DGA: European data strategy for data intermediation services takes shape

Germany

Data intermediation services play a key role in the implementation of the European strategy for data. The DGA subjects these to regulation.

In addition to the Data Act, the Data Governance Act (DGA), which has been in force since 24 September 2023, is a key pillar of the European strategy for data, with which the EU Commission aims to establish a flourishing data economy in the European Union (EU). Data sharing for the common good and sustainability goals as well as to promote innovation and future technologies such as artificial intelligence (AI) are coming under greater focus from European legislators and being adopted alongside familiar instruments for protecting personal data.

In a previous article, we provided an initial overview of the principles and aims of the DGA. The conditions for re-use of data held by public sector bodies under the DGA have also already been discussed. 

In this article, we will explain the new rules for data intermediation services established by the DGA. 

Data intermediation services are expected to play a "key role in the data economy"

According to legislators, data intermediation services will play a "key role in the data economy" (recital 27 DGA): The services are supposed to allow companies to voluntarily use each other's data and facilitate sharing large volumes of data in compliance with European law. Chapter III DGA subjects data intermediation services to regulation and is intended to create part of the legal framework for the planned European data spaces (recitals 2, 27 DGA).

Who is the target audience? – The term "data intermediation service" according to the DGA

Data intermediation services are intermediaries that provide infrastructure for sharing data between market participants. Only those services that are aimed at an open user group and establish business relationships between data holders or data subjects and "data users" are regulated. While the term "data subject" is congruent with the same term in the EU General Data Protection Regulation (GDPR), "data holder" is defined as an original term in the DGA. The "data holder" is defined in Article 2 (8) DGA as "a legal person, including public sector bodies and international organisations, or a natural person who is not a data subject with respect to the specific data in question, which, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal data or non-personal data".

A data holder within the meaning of Article 2 (8) DGA is therefore someone who (without being the data subject) is authorised to decide whether third parties have access to data (including personal data). Data holders and data subjects are therefore the persons who offer "their" data to third parties using the data intermediation service. Data users, by contrast, are persons who are lawfully granted access to the data of data holders or data subjects via the data intermediation service (Article 2 (9) DGA). Regulation of data intermediation services is not associated with the type of data to which access is provided. Data intermediation services for both personal and non-personal data are subject to the DGA.

As a rule, there are likely to be commercial reasons for mediating access, for example if a company wishes to license data via a data marketplace for re-use in return for payment. However, services where data are shared free of charge are also regulated. The DGA lists services that support data subjects in exercising their rights under the GDPR as a special category of regulated data intermediation services (Article 10 (b) DGA; recital 30 DGA). These services, which are intended in particular to support data subjects in asserting their rights, are also covered by the DGA. Regulation of the latter services is intended to safeguard the data protection interests of the data subjects. The aim is to ensure that providers' business models do not create false incentives to share further personal data (recital 30 DGA). 

Services that act as intermediaries for copyrighted content (Article 2 (11) (b) DGA) or that are aimed at a closed group of IoT users (Article 2 (11) (c) second half-sentence DGA), as well as those that are offered by public sector bodies with no intention of establishing business relationships (Article 2 (11) (d) DGA) are not classified as data intermediation services. The DGA also does not apply pursuant to Article 2 (11) (c) DGA if the purpose of the service is only to allow the data holder to use "their" own data. According to Article 15 DGA, organisations associated with data altruism as it is defined in Article 2 (16) DGA are also not intended to be targets of the rules concerning data intermediation services (see recital 29 DGA).

Obligation to notify the authorities to increase trust in re-use of data

Providers of data intermediation services must go through a notification procedure in accordance with Article 11 (1), (3) DGA before commencing their activities. The activity is only authorised once the authorities have been notified and is thereafter subject to ex-post supervision by the supervisory authority. Providers of data intermediation services can be viewed by the public in a register after notification. Certain mandatory information must be provided with the notification, which is for the most part limited to a few formal elements, such as the legal form of the provider and the name of a contact person. A brief description of the service must also be submitted. The purpose of the official notification procedure is to increase trust in the data intermediation services (see recital 38 DGA). According to Article 11 (3) DGA, the data intermediation service does not have to be based in the EU in order to notify, provided that it designates a legal representative in one of the EU Member States in which it offers its services. The marketplace principle applies to service providers outside the EU: they are subject to the DGA if they offer their services in the Union (see Article 11 (3) DGA).

The DGA establishes extensive material obligations for data intermediation services

Data intermediation services are subject to the obligations set out in Article 12 DGA. The article, entitled "Conditions for providing data intermediation services", contains a wide array of duties of conduct for data intermediation services, which are therefore within a regulated scope. The business model is predetermined and limited by the technical and legal requirements set out in Article 12 DGA. 

Acting as just a data trust is permitted

The data intermediation service may act in a purely fiduciary capacity with regard to the data. The processed data is subject to strict purpose limitation. The provider of the data intermediation service may only use the data to "put them at the disposal of data users" in accordance with Article 12 (a) DGA. Using the data to pursue other business purposes that go beyond simply providing data to data users is prohibited.

The benefit of the service to third parties is also emphasised by the fact that the data intermediation service must act "in the data subjects' best interests" in accordance with Article 12 (m) DGA. This obligation applies to data intermediation services offered to data subjects to allow them to exercise their rights under the GDPR. 

The data generated through the use of the service play a dual role. The metadata (e.g. date, time and geolocation data) may be used by the data intermediation service in accordance with Article 12 (c) DGA, but only to develop or safeguard the service. Any use of this data beyond this purpose is prohibited. The permitted use of the metadata is therefore in the provider's own interest as well as in the interest of third-party users, which benefit from the service being protected and improved (recital 33 DGA). To avoid conflicts of interest, the services must be provided via a separate legal entity. It is not possible to offer the service in addition to another offer, e.g. as an add-on to a cloud service (Article 12 (a) DGA, recital 33 DGA).

Prohibitions on discrimination top off the trust-building measures

Prices, conditions and the procedure for access to the services must be fair, transparent and non-discriminatory (Article 12 (f) DGA). Furthermore, the data intermediation service must not make the pricing dependent on a user using other services provided by the data intermediation service or affiliated companies (Article 12 (b) DGA). Transactions that lead to unequal treatment between new and existing customers are therefore also prohibited, as are tie-in transactions in which a customer receives more favourable conditions by using multiple services. The fact that the data intermediation service is also subject to a transparency requirement for its prices and conditions is intended to promote competition and reduce information asymmetries.

Interoperability to increase fairness and avoid lock-in effects

To avoid lock-in effects, providers of data intermediation services must take appropriate measures to ensure interoperability with other data intermediation services (Article 12 (i) DGA). Furthermore, the service provider is not permitted to convert the data into the provider's own proprietary format. In addition to these rules, which are clearly intended to reduce the costs for data users when switching between data intermediation services, the DGA also aims to increase interoperable sharing of data between data holders and users. 

In any case, the service provider must enable data sharing in the original format in which the data were provided by the data holder. However, the service provider may also convert the data into standardised formats without the consent of the data holder if this is conducive to establishing interoperability within or between several industry sectors. This results from Article 12 (d) DGA, which also indicates that data may be converted provided that this is requested by the data holder, is required by law or serves to harmonise the data with European data standards. However, the authorisation to convert data that are in the public or market interest in order to achieve interoperability is limited by an opt-out option for the data holder. The data holder is therefore not required to establish interoperability. They can also use the services for data that they only provide in a proprietary format and they can object to conversion into standardised formats. 

Finally, the DGA contains further rules that are also aimed at improving the marketability of data rather than their technical interoperability. For example, the service provider should be able to offer "tools and services" to facilitate sharing data – e.g. functionalities for anonymising or pseudonymising data (Article 12 (e) DGA). Minimum standards for providing services are not specified. Liability is to be governed by national law and the contracts concluded with the service providers (recital 33 DGA).

Appropriate technical and organisational safeguards against data incidents

Providers of data intermediation services must take appropriate technical and organisational measures to prevent transfer of or access to non-personal data that is unauthorised under Union or Member State law (Article 12 (j) DGA). The DGA therefore introduces obligations that are closely modelled on the GDPR but are expressly intended to protect only non-personal data. The duty to protect non-personal data comes with a duty to inform, also inspired by the GDPR: In the event of unauthorised transfer of, access to or use of non-personal data, the data intermediation service must inform the data holder without undue delay in accordance with Article 12 (k) DGA. 

These new obligations, which only concern non-personal data, apply in addition to the obligations from the GDPR that we are all familiar with. This follows from Article 1 (3) DGA, according to which the GDPR remains unaffected. However, the obligation to take precautions against the unlawful disclosure of data appears to go beyond that of the GDPR. This is because the data intermediation service is likely to be required to monitor the data transactions of its users and take measures to prevent legal violations. With regard to personal data, the data intermediation service in its position as the processor is under no such obligation, since whether the processing is lawful is a matter for the data controller. 

Rights of data intermediation services: Title and common logo

If a data intermediation service fulfils the requirements of the DGA, in particular the obligations under Article 12 DGA, this can be confirmed by the competent authority upon request, allowing the service subsequently to use the title "data intermediation services provider recognised in the Union" in accordance with Article 11 (9) DGA and a common logo for data intermediation services adopted by the EU Commission (see recitals 3, 43 DGA). 

Oversight and sanctions for violations: "Dissuasive financial penalties" possible

In addition to the notification procedure pursuant to Article 14 (1) sentence 1 DGA, the respective national authority is also responsible for monitoring the data intermediation services and must be legally separate and functionally independent from them pursuant to Article 26 (1) sentence 1 DGA. In the event of non-compliance with the requirements of the DGA, the competent authority can demand the cessation of the infringement, impose "dissuasive financial penalties" and order the suspension or termination of the service (Article 14 (4) DGA).

Will the DGA create a flourishing data economy?

Whether the DGA together with the Data Act will produce a flourishing data economy in the EU will depend not just on whether data holders are willing to share data. Another decisive factor will be whether there is a sufficient supply of easy-to-use and trustworthy intermediaries to broker data transactions. The market will decide whether it is sufficiently attractive for companies to start operating as data intermediation services. The DGA subjects these intermediaries to further considerable regulation, which legislators argue will build trust but could also lead to high compliance costs. As the intermediaries' business model is also subject to strict purpose limitation, the scope for economic development appears to be limited. If companies fail to establish profitable data intermediary business models, large parts of the DGA could remain irrelevant. 


For more information on the Data Act contact your CMS client partner or these CMS experts:
Philippe Heinzke, Julia Dreyer, Björn Herbers, Michael Kraus, Tom De Cordier, Italo de Feo, María González Gordon, Johannes Juranek, Ian Stevens.