07.12.2021

DGA is Dada

Portrait von Winfried Veil
Winfried Veil

With the Data Governance Act (DGA) the EU has reached a new level of legislative hubris. It invents obligations with an excessiveness that actually only allows the conclusion that this is a satirical exaggeration. One could also say: Dada meets Kafka. The result is a bureaucratic collection of nonsense for which Aline Blankertz suggests the term "dataism". Should the EU really be serious about all this?

The original Commission draft dates from November 2020. In the so-called trilogue between the EU Commission, the European Parliament and the Council, an agreement was reached on 30 November 2021. The final draft can be found in the fourth column of the four-column document. According to reports, this version is to be adopted in February/March 2022. As a rule, there are no more amendments to a text agreed in the trilogue.

1. "Without prejudice" to the GDPR

Remember: the stated aim of the DGA is to make data available in order to promote data use. However, the DGA does not repeal regulations that stand in the way of data availability.

In particular, the provisions of the GDPR remain untouched. The fear that the GDPR could be "softened" is so great that the new text includes a fourfold safeguard in Art. 1(2a):

  • DGA "shall be without prejudice to" GDPR
  • "in the event of conflict between the provisions" data protection law "should prevail"
  • DGA "does not create a legal basis for the processing of personal data"
  • DGA "does not alter any obligations and rights set out in" GDPR

The final version of the DGA thus rejects any change of the GDPR even more clearly than the original Commission draft, which was content with a "without prejudice" in Recital 3.

2. GDPR no longer a "trust-enabler"?

It is noteworthy that the EU apparently no longer considers the GDPR sufficient as a trust-enabler (Rec. 4):

"Action at Union level is necessary to increase trust in data sharing by establishing proper mechanisms for control by data subjects and data holders over the data that relates to them [...]."

One really wonders what the whole thing with the GDPR has actually achieved, if now for trust-building further

"proper mechanisms for data subjects to know and meaningfully exercise their rights, as well as regarding the re-use of certain types of data".

and

"in particular, more transparency regarding the purpose of data use and conditions under which data is stored by businesses".

are considered necessary. Reminder:

These obligations - as seen - remain untouched. If the EU is of the opinion that the GDPR obligations are not sufficient, then either they have not understood the GDPR or they have lost confidence in it. Should rules that are considered sufficient for Google, Facebook, tax authorities and credit agencies not be sufficient for data processing for public benefit?

There is a third explanation - the 'dataist' explanation: deconstructing one's own set of rules through grandiose exaggeration, so that everything implodes and makes room for a great new regulation. But, alas, the lawmaker as artist? It is more likely that the DGA's dataism is involuntary.

3. Re-use of public sector data

The DGA wishes to promote the re-use of public sector data. Data generated or collected at the expense of the taxpayer should benefit the public good. The DGA describes an "underutilisation" of this data (Rec. 5(6)). Therefore, there is a need for "access to and use of such data" (Rec. 5(7)).

This sounds plausible. The concern is legitimate.

But if data is not further used because access to it is difficult for legal reasons, one might think that these legal reasons would be removed. Not so the DGA. Instead of establishing legal access claims or reducing protection claims, the DGA states (Art. 3(3)):

"This Chapter does not create any obligation on public sector bodies to allow re-use of data nor does it release public sector bodies from their confidentiality obligations under Union or national law."

The DGA thus completely passes the buck to the member states. They are supposed to create access rights and thus also solve the delicate problem of balancing access and confidentiality claims.

Instead, the DGA lays down additional conditions for further use. Member states or public sector bodies are subject to the following obligations, among others:

  • In principle, no exclusive rights re-use (Art. 4).
  • Re-use conditions must be non-discriminatory, transparent, proportionate and objectively justified (Art. 5(2)).
  • Ensure protection of data in the case of re-use - for example, through anonymisation or a secure processing environment (Art. 5(3)).
  • Right to verify the process, means and results of re-use (Art. 5(5)).
  • Right to prohibit the use of the results of re-use (Art. 5(5)).
  • Conditional confidentiality agreements (Art. 5(5a)). ...

The DGA imposes a total of 27 obligations on public sector bodies that intend to make possible or actually enable the re-use of data (see orange tiles on the Dataprotection Landscape). "Re-users" are subject to 9 obligations under the DGA (see pink tiles on the Dataprotection Landscape).

Mind you, these are additional obligations on top of the obligations under the GDPR.

The willingness of public bodies to make data available is weak anyway, because it is - as the DGA correctly states - "time- and knowledge-intensive" (Rec. 5(5)). The requirements of the DGA now make it even more difficult for Member States to allow the re-use of data. The willingness of public bodies to make data available will not exactly increase.

Imposing conditions for a re-use that is legally not possible or hardly takes place in fact, is - to use one of the founding fathers of Dadaism Hugo Ball's words - anyway:

"A fool's game out of nothing."
4. Data Intermediaries

The second area in which the DGA sought to advance data use is that of data intermediaries. According to the new definition in Art. 2(2a), a data intermediary is a service that aims to establish commercial relationships for the purpose of data sharing data between an undetermined number of data subjects and data holders, on the one hand, and data users on the other hand.

Again, such intermediary services are, of course, already permissible today on the basis of the GDPR.

The DGA is now inventing further requirements. Anyone who wants to offer such a service must (!) submit a notification as a data intermediary (Art. 10(1)). Only after such notification may the data intermediary take up its activity (Art. 10(4)). In addition to the "Verbotsprinzip" (i.e. the precautionary principle) of the GDPR, there is thus a second prohibition that is only lifted by notification.

As a reminder: Art. 18 ff. Data Protection Directive 95/46 provided that automated processing operations had to be notified to the data protection supervisory authority before they were carried out. The GDPR describes the abolition of the notification requirement as a great step forward (cf. Rec. 89). It was celebrated as a paradigm shift by the EU Commission (cf. Communication 2018/43, p. 3):

"The Regulation moves away from a system of notification to the principle of accountability."

If a notification obligation is now introduced and the former notification obligation is thus revived, this does not only mean a bureaucratic and financial burden. Apparently, the lawmaker does not trust the GDPR alone to ensure the necessary user confidence.

What's more, the notification obligation is apparently also intended to apply to the intermediation of non-personal (!) data, because the definition of the term "data intermediation service" does not provide for any restriction to personal data. Whether the EU even has the legislative competence for such a far-reaching ban on the processing of non-personal data is highly questionable.

A data intermediary must fulfil 31 legal requirements (see orange tiles on the Dataprotection Landscape). The notification contains at least 11 information requirements. The requirements for the data intermediary include strict purpose limitation. All these obligations are in addition to 68 obligations under the GDPR.

Member States must establish another supervisory authority here. This in turn has 15 obligations (see pink tiles on the Dataprotection Landscape).

5. Data Altruism

In the case of data altruism, too, the DGA cannot itself come up with regulations that would facilitate the use of data. Instead, the responsibility is shifted to the member states here as well (Art. 14a (1)):

"Member States may have in place organisational and/or technical arrangements to facilitate data altruism. In support of this Member States may define national policies for data altruism."

Not only does the DGA not facilitate data access, it subjects the data altruistic organisation additional 20 obligations, whereby the documentation obligation comprises four aspects, the "annual activity report" eight information aspects and the additional information obligation four aspects. If one counts all duties individually, one arrives at 33 duties to register, inform, form, act, document, cooperate, notify and cease and desist.

These obligations are also in addition to the 68 obligations under the GDPR.

The effort for the Member States should also not be underestimated. They must establish an authority, keep a register and fulfil registration, monitoring, notification, publication and cooperation obligations. If one adds up these obligations, one also arrives here at the considerable number of 15 state/authority obligations.

Finally, the EU Commission also keeps a register, has to create a "common logo", the "European data altruism consent form" and a "rulebook". The latter in particular is astonishing. One would not have thought it possible that in addition to data protection impact assessments, codes of conduct, certifications, adequacy decisions, standard contractual clauses, binding corporate rules, processor and joint controller contracts, records of processing activities, there would still have been room for the invention of a "rulebook".

According to reports, the negotiators in Brussels had German collection laws in mind when considering data altruism. These laws regulate or govern donations of money or things (cf. for example the Thuringian Collection Act). Comparing data donations with donations in kind also has something of Dada about it. Interestingly, most of the collection laws in Germany have been repealed without replacement in recent years, with reference to a reduction in the administrative burden and the dismantling of official controls.

6. Conclusion

In this form, the DGA will achieve the opposite of what is desired, because it will make life more difficult for all those who want to or could promote the use of data. Member States will be restricted in their legislative options. Public sector bodies will not make their data available for re-use because of the DGA. Data intermediaries will not offer their services because of the DGA. Data altruistic organisations will not process data for public benefit because of the DGA.

The only hope is that the ideas of data sharing, data trusts and data donations will find more friends despite the DGA.

From the Dadaist manifesto of 1918:

"Dada is a club [...] which one can join without incurring liabilities."

The DGA is Dada.

 

Zurück