Data Governance Act. Blowing away barriers to accessing data held by public entities

The European Union has already enacted several Directives to allow (or mandate) the possibility for companies to access and re-use the data held by EU public administrations in the European Union. However, in many cases this access is still not allowed, where data is protected by laws that impede access to it by private entities. This is the case of personal data, data protected by some intellectual property provisions or by specific trade secret laws, etc. that cannot be generally shared by public administrations. The incoming Data Governance Act (still under legislative process) aims to provide new legal tools to enable the sharing of such data.

Context: the European Strategy for data

The European Union institutions and bodies (the EU) are aware that data is an essential resource for economic growth, competitiveness, innovation, job creation and societal progress in general. In order to maximize the possibilities of the use of data, while safeguarding the rights of EU citizens, the European Commission has developed the European Strategy for Data. The European strategy for data aims at creating a single market for data that will ensure Europe’s global competitiveness and data sovereignty.

As part of this strategy, the EU has the intention, through new legal tools, to facilitate initiatives that would make data more widely available by opening up high-value publicly held datasets across the EU, allowing their reuse for free or at a proportionate charge.

In the words of the EU Commission,

"the data governance act will increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data" and "will also support the set-up and development of common European data spaces in strategic domains, involving both private and public players: health, environment, energy, agriculture, mobility, finance, manufacturing, public administration and skills".

Current EU Open Data Directive weak points

The EU has enacted several legal tools to allow the access to data held by public administrations by the wider society. The main Directive that has been enacted in this sense is the Open Data Directive. The main objective of this Directive is to enable re-use of all data held by public administrations by anyone (including companies), by fostering standard, machine-readable, accessible, interoperable, etc. formats, through well-designed APIs. The term “Data” in the Directive should be interpreted as having an extremely wide scope, to include any kind of documents and dynamic data, for example environmental, traffic, satellite, meteorological and sensor generated data.

However, the Open Data Directive has excluded from its scope data protected by different laws or provisions. For instance:

  • Documents, such as sensitive data, which are excluded from access, including on grounds of commercial confidentiality (including business, professional or company secrets);

  • Data protected by intellectual property rights of third parties; and

  • Documents that contain personal data.

The problem here is that the exception for the access to the data is so broad, that at the end of the day a high amount of data cannot be accessed and re-used which, as stated in the Data Governance Act, "has led to the underutilisation of such data".

In the context of the aforementioned aims, it is important to understand that certain categories of information will still be protected and out of the scope of the Data Governance Act, such as data held by public undertakings, public service broadcasters, data protected for reasons of national security, defence.

Opening re-use of “restricted” information through the Data Governance Act

In view of this underutilization of data, the EU Commission has developed its Proposal for the Data Governance Act. The key elements are:

  • That each EU member state will have to create one or several bodies with the objective to support public administrations to allow the re-use of data, by providing technical and organizational support.
  • That in principle, each public administration will need to make publicly available the conditions for allowing the re-use of data, which must be non-discriminatory, proportionate and objectively justified. In this sense, there is a general prohibition of exclusive arrangements to restrict the availability of data for re-use (with some restricted and specific exceptions on the grounds of public interest).

The conditions for re-use of data may include:

  • The need to anonymize / pseudonymize the information before sharing;
  • The need to access that information only within technical environments provided and controlled by the Administration (even at the physical premises in which the secure processing environment is located, if remote access is not possible).
  • The public sector body shall be able to verify any results of processing of data undertaken by the re-user and reserve the right to prohibit the use of results that contain information jeopardising the rights and interests of third parties.
  • If under the GDPR there is no other legal basis to allow the sharing of personal data but the consent of the data subjects, the public administration shall support re-users in seeking consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected by such re-use.
  • The IP right of the maker of a database as provided for in Directive 96/9 shall not be exercised by public sector bodies in order to prevent the re-use of data.

The access may be subject to fees, but those fees shall be proportionate, objectively justified, non-discriminatory and shall not restrict free competition.

Potential prohibitions on data transfer outside the EU

The EU is aware that the conditions of re-use imposed by the public administration may not be enforceable in third countries, with the risk of "unlawful access that may lead to IP theft or industrial espionage". Therefore, if the public administration has considered that the data available for re-use is to be considered confidential or protected by intellectual property rights, it may prohibit the transfer of such data outside the EU.

There are some derogations to this prohibition:

  • Countries that the European Commission has declared as providing an equivalent level of protection.
  • In cases where the country has not been declared "safe", the re-user could still access the data if it accepts contractual obligations to ensure the protection of data, such us a declaration of compliance with the Data Governance Act and accepting the jurisdiction of the EU courts in relation to the same.

Where data qualifies as "highly sensitive" further restrictions can be imposed to allow data to be transferred outside the European Union.

Data Sharing Services

One of the main opportunities for business under the Data Governance Act is the creation of data sharing service providers, that will act as intermediaries between public administrations and companies with the aim of re-use. These data sharing services will be instructed to prepare the data to adapt it to the need of the re-user, while ensuring compliance with the conditions of re-use imposed by the public administration.

There is a strict framework for data sharing services. For example, such service providers will be required to notify the relevant authorities under the Data Governance Act and will not be allowed to use the data for their own purposes.

Next steps

The Data Governance Act will bring new opportunities for companies with interest in data held by the public sector in the European Union. In this sense:

  • The legislative process of the Data Governance Act should be carefully monitored. Companies may be interested in carrying out lobbying actions as the final wording may change.
  • Companies specialized in providing algorithms as service to other companies or administrations should identify business opportunities to qualify as data sharing providers.
  • Companies with interest in re-using data should start identifying specific administrations with "interesting" data, to be at the forefront of this opportunity.
  • Businesses should consider putting in place all adequate measures to make sure that all resulting intangible assets are correctly protected and to ensure compliance with applicable laws (in particular data protection laws).



Authored by Gonzalo F. Gállego and Juan Ramón Robles.



This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.