| News | Blog | Data exchange in the EU: New rules in the Data Governance Act (Part 2/2)

Data exchange in the EU: New rules in the Data Governance Act (Part 2/2)

On the path to greater digital sovereignty, the EU is focussing on an explicitly European data strategy. The key building blocks are the promotion of infrastructures and the creation of a new legal framework. This second part highlights the key rules for data intermediaries in the Data Governance Act.


Against the background of the European Data Strategy, various projects are already working on the development of federated European data spaces. The new infrastructures should enable sovereign data exchange. The Data Governance Act (DGA) is part of this infrastructure development process. This was proposed as a draft by the EU Commission in November 2020 and adopted by the European legislator in spring 2022 following the conclusion of the trilogue negotiations. The DGA sets out new legal rules to facilitate the voluntary exchange of data between its owners and interested parties.

The DGA as a European legal framework for data exchange

The regulation is directly applicable law throughout the EU and has been in force for most applications since the end of September 2023. The main subjects of the DGA are rules on the activities of data intermediary services (Art. 10 et seq. DGA) and organisational framework conditions for the voluntary registration of data altruism organisations (Art. 16 et seq. DGA). In addition, certain requirements are set out to facilitate the further use of data from public bodies that had to or were allowed to be passed on due to other regulations (e.g. for research purposes) (Art. 3 et seq. DGA). According to recital 3 of the DGA, the primary objectives of this Regulation are, on the one hand, to develop a single market without borders for data of all kinds within the European Union and, on the other hand, to promote a data society and data economy that comply with the principles of person-centredness, trustworthiness and security. However, the realisation of the internal market through the approximation of laws is at the centre of the objectives of this Regulation (Art. 114 TFEU). According to recital 1 of the DGA, achieving this objective is in turn in line with the EU’s geopolitical hope of achieving open strategic autonomy in the area of the digital economy in global competition and thus digital sovereignty at a supra-individual level.

The need for harmonised rules for data brokerage services arose for the EU legislator from the identification of a market failure. Many companies that would in principle be willing to exchange data with other people lacked sufficient confidence that the recipients of the data would only process it in accordance with the agreement and not pass it on to third parties or violate data protection regulations. In order to reduce the transaction costs caused by this lack of trust (in particular initiation and agreement costs), intermediaries specialising in data exchange – so-called data brokerage services – are to come onto the scene. Requirements for the activities of intermediaries, which serve to increase trust in their services and thus promote the shared use of data, should in turn be introduced uniformly at European level in order to contribute to the realisation of a single market for data.

The DGA provides for cross-sectoral governance of data exchange processes in data spaces and through data intermediation services. However, the regulation does not create a comprehensive horizontal governance structure that would incentivise desired data flows, impose conditions on data flows that require consideration and set limits on undesired data flows. Rather, it only contains individual regulatory fragments where the EU has identified a need for action and which will only have the desired governance effect in conjunction with the other general European digital legislation (e.g. DA, GDPR, PSI Directive, Trade Secrets Directive) and the sector-specific digital legislation.

The European data strategy: legislation and infrastructure

In order to concretise this European approach, the EU has formulated the European Data Strategy (2020). With the Data Governance Act (DGA) and the Data Act (DA), two important laws were introduced in this context that are intended to provide an overarching framework for the data-agile economy. While the DA primarily establishes legal obligations for data access in certain situations, the DGA essentially regulates the framework conditions for voluntary data sharing. In addition to the creation of a legal framework, the second important component of the European Data Strategy is to promote measures for the development and strengthening of European infrastructures for the shared use of data. The very design of their architecture should ensure that data-based value creation remains with the respective producers and cannot be siphoned off by non-European big tech platforms. Currently, the US companies Amazon Web Services (AWS), Microsoft Azure and Google Cloud together cover around two thirds of the cloud market in the EU.

Scope of application and requirements for data brokering services in the DGA

In the literature and in practice, there are numerous descriptions of services that mediate the exchange of data between other actors. As a suitable generic term, the term data intermediary combines very different constructs and designations for facilitating data exchange. This includes, in particular, the well-known term data trustee. Although this term is also used in different ways, regardless of the exact legal and technical construction, the term already implies the essential commonality of the subgroup, namely the fiduciary duty to act in the interests of the data owners (and/or data users).

The DGA itself only addresses a subset of the group of data intermediaries, as it is aimed at data intermediation services. Art. 2 para. 11 DGA defines that such a service uses its means to establish business relationships for the joint use of data between an unspecified number of data owners (data subjects) and data users. In particular, it explicitly excludes all services that do not aim to engage in commercial activity, such as closed data systems or public bodies without the intention of establishing business relationships. Art. 10 of the DGA specifies the scope of application of the regulations on data intermediary services to three categories of services: intermediary services for the exchange of data between data owners and potential data users, intermediary services for making personal and non-personal data accessible by natural persons and services of data cooperatives.

Gaia-X only provides a technical and normative regulatory framework within which actors can set up and design their intermediary services and become part of a “federated and interoperable Gaia-X ecosystem”. Since Gaia-X itself does not offer data switching services, but is a standardisation project, it does not fall under the scope of Art. 10 et seq. DGA. However, the situation is different for specific data spaces based on the Gaia-X standard. For example, the individual services of the federation around EuroDaT (e.g. the applications in the EuroDaT app stores) in their current conception most likely fulfil the requirements of a data intermediary service according to Art. 10 lit. a DGA, because for the financial data ecosystem EuroDaT – as a neutral intermediary with a transaction-based fiduciary function – wants to make data shareable, analysable and usable between data providers, result users and data service providers.

Diagram of the processes in the federation around EuroDaT (source: Data sovereignty in the networked EuroDaT ecosystem at a glance brochure)

Providers of data brokering services must register with the relevant national authority (in Germany, the Federal Network Agency) and are then listed in a register of the EU Commission (Art. 11 DGA). The provision of the services is linked to a whole list of conditions in Art. 12 DGA, compliance with which is monitored by the national authorities in accordance with Art. 14 DGA. The requirements concern, among other things, content-related specifications for the use of the data (purpose, representation of interests), conditions for the provision of services (commercial conditions, format, standards), security mechanisms for risk cases (unlawful use, abusive practices, insolvency, security level) as well as the procedural organisation (protocol obligation).

Conclusion

The EU wants to be at the forefront of a global data-driven society before the end of this decade. The establishment of a new legal framework and technical infrastructure for sovereign data exchange are essential means of achieving this goal set out in the European Data Strategy. The extent to which the measures outlined in the article are promising in terms of making an effective contribution to digital sovereignty is difficult to predict. Doubts about the actual control potential of the DGA arise, among other things, from the fact that the regulation places high demands on the operation of intermediary services without at the same time actively incentivising the launch of such a service (such as data protection privileges) that go beyond the existing economic incentives. Market acceptance of the model and the technical interaction of different services between the federated data spaces are also challenges that the EU should continue to address in order to effectively compete in the global context.

This blog post is part of a two-part series on the infrastructuralisation process of European data spaces. Click here for part 1 .

The blog posts published by bidt reflect the views of the authors; they do not reflect the position of the institute as a whole.