The DGA is expected to spur on data altruism

Germany

Voluntary data donations are intended to make data widely usable. The DGA wants to build trust in data altruism organisations.

The range of applications in which the use of data and information is playing an ever-increasing role is extremely broad: From the healthcare sector to the automotive industry, data can yield considerable benefits to any company or research institution. In addition, artificial intelligence (AI) requires large amounts of data to be analysed in order to be useful. However, data can only be used to benefit the general public if they have been collected and made available to use. The Data Governance Act (DGA), which has been in force since 24 September 2023, therefore sets out regulatory approaches to promote the donation of data and voluntary data sharing, part of the practice of data altruism, which is the subject of this blog post. 

Chapter IV DGA is aimed at organisations that operate on the basis of data altruism. The regulations in Chapter IV DGA on data altruism are intended to encourage companies and private individuals to share data voluntarily to benefit research, innovation and the economy. Article 16 (1) DGA allows Member States to establish national strategies and organisational and/or technical provisions to facilitate data altruism. But what exactly is data altruism?

The term "data altruism"

The DGA defines data altruism in Article 2 (16) as the "voluntary sharing of data on the basis of the consent of data subjects to process personal data pertaining to them, or permissions of data holders to allow the use of their non-personal data" for objectives of general interest. Article 2 (16) DGA lists objectives of general interest as including healthcare, combating climate change and improving mobility, official statistics, public services, government decision-making and scientific research in the public interest. According to the definition, the data are also free to use beyond compensation for the costs incurred by providing the data. Institutions can receive recognition as data altruism organisations in accordance with Articles 18 ff. DGA. 

In its strategy paper "Driving Progress with Data", published in August 2023, the German government also announced its intention to support data altruism, which it defines as the active contribution of individuals or institutions to improving data availability.

Recognition as a data altruism organisation brings rights and obligations with it

In addition to carrying out data altruism activities in the appropriate legal form, recognition as a data altruism organisation requires non-profit activities and the functional separation of data altruism from all other structures (Article 18 (a) to (d) DGA) to avoid conflicts of interest. In addition, pursuant to Article 18 (e) DGA, the organisations must comply with a rulebook as defined in Article 22 DGA. This is to be issued by the EU Commission and its effect will be to ensure effective and informed consent, its revocation, IT security and interoperability as well as to prevent the misuse of data. This is intended to strengthen trust in data altruism and technical mechanisms for promoting data sharing. 

Recognised data altruism organisations that meet the requirements set out in Article 18 DGA are to be kept in a regularly updated public national register as defined in Articles 17, 19 DGA and monitored by the competent authority, which is legally separate from and functionally independent of the organisation and may impose sanctions, in accordance with Articles 23 f., 26 (1) sentence 1 DGA. A common logo, similar to the one for data intermediation services is also established for recognised data altruism organisations so that they can be identified and easily recognised (Article 17 (2) sentence 2 DGA). In accordance with Article 17 (2) sentence 3 DGA, the organisations should display this logo so that it is clearly visible on every online and offline publication related to their data altruism activity. A QR code must direct readers to the public register mentioned above (Article 17 (2) sentence 4 DGA).

The DGA sets out the duties of recognised data altruism organisations to build trust

The obligations imposed on recognised data altruism organisations are intended to prevent conflicts of interest and to strengthen trust in data sharing and thus people's willingness to donate data. Trust-building transparency provisions apply to these organisations, which are required to keep records of the data collected and processed, the purpose and time of processing and the persons who have access to the data, as well as to submit an annual activity report, among other duties (Article 20 (1), (2) DGA). With regard to some of the points mentioned, Article 21 (1) DGA imposes obligations on the organisations to inform data subjects or data holders, while Article 21 (2) DGA subjects the organisations to strict purpose limitation when using data. 

Consent within the meaning of the European General Data Protection Regulation (GDPR) must be obtained before using personal data, while permission is sufficient for non-personal data. Like data intermediation services, Article 21 (4) DGA also requires data altruism organisations to ensure an appropriate level of security for the storage and processing of non-personal data. Article 21 (3) DGA is intended to contribute to increasing people's willingness to share data by imposing an obligation on organisations to provide tools for obtaining the consent of data subjects or permission to process the data provided by the data holders; they must also make it possible to simply revoke consent or permission once it has been given (see recital 52 DGA).

In accordance with Article 25 DGA, the Commission will provide a uniform and modular form to allow data altruism organisations to obtain consent or permission. This form can be used digitally or in print for various sectors and purposes in accordance with the GDPR (see recital 52 DGA).

Data altruism organisations are faced with sanctions if they fail to comply with the requirements of the DGA

If an organisation violates the requirements imposed on it by the DGA, the competent authority may, in accordance with Article 23 (3), (4) DGA, demand a statement from the organisation within 30 days and the cessation of the violation without undue delay or set a reasonable deadline for this; in addition, the authority may take proportionate measures to ensure compliance. In the event of persistent non-compliance, a decision by the authority will be announced publicly in which the organisation loses the right to use the official title "data altruism organisation recognised in the Union" mentioned above and is removed from the public national registers and the Union register (Article 24 (5) DGA).

Will the DGA succeed in creating a European data economy through data holders voluntarily making their data available?

The aim of the DGA is to promote the European data economy through widely available data and trust that the data is shared fairly. Building trust is a recurring element in areas of the DGA's application and comes in various forms: The transparency, notification and behavioural obligations, together with control and fine provisions, are measures intended to ensure security and reliability when sharing data. The aim is to overcome technical obstacles to the general re-use of data and to increase acceptance of providing personal data among the general population and economy. This goal puts the DGA at odds with legal concepts that are established to restrict how data are handled. Although the DGA mentions some means that are obviously aimed at balancing these conflicting objectives – such as confidentiality and anonymisation obligations – it is often not easy in practice to implement them.

On our website CMS Law-Now, we have already written about the conditions for the re-use of data held by public sector bodies and for data intermediation services under the DGA. Please also visit our CMS Insight page "Data Law" for more information about data law. 

For more information on the Data Act contact your CMS client partner or these CMS experts:
Philippe Heinzke, Julia Dreyer, Björn Herbers, Michael Kraus, Tom De Cordier, Italo de Feo, María González Gordon, Johannes Juranek, Ian Stevens.