Key considerations for the EU Data Governance Act
In this week’s issue of In Perspective, Samad Miah, Data Protection Consultant at Xcina Consulting, looks at the key takeaways from the EU’s proposed Data Governance Act and what it might mean for data protection practitioners. The French Data Protection Authority reaches a decision relating to Google Analytics and new draft guidance issued by the Information Commissioner’s Office in the UK relating to pseudonymisation.
Learn the details of these and other key emerging themes as events unfold. Follow our round-up of latest stories and find out what the latest developments mean for you. Our weekly review below helps you decide.
Key things to consider in the European Union’s new Data Governance Act
What happened
- In March 2022, the EU Data Governance Act will be finalised with the intention for it to come into force in summer 2023.
- The Data Governance Act applies to data in general, not just data relating to and identifying individuals (i.e. personal data).
- Therefore it covers any digital representation of acts, facts or information.
- The EU Data Governance Act is the first of the EU’s planned new initiatives on data with proposals currently being drafted or deliberated relating to Digital Services and Artificial Intelligence.
Why it matters
- The Act encourages great re-use of public sector data by utilising secure data environments and anonymisation techniques.
- The Act established a licensing regime for ‘data intermediaries’. These are organisations that set up commercial arrangements between data holders and data users but do not add extra value to the data themselves. Data intermediaries will (e.g. consent management platforms) will have to meet certain license conditions to ensure their independence such restricting the re-use of data and metadata.
- Additionally, the new Act promotes the access and use of data for scientific research.
- Lastly, the Act sets a number of restrictions to transfers of non-personal data to third countries.
French data protection regulator issues decision on the use of Google Analytics
What happened
- Following the a number of complaints filed by the non-profit organisation ‘NOYB’ the French Data Protection Regulator (the CNIL) has indicated that the transfer of personal data to the USA through Google Analytics is illegal.
- This follows several similar decisions and statements issued by the Austrian, Dutch and Danish data protection regulators as well as the European Data Protection Supervisor.
Why it matters
- Since the invalidity of the Privacy Shield, and in the absence of an adequacy decision, transfers to the USA are not sufficiently regulated and do not offer a sufficient level of protection.
- Google Analytics uses a unique identifier attributed to website visitors, which is considered personal data (and not anonymous).
- Even though Google may have adopted additional measures to secure the transfer of their personal data to the USA, the CNIL has stated that these would not be sufficient to prevent access to this data by American intelligence services.
ICO publishes draft guidance on pseudonymisation
What happened
- The data protection regulator (the ICO) in the UK has published new guidance on pseudonymisation.
- This guidance form part of a larger consultation that the ICO has initiated covering anonymisation and privacy-enhancing technologies.
Why it matters
- The new guidance covers topics such as the definition of pseudonymisation, what it means in practice and its benefits.
- The guidance states that the status of data can change depending on who holds it. For example, pseudonymous data which you can still identify using a key or other separate identifiers might no longer be identifiable in the hands of a different organisation who does not have access to that key.