What to know about the reuse of data held by the public sector under the EU Data Governance Act

Data Leaders members can download our full 25-page report and connect with peers via the Data Leaders Hub.

As we delve into the EU Data Governance Act (DGA), it’s crucial to note that one of its key areas of regulation is the reuse of specific categories of data held by public sector bodies. This legal framework is designed to unlock a wealth of data, both personal and non-personal, for reuse across various sectors, including businesses and academic research, thereby paving the way for exciting new possibilities.

In addition to the GDPR, inbuilt safeguards proposed by the DGA will foster trust in data sharing and reuse, unfolding new opportunities, such as through data enrichment, and enabling more accurate and effective operations.

Regardless of the industry, for data leaders who are already accessing or considering accessing data held by the public sector in the EU for reuse, it’s imperative to grasp the intricacies of this new regulation. This understanding will not only help them navigate their rights but also empower them to fully exploit the potential it offers. Similarly, data leaders from the public sector need to familiarise themselves with the framework for compliance and to identify new opportunities for service enhancements.

Categories of data held by the Public Sector covered by the Data Governance Act

The following are the categories of data held by the Public Sector subjected to the Data Governance Act. The categories encompass data that are protected due to:

  • commercial confidentiality
  • statistical confidentiality
  • intellectual property rights
  • to be personal data not regulated by the Open Data Directive.

In order to reuse these categories of data held by the public sector, both reusers and public bodies need to comply with a range of conditions. To help better understand the conditions established by the Act, we have categorised them into technical, operational, contractual, and international data transfer conditions.

Technical conditions for data reuse

In summary, to ensure the secure reuse of protected data, public sector bodies must take the following measures:

1. Data Anonymisation and Modification
– Personal data must be anonymised.
– Commercially confidential information (e.g., trade secrets, intellectual property) should be modified, aggregated, or otherwise processed to prevent unauthorised disclosure.

2. Secure Processing Environments
– Protected data can be accessed and reused either remotely in a secure processing environment managed by the public sector body, or on-site if remote access compromises third-party rights and interests. ‘Secure processing environment’ means the physical or virtual environment and organisational means to ensure compliance with Union law, in particular with regard to data subjects’ rights, intellectual property rights, and commercial and statistical confidentiality, integrity and accessibility. The secure processing environment shall allow public bodies to determine and supervise all data processing actions.

3. Preservation of System Integrity
– Regardless of the access method (remote or physical), public sector bodies must enforce conditions that safeguard the technical integrity of the secure processing environment.

Operational and contractual conditions for data reuse

In a nutshell, to maintain the integrity of protected data, public sector bodies and reusers must adhere to the following guidelines:

Public Sector Bodies Responsibilities
1. Verification: They must check the processes, means, and results of data processing conducted by reusers.
2. Prohibition of Harmful Use: They should forbid the use of processing results that might compromise third-party rights, ensuring decisions are clear and transparent to reusers.
3. Conditional Reuse: Reuse of data should be contingent on the reuser committing to confidentiality, specifically forbidding the disclosure of any information that could harm third-party rights.

Reusers’ Obligations
1. Non-Re-identification: They are prohibited from re-identifying individuals related to the data.
2. Preventive Measures: Reusers must implement technical and operational measures to avoid re-identification.
3. Breach Notification: They must report any data breaches that result in re-identification.
4. Inform Affected Parties: They should notify legal entities whose rights could be impacted by unauthorized non-personal data reuse.
5. Intellectual Property Compliance: Reusers are required to respect intellectual property rights.

Additional Guidelines
– If access to certain data cannot be granted, public sector bodies should help potential reusers obtain consent from individuals for personal data reuse or from holders of non-personal data whose rights might be impacted.
– Confidential data, such as trade secrets, can only be disclosed for reuse with appropriate consent or permission.

Conditions for international data transfer

Finally, to summarise, for reusers planning to transfer protected non-personal data held by public sector bodies to a third country, the following procedures and obligations are established:

Initial Requirements for Reusers
1. Notification of Intent: Reusers must inform the public sector body about their intention to transfer the data internationally.
2. Purpose Disclosure: They must also specify the purpose of the data transfer.
3. Permission Requirement: Obtain permission from the legal entity whose rights and interests might be affected by the data reuse.

Conditions for Transferring Confidential or IP-Protected Data
1. IP Rights Compliance: Reusers must commit to adhering to intellectual property rights even after the data is transferred.
2. Permission from Affected Parties: They must secure permission from the legal entity whose rights could be impacted by the data reuse.
3. Legal Jurisdiction Agreement: Reusers must accept the jurisdiction of the courts of the Member State from which the data is being transferred for any disputes related to the data transfer contract.

Conditions of reuse under Data Governance Act

The Data Governance Act makes it clear that the conditions imposed for data reuse shall be:

  • not used to restrict competition
  • objectively justified
  • proportionate
  • transparent, and,
  • non-discriminatory
Infographic with donut graph showing 5 conditions: Not used to restrict competition Objectively justified Proportionate Transparent Non-discriminatory

Granting exclusivity to data

The rules implemented by the Data Governance Act aim to improve data availability. One of them is the prohibition of exclusive arrangements to access data held by the Public Sector. The only exception to this prohibition applies when the exclusive right is needed to provide services or supply products in the general public interest that would not otherwise be possible.

Competent bodies

To support public sector bodies in complying with the new framework, Member States must designate competent bodies whose role is to provide technical, contractual support to facilitate the reuse of data. In addition, Member States must set up a single information point to help potential reusers find relevant information on what data is held by which public sector bodies and the conditions and fees for reusing such data.

For more on the EU Data Governance Act, check out other posts in our Data Law series.

Ensure you get stories like this and many more interesting insights from data and analytics leaders like you – directly to your inbox – by signing up to our newsletter. Would like to become a member? Get in touch!

Membership

Make better informed decisions by assessing your data and analytics capability and use community intelligence to close the gap between strategy and execution.

Newsletter

Essential Data monthly newsletter is where you can discover limited availability articles, guides and frameworks otherwise only accessible to our members.