Regulating data governance

By Dr Dirk Brand on 7 December 2023

While the regulation of personal data protection has increased over the past few years and is now well established in most countries in the world, regulating the use and governance of other data is still a fairly new phenomenon. 

In view of the potential of data being treated as a commodity that could be traded, and the fact that data is the fuel for artificial intelligence (AI), there is clearly a case to be made for regulating data governance.  Furthermore, data-driven innovation in areas such as health, mobility and agriculture has significant potential that could benefit society.  Evidence based policy making and the creation of new data-based solutions to societal problems such as climate change, corruption and effective energy management are strengthened by the EU Data Governance Act (DGA).

The DGA entered into force on 23 June 2022 and is applicable since September 2023.  The aims of the DGA are:

  • Enabling the re-use of certain public sector data that cannot be made available as open data, for example the re-use of health data that could assist in developing new disease treatments.
  • Regulating data intermediaries as trustworthy organisers of data sharing within the EU.
  • Encouraging citizens and businesses to make their data available for the common good, so-called data altruism.
  • Ensuring effective governance of data sharing, in particular the sharing of data across sectors and borders.

Data is defined in the DGA as:

any digital representation of acts, facts or information any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording”.

In a data-driven economy where competition as well as a human-centric approach to ensure a trustworthy data landscape are important goals, the DGA provides the data governance architecture that should guide the effective use and re-use of data.  It holds many benefits, such as:

  • Making more data available and facilitating data sharing throughout the EU, as well as with third countries.
  • Increasing trust in data sharing by providing clear rules and safeguards, for example the application of techniques such as anonymisation and differential privacy, together with comprehensive data protection impact assessments.
  • Empowering individual data subjects to have more control over their personal data and to make it easier to provide their data to the benefit of society.
  • Supporting innovation by creating opportunities for data-driven businesses, such as data-analytics enterprises and AI providers.

Since this is EU legislation, the primary focus is on the data governance landscape within the 27 Member States of the EU.  An important practical implication is that the Member States must ensure that the privacy and confidentiality of data is fully respected in the context of re-use of data.  There is a range of instruments that could be used by the Member States, such as technical solutions, contractual means (e.g. confidentiality agreements) and enabling data sharing in secure data processing environments supervised by public sector bodies. 

However, data are increasingly shared across national borders, and facilitating effective international data sharing is also an important part of the DGA.  As can be expected, the international data sharing is directly linked to the existence of appropriate safeguards in third countries to ensure the protection of data similar to that within the EU, in particular in relation to the protection of trade secrets and intellectual property rights.  There must also be effective legal remedies for data holders, public sector bodies and data intermediaries in the respective third countries.  

An interesting feature of the DGA is the recognition of data intermediaries, which are neutral third parties that enables data sharing between individuals, companies and data users.  They must comply with strict rules to ensure this neutrality and to avoid conflicts of interest, for example they are not allowed to directly use the data that they intermediate for financial gain.  A current example of such a data intermediary service is that provided by Deutsche Telekom, which established a data marketplace accessible to companies to securely manage, provide and monetize good quality data.

Why is the DGA of interest to South African companies?  

Although the DGA is not directly applicable in South Africa, it provides guidance on good data governance practices which could be used in different jurisdictions.  Nevertheless, it should be noted that any company in a third country that is engaged in data sharing with enterprises or public bodies within the EU or aims to do so, would be impacted by the DGA.  

In the context of personal data, the GDPR (General Data Protection Regulation) is the applicable legal framework that provides the relevant safeguards for international data sharing.  For non-personal data it is the DGA that provides similar safeguards regarding the international sharing of data, including access to public sector data, data intermediary services and data altruism.  It should be remembered that the DGA does not only impact the direct use and re-use of data, but also the downstream use of data in the provision of AI, for example using data obtained from a data intermediary company to develop new AI systems in agriculture.

Back to top

Please note that our blog posts are informal commentaries on developments in the law as at the time of publication and not legal advice. You should place no reliance on our blog posts; we look forward to discussing your particular matter with you.