The Data Governance Act (DGA) is part of a complex web of EU public policy and regulation, the ultimate goal of which is to create a dataset ecosystem that feeds the digital transformation of the Member States and the objectives of the European Digital Decade:

• A digitally empowered population and highly skilled digital professionals.
• Secure and sustainable digital infrastructures.
• Digital transformation of companies.
• Digitisation of public services.

Public opinion is focusing on artificial intelligence from the point of view of both the opportunities and, above all, the risks and uncertainties. However, the challenge is much more profound as it involves in each of the different layers very diverse technologies, products and services whose common element lies in the need to favour the availability of a high volume of reliable and quality-checked data to support their development.

Promoting the use of data with legislation as leverage

At its inception the Directive 2019/1024 on open data and re-use of public sector information (Open Data Directive), the Directive 95/46/EC on the processing of personal data and on the free movement of such data, and subsequently the Regulation 2016/679 known as the General Data Protection Regulation(GDPR) opted for the re-use of data with full guarantee of rights. However, its interpretation and application generated in practice an effect contrary to its original objectives, clearly swinging towards a restrictive model that may have affected the processes of data generation for its exploitation. The large US platforms, through a strategy of free services - search engines, mobile applications and social networks - in exchange for personal data and with mere consent, obtained the largest volume of personal data in human history, including images, voice and personality profiles.

With the GDPR, the EU wanted to eliminate 28 different ways of applying prohibitions and limitations to the use of data. Regulatory quality certainly improved, although perhaps the results achieved have not been as satisfactory as expected and this is indicated by documents such as the Digital Economy and Society Index (DESI) 2022 or the Draghi Report (The future of European competitiveness-Part A. A competitiveness strategy for Europe).

This has forced a process of legislative re-engineering that expressly and homogeneously defines the rules that make the objectives possible. The reform of the Open Data Directive, the DGA, the Artificial Intelligence Regulation and the future European Health Data Space (EHDS) should be read from at least two perspectives:

• The first of these is at a high level and its function is aimed at preserving our constitutional values. The regulation adopts an approach focused on risk and on guaranteeing the dignity and rights of individuals, seeking to avoid systemic risks to democracy and fundamental rights.
• The second is operational, focusing on safe and responsible product development. This strategy is based on the definition of process engineering rules for the design of products and services that make European products a global benchmark for robustness, safety and reliability.

A Practical Guide to the Data Governance Law

Data protection by design and by default, the analysis of risks to fundamental rights, the development process of high-risk artificial intelligence information systems validated by the corresponding bodies or the processes of access and reuse of health data are examples of the legal and technological engineering processes that will govern our digital development. These are not easy procedures to implement. The European Union is therefore making a significant effort to fund projects such as TEHDAS, EUHubs4Data or Quantum , which operate as a testing ground. In parallel, studies are carried out or guides are published, such as the Practical Guide to the Data Governance Law.

This Guide recalls the essential objectives of the DGA:

• Regulate the re-use of certain publicly owned data subject to the rights of third parties ("protected data", such as personal data or commercially confidential or proprietary data).
• Boost data sharing by regulating data brokering service providers.
• Encourage the exchange of data for altruistic purposes.
• Establish the European Data Innovation Board to facilitate the exchange of best practices.

The DGA promotes the secure re-use of data through various measures and safeguards. These focus on the re-use of data from public sector bodies, data brokering services and data sharing for altruistic purposes.

To which data does it apply? Legitimation for the processing of protected data held by public sector bodies

In the public sector they are protected:

• Confidential business data, such as trade secrets or know-how.
• Statistically confidential data.
• Data protected by the intellectual property rights of third parties.
• Personal data, insofar as such data do not fall within the scope of the Open Data Directive when irreversible anonymisation is ensured and no special categories of data are concerned.

An essential starting point should be underlined: as far as personal data are concerned, the General Data Protection Regulation (GDPR) and the rules on privacy and electronic communications (Directive 2002/58/EC) also apply. This implies that, in the event of a collision between them and the DGA, the former will prevail.

Moreover, the DGA does not create a right of re-use or a new legal basis within the meaning of the GDPR for the re-use of personal data. This means that Member State or Union law determines whether a specific database or register containing protected data is open for re-use in general. Where such re-use is permitted, it must be carried out in accordance with the conditions laid down in Chapter I of the DGA.

Finally, they are excluded from the scope of the DGA:

• Data held by public companies, museums, schools and universities.
• Data protected for reasons of public security, defence or national security.
• Data held by public sector bodies for purposes other than the performance of their defined public functions.
• Exchange of data between researchers for non-commercial scientific research purposes.

Conditions for re-use of data

It can be noted that in the area of re-use of public sector data:

▪ The DGA establishes rules for the re-use of protected data, such as personal data, confidential commercial data or statistically sensitive data.

▪ It does not create a general right of re-use, but establishes conditions where national or EU law allows such re-use.

▪ The conditions for access must be transparent, proportionate and objective, and must not be used to restrict competition. The rule mandates the promotion of data access for SMEs and start-ups, and scientific research. Exclusivity agreements for re-use are prohibited, except in specific cases of public interest and for a limited period of time.

▪ Attributes to public sector bodies the duty to ensure the preservation of the protected nature of the data. This will require the deployment of intermediation methodologies and technologies. Anonymisation and access through secure processing environments (Secure processing environments or SPE) can play a key role. The former is a risk elimination factor, while PES can define a processing ecosystem that provides a comprehensive service offering to re-users, from the cataloguing and preparation of datasets to their analysis. The Spanish Data Protection Agency has published an Approach to data spaces from a GDPR perspective that includes recommendations and methodologies in this area.

▪ Re-users are subject to obligations of confidentiality and non-identification of data subjects. In case of re-identification of personal data, the re-user must inform the public sector body and there may be security breach notification obligations.

▪ Insofar as the relationship is established directly between the re-user and the public sector body, there may be cases in which the latter must provide support to the former for the fulfilment of certain duties:

• To obtain, if necessary, the consent of the persons concerned for the processing of personal data.
• In case of unauthorised use of non-personal data, the re-user shall inform the legal entities concerned. The public sector body that initially granted the permission for re-use may provide support if necessary.

▪ International transfers of personal data are governed by the GDPR. For international transfers of non-personal data, the re-user is required to inform the public sector body and to contractually commit to ensure data protection. However, this is an open question, since, as with the GDPR, the European Commission has the power to:

1. Propose standard contractual clauses that public sector bodies can use in their transfer contracts with re-users.

2. Where a large number of requests for re-use from specific countries justify it, adopt "equivalence decisions" designating these third countries as providing a level of protection for trade secrets or intellectual property that can be considered equivalent to that provided for in the EU.

3. Adopt the conditions to be applied to transfers of highly sensitive non-personal data, such as health data. In cases where the transfer of such data to third countries poses a risk to EU public policy objectives (in this example, public health) and in order to assist public sector bodies granting permissions for re-use, the Commission will set additional conditions to be met before such data can be transferred to a third country.

▪ Public sector bodies may charge fees for allowing re-use. The DGA's strategy aims at sustainability of the system, as fees should only cover the costs of making data available for re-use, such as the costs of anonymisation or providing a secure processing environment. This would include the costs of processing requests for re-use. Member States must publish a description of the main cost categories and the rules used for their allocation.

▪ Natural or legal persons directly affected by a decision on re-use taken by a public sector body shall have the right to lodge a complaint or to seek a judicial remedy in the Member State of that public sector body.

Organisational support

It is entirely possible that public sector bodies offering intermediation services will multiply. This is a complex environment that will require technical and legal support, backstopping and coordination.

To this end, Member States should designate one or more competent bodies whose role is to support public sector bodies granting re-use. The competent bodies shall have adequate legal, financial, technical and human resources to carry out the tasks assigned to them, including the necessary expertise. They are not supervisory bodies, they do not exercise public powers and, as such, the DGA does not set specific requirements as to their status or legal form. In addition, the competent body may be given a mandate to allow re-use itself.

Finally, States must create a Single Point of Information or one-stop shop. This Point will be responsible for transmitting queries and requests to relevant public sector bodies and for maintaining an asset list with an overview of available data resources (metadata). The single information point may be linked to local, regional or sectoral information points where they exist. At EU level, the Commission created the European Register of Protected Data held by the Public Sector (ERPD), a searchable register of information collected by national single points of information to further facilitate the re-use of data in the internal market and beyond.

EU regulations are rules that are complex to implement. Therefore, a special pro-activity is required to contribute to its correct understanding and implementation. The EU Guide to the Deployment of the Data Governance Act is a first tool for this purpose and will allow a better understanding of the objectives and possibilities offered by the DGA.

Data is a key part of Europe''s digital economy. This is recognised in the Data Strategy, which aims to create a single market that allows free movement of data in order to foster digital transformation and technological innovation. However, achieving this goal involves overcoming a number of obstacles. One of the most salient is the distrust that citizens may feel about the process.

In response to this need, the Data Governance Act or Data Governance Act (DGA), a horizontal instrument that seeks to regulate the re-use of data over which third party rights concur, and to promote their exchange under the principles and values of the European Union. The objectives of the DGA include strengthening the confidence of citizens and businesses that their data is re-used under their control, in accordance with minimum legal standards.

Among other issues, the DGA elaborates on the concept ofdata intermediaries , for whom it establishes a reporting and monitoring framework. 

What are data brokers?

The concept of data brokers is relatively new in the data economy, so there are multiple definitions. If focusing on the context of the DGAdata Intermediation Services Providers ( DISPs) are those "whose purpose is to establish commercial relationships for the exchange of data between an undetermined number of data subjects and data owners on the one hand, and data users on the other hand".

The Data Governance Act also differentiates betweenData Brokering Service Providers andData Altruism Organisations Recognised in the Union (RDAOs). The latter concept describes a data exchange relationship, but without seeking a profit for it, in an altruistic way.

What types of data brokering services exist according to the DGA?

Data brokering services are another piece of data sharing, as they make it easier for data subjects to share their data so that it can be reused. They canalso provide technical infrastructure and expertise to support interoperability between datasets, or act as mediators negotiating exchange agreements between parties interested in sharing, accessing or pooling data.

Chapter III of the Data Governance Act explains three types of data brokering services:

• Intermediation services between data subjects and their potential users, including the provision of technical or other means to enable such services. They may include the bilateral or multilateral exchange of data, as well as the creation of platforms, databases or infrastructures enabling their exchange or common use.
• Intermediation services between natural persons wishing to make their personal and non-personal data availableto potential users, including technical means. These services should make it possible for data subjects to exercise their rights as provided for in the General Data Protection Regulation (Regulation 2016/679).
• Data cooperatives. These are organisational structures made up of data subjects, sole proprietorships or SMEs. These entities assist cooperative members in exercising their rights over their data.

In summary, the first type of service can facilitate the exchange of industrial data, the second focuses mainly on the exchange of personal data and the third covers collective data exchange and related governance schemes.
 

Categories of data intermediaries in detail:

To explore these concepts further, the European Commission has published the report ''...Mapping the landscape of data intermediariesthereport examines in depth the types of data brokering that exist. The report''s findings highlight the fragmentation and heterogeneity of the field.

Types of data brokers range from individualistic and business-oriented to more collective and inclusive models that support greater participation in data governance by communities and individual data subjects. Taking into account the categories included in the DGA, six types of data intermediaries are described:

Source: Mapping the landscape of data intermediaries published by the European Comission

Each of these is described below:

1. Personal Information Management Systems (PIMS): provides tools for individuals to control and direct the processing of their data.
2. Data cooperatives: foster democratic governance through agreements between members. Individuals manage their data for the benefit of the whole community.
3. Data trusts: establish specific legal mechanisms to ensure responsible and independent management of data between two entities, an intermediary that manages the data and its rights, and a beneficiary and owner of the data.
4. Data syndicates: these are sectoral or territorial unions between different data owners that manage and protect the rights over personal data generated through platforms by both users and workers.
5. Data marketplaces: these drive platforms that match supply and demand for data or data-based products/services.
6. Data sharing pools: these are alliances between parties interested in sharing data to improve their assets (data products, processes and services) by taking advantage of the complementarity of the data pooled.

In order to consolidate data brokers, further research will be needed to help further define the concept of data brokers. This process will entail assessing the needs of developers and entrepreneurs on economic, legal and technical issues that play a role in the establishment of data brokers, the incentives for both the supply and demand side of data brokers, and the possible connections of data brokers with other EU data policy instruments.

The types of data intermediaries differ according to several parameters, but are complementary and may overlap in certain respects. For each type of data intermediary presented, the report provides information on how it works, its main features, selected examples and business model considerations.

Requirements for data intermediaries in the European Union

The DGA establishes rules of the game to ensure that data exchange service providers perform their services under the principles and values of the European Union (EU). Suppliers shall be subject to the law of the Member State where their head office is located. If you are a provider not established in the EU, you must appoint a legal representative in one of the Member States where your services are offered.

Any data brokering service provider operating in the EU must notify the competent authority. This authority shall be designated by each State and shall ensure that the supplier carries out its activity in compliance with the law. The notification shall include information on the supplier''s name, legal nature (including information on structure and subsidiaries), address, website with information on its activities, contact person and estimated date of commencement of activity. In addition, it shall include a description of the data brokering service it performs, indicating the category detailed in the GAD to which it belongs, i.e. brokering services between data subjects and users, brokering services between data subjects or individuals and data users or data cooperatives.

Furthermore, in its Article 12, the DGA lays down a number of conditions for the provision of data brokering services. For example, providers may not use the data in connection with the provision of their services, but only make them available. They must also respect the original formats and may only make transformations to improve their interoperability. They should also provide for procedures to prevent fraudulent or abusive practices by users. This is to ensure that services are neutral, transparent and non-discriminatory.

Future scenarios for data intermediaries

According to the report "Mapping the landscape of data intermediaries", on the horizon, the envisaged scenario for data intermediaries involves overcoming a number of challenges:

Identify appropriate business models that guarantee economic sustainability. Expand demand for data brokering services. Understand the neutrality requirement set by the DGA and how it could be implemented. Align data intermediaries with other EU data policy instruments. Consider the needs of developers and entrepreneurs. Meeting the demand of data intermediaries.

Four years after the publication of the European Commission's Communication 'A Data Strategy', the European Commission has published a Communication on the European Commission's 'Data Strategy'A Data Strategy' (February 2020) (February 2020) - setting out the broad outlines of the broad outlines of the European Union's future data economy - the profusion of data-related regulation, the growing importance of open data and the deployment of initiatives of all kinds that have an impact on the development of this area, make it advisable to carry out a review to update the state of the art. This is what the members of the PromethEUs network1 thought, under the title of 'The European Data Strategy from a Multidimensional Perspectivein June 2023, they published an analysis of the European Data Strategy from two main perspectives: political and regulatory aspectson the one hand, and geopolitical aspectson the other. This analysis is complemented by two chapters presenting the economic impact of data-driven innovation and the specific case of the digitisation of the health sector in Southern Europe.

The first of the analyses - produced by the Portuguese Institute for Public Policy-- starts from the main idea that the European Union aspires to create a data-driven economy with citizens at its centre. An objective that will, in part, be achieved by implementing the guidelines followed by legislative acts such as the Regulation on Data Governance (DGA) Regulation and the Data Act (Data Act).

Regulations to consider

In essence, the DGA enables an enabling framework for data exchange, promoting the availability of data and the creation of a reliable and secure environment in which to realise new innovative services and products. Among its main measures, three aspects stand out:

1. More extensive re-use of protected information held by the public sector (with full respect for its privacy and confidentiality).
2. A framework for the promotion of neutral data brokering services, guaranteeing data sovereignty.
3. Mechanisms for the altruistic transfer of data.

The DA aims to establish harmonised rules on fair access and use of data, to address imbalances in contractual relations between providers and users regarding ownership and use of data, to promote interoperability and efficient portability of data, and to ensure minimum conditions for users of data processing services.

Other regulatory texts have a direct or indirect impact on the overall objective described above and interact significantly with both the above-mentioned DGA and DA, as well as with specific sectoral regulations. These include the Open Data Directive (2019), the Digital Bill of Rights (2022), the Digital Markets Actact, the Digital Services Act, or the proposals for the Artificial Intelligence Actfor the aI Liability Directive and for the Gigabit Infrastructure Act. All this without forgetting the decisive impact on this field of both the Personal Data Protection Regulation (2016) and the Directive on Privacy and Electronic Communications (2002), which will be replaced by the forthcoming Regulation on the same subject.

Effects of the European data strategy

After reviewing the most relevant aspects of this regulation, the PromethEUs document highlights three dimensions in terms of the effects of the European Data Strategy: political, economic and regulatory. Effects, on the other hand, which they expect to be positive overall, although they recognise that there is uncertainty about the associated laws and their practical implementation.

Political dimension

In the policy dimension, the authors highlight the role that both the European Commission and the European Data Innovation Board (EDIB) provided for in Article 29 of the DGA will play. The EDIB has an indispensable co-ordination role which will also have to be deployed in relation to the Member States and the respective competent authorities. In this sense, the authors warn, the lack of coordination can lead to a heterogeneous institutional framework that can delay the implementation of the Strategy. They also recommend the establishment of clear guidelines and even guidelines to prevent possible confusion as to the requirements and possible penalties imposed by states.

Economic dimension

On the economic dimension, the report highlights that the Commission expects a clear positive impact and cites an OECD study that estimates that data access and sharing will generate social and economic benefits of between 0.1 and 1.5% of GDP in the public data sector, rising to between 1 and 2.5% (some studies put it at 4%) in the private sector. The Commission, the document explains, estimates that the increased availability of data for commercial use and innovation among businesses, as well as for consumers and companies using connected products and related services, could generate up to €196.7 billion per year by 2028. The implementation of the DA alone will create up to 2.2 million jobs in the period 2024-2028.

In this sense, and in relation to the Strategy's objective of boosting competitiveness and R&D investment, the authors say that the DGA and the DA should build trust for B2B data sharing; and that the central idea would be for companies not to focus their resources and business model exclusively on the internal maintenance of their data, but on the creation of value through data transformation and combination. Likewise, in relation to SMEs, they point to the need to reduce access barriers and especially compliance costs that may be induced by the DA. Even considering that SMEs are protected in many respects, they explain, such costs can be a setback for many companies. So, they say, while for some it may mean added financial costs, for others it may mean a complete redesign of the company's business models.

Regulatory dimension

Finally, regarding the regulatory dimension, the authors point out that the implementation of the DA and the DGA will require well-trained regulatory bodies for the abundant work that will emanate from them. The creation of effective corps will require, they explain, a significant investment in human resources and skills. They also warn of the risk of overlapping powers between public administrations and regulators in areas such as data protection, cybersecurity, network infrastructure and competition issues. Therefore, they conclude, proper coordination of activities, among other issues, will be of paramount importance.

Indeed, coordination is a key concept at all levels. The evolution of the Data Economy - both at EU level and globally - is linked, whatever the field under analysis, to this essential factor. A factor applicable to how the European Strategy, the real baton that is setting the pace of this process, is implemented and deployed. But it also applies to the way in which the multiple regulations concerned are interrelated and, consequently, to the essential harmonised action of the authorities and bodies that apply them in their respective areas of competence. In short, a coordination that, like the conductor's virtuoso baton, allows for a successful execution of the score. A score - the European Strategy - that translates into the vigorous melody that the Data Economy promises, as already demonstrated by the indicators and records that outline its unstoppable evolution.       

As tradition dictates, the end of the year is a good time to reflect on our goals and objectives for the new phase that begins after the chimes. In data, the start of a new year also provides opportunities to chart an interoperable and digital future that will enable the development of a robust data economy robust data economy, a scenario that benefits researchers, public administrations and private companies alike, as well as having a positive impact on the citizen as the end customer of many data-driven operations, optimising and reducing processing times. To this end, there is the European Data Strategy strategy, which aims to unlock the potential of data through, among others, the Data Act (Data Act), which contains a set of measures related to fair access to and use of data fair access to and use of data ensuring also that the data handled is of high quality, properly secured, etc.

As a solution to this need, in the last year the uNE data specifications which are normative and informative resources for implementing common data governance, management and quality processes. These specifications, supported by the Data Officethese specifications, supported by the Data Office, establish standards for well-governed data (UNE 0077), managed (UNE 0078) and with adequate levels of quality (UNE 0079), thus allowing for sustainable growth in the organisation during the implementation of the different processes. In addition to these three specifications, the UNE 0080 specification defines a maturity assessment guide and process to measure the degree of implementation of data governance, management and quality processes. For its part, the UNE 0081 also establishes a process of evaluation of the data asset itself, i.e. of the data sets, regardless of their nature or typology; in short, its content is closely related to UNE 0079 because it sets out data quality characteristics. Adopting all of them can provide multiple benefits. In this post, we look at what they are and what the process would be like for each specification.

So, with an eye to the future, we set a New Year's resolution: the application of the UNE data specifications to an organisation.

What are the benefits of your application and how can I access them?

In today's era, where data governance and efficient data management have become a fundamental pillar of organisational success, the implementation of the uNE data specifications specifications emerge as a guiding light towards excellence, leading the way forward. These specifications describe rigorous standardised processes that offer organisations the possibility to build a robust and reliable structure for the management of their data and information throughout its lifecycle.

By adopting the UNE specifications, you not only ensure data quality and security, but also provide a solid and adequate basis for informed decision-making by enriching organisational processes with good data practices. Therefore, any organisation that chooses to embrace these regulations in the new year will be moving closer to innovation, efficiency and trust in data governance and management; as well as preparing to meet the challenges and opportunities that the digital future holds digital future. The application of UNE specifications is not only a commitment to quality, but a strategic investment that paves the way for sustainable success in an increasingly competitive and dynamic business environment because:

• Maximising value contribution to business strategy
• Minimises risks in data processing
• Optimise tasks by avoiding unnecessary work
• It establishes homogeneous frameworks for reference and certification
• Facilitates information sharing with trust and sovereignty

The content of the guides can be downloaded free of charge from the AENOR portal via the links below. Registration is required for downloading. The discount on the total price is applied at the time of checkout.

• SPECIFICATION UNE 0077:2023
• SPECIFICATION UNE 0078:2023
• SPECIFICATION UNE 0079:2023
• SPECIFICATION UNE 0080:2023
• SPECIFICATION UNE 0081:2023

From datos.gob.es we have echoed the content of the same and we have prepared different didactic resources such as this infographic or this explanatory video.

How do they apply to an organisation?

Once the decision has been taken to address the implementation of these specifications, a crucial question arises: what is the most effective way to do this? The answer to this question will depend on the initial situation (marked by an initial maturity assessment), the type of organisation and the resources available at the time of establishing the master plan or implementation plan. Nevertheless, at datos.gob.es, we have published a series of contents prepared by experts in technologies linked to the data economy datos.gob.es, we have published a series of contents elaborated by experts in technologies linked to the data economy that will accompany you in the process.

Before starting, it is important to know the different processes that make up each of the UNE data specifications. This image shows what they are.

Once the basics are understood, the series of contents 'Application of the UNE data specifications' deals with a practical exercise, broken down into three posts, on a specific use case: the application of these specifications to open data. As an example, a need is defined for the fictitious Vistabella Town Council: to make progress in the open publication of information on public transport and cultural events.

• In the first post of the series, the importance of using the UNE 0077 data using the UNE 0077 Data Governance Specification to establish approved mechanisms to support the openness and publication of open data. Through this first content, an overview of the processes necessary to align the organisational strategy in such a way as to achieve maximum transparency and quality of public services through the reuse of information is provided.
• The second article in the series takes a closer look at the uNE 0079 data quality management standard and its application in the context of open data and its application in the context of open data. This content underlines that the quality of open data goes beyond the FAIR principles fAIR principles principles and stresses the importance of assessing quality using objective criteria. Through the practical exercise, we explore how Vistabella Town Council approaches the UNE processes to improve the quality of open data as part of its strategy to enhance the publication of data on public transport and cultural events.
• Finally, the uNE 0078 standard on data management is explained in a third article presenting the Data Sharing, Intermediation and Integration (CIIDat) process for the publication of open data, combined with specific templates.

Together, these three articles provide a guide for any organisation to move successfully towards open publication of key information, ensuring consistency and quality of data. By following these steps, organisations will be prepared to comply with regulatory standards with all the benefits that this entails.

Finally, embracing the New Year's resolution to implement the UNE data specifications represents a strategic and visionary commitment for any organisation, which will also be aligned with the European Data Strategy and the European roadmap that aims to shape a world-leading digital future.

Two of the European Union's most relevant data regulations will soon articulate the legal contours that will delineate the development of the data economy in the coming years. The Data Governance Act (DGA) has been fully applicable since September 24, 2023, while the wording of the Data Act (DA) was approved on November 27. 

They are not the only ones, as the legal framework already includes other important rules that regulate interconnected matters, thus revealing the proactive approach of the European Union in establishing rules of the game in line with the needs of European citizens and businesses. These guidelines provide the necessary legal security environment to achieve the ultimate goal of promoting a European Digital Single Market.  

 In the case of the DGA and the DA, the negotiations for their approval have shown that their objectives were shared by the stakeholders concerned. For both, data is a central element for digital transformation, and they share an interest in eliminating or reducing the barriers and obstacles to its sharing. They thus assume that data-driven innovation will bring enormous benefits to citizens and the economy. Therefore, creating legal frameworks that facilitate such processes is a common goal for companies, institutions and citizens. 

The contributions from the academic, business and associative worlds have been abundant and enriching, both for the drafting phase of the standards and for what will be their implementation and development in practice. One of the most reiterated questions is the concern about how the different standards of this 'digital regulatory package' will interact. Particularly important is the interaction with the General Data Protection Regulation, which is why DGA and DA have established general guidelines on the pre-eminence of said regulation in case of conflict. In this regard, the increase in regulation does not prevent specific situations from arising in practice around key concepts in the field of personal data, such as consent, purposes of processing, anonymization, or portability. 

Another of the issues highlighted has to do with the search for synergies between this regulation and current or future data business models. The recognized overall goal is to boost the development of data spaces and the data economy as a whole. This goal will be closer to the extent that the 'regulatory burden' does not reduce the incentives for companies to invest in collecting and managing data; that it does not weaken the competitive position of European companies (by adequately protecting trade secrets, intellectual property rights and confidentiality); and that there is an appropriate balance between general and business interests. 

The case of the Data Governance Act  

In the case of the DGA, the provisions related to data brokering services ––one of the central parts of the regulation–– occupied a significant part of the previous analyses carried out. For example, the question was raised as to what extent SMEs and start-ups could compete with large technology companies in the provision of these services; or whether, by requiring the structural separation required of data brokering service providers (through a separate legal entity), there could be problems related to other functionalities of the same companies.    

Along the same lines, the question arises as to whether a more decentralized data economy requires new intermediaries, or whether under the new legal formulation, they can successfully compete in data markets through alternative, non-vertically integrated business models. 

Considerations on the deployment of the Data Act  

With regard to the DA, the final wording of the regulation clarified its scope, the definition of concepts and the categorization of data, as suggested by the industry. The specific sectoral application to be developed subsequently will further define those concepts and interpretations that provide the desirable legal certainty.  

This legal certainty has also been argued in relation to trade secrets, intellectual property rights and confidentiality; an aspect that the Regulation seeks to address with safeguards aimed at preventing misuse and fraud. 

Other aspects that attracted attention were compensation for making data available; dispute resolution procedures; provisions on unfair contract terms (aimed at compensating for imbalances in bargaining power); making data available in case of exceptional need; and, finally, provisions on switching from one data processing service provider to another.  

 A positive starting point  

The starting point, in any case, is positive. The data economy in the European Union is taking hold on the basis of the European Data Strategy and the regulatory package that develops it. There are also practical examples of the potential of the industrial ecosystems that are being deployed around the Common European Data Spaces in sectors such as tourism, mobility and logistics, and agri-food, among others. In addition, initiatives that bring together public and private interests in this area are making significant progress in the deployment of technical and governance foundations, strengthening the competitive position of European companies, and achieving the ultimate goal of a single data market in the European Union. 

Click here for an extended version of this note. 

A data space is a development framework that enables the creation of a complete ecosystem by providing an organisational, regulatory, technical and governance structure with the objective of facilitating the reliable and secure exchange of different data assets for the common benefit of all actors involved and ensuring compliance with all applicable laws and regulations. Data spaces are also a key element of the European Union's new data strategy and an essential building block in realising the goal of the European single data market.

As part of this strategy, the EU is currently exploring the creation of several data space pilots in a number of strategic sectors and domains: health, industry, agriculture, finance, mobility, Green Pact, energy, public administration and skills. These data spaces offer great potential to help organisations improve decision-making, increase innovation, develop new products, services and business models, reduce costs and avoid duplication of efforts. However, creating a successful data space is not a trivial activity and requires first carefully analysing the use cases and then facing major business, legal, operational, functional, technological and governance challenges.

This is why, as a support measure, the Data Spaces Support Centre (DSSC) has also been created to provide guidance, tools and resources to organisations interested in creating or participating in new data spaces. One of the first resources developed by the DSSC was the Data Spaces Starter Kit, the final version of which has recently been published and which provides a basic initial guide to understanding the basic elements of a data space and how to deal with the different challenges that arise when building them. We review below some of the main guidelines and recommendations offered by this starter kit.

The value of data spaces and their business models

Data spaces can be a real alternative to current unidirectional platforms, generating business models based on network effects that respond to both the supply and demand of data. Among the different business model patterns existing in data spaces, we can find:

• Cost sharing: all participants save time and money by sharing data for a common purpose, such as the smart network of connected SCSN providers.
• Joint innovation: innovation is only possible if data is shared as none of the participants have the complete data individually, e.g., the Eona-X platform for mobility, transport and tourism.
• Combined forces: different actors join forces to prevent a single actor from dominating a certain space, as in the EuPro Gigant manufacturing data network.
• Shared market: actors with common interests share data with each other in order to benefit each other, such as the Catena-X automotive network.
• Greater common good: when the public and private sectors share data for a social purpose, as for example in the mobility data space developed in Spain through the Mobility Working Group of the Gaia-X Hub.

The legal aspects

The legal side of data spaces can be a major challenge as they necessarily move between multiple legal frameworks and regulations, both national and European. To address this challenge, the Data Spaces Support Centre proposes the elaboration of a reference framework composed of three main instruments:

• The cross-cutting legal frameworks that will apply to all data spaces, such as contract law, data protection, intellectual property, competition or cybersecurity laws.
• The organisational aspects to consider when establishing models and mechanisms for data governance in each specific case.
• The contractual dimension to be taken into account when exchanging data and the agreements and terms of use to be established to make this possible.

Operational activities

The design of operational activities should address the arrangements that enable the organisational functioning of the data space, such as guidelines for onboarding new participants, decision-making and conflict resolution.

In addition, consideration should also be given to business operations, such as process streamlining and automation, marketing tasks and awareness-raising activities, which are also important components of operational activities.

Functionality of data spaces

Data spaces shall share a number of basic components (or building blocks) that will provide the minimum functionality expected of them, including at least the following elements:

• Interoperability: data models and formats, data exchange interfaces and origin and traceability.
• Trust: identity management, access and usage control and secure data exchanges.
• Data value: metadata and location protocols, data usage accounting, publishing and commercial services.
• Governance: cooperation and service level agreements and continuity models.

While these components can be expected to be common to all data spaces and provide similar functionality, each individual data space can make its own design choices in implementing and realising them.

Technological aspects

Data spaces are designed to be technology agnostic, i.e., defined solely in terms of functionality and with freedom in the choice of specific technologies for implementation. In this scenario it will be important to establish clear references in terms of:

• A formal basis of de facto standards to be followed.
• Specifications to serve as a reference for the different implementations.
• Open source implementations of the basic components carried out by other actors.

Governance of data spaces

Designing, implementing and maintaining a data space requires multiple organisations to collaborate together across different functions. This requires these entities to build a common vision of the key aspects of such collaboration through a governance framework.

This will require a joint design exercise through which stakeholders formalise a set of agreements defining key strategic and operational aspects, such as legal issues, description of the network of participants, code of conduct, terms and conditions of use, data space incorporation and membership agreements, and governance model.

In the near future the DSSC support centre will identify the core components of each of the dimensions described above and provide additional guidance for each of them through the development of a common blueprint for data spaces. So, if you are considering participating in any of the data spaces initiatives that are being launched, but are not quite sure where to start, then this basic starter kit will certainly be a valuable resource in understanding the basic concepts - along with the glossary that explains all the related terminology. Also, don't forget to subscribe to the support centre's newsletter to keep up to date with all the latest news, documentation and support services on offer.

Content prepared by Carlos Iglesias, Open data Researcher and consultant, World Wide Web Foundation.

The contents and views reflected in this publication are the sole responsibility of the author.

Since the initial publication of the draft European Regulation on Data Governance, several steps have been taken during the procedure established for its approval, among which some reports of singular relevance stand out. With regard to the impact of the proposal on the right to the protection of personal data, we can highlight those prepared by some European organizations with the aim of offering their opinion on the regulation proposed by the Commission.

• On the one hand, last July the Economic and Social Council made public its opinion, which stresses the importance of safeguarding fundamental rights, warning that "the adequate protection of these rights is threatened by the distorted use of data freely collected under a consent that is not always obtained following simple procedures".
• On the other hand, the European Data Protection Committee and the European Data Protection Supervisor have issued a joint report aiming to provide the European legislator with guidance to ensure that the future Data Governance Regulation "fully dovetails with EU legislation on personal data protection, thus fostering trust in the digital economy and providing the same protection as guaranteed by EU law." What are the main indications included in the report?

Through their corresponding reports, several EU bodies emphasize the need to ensure the protection of personal data in the future Data Governance Regulation.

Conditions for lawfulness of processing

One of the main difficulties when reusing public sector information is its link to individuals who are fully identified or even could be identified. In these cases, we would be dealing with data of a personal nature and, consequently, the regulations aimed at protecting this fundamental right in the scope of the entire European Union would be applicable: the General Data Protection Regulation 2016/679 of 27 April (GDPR).

In general, both the dissemination of data by public entities and, likewise, the processing carried out by reusers must respect the principles provided for in Article 5 GDPR. Specifically, it is necessary to ensure the minimization of the data, respect the time limitation of the processing or, among other obligations, guarantee its accuracy and integrity, as well as confidentiality. Of particular importance is the prohibition on the use of data for purposes incompatible with those that initially justified the collection of the information, especially if we consider that the data will often have been obtained without the consent of the data subject, when processing is justified for the performance of activities in the public interest.

The dissemination and reuse of public sector information must comply with the requirements and obligations set forth in the General Data Protection Regulation (GDPR).

Pseudonymization and anonymization

The joint report of the Committee and the Supervisor emphasizes that the two techniques cannot be confused and, consequently, the applicable safeguards are different in each case. In particular, this distinction has to be considered by the respective public entity when assessing the feasibility of reuse from a data protection perspective.

• Anonymization means that, because there is no link to the natural persons, the data can be used without being subject to data protection regulations.
• In pseudonymization, on the other hand, it would be possible to re-identify the data subject, insofar as additional information is available to enable this. Therefore, in this case, the processing of the information would be subject to data protection regulations.

Consequently, when pseudonymized data are reused, it will be essential to base the processing on one of the conditions of lawfulness provided for in Articles 6 and 9 of the GDPR, to comply with the principles referred to above, to adopt appropriate security measures and also to respect the transparency obligations referred to in Articles 12 to 14 of the GDPR, the latter condition being particularly important to facilitate the exercise of their rights by the data subjects.

In any case, provided that it is compatible with the main purpose for which the data is used, pseudonymization is certainly a reasonable measure even when there is an adequate legal basis to proceed with the processing of personal data without the consent of the data subject, since it is a solution that strengthens his legal position against the use of the data by a third party. This is shown, for example, in the legal regulation that allows the reuse of health data for research purposes, where one of the essential conditions is precisely that the data must be pseudonymized under certain conditions. This makes it possible to guarantee re-identification when necessary for health care reasons and, at the same time, limits the impact of reuse on the legal sphere of the owner of the information.

In cases where pseudo-animation is used, it is also necessary to comply with data protection regulations

Data sharing providers and data donation

This is one of the main new features of the draft Regulation. As regards providers, the joint opinion of the Supervisor and the Committee emphasizes the need to strengthen controls prior to the start of their activity and, on the other hand, to ensure that they provide adequate information to data subjects, with particular attention being paid to the principles of data protection by design and by default, transparency and purpose limitation. It also stresses the importance of ensuring that such providers effectively assist individuals in exercising their rights under Articles 15 to 22 of the GDPR, as well as the desirability of encouraging their adherence to formalized codes of conduct.

As regards the donation of data for altruistic purposes, given that the applicable legal basis for admitting reuse would be consent, the report maintains that it is necessary to improve the proposed regulation so as to establish more precisely the purposes of general interest for which the reuse of data could be used. Otherwise, the report considers that legal certainty and the level of protection of personal data guaranteed by the GDPR would be jeopardized, in particular with regard to the principle that data shall be collected for specified, explicit and legitimate purposes (Article 5 GDPR).

In order to reuse personal data obtained from the donation for altruistic purposes, it will be necessary to have the consent of the person concerned for the specific purpose.

In short, one of the main reasons justifying the Data Governance Regulation is precisely the need to establish a new regulation for those sets of data over which there are third-party rights that hinder their reuse, as is particularly the case with the protection of personal data. Therefore, although it is of great importance to make a firm commitment to promoting the data-driven economy, it should not be forgotten that the European model is based precisely on the protection and defense of fundamental rights and public freedoms, which necessarily implies that the measures contemplated in the GDPR are at the basis of this model, as the European Data Protection Committee and the European Data Protection Supervisor have recalled in their opinions.

Content prepared by Julián Valero, Professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec).

The contents and views expressed in this publication are the sole responsibility of the author.

Updated 02/02/2024

In 2020, the proposal for a Regulation of the European Parliament and of the Council on European data governance (Data Governance Act) was made public. This is an initiative that was already announced in the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions entitled "A European strategy for data", one of whose main objectives is to promote a single market for data that favours its rapid handling and, at the same time, is based on the principles and values of the EU.

The text of this proposal was preceded by a public consultation process with wide participation, especially with regard to the data governance model (section 2.1) whit almost eight hundred contributions. Furthermore, as highlighted in the preamble of the proposal itself, the regulatory options finally adopted considered the previous analysis in which the different possible alternatives for achieving the objectives sought were analysed.

Although this new initiative was initially assessed positively, the truth is that it could raise doubts about its necessity, given that Directive (EU) 2019/1024, of 20 June 2019, on open data and the re-use of public sector information, was approved a little over a year ago.

Why then a new regulation now?

Firstly, the new proposal takes the form of a Regulation - not a new Directive - to establish a mandatory, directly applicable regime throughout the Union to harmonise the EU internal market, given the risk that unilateral regulation by States will end up fragmenting it if there is no minimum harmonisation to help boost cross-border digital services. However, the competence of the Member States with regard to the organisational measures to be taken is respected, as is their ability to legislate on access to public sector information, so that the Regulation will not affect existing state rules in this area.

Secondly, it should be noted that the regulation is complementary to the 2019 directive, given that the achievement of the objectives set out above requires an approach which goes beyond the limitations to which that party is subject. Specifically, it is a question of establishing new regulations for those sets of data on which third parties have rights that make their re-use difficult, as is the case in particular with the protection of personal data, intellectual property or, among other legal assets, statistical or commercial confidentiality. Indeed, the existence of these legal barriers may seriously hinder - and even prevent - the re-use of data of enormous value when it comes to implementing projects of great impact in the current social and technological context, such as those relating to research and those based on the innovation required by the digital transformation. The measures incorporated in the proposal for a Regulation are intended to offer solutions specifically aimed at addressing these obstacles, incorporating mechanisms that provide greater legal certainty and therefore strengthen the confidence of the holders of these rights and interests.

It is also intended to establish a number of identical mechanisms throughout the Union to encourage reuse, as is the case with:

• The establishment of a reporting regime for data sharing providers, which will be neutral, i.e. they will not be able to use the data for purposes other than making it available to re-users. The services they provide must also be transparent and non-discriminatory.
• The promotion of altruism in order to facilitate the use of data for the common good on a voluntary basis, including the implementation of a form at European level to facilitate the provision of consent for the transfer of data.
• The obligation for States to establish a single point of information which, in addition, must have a register in which to submit requests for re-use so that, once received, they are sent to the corresponding bodies and entities for resolution within a maximum period of two months.
• The creation at European level of a committee of experts with the aim of facilitating re-use, which will also have an advisory role for the Commission.

What are the main legal guarantees of the Regulation?

With these objectives in mind, the initiative aims to lay the foundations for building a model of European data governance based on transparency and neutrality as a counterweight to trends in other areas. Specifically, the aim is to establish a regulatory framework that reinforces the confidence of citizens, businesses and other organisations that their data will be reused in accordance with minimum legal standards, thus facilitating control over the uses made by third parties. Thus, among the main novelties of the proposal:

• Public bodies that allow the re-use of this type of data affected by the rights and interests of third parties are obliged to adopt the technical, organisational and legal measures that guarantee their protection.
• The possibility is established for public bodies to impose an obligation that data may be re-used only if it has been subject to "pre-processing", which consists in making it anonymous, pseudonymous or, where appropriate, deleting confidential information.
• It is foreseen that re-use is only allowed in environments directly controlled by the public body if there is no other alternative that can meet the needs of the re-user.
• Public bodies are recognised as having the power to prohibit the use of the results of data processing that contains information that endangers the rights and interests of third parties.
• The collaboration of public bodies in the collection of consent from the data subjects is facilitated without the re-users having direct contact with them.
• Effective conditions and guarantees are established for cases in which the processing of the data is to take place outside the European Union, including express acceptance of submission to the jurisdiction of the State in which the public sector body that facilitated the re-use is located.

As the European Commission emphasised in a recent Communication on the occasion of the review carried out after two years of application of the General Data Protection Regulation, its provisions " helps to  foster  trust-worthy innovation, notably through its risk-based approach and principles such as privacy by design  and  by  default ". This is precisely the approach of the new proposal: to establish the bases of a regulatory model based on the protection of the rights and interests affected, thus facilitating the optimal legal conditions that will allow the re-use of public sector information to be promoted with the appropriate guarantees.

The following infographic provides a summary of the main aspects of the DGA. Click on the images to go to the different versions:

Two-page version                                                            One-page version

Content prepared by Julián Valero, professor at the University of Murcia and Coordinator of the Research Group "Innovation, Law and Technology" (iDerTec).

Contents and points of view expressed in this publication are the exclusive responsibility of its author.