EU Data Governance Act Will Set New Standards for Public Data Access

Axel Spies

German attorney-at-law (Rechtsanwalt)

Dr. Axel Spies is a German attorney (Rechtsanwalt) in Washington, DC, and co-publisher of the German journals Multi-Media-Recht (MMR) and Zeitschrift für Datenschutz (ZD).

Government institutions hold a wealth of information. Wouldn’t it be beneficial if everyone had fair access to this trove—for instance, for research to develop new vaccines or to operate driverless cars safely on public roads? The legal framework for public sector information and access to it is guided by the Open Data Principle. According to this principle that is already enshrined in several EU laws (e.g. the 2019 Open Data Directive), the public sector in the EU should make their databases available to everyone at the lowest cost or, where possible, free of charge. But there are various legal and practical restrictions that need to be overcome.

Open Data Principle in the Coalition Treaty

The idea that the principle of Open Data also applies to administrations or other public bodies is relatively new. Obviously, not every data set that the public sector holds can be released to the private sector. Certain data sets must remain secret, e.g. to protect national security or the personal data of individuals. “Open Data” and “Data Governance” are not legal terms in Germany. Simply put, Data Governance means the process of managing the availability, usability, integrity, and security of the data by and within companies or public bodies. “Open Data” is part of the process to make the data available.

This issue is on the agenda that the three parties forming the new coalition government (SPD, FDP, and the Greens) have agreed upon. Their Coalition Treaty, although not legally binding, states the following on data governance for the public sector: “We are leveraging the potential of data for all by supporting the development of data infrastructures and launching instruments such as data trustees, data hubs and data donations together with business, science and civil society. (…) A data institute should drive data availability and standardization, establish data trustee models and licenses. (…) With a data law, we will create the necessary legal basis for these measures” (line 451). The Coalition Treaty also addresses access to the data: “We will introduce a legal right to Open Data and improving the data expertise of public bodies. The General Data Protection Regulation (GDPR) is a good international standard-setter” (line 464).

Since the new German Government just came into office, it remains unclear when it will propose a bill, discussed in Germany as the Data Act. It is likely that the new Government (as was the case for the former Merkel Government) will look at the legislative initiatives in Brussels and try to influence them before it sends a bill for a German Data Act or a similar legislative measure to the Bundestag.

Waiting for Brussels and Its EU Data Governance Act

In this sense, the proposed EU Data Governance Act (DGA) will heavily influence the rules in Germany. The draft DGA is the first stage of implementing the European Data Strategy and will take the form of a regulation that will be directly binding on all Member States. The European Commission initiated the legislative proposal of the draft DGA on November 25, 2020. On December 1, 2021, the European Parliament and the European Council found agreement on the draft DGA. The next step is for the draft DGA to be reviewed by the European Parliament and he European Council. Adoption in 2022 is likely.

The Draft DGA aims to allow sharing of protected data, e.g. personal data, trade secrets, and protected intellectual property rights, between businesses and governments in safe “common European data spaces” and to create a single market for data. The European Commission stated that the introduction of the DGA would allow businesses to benefit from a reduction in costs for acquiring, integrating, and processing data, which would enable them to develop new data-driven products and services. A European Data Innovation Board will be established as another supervisory body.

The DGA concerns sensitive public sector data that are usually only accessible in special cases to ensure data privacy. Thanks to advanced technologies, their use is now possible while respecting the rights of third parties that are affected by the data. To tap the potential of such data beyond the 2019 Open Data Directive, the EU legislator intends to combine technology, institutions, and procedures for the best data governance approach. The DGA will result in significantly more differentiated rules for public sector data, for example:

  1. The DGA does not impose an obligation to make data accessible for further use, but only sets the conditions and procedures throughout the EU for making the data available.
  2. The DGA will only apply to a subset of all data held by public bodies, namely, to data sets that are protected for reasons of commercial or statistical secrecy, intellectual properties of third parties, or because it relates to individuals that are protected by the EU General Data Protection Regulation (GDPR) where the interests of third parties could be affected when these data sets are released.
  3. The releasing public body will have to avoid creating exclusive rights for the reuse of data, so that many parties can benefit from the release.

Whereas the rules of the DGA do not trigger an obligation for public bodies to allow further use of data, public bodies in the EU making the data available for non-commercial and commercial purposes will have to comply with the DGA throughout the EU. The DGA should make it easier for companies or non-profit organizations to access the data sets. The GDPR will continue to apply EU wide if personal data are released. The flipside is that the DGA will elevate public data holders to the status of auditing, processing, and monitoring authorities, who will also provide the technical infrastructure for this purpose. The public sector is thus given a more active role in data intermediation. It remains to be seen whether the public sector in the EU will be up to that task and will receive the necessary funding.

The views expressed are those of the author(s) alone. They do not necessarily reflect the views of the American-German Institute.