GDPR Brief: the EU Data Governance Act — new pathways for consented reuse of information

7 Nov 2022

This briefing outlines some of the key features of the Data Governance Act (DGA), and considers its implications for scientific research within the EU and beyond.

Introduction

The Data Governance Act entered into force on 23 June 2022, and will apply from September 2023. Member States must use the current ‘grace period’ to achieve compliance: setting up new policies and authorities to regulate the re-use of information covered by personal and commercial rights, such as identifiable or proprietary health data.

The first element of the European strategy for data to reach the legislative finishing line, the ‘DGA’ will pave the way for initiatives such as the European data spaces. In order to make information ‘as open as possible, as closed as necessary’ (Horizon 2020 Programme Guidelines on FAIR Data Management in Horizon 2020), it sets up key data-sharing infrastructure and forms a bridge with the General Data Protection Regulation (‘GDPR’) by requiring practical tools for individuals (and companies) to exercise their rights.

This briefing outlines some of the key features of the DGA, and considers its implications for scientific research within the EU and beyond.

New Infrastructure 

The DGA regulates the secondary use of personal and non-personal data: i.e., all digitally recorded information, whether or not it identifies a natural, living person. It expands on the Open Data Directive by regulating the use of information not publicly accessible due to personal or corporate rights.

Where the information in question is personal data, it is clear that the GDPR takes precedence, and existing Data Protection Authorities retain their functions. However, they will be joined by newly created/designated Competent Authorities in EU Member States to who will enforce the DGA’s provisions. These functions span the DGA’s ‘rather heterogeneous approach’ of:

• Setting conditions on the secondary use of public sector data which is subject to personal or commercial rights. This could include information shared for scientific research, from entities such as public hospitals, but not necessarily universities as ‘educational establishments’ are excluded from the definition of public authorities in Article 3;
• Supervising data intermediation services, which will establish commercial relationships for data sharing between data subjects, data holders and data users.
• Regulating entities which voluntarily register as data altruism organisations, to facilitate the secondary use of information based on the consent of the data provider, for objectives of ‘general interest’ such as healthcare and scientific research.

These new structures are set to significantly change the data-sharing landscape within the EU. as well as the way information could be accessed by researchers from third countries. The Regulation anticipates that public sector bodies, data intermediaries and data altruism organisations could (subject to their respective conditions) share information with users in third countries, but personal data transfers will still need to comply with the requirements of the GDPR. International data sharing will not necessarily become any easier.  At best, the infrastructural safeguards provided by these certified and regulated data-sharing organisations will provide new ways of demonstrating compliance with the GDPR, particularly in its requirements for appropriate technical and organisational measures.

Consent

The good news for researchers is that the DGA requires the European Commission to produce a standard consent form for Data Altruism. Consent has been a vexed issue ever since the GDPR became applicable in 2018. In theory, a consent form officially sanctioned as sufficient for the purposes of Articles 6 and 9 GDPR would be hugely helpful in smoothing over discrepancies in interpretation; particularly where data is shared between Member States with different positions on the appropriateness of consent as a GDPR basis for research.

On its face, however, the DGA still poses some ambiguity in its framing of research consent. Recitals 26 and 50 refer to ‘consent to certain areas of scientific research where in keeping with recognised ethical standards for scientific research’; re-emphasising the importance of Recital 33 of the GDPR in its apparent widening of consent in the context of scientific research. However, Article 25(3) DGA requires:

Where personal data are provided, the European data altruism consent form shall ensure that data subjects are able to give consent to and withdraw consent from a specific data processing operation

This seems to require much more granular consent than merely specifying ‘areas of scientific research’; particularly if all data processing operations must be specified. One way of reconciling the broad and narrow consent standards alluded to within the DGA is to understand consent dynamically. It may be possible (as the Recitals suggest) to provide consent to areas of scientific research at the outset of the relationship with the data intermediary, data altruism organisation or public authority. However, the ongoing duty of transparency would need to be sufficiently granular that data subjects could withdraw consent to a specific processing operation as required.

Another possible answer lies in Article 25(2), which specifies that the data altruism consent form should use a ‘modular approach allowing customisation for specific sectors and for different purposes.’ It may be that a research-specific data altruism consent form could list areas of scientific research, but reassure data subjects that the processing activites within these broad research areas will be regularly updated on e.g. an organisational website or portal, and so they can review and withdraw at a more detailed level.

Conclusion

A key feature of the DGA is that the data sharing it facilitates must be carried out on a voluntary basis. As such, significant buy-in from data subjects and data holders will be required. This puts pressure on the policies and awareness campaigns of Member States to drum up interest and engagement in altruistic or public-sector data sharing.

As noted in the findings of a 2021 legal-ethico review, investment to make these structures accessible is needed to avoid privileging people with greater existing data-awareness. The chronic under-inclusion of groups such as ethnic minorities in voluntary research data requires engagement at the community and individual level to ensure that ‘tools’ for obtaining and managing consent are usable for a diversity of people, and that the ultimate public good of data re-use is communicated widely.

Further Reading

• Matthias Leistner, ‘The Commission’s Digital Markets and Services Package – New Rules for Big Tech and Big Data’ (2021) 70 GRUR International 6, 515–516. Available from: https://doi.org/10.1093/grurint/ikab039
• Mahsa Shabani, ‘The Data Governance Act and the EU’s Move towards Facilitating Data Sharing’ (2021) 17 Molecular Systems Biology 3. Available from: https://doi.org/10.15252/msb.202110229
• Mirelle van Eechoud, European Commission, Directorate-General for Research and Innovation, Study on the Open Data Directive, Data Governance and Data Act and their possible impact on research. Publications Office of the European Union (2022). Available from: https://data.europa.eu/doi/10.2777/71619
• Katharina Ó Cathaoir, Eugenijus Gefenas , Mette Hartlev , Miranda Mourby and Vilma Lukaseviciene, EU-STANDS4PM report: Harmonization and integration of big data of relevance for personalized medicine into in silico modelling? – Recommendations for technically feasible, and ethico-legal sustainable avenues (2021). Available from https://www.eu-stands4pm.eu/publications

Relevant DGA Provisions 

• Recital 2: Includes personalised medicine among the benefits of data-driven innovation.
• Article 2: Clarifies that ‘consent’ has the same meaning as under the GDPR, and defines altruism as including providing data for scientific research.
• Article 3: Excludes educational establishments from the definition of a public authority.
• Article 22: Requires the Commission to adopt a ‘rulebook’, including security standards and consent tools
• Article 25: Allows a modular, sector-specific approach for the data altruism consent form
• Article 29: Composition of the European Data Innovation Board
• Article 30: Tasks of the European Data Innovation Board

Miranda Mourby is a Researcher in Law at the Centre for Health, Law and Emerging Technologies (‘HeLEX’) at the University of Oxford.

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.