data governance act presentation

  6. PPT

    data governance act presentation

VIDEO

  1. The EU Data Strategy and the Draft Data Governance Act Webinar

  2. L'UE avance sur son projet de loi Data Governance Act et ses kill switch pour smart contracts

  3. ACT Presentation- Boise State

  4. DATA GOVERNANCE presentation video

  5. is governance presentation 1

  6. CORPORATE GOVERNANCE

COMMENTS

  1. European Data Governance Act

    The Data Governance Act will also support the setup and development of Common European Data Spaces in strategic domains, involving both private and public players, in sectors such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills. The Data Governance Act entered into force on 23 June ...

  2. The EU Data Strategy and the Draft Data Governance Act Webinar

    Join the Israel Tech Policy Institute & Tel Aviv University, The Stewart & Judy Colton Law and Innovation Program for a webinar on the EU Data Strategy and t...

  3. PDF Data Governance Act

    As the first of a set of measures announced in the Data Strategy, the Commission put forward the Data Governance Act (DGA) proposal on 25 November 2020. Both the proposal and the overarching strategy integrate with Europe's 2030 Digital Compass. The Commission drew on extensive evidence from studies, stakeholder consultations and workshops for ...

  4. Data Governance Act explained

    The Data Governance Act (DGA) is a cross-sectoral instrument that aims to regulate the reuse of publicly/held, protected data, by boosting data sharing through the regulation of novel data intermediaries and by encouraging the sharing of data for altruistic purposes. Both personal and non-personal data are in scope of the DGA, and wherever ...

  5. Press corner

    The Data Act will ensure that industrial data is shared, stored and processed in full respect of European rules. It will form the cornerstone of a strong, innovative and sovereign European digital economy.". Data is a non-rival good, in the same way as streetlight or a scenic view: many people can access them at the same time, and they can be ...

  6. PDF The data act

    The proposal complements the recently adopted Data Governance Act, which aims to facilitate the voluntary sharing of data by individuals and businesses , and harmonises the rules on the use of certain public sector data might be . The proposal supplemented by additional, secondary legislation in specific sectors (e.g. car industry). ...

  7. PDF Data Act

    Data Act - Questions and Answers* Brussels, 28 June 2023 ... Following the Data Governance Act, the Data Act is the second main legislative initiatives resulting from the February 2020 European strategy for data, which aims to make the EU a leader in our data- ... protect investments in the structured presentation of data. It clarifies that ...

  8. European data governance

    The Data Governance Act (DGA) aims to make more data * available for reuse and facilitate data sharing across areas such as health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills for the benefit of European Union (EU) citizens and businesses, creating jobs and stimulating innovation.

  9. Data Act

    The new measures complement the Data Governance Act, which was the first deliverable under the European strategy for data and became applicable in September 2023. While the Data Governance Act regulates processes and structures that facilitate voluntary data sharing, the Data Act clarifies who can create value from data and under which conditions.

  10. Live Webinar: Data Act and Data Governance Act

    The Data Governance Act (DGA) and the Data Act are part of the Commission's European strategy for data aimed at creating a single market for data that ensures Europe's global competitiveness and data sovereignty.. The draft Data Act is a fundamental proposal of this strategy. It is designed to stimulate a competitive data market, present opportunities for data-driven innovations and make ...

  11. PDF AN OVERVIEW OF THE EU DATA GOVERNANCE ACT

    AN OERIEW OF THE EU DATA GOERNANCE ACT 2 November 2022 AN OVERVIEW OF THE EU DATA GOVERNANCE ACT The Data Governance Act (DGA), which creates a framework for increased data availability and re-use within the European Union (EU), entered into force on 23 June 2022. Following a grace period of 15 months, it will be applicable from 24 September 2023.

  12. Regulation

    A Union-wide governance framework should have the objective of building trust among individuals and undertakings in relation to data access, control, sharing, use and re-use, in particular by establishing appropriate mechanisms for data subjects to know and meaningfully exercise their rights, as well as with regard to the re-use of certain ...

  13. Data Governance Act

    The Data Governance Act (DGA) is the first legislative act of the European data strategy, and it was published in the Official Journal of the European Union on 3 June 2022.The DGA aims at facilitating the reuse of certain categories of protected public-sector data and increasing trust in data sharing across public sector bodies, users, data users, and data holders.

  14. (Data Governance Act) on European data governance

    on European data governance (Data Governance Act) (Text with EEA relevance) with the ordinary legislative procedure, Whereas:The Treaty on the functioning of the European Union ('TFEU') provides for the establishment of an internal market and the institution of a system ensuring that co.

  15. What you need to know about the new EU Data Act

    The EU is continuing to expand its data laws. After much anticipation and following a sneak peek of a leaked draft of the new data law in February 2022 (see: "What, another EU Data Act?!"), the European Commission has finally presented its formal draft Data Act (the EU Data Act). Below we answer some key questions about the proposed EU Data ...

  16. Looking at the Data Governance Act and Beyond: How to Better Integrate

    I. Background. High hopes have recently been placed in data intermediaries as promising tools to promote data sharing. 1 Given this 'data intermediary hype', the EU legislature passed the Data Governance Act (DGA) on 16 May 2022. 2 This core piece of legislation aims to foster the establishment of 'data intermediation services' (DISs). The general aspiration is that data intermediaries ...

  17. (PDF) White Paper on the Data Governance Act

    In November 2020, the European Commission ("EC"), adopted the Proposal for a Data Governance Act. ("DGA proposal"). It is its first legislative initiative under the 2020 European Data ...

  18. Top 7 Data Governance Templates with Examples and Samples

    Template 2: Data Governance Strategy PPT Set. This PPT Set presents a roadmap for efficient data governance strategy implementation. This template guides you through the stages of data definition and migration, data standards, validation, automation, prevention of duplication, and resolution.

  19. Data Act

    The Data Act is a proposed Regulation harmonising rules on fair access to and use of data. It will play a key role in the digital decade, helping to shape the rules for the digital economy and society. The Data Act is part of the overall European strategy for data, and complements the Data Governance Regulation of November 2020 by clarifying ...

  20. PDF Designing data governance that delivers value

    Six ways to drive data-governance excellence The organizational foundation alone, however, is not enough. Six critical practices are needed to ensure data governance creates value. 1. Secure top management's attention As the aforementioned example highlights, success with data governance requires buy-in from business leadership. The first step

  21. Data Governance

    This introduction to data governance presentation covers the inter-related DM foundational disciplines (Data Integration / DWH, Business Intelligence and Data Governance). ... Even small businesses could get in on the act, and big companies began using these tools not just for big data but also for traditional small, structured data. Insight ...

  22. An overview of the newly adopted EU Data Governance Act

    The Data Governance Act (DGA), which creates a framework for increased data availability and re-use within the European Union (EU), entered into force on 23 June 2022. Following a grace period of 15 months, it will be applicable from 24 September 2023. The DGA is a key pillar of the European Strategy for Data, seeking to promote the re-use of protected data held by public sector bodies.

  23. Data Governance

    Data Governance Processes Integrated Framework. Slide 1 of 6. Comparison Between Data Governance And Data Stewardship Ppt Infographics. Slide 1 of 5. Data strategy services with data governance showing business and it strategy. Slide 1 of 25. Data governance program powerpoint presentation slides. Slide 1 of 6.

  24. What is data governance?

    Any organization that stores data, and uses it to make business or marketing decisions, can benefit from data governance. Ensuring data privacy, data protection, and data compliance are part of data governance, but governance also encompasses data quality, management of and access to data, security measures, and enforcement of consistent data ...

  25. Regulatory reform

    Effective laws and regulations are a vital tool for policymakers to grow the economy, protect the environment and improve citizens' lives. The OECD's work on regulatory policy brings together leading global experts on better regulation, and provides advise to governments on how best to design, implement and review laws and policies to improve the well-being of society.

  26. Exploring the Relationship Between Microsoft Fabric and Microsoft

    Organizations may choose to develop or identify the data governance tools and technologies right for their current and future needs. Microsoft Purview provides a unified data governance solution to help manage and govern your on-premises, multi-cloud, and software as a service (SaaS) data. Easily create a holistic, up-to-date map of your data ...

  27. Public finance and budgets

    Public finance is the economic field focusing on the financial activities of government entities at various levels. Our work examines government expenditures, including public services, infrastructure, social welfare, defence, education, healthcare, and more. These are outlined in the national budget, reflecting financial commitments to meet obligations and provide essential services. Our ...

  28. The Digital Personal Data Protection Act of India, Explained

    The Act Creates a Data Protection Board to Enforce the Law, But Reserves Regulatory Powers For the Government; The DPDP Act empowers the Government to establish the Board as an independent agency that will be responsible for enforcing the new law. The Board will be led by a Chairperson and will have Members appointed by the Government for a ...

  29. Intel Demonstrates First Fully Integrated Optical I/O Chiplet

    What It Does: This first OCI chiplet is designed to support 64 channels of 32 gigabits per second (Gbps) data transmission in each direction on up to 100 meters of fiber optics and is expected to address AI infrastructure's growing demands for higher bandwidth, lower power consumption and longer reach.It enables future scalability of CPU/GPU cluster connectivity and novel compute ...