Trending Articles

Blog Post


The Impact of the EU Data Governance Act on Modern Data Handliang

The Impact of the EU Data Governance Act on Modern Data Handliang

September 24, 2023, marks the full application of the majority of the provisions of the EU Data Governance Act (DGA). The transition period of 15 months for this law enacted on June 23, 2022, has lapsed. This may sound like a non-event for many, but it is an important date for organizations that generate data.

The DGA is aimed at enhancing the availability of data for altruistic purposes. It sets rules or regulations on how data goes through novel data intermediaries. To be clear, it does not redo already existing regulations on data privacy and security. Instead, it promotes altruistic data sharing and addresses new challenges in data administration given the changing IT infrastructure, environments, and data usage.

Here are some of the DGA’s most important details. These are useful pointers for organizations operating in the European Union and those that are planning to have operations in the bloc.

Data altruism and cybersecurity implications

Data altruism: this is one of the prominent keywords attached to the EU Data Governance Act. The law seeks to promote data availability and sharing for public benefit. It has a noble underpinning impetus, although some sectors have cited some concerns over its impositions.

The United States Chamber of Commerce, for example, expressed worries over some of the provisions. The association describes the law as a misguided policy because it allegedly undermines trade secrets and innovation, makes it difficult for multinational companies to conduct cross-border movement for their data, and discriminates against US businesses.

This emphasis on altruistic data sharing makes the DGA appear as a predominantly political and economic policy. On the surface, the technical and cybersecurity implications are not that apparent. The immediate response from businesses likely focuses on the impact on their bottom line more than the security aspect. However, the DGA does involve cybersecurity concerns.

As the US Chamber of Commerce pointed out, “they (the EU) may see advantage in a first-mover approach to digital regulation, but there are real risks—in terms of cybersecurity, privacy, and data transfers—that must be considered.” Organizations will have to reorganize or reconfigure their data governance systems per the requirements of the DGA. Similarly, data governance applications must adhere to the DGA.

The DGA does factor in the cybersecurity concerns. In particular, the implementation of the DGA entails the creation of the European Data Innovation Board (EDIB) to enforce the key goals of the law. The EDIB is made up of representatives from various EU agencies including the European Union Agency for Cybersecurity (ENISA). The EDIB is tasked with the formulation of a rulebook that includes details on technical and cybersecurity requirements along with communication roadmaps and guidelines on interoperability.

In other words, aside from the existing rigorous laws on data privacy and security, there will be more layers of data protection mechanisms for organizations to deal with pertinent to the requirements of the DGA.

Data intermediation

The push for data altruism, in the context of the DGA, inevitably comes with the need for secure data intermediation. Compelling organizations to altruistically share their data requires a system to ascertain that data that should be shared is shared securely and appropriately.

For this, the DGA provides for the establishment of data intermediaries that can serve as neutral third parties responsible for linking individuals and companies who have data to share. These intermediaries can operate as data marketplaces bound by strict rules on data collection and dispensation.

As summarized in a European Commission explainer, the DGA addresses concerns over the loss of competitive advantage and data misuse by setting rules for data intermediation service providers. These rules are designed to make sure that intermediaries or data marketplaces serve as trustworthy, neutral, and transparent keepers and organizers of shared data.

One of the notable rules is ensuring that data intermediaries do not directly use the data they intermediate for their own gains. For example, they are strictly prohibited from selling the data they have collected or developing products or services based on the data entrusted to them. They are also disallowed to arbitrarily modify the terms of their intermediation services concerning the use of other services of a potential data user or holder. Additionally, intermediaries are banned from taking advantage of the data and metadata they collect for purposes other than the improvement of their data intermediation service.

Moreover, intermediaries are required to strictly separate their intermediation service from their other products or services. Before they can operate as a data intermediary, they have to inform the relevant authorities (EDIB) and ascertain that their data intermediation services are legally separate from their other business offerings.

Impact on non-EU organizations

The EU Data Governance Act has a far-reaching impact. It does not only affect businesses in the European Union. It affects the data handling practices and policies of everyone who makes their products and services to consumers in the EU. As mentioned, the US Chamber of Commerce raised some concerns over the law.

The changes in the data governance setup of organizations in different parts of the world in response to the enforcement of the DGA are going to vary. Some may find it relatively easy to comply with the requirements and work with the EDIB. Others will have a hard time reconfiguring their data handling policies and processes, especially those that are still contesting the competitiveness implications of being asked to share their organization’s data. However, what is certain is that organizations will have to adjust to comply with the DGA. Otherwise, they have to make their products and services unavailable to the EU market entirely.

In conclusion

The EU Data Governance Act is purported to be a way to “ensure that it (the EU) is at the forefront of the second wave of innovation based on data.” Some are fine with it, but others are still unconvinced of the supposed benefits of the DGA. Some say that it is yet another policy that supports the perception that the EU maintains a long arm of tech regulation.

Be that as it may, the DGA is expected to affect the way organizations with operations in the EU handle their data as they contend with a policy that suggests that they should share their data for the common good and adjust their data-handling processes to keep up with another EU tech regulation. The DGA is not exactly an insurmountable obstacle, but it can present some challenges, especially for those who regularly undertake international data transfers as part of their usual operations.

Related posts