7 November 2022
The Data Governance Act entered into force on 23 June 2022, and will apply from September 2023. Member States must use the current ‘grace period’ to achieve compliance: setting up new policies and authorities to regulate the re-use of information covered by personal and commercial rights, such as identifiable or proprietary health data.
The first element of the European strategy for data to reach the legislative finishing line, the ‘DGA’ will pave the way for initiatives such as the European data spaces. In order to make information ‘as open as possible, as closed as necessary’ (Horizon 2020 Programme Guidelines on FAIR Data Management in Horizon 2020), it sets up key data-sharing infrastructure and forms a bridge with the General Data Protection Regulation (‘GDPR’) by requiring practical tools for individuals (and companies) to exercise their rights.
This briefing outlines some of the key features of the DGA, and considers its implications for scientific research within the EU and beyond.
The DGA regulates the secondary use of personal and non-personal data: i.e., all digitally recorded information, whether or not it identifies a natural, living person. It expands on the Open Data Directive by regulating the use of information not publicly accessible due to personal or corporate rights.
Where the information in question is personal data, it is clear that the GDPR takes precedence, and existing Data Protection Authorities retain their functions. However, they will be joined by newly created/designated Competent Authorities in EU Member States to who will enforce the DGA’s provisions. These functions span the DGA’s ‘rather heterogeneous approach’ of:
These new structures are set to significantly change the data-sharing landscape within the EU. as well as the way information could be accessed by researchers from third countries. The Regulation anticipates that public sector bodies, data intermediaries and data altruism organisations could (subject to their respective conditions) share information with users in third countries, but personal data transfers will still need to comply with the requirements of the GDPR. International data sharing will not necessarily become any easier. At best, the infrastructural safeguards provided by these certified and regulated data-sharing organisations will provide new ways of demonstrating compliance with the GDPR, particularly in its requirements for appropriate technical and organisational measures.
The good news for researchers is that the DGA requires the European Commission to produce a standard consent form for Data Altruism. Consent has been a vexed issue ever since the GDPR became applicable in 2018. In theory, a consent form officially sanctioned as sufficient for the purposes of Articles 6 and 9 GDPR would be hugely helpful in smoothing over discrepancies in interpretation; particularly where data is shared between Member States with different positions on the appropriateness of consent as a GDPR basis for research.
On its face, however, the DGA still poses some ambiguity in its framing of research consent. Recitals 26 and 50 refer to ‘consent to certain areas of scientific research where in keeping with recognised ethical standards for scientific research’; re-emphasising the importance of Recital 33 of the GDPR in its apparent widening of consent in the context of scientific research. However, Article 25(3) DGA requires:
Where personal data are provided, the European data altruism consent form shall ensure that data subjects are able to give consent to and withdraw consent from a specific data processing operation
This seems to require much more granular consent than merely specifying ‘areas of scientific research’; particularly if all data processing operations must be specified. One way of reconciling the broad and narrow consent standards alluded to within the DGA is to understand consent dynamically. It may be possible (as the Recitals suggest) to provide consent to areas of scientific research at the outset of the relationship with the data intermediary, data altruism organisation or public authority. However, the ongoing duty of transparency would need to be sufficiently granular that data subjects could withdraw consent to a specific processing operation as required.
Another possible answer lies in Article 25(2), which specifies that the data altruism consent form should use a ‘modular approach allowing customisation for specific sectors and for different purposes.’ It may be that a research-specific data altruism consent form could list areas of scientific research, but reassure data subjects that the processing activites within these broad research areas will be regularly updated on e.g. an organisational website or portal, and so they can review and withdraw at a more detailed level.
A key feature of the DGA is that the data sharing it facilitates must be carried out on a voluntary basis. As such, significant buy-in from data subjects and data holders will be required. This puts pressure on the policies and awareness campaigns of Member States to drum up interest and engagement in altruistic or public-sector data sharing.
As noted in the findings of a 2021 legal-ethico review, investment to make these structures accessible is needed to avoid privileging people with greater existing data-awareness. The chronic under-inclusion of groups such as ethnic minorities in voluntary research data requires engagement at the community and individual level to ensure that ‘tools’ for obtaining and managing consent are usable for a diversity of people, and that the ultimate public good of data re-use is communicated widely.
Relevant DGA Provisions
Miranda Mourby is a Researcher in Law at the Centre for Health, Law and Emerging Technologies (‘HeLEX’) at the University of Oxford.
See a list of all previous briefs.
Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.