Data Governance Act

CEDAR emerges at a pivotal moment of legislative transformation within the European Union. New regulations, specifically the Data Governance Act and the Data Act, form the backbone of the European data strategy. Both of these critical pieces of legislation aim to balance the protection of citizens' rights and interests with the encouragement of industrial and technological development.

The "European Data Strategy" itself strives to establish a unified data market within the EU. This vision facilitates the unrestricted flow of data across borders and industry sectors, stimulating innovation and economic prosperity. It prioritises both control and fairness, empowering Europeans with ownership of their data while enabling businesses to flourish in the data-driven economy. This strategy paves the way for the creation of Common European Data Spaces, a single market for data that ensures legally compliant use of data from both the EU and third countries, irrespective of its storage location.

Here is a short overview of these two important regulations.

Data Governance Act (DGA)

The Data Governance Act (DGA) is the first pillar of the European Data Strategy. 

It is a comprehensive regulation designed to govern the reuse of publicly held data, promoting data sharing through new intermediaries and encouraging altruistic data sharing. It covers both personal and non-personal data, with the General Data Protection Regulation (GDPR) applying to personal data. The DGA includes built-in safeguards to enhance trust in data sharing and reuse, which is essential for increasing data availability in the market.

It entered into force on 23 June 2022 and, following a 15-month grace period, is applicable from September 2023.

What are the key points?

1 - Re-use of certain categories of protected data held by public sector bodies

The DGA encourages the re-use of public sector data by non-public sector bodies and sets rules for the re-use of certain protected data accessible to public sector bodies. While it doesn't mandate public bodies to allow re-use, the DGA establishes technical requirements, assistance mandates, limits on exclusive re-use agreements, reasonable fee structures, and decision-making timelines. It also requires the establishment of single information points and a European register for protected public sector data to facilitate re-use. The DGA aims to extract knowledge from protected data while maintaining its confidentiality, promoting data re-use across the internal market and beyond.

2 - Data intermediation services as a “key role in the data economy”

The DGA promotes voluntary data sharing and aims to counter the dominance of large tech companies by facilitating data exchange through intermediation services. These services act as neutral third parties, connecting SMEs and start-ups with data users, charging for facilitating data sharing without using the data for direct financial gain. To ensure neutrality, intermediaries must comply with strict requirements, including structural separation, non-discriminatory terms, and using acquired data only to improve the service. Both standalone and additional service providers can be intermediaries, subject to strict separation. They must notify the competent authority, which monitors compliance, and upon confirmation, they can operate as recognized data intermediaries.

3 - Data altruism - increasing the availability of data by voluntarily donating data

The DGA promotes data altruism for the common good, encouraging voluntary data donation by recognized non-profit entities. These organisations must meet transparency requirements, provide safeguards for data donors, and comply with a rulebook outlining specific requirements. The DGA aims to increase data availability for economic, research, and environmental purposes. The Commission has established an EU-level register of recognized data altruism organisations and a common European consent form for uniform data collection.

Data Act

The Data Act is the second pillar of the European Data Strategy, complementing the Data Governance Act. 

It aims to enhance the EU's data economy and foster a competitive data market. It focuses on making industrial data more accessible and usable, encouraging data-driven innovation, and increasing data availability. 

The Act ensures fairness in data value allocation and clarifies data usage conditions. With the rapid growth of connected products in the EU, the Act gives users greater control over generated data and lays down general conditions for data sharing obligations. 

It also includes measures to promote fairness and competition in the European cloud market, protect companies from unfair contractual terms, and establish a mechanism for public sector data requests. 

Additionally, it introduces safeguards to prevent third-country government bodies from accessing non-personal data in violation of EU or national law. The Data Act, complementing the Data Governance Act, aims to establish an EU single market for data, positioning Europe as a leader in the data economy for the benefit of the economy and society.

It is effective from January 2024 and will be applicable from September 2025.

What are the key points?

1 - Business-to-Business (B2B) and Business-to-Consumer (B2C) Data Sharing

The Data Act aims to create fairness in the data economy and empower users to access and share the data they generate from using connected products and related services. It allows users to directly share their data with third parties or request data holders to do so, while protecting trade secrets and security. 

2 - Mandatory Business-to-Business Data Sharing

It allows data holders obligated to share data with businesses to request reasonable compensation, covering costs for dissemination, storage, and making data available. However, micro companies, SMEs, and non-profit research organisations cannot be charged more than the costs incurred for making the data available.

3 - Unfair Contractual Terms

It protects European businesses, especially small ones, from unfair data access contracts. Bigger companies can't force unfair terms (like limited liability) on smaller businesses when acquiring data. The Act defines specific unfair terms and gives options to challenge presumed unfair ones.

4 - Business-to-Government Data Sharing

Public sector bodies can access privately held data in exceptional circumstances, such as public emergencies or specific public interest tasks, under strict conditions.

5 - Switching between Data Processing Services

It makes it easier to switch cloud service providers. Currently, high fees make switching difficult. The Act will make it free, fast, and easy, allowing customers to choose the best service and providers to gain a larger pool of customers. This reduces the power imbalance between providers and customers by requiring clear contracts and allowing easy data transfer in a standard format.

6 - Unlawful Third Country Government Access

Safeguards are established to prevent non-EU governments from accessing non-personal data held in the EU in violation of EU or national laws. While the Act allows data transfer, it prioritizes EU laws and individual rights. It sets rules for these requests and ensures data stays protected even when transferred. This doesn't affect legal international cooperation.

7 - Interoperability

Essential requirements are set to ensure data interoperability within and between Common European Data Spaces, fostering research and innovation, and allowing companies to switch cloud service providers more easily.

8 - Enforcement and overarching Provisions

Member States will designate competent authorities to ensure efficient implementation, with penalties for infringements.

Comments

Both regulations form a crucial part of the EU Commission's comprehensive framework aimed at tackling unresolved data governance issues and unlocking the full potential of data in the EU. 

Similarities 

Both acts promote data sharing and utilisation, with the Data Governance Act creating mechanisms for data sharing and the reuse of public sector information, while the Data Act regulates the use of data generated by connected devices and services. 

Both acts include provisions to ensure that data handling complies with EU standards on data protection, privacy, and security, complementing the GDPR. Furthermore, by facilitating easier access to and sharing of data, both acts support the EU’s vision of a seamless Digital Single Market, where data flows freely across borders under a common regulatory framework.

Differences

The Data Governance Act focuses on the governance of data sharing across sectors, including public sector data, and establishes a framework for data intermediation services to operate in a trustworthy manner. On the other hand, the Data Act primarily targets the economic aspects of data generated by IoT devices and services, addressing issues like who can use and access different types of data and under what conditions. 

The Data Governance Act emphasises the establishment of data intermediaries that are neutral and trusted, facilitating data sharing and reuse, particularly for public sector data, while the Data Act deals more with the rights related to data generated by products and services, including B2B and B2C relations, focusing on fairness in the digital ecosystem.

Together, these acts will facilitate reliable and secure data access, promoting its use in vital economic sectors and public interest areas, ultimately contributing to the establishment of a single EU data market, benefiting the European economy and society as a whole.