Data Governance Act: data intermediation services provider, a new player involved in personal data processing?
The European Union (“EU”) is forging ahead with the construction of its internal data market. The EU's aim is to build a true data economy by opening up the production and use of data, particularly within sectoral areas (health, agriculture, energy, etc.), in order to obtain economic spin-offs, which, according to some conjectures, amount to several points of the EU's gross domestic product.
Two legislative pillars have thus been designed by the EU to achieve such objectives. The Data Act, adopted on December 13, 2023 and will apply from September 12, 2025, aims at opening up the use of industrial data and foster the European cloud market. The Data Governance Act (also known by its acronym “DGA”), adopted on May 30, 2022 and applicable since September 24, 2023, aims at allowing access to an ever-increasing amount of data, and strengthening control over data.
This second text creates a new role in the European data economy, the data intermediation services provider, which services are strictly regulated. Among these data intermediation services, the Personal Information Management Service (“PIMS”), is, according to a report by the European Commission's Joint Research Center in 2023, aiming at providing people with tools to control the use of their personal data.
While one of the DGA's main requirements for future data intermediation services is that they should be totally neutral with regard to the services they operate, the DGA is making a departure from this obligation with regard to PIMS.
Indeed, PIMS providers have a particular obligation to act in the best interests of such data subjects when facilitating the exercise of their rights. The DGA requires these providers to inform and, where appropriate, advise data subjects in a concise, transparent, comprehensible and easily accessible manner on the intended uses of data by data users and on the standard terms and conditions attached to such uses, before data subjects give their consent (see article 12, m) of the DGA).
This transparency requirement could duplicate that provided for in the GDPR. Indeed, the data controller (i.e., the reuser of personal data made available via the PIMS) will, in any event, have to comply with the provisions of the GDPR for the data processing it implements and, thus, inform data subjects of the data processing carried out, in accordance with the principles of transparency enshrined in Articles 13 and 14 of the GDPR. The latter article, applicable in particular where personal data has not been obtained from the data subject (which may be the case when personal data is subsequently reused via an intermediation service) obliges the controller to provide the required information to data subjects within a certain period, unless “the data subject already has this information”.
Should data controllers therefore understand, when re-using personal data via the services provided by data intermediation services provider, that they will not themselves have to inform the data subjects of the data processing they will be carrying out, if this information has already been provided by the data intermediation services provider?
This question, and others raised by the DGA with regard to this new personal data intermediation service, will need to be resolved before we can fully appreciate the role this new player will play in personal data processing.
Article provided by INPLP members: Charlotte Barraco-David and Marie-Hélène Tonnellier (OYAT, France)
Co-Author: Clyde Coutellier
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)