EU Data Governance Act
The EU Data Governance Act builds trust mechanisms for data sharing, regulating data intermediaries, public-sector data reuse, and data altruism. Applicable since September 2023, it is enforced by national competent authorities.
Overview
The EU Data Governance Act (DGA), Regulation (EU) 2022/868, is a horizontal regulation designed to increase trust in data sharing and to make more data available for reuse across the European Union. Adopted in 2022, it became applicable in September 2023. It complements the Data Act: where the Data Act sets rights and obligations around access to specific data, the DGA builds the institutional and trust framework that enables voluntary data sharing.
The DGA addresses four areas: reuse of protected public-sector data, regulation of data intermediation services, data altruism, and coordination through a European Data Innovation Board.
Who It Applies To
The regulation applies to public-sector bodies holding protected data, providers of data intermediation services that connect data holders with data users, organizations engaging in data altruism, and the data users and holders who participate in these arrangements. It is relevant to companies building data-sharing platforms or marketplaces operating in the EU.
Key Requirements
Public bodies may allow reuse of certain protected data (such as data subject to confidentiality or third-party IP) under conditions that preserve protection, including secure processing environments and anonymization. Data intermediation service providers must notify a competent authority, act as neutral third parties, keep intermediation structurally separate from other services, and meet conditions ensuring they do not exploit the data they broker. Recognized data altruism organizations must register, operate on a not-for-profit basis, and meet transparency and safeguarding rules.
Penalties for Non-Compliance
Member states designate competent authorities and set penalties for infringements, which must be effective, proportionate, and dissuasive. Authorities can require corrective action and, for non-compliant intermediaries or altruism organizations, suspend or end the ability to operate under the framework's protected labels.
How to Comply
Organizations operating data intermediation services in the EU should notify the relevant authority, enforce strict neutrality and structural separation, and document safeguards. Entities pursuing data altruism should register and meet transparency obligations. Public bodies should establish secure processing environments and conditions for reuse. Align practices with GDPR for any personal data involved.