The construction of a new framework
Data Governance Act (DGA) aims at creating a single EU market for data (personal or non-personal) and provides for a new legal framework for data sharing from data holder to data user. The new legal framework arising from DGA should improve the flow of data within European cross-sectoral value chains and create specific data common spaces in various sectors of the economy.
This new legal framework does not leave aside the issue of data transfers outside the EU. In this respect, DGA provides for specific obligations depending on the status of the data holder (i.e. public sector bodies, intermediation service provider or data altruism organisations) and of the third country concerned.
Given their specific status and varying importance in each Member State, the transfer of data held by public sector bodies is governed by a specific framework imposed by the DGA.
Public sector data covered by the DGA
The European legislator underlines in the recitals of the DGA the fact that, as data has been generated or collected by public sector bodies or other entities at the expense of public budgets (e.g. health institutions, transport authorities, statistical offices), it should benefit society. Therefore, the disclosure and reuse of such data held by public bodies should be the general rule, but nevertheless subject to specific requirements.
The problem comes when specific categories of data cannot be provided to re-users since third parties rights (such as right to privacy) or Public Administration rights (such as intellectual property, trade secrets) could be affected. Under the current re-use regime of Open Data Directive, there are existing impediments to provide data subject to such third parties’ rights. Therefore the DGA has been created to permit the re-use of data that requires particular protection. In particular, DGA (art. 3(1)) provides for this list of categories of data qualified as “protected data” that may be put at the disposal of re-users: (i) commercial confidentiality, including business, professional and company secrets, (ii) statistical confidentiality, (iii) the protection of IP of third parties, or (iv) the protection of personal data.
The re-use of data under the DGA is authorized as there are specific measures to prevent the misuse of the information:
- Contractual commitments and compliance with DGA;
- Technical measures, such as the anonymization of personal data, the modification of confidential information, on-premise or remote re-use, etc.
However, this protection could be undermined or ignored if the re-user is not directly bound by the DGA or by enforceable contractual or regulatory commitments. This situation may be more likely to happen if data is initially transferred to countries where the enforcement of DGA or the commitment is not guaranteed in the same level as in the European Union. In fact, the European Union is concerned about the potential IP theft or industrial espionage or sovereignty impacts that the misuse or reversion of technical safeguards could pose in third countries.
Therefore, the DGA contains specific safeguards to be adopted for the transfer of protected data to countries outside the EU.
Transfer of certain categories of protected data held by public sector bodies
Data users who re-use such protected data held by a body public will be entitled to transfer outside the EU only non-personal confidential data or data protected by intellectual property rights (i.e. personal data transfers are not allowed). Besides, the following conditions need to be met:
- Mandatory prior information to the public sector body for any transfer of non-personal data: a re-user that intends to transfer non-personal data outside the European Union shall inform the public sector body of this intended transfer and of its purpose, at the time of requesting the re-use of such data;
- Mandatory contractual commitment: when a re-user wishes to transfer the data to a third country, it shall (i) commit to respect the conditions imposed by the public administration even after the transfer and (ii) accept the jurisdiction of the courts of the “exporting” member state. This commitment may have the form of “model contractual clause” as published by the European Commission.
Such commitment is not required when the European Commission has adopted an implementing act declaring that the legal, supervisory and enforcement arrangements of a third country (i) ensures protection of intellectual property and trade secrets in a way that is equivalent to the protection ensured under EU law, (ii) are being effectively applied and enforced; and (iii) provides effective judicial redress; and
- Potential authorization requirements: where the re-use is subject to the permission from the data holders whose IP / trade or commercial secret etc. may be breached, the transfer to the third-country shall also be specifically authorized by the legal person;
In addition, the transfer of certain specific categories of non-personal data held by public sector bodies that are deemed to be highly sensitive according to specific UE law will have to meet specific conditions set by a delegated act adopted by the European Commission. Such an exception is however limited to non-personal data categories whose transfer to third countries may put at risk Union public policy objectives, such as safety and public health or may lead to the risk of re-identification of non-personal, anonymised data.
The concept of data transfer under DGA
The DGA does not provide any definition of a data transfer. Yet, the Schrems case law surrounding the interpretation of the concept of transfer under the GDPR should have encouraged the legislator to provide a definition. But the legislator did not follow this path, although conceptual and effective links were created between the two regulations.
During the adoption process, the European legislator had to find a convergence between the existing provisions of the GDPR and the provisions of the DGA regarding transfer.
As a result, the recitals of the DGA explicitly state that the implementation of the latter should not prevent cross-border transfers of data in accordance with Chapter V of GDPR. In the event of a conflict between the DGA and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data should prevail.
The connection between these two regulations is also illustrated by the fact that the European legislator has recognized in one of the recitals of the DGA, the competence of data protection authorities to assess the provisions of this regulation. While the scope of application of the two texts is different, it seems consistent to consider that the definition of a data transfer under the DGA should not differ from the one used under the GDPR (always taking into account that under the DGA, international transfers concern non-personal data).
Therefore, one can reasonably assume that in the absence of such definition, the most conservative and consistent approach would consist in relating to the one provided by the GDPR and by the European Data Protection Board, as well as by the European Union Court of Justice, and to classify as data transfer under DGA : any communication, remote availability or access, copy or transfer, regardless of the medium, publicly or not, of data to be processed in or from a country outside the European Union.
Nevertheless, it took years to EU regulators to clarify the scope and definition of a transfer, from 1995 until 2016 and since the application of the GDPR 5 years ago. Indeed, a “transfer” is deemed occurring even when data do not move from the EU territory, insofar as a reasonably potential remote access to data would be made available (either technically of under a foreign law) to an unknown third party located outside of the EU, having no direct or contractual relationship whatsoever with the initial EU data producer. The width of such interpretation of a “data transfer” and its subsequent consequences, may not be obvious to all of those who will consider being solely subject to the DGA , but not the GDPR.
Entry into force and application
DGA is already into force and will apply from September 24, 2023. Companies willing to re-using protected data deemed transferable outside the European Union, should priorly assess how this data transfer can take place and whether it should be .
Companies that operate and circulate data inside and outside the EU need to make sure that this transfer is DGA compliant in order to avoid any risk of sanction. The DGA is an important legal innovation that is construed to enable the European single market gaining substantial competitiveness, by creating secured data flows and will allow the companies that feed it with information to do so, in complete trust. Regardless the achievement of these expectations, it is now time to enter into strategic, regulatory, legal, contractual, technical and practical assessments.
Next steps
- Determine whether the re-use of protected information held by public bodies is interesting for your business;
- Assess whether the re-use of such data involves a transfer of data to a third country;
- Assess how to comply with the requirements applicable to the re-use of data and the data transfer.
Authored by Etienne Drouard, Anaïs Ligot, Joséphine Beaufour, Juan Ramon Robles, Remy Schlich, and Théophile Tsimaratos.
