Study Guide: Certified Information Privacy Professional (CIPP): EU - Data Governance Act and Data Act Basics
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-data-governance-act-and-data-act-basics

Certified Information Privacy Professional (CIPP): EU - Data Governance Act and Data Act Basics

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


What This Is

The Data Governance Act (DGA) and the Data Act are two EU regulations that create a framework for sharing, reusing and accessing data across the EU. They complement the GDPR rather than replace it: both apply to personal and non-personal data, and wherever personal data is involved the GDPR continues to govern it in full. They tackle the "data silos" problem. For example, a multinational manufacturer that collects sensor data from its factories in Germany, Spain and Poland can make that data available to third-party innovators through a notified data intermediation service, while still respecting individuals' privacy rights. For privacy professionals the DGA and the Data Act define new obligations for data intermediation services, public-sector bodies, manufacturers of connected products and providers of data processing (cloud) services, and they introduce new rights for users and business customers that must be woven into any data-governance programme.


Key Terms & Provisions

  • Data Governance Act (DGA) – EU: Regulation (EU) 2022/868, in force since June 2022 and applicable since 24 September 2023. It sets conditions for the reuse of protected public-sector data, a notification regime for providers of data intermediation services, a voluntary recognition regime for data altruism organisations, and establishes the European Data Innovation Board. It covers personal and non-personal data; where personal data is involved the GDPR continues to apply and prevails in case of conflict.
  • Data Act – EU: Regulation (EU) 2023/2854, adopted in December 2023 and applicable from 12 September 2025. It gives users of connected products and related services the right to access the data those products generate and to have it shared with a third party of their choice, sets fair, reasonable and non-discriminatory (FRAND) conditions for business-to-business (B2B) sharing that is required by law, renders unfair unilaterally imposed data-access terms non-binding, allows public-sector bodies access in situations of exceptional need (B2G), and regulates switching between data processing (cloud and edge) services.
  • Data intermediation service: a service that establishes commercial relationships for data sharing between data holders or data subjects on one side and data users on the other (e.g., data marketplaces, data-exchange platforms). Under the DGA the provider must notify its national competent authority before starting, keep the intermediation service structurally separate from any other service it offers, must not use the data for its own purposes, and must act on fair, transparent and non-discriminatory terms. Providers that meet these conditions may use the label "data intermediation services provider recognised in the Union".
  • Data altruism: voluntary sharing of data, based on the consent of data subjects or the permission of data holders, for objectives of general interest (e.g., health research), without seeking a reward beyond compensation of costs. Organisations that meet the DGA conditions may register as "recognised data altruism organisations in the Union" in a national register mirrored in a public Union register. Registration is voluntary; it is a trust label, not a licence to share.
  • Public-sector data: data held by public-sector bodies that is protected on grounds of commercial confidentiality, statistical confidentiality, third-party intellectual property or personal data protection (data already covered by the Open Data Directive is out of scope). The DGA does not oblige a body to allow reuse, but where it does, reuse conditions must be non-discriminatory, transparent and proportionate, exclusive arrangements are prohibited save for narrow public-interest exceptions, any fees must be cost-based, and each Member State runs a single information point.
  • B2B data-sharing obligation: under the Data Act, a data holder (e.g., a connected-product manufacturer or an IoT platform operator) must make product and related-service data available to the user and, at the user's request, to a third party, on FRAND terms and in a transparent manner. Micro and small enterprises are exempt from these obligations, and gatekeepers designated under the Digital Markets Act cannot be the third-party recipients.
  • Data portability and cloud switching: the Data Act gives customers of data processing services the right to switch to another provider or to port their exportable data to their own infrastructure. Contracts must set out the switching process, the mandatory maximum transitional period is 30 days (extendable once where technically unfeasible), and switching charges are phased out completely by 12 January 2027.
  • Gatekeeper: a provider of core platform services designated under the Digital Markets Act (Regulation (EU) 2022/1925). The Data Act does not create its own gatekeeper concept; it borrows the DMA designation to exclude gatekeepers from receiving data as eligible third parties.
  • European Data Innovation Board (EDIB): a Commission expert group established by the DGA that advises and assists the Commission, promotes consistency among national competent authorities and proposes guidelines (e.g., on interoperability). It does not issue binding rules or decide disputes; under the Data Act, disputes over data access terms go to Member-State dispute settlement bodies.
  • Exemptions and safeguards: DGA reuse of protected public-sector data is subject to conditions such as pseudonymisation or anonymisation, secure processing environments and confidentiality commitments. Under the Data Act a data holder may protect trade secrets through agreed technical and organisational measures and, in exceptional cases where disclosure is highly likely to cause serious economic damage, may withhold the data, substantiating the refusal and notifying the competent authority.

Step-by-Step Process for a Data-Sharing Initiative

  1. Map the Data Landscape – Classify the data as personal, non-personal or mixed (mixed datasets are the norm), identify the data holder and the user, and determine whether public-sector data or connected-product data is involved.
  2. Determine the Applicable Regime – The DGA applies if you reuse protected public-sector data, operate a data intermediation service or seek recognition as a data altruism organisation; the Data Act applies if you manufacture connected products or provide related services, are a data holder obliged by law to share, or provide a data processing (cloud) service. The GDPR applies on top in every case where personal data is present.
  3. Assess the Risks – Run a DPIA under GDPR Art. 35 for any personal data. For the non-personal part, document trade-secret, confidentiality and competition risks and the mitigations (anonymisation, secure processing environment, contractual safeguards). Neither Act prescribes a separate "Data-Sharing Impact Assessment"; treat that term as a working label for this documentation.
  4. Select a Data Intermediation Service – Verify that the provider has notified its competent authority (and, if it claims the EU label, that it appears in the public register), and check its structural-separation and no-own-use commitments. For any personal data transferred to a third country, GDPR Chapter V (an adequacy decision or standard contractual clauses) still governs.
  5. Draft the Data-Sharing Agreement – Include FRAND terms where sharing is legally required, purpose limitation, security measures, trade-secret protection, audit rights and exit clauses; check the terms against the Data Act's list of unfair contractual terms and the Commission's model contractual terms.
  6. Implement Technical Controls & Monitoring – Apply access control, encryption, logging, field-level removal of personal data and data-quality checks; set up complaint handling for data subjects and business customers and a route to the national dispute settlement body.
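Steps 1, 3 and 6 above have a concrete counterpart in code: before telemetry leaves the organisation, strip the columns the data inventory has classified as personal data, refuse the export if an unclassified column still looks like a direct identifier, and emit the remainder in a machine-readable form with a manifest the recipient can verify. The Python below is an added example written for this guide, not code from Fatskills or from any regulator or intermediary; the CSV sample, the badge format B-nnnnn, the PERSONAL_COLUMNS inventory and the function names are constructed assumptions.

```python
"""Pre-publication gate for a sensor-data export (added example, not from the page).

Constructed input: production-line telemetry with two columns that identify a
natural person (operator_badge, operator_email). Those columns fall under the
GDPR, so they are removed before the non-personal telemetry is shared.
"""
import csv
import hashlib
import io
import json
import re

# Constructed sample export: three readings from two production lines.
SAMPLE_CSV = """timestamp,line_id,temp_c,vibration_mm_s,operator_badge,operator_email
2024-03-01T08:00:00Z,L1,71.2,0.8,B-10442,jan.kowalski@example.com
2024-03-01T08:00:10Z,L1,71.5,0.9,B-10442,jan.kowalski@example.com
2024-03-01T08:00:00Z,L2,69.8,1.1,B-20391,maria.garcia@example.com
"""

# Assumption: the privacy team's data inventory has classified these columns
# as personal data. A real inventory is richer; a set is enough to show the gate.
PERSONAL_COLUMNS = {"operator_badge", "operator_email"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
BADGE_RE = re.compile(r"^B-\d{5}$")  # constructed badge format for this factory


def scan_for_identifiers(rows, columns):
    """Return columns NOT flagged in the inventory whose values still look like
    direct identifiers (a last-line check against misclassified columns)."""
    suspicious = set()
    for row in rows:
        for col in columns:
            if col in PERSONAL_COLUMNS:
                continue
            value = row[col] or ""
            if EMAIL_RE.search(value) or BADGE_RE.match(value):
                suspicious.add(col)
    return suspicious


def prepare_export(csv_text):
    """Drop inventoried personal-data columns, block the export if any other
    column looks like an identifier, and return JSON-ready records plus a
    manifest carrying a SHA-256 over the canonical serialisation."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)
    columns = reader.fieldnames or []
    leaks = scan_for_identifiers(rows, columns)
    if leaks:
        raise ValueError(f"unclassified identifier-like columns: {sorted(leaks)}")
    kept = [c for c in columns if c not in PERSONAL_COLUMNS]
    records = [{c: r[c] for c in kept} for r in rows]
    payload = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    manifest = {
        "columns": kept,
        "removed_columns": sorted(c for c in columns if c in PERSONAL_COLUMNS),
        "record_count": len(records),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    return records, manifest


if __name__ == "__main__":
    recs, man = prepare_export(SAMPLE_CSV)
    print(json.dumps(man, indent=2))
```

The gate fails closed: an unflagged column that carries an email address or badge number stops the export instead of being silently published, which is the failure mode the "anonymised sensor data" scenario later in this guide is about. The manifest hash lets the recipient confirm the records it received are the ones the holder released.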

Common Mistakes

Mistake: Treating the DGA as a "privacy law" and applying GDPR-style consent to all data sharing. Correction: The DGA is not a privacy law, but it is not limited to non-personal data either; it applies to both and leaves the GDPR fully in force. A lawful basis such as consent is needed only for the personal data in a dataset; for non-personal data the questions are contractual, confidentiality and trade-secret ones.
Mistake: Assuming the Data Act only affects "big tech" and ignoring obligations for mid-size manufacturers and SaaS providers. Correction: The Data Act has no "large-scale holder" threshold. Its access and sharing obligations fall on any data holder of connected products or related services except micro and small enterprises, and the cloud-switching rules apply to every provider of data processing services. Assess your status by role, not by size.
Mistake: Believing that "public-sector data" is automatically open without any safeguards. Correction: The DGA does not make protected public-sector data open. A body that permits reuse must impose conditions such as pseudonymisation or anonymisation, secure processing environments and confidentiality commitments, may charge cost-based fees, and may still refuse where protection cannot be ensured.
Mistake: Believing that an altruistic project is unlawful unless registered in the data altruism register. Correction: Recognition as a data altruism organisation is voluntary; it grants a trust label and carries transparency and rulebook duties, it is not a precondition for sharing. Unregistered sharing must still satisfy the GDPR (consent for personal data) and cannot use the EU label.
Mistake: Reading "gatekeeper" in the Data Act as any dominant data hub and expecting it to carry extra sharing duties. Correction: "Gatekeeper" means a core-platform-service provider designated under the Digital Markets Act. The Data Act does not impose sharing duties on gatekeepers; it excludes them from being eligible third-party recipients of data shared at a user's request.

CIPP Exam Insights

  1. Scope Distinction – Exams ask you to separate the DGA and the Data Act (who may access and share data, on what terms) from the GDPR (how personal data is processed). Remember: the Acts apply cumulatively with the GDPR, and where they conflict the GDPR prevails.
  2. Obligation Trigger – The Data Act's access right is triggered by the user's request, covers data generated by the use of a connected product or related service, does not bind micro and small enterprises as data holders, and cannot be used to route data to a DMA gatekeeper.
  3. Data Altruism Register – A frequent "true/false" item: "A data altruism organisation must be registered before it can share data." The correct answer is False. Recognition and entry in the national and Union registers are voluntary; the GDPR still governs any personal data shared.
  4. Gatekeeper Definition – Expect a scenario in which a DMA-designated platform asks a user to have their product data shared with it; the exam tests whether you know the platform is not an eligible third party under the Data Act.

Quick Check Questions

  1. Scenario: A German automotive supplier wants to publish its anonymised production-line sensor data on an EU-wide data-exchange platform.
    Question: Which regulation primarily governs this activity, and what key step must the supplier take before publishing?
    Answer: The platform is a data intermediation service under the DGA, so the supplier should confirm the provider has notified its competent authority and agree transparent, non-discriminatory terms. Before publishing, the supplier must verify that the anonymisation is effective (operator identifiers and other personal data removed); if any personal data remains, the GDPR applies to it. If the data comes from connected products, the Data Act's user access rights may also be engaged.

  2. Scenario: A cloud service provider with 12 million customers in the EU receives a request from a business client to export all usage logs in a machine-readable format.
    Question: Under which provision does the client have a right, and what timeline applies?
    Answer: The Data Act's switching and porting rules for data processing services; the size of the provider is irrelevant because there is no customer threshold. Usage logs that qualify as exportable data (data generated by the customer's use, excluding the provider's own trade secrets and IP) must be provided in a structured, commonly used, machine-readable format, and the switching process must be completed within the mandatory maximum transitional period of 30 days, extendable once if technically unfeasible.

  3. Scenario: A public-health agency wants to share COVID-19 infection data with researchers across the EU.
    Question: Can the agency share the data without any contractual safeguards?
    Answer: No. Infection data is health data, so the GDPR (including Art. 9) governs it first. If the agency permits reuse under the DGA, it must apply the reuse conditions: pseudonymisation or anonymisation, access through a secure processing environment where needed, confidentiality commitments and a prohibition on re-identification, typically set out in a data-sharing agreement.


Last-Minute Cram Sheet (10 One-Liners)

  1. DGA – Regulation (EU) 2022/868; applies to personal and non-personal data; the GDPR continues to apply and prevails in case of conflict.
  2. Data Act – Regulation (EU) 2023/2854, applicable from 12 September 2025; no size threshold for data holders, but micro and small enterprises are exempt from the access and sharing obligations.
  3. EDIB – The European Data Innovation Board is an advisory expert group; its guidelines are not binding and it does not settle disputes.
  4. Data Altruism Register – Recognition is voluntary; national competent authorities register organisations and the Commission keeps a public Union register.
  5. Access Right – Triggered by the user's request; trade secrets are protected through agreed measures; refusal only in exceptional cases of likely serious economic damage, substantiated and notified to the competent authority.
  6. Gatekeepers – DMA-designated gatekeepers cannot be eligible third-party recipients of data shared under the Data Act.
  7. Impact Assessment – A DPIA is required for high-risk processing of personal data under the GDPR; neither Act mandates a separate "Data-Sharing Impact Assessment".
  8. Public-Sector Reuse – Conditions include pseudonymisation or anonymisation, secure processing environments, no exclusive arrangements save narrow public-interest exceptions, and cost-based fees.
  9. Penalties – Set by Member States under both Acts; where Data Act obligations involving personal data are breached, supervisory authorities may impose fines within the GDPR Art. 83 limits.
  10. Third-Country Transfers – Personal data follows GDPR Chapter V (adequacy or SCCs); for non-personal data both Acts require safeguards against unlawful access or transfer requests from third-country governments.

Study tip: Memorise the two regulation numbers (2022/868 and 2023/2854) and the two-act relationship (DGA = reuse of protected public-sector data, data intermediation and data altruism; Data Act = connected-product data access, FRAND B2B sharing, unfair terms, B2G access and cloud switching). When you see a question about "who must share data?", first ask which role the party plays (data holder, intermediation service, public body, cloud provider), then ask whether personal data is involved; if it is, the GDPR applies on top. Good luck!