One of the main regulations in the EU data strategy is the proposed Data Governance Act. In the bulletin of November 11th, we described its general aspects; in this one, we focus on its impact on the rules laid down by the GDPR, in particular on the three situations that the proposal sets out to address:
- re-use and relevant conditions, within the Union, of data held by public sector bodies
- provision of data sharing services, subject to mandatory notification and supervision
- data altruism, subject to a voluntary registration regime.
Subject matter and scope
The act – which is inspired by the FAIR principles for data management and reuse: Findable, Accessible, Interoperable, and Reusable – complements the Open Data Directive (EU) 2019/1024; like the latter, it addresses the reuse of public sector data, but unlike the directive, it addresses data that are not free as they are subject to third-party rights.
Although the scope of the DGA includes personal data, there is no clear indication in the operative part of the proposal that the GDPR has exclusive authority to regulate the use of such data; on the contrary, certain provisions of the DGA are not easily compatible with the GDPR or may even conflict with its requirements.
For example, the proposal places ‘the rights and interests’ of individuals and of legal entities with regard to their data on the same level (Articles 9(c) and 19), contrary to the consideration that the rights of individuals with regard to their personal data are derived from the protection of dignity and other fundamental rights, whereas this is not the case with regard to legal entities.
Competent bodies and authorities
In the DGA, as in the ePrivacy Regulation proposal and in the Artificial Intelligence Regulation proposal, the Commission proposes the establishment of independent authorities, such as the authority for the notification tasks of data sharing service providers (art. 12) and the competent authority for the registration and compliance of data protection bodies (art. 20), as well as a European coordination committee (chapter VI), whose prerogatives interfere with those of the privacy supervisory authorities and the EDPB.
The identification of such authorities and committees, distinct from privacy authorities despite the close correlation of tasks and functions, generates operational complexity, may lead to confusion and operational burdens, and may also create the risk of inconsistency and divergence in regulatory approaches across the Union. As highlighted by the aforementioned joint opinion of EDPB and EDPS, “data protection supervisory authorities should be solely responsible for overseeing such processing of personal data.”