Data Governance Act is almost here: Spanish update for data intermediation services

A bit of context

The DGA (available here) is a new regulation of the European Union that has two main objectives:

• Support the set-up and development of common European data spaces in strategic domains, involving both private and public players. Data intermediation services are key for this objective.
• Provide tools for Public Administrations to offer data for reuse when data is protected under trade secrets, privacy and intellectual property laws.

The DGA entered into force on 23 June 2022 and will be applicable from 24 September 2023.

What are Data Intermediation Services

Data intermediation service providers are new players under the DGA. These providers are the entities in charge of providing the environment and infrastructure for data holders to share data with data users.

Examples of data intermediation services include data marketplaces on which undertakings could make data available to others, providers of data sharing ecosystems that are open to all interested parties, for instance in the context of common European data spaces, as well as data pools established jointly by several entities with the intention to license the use of such data pools to all interested parties. On the other hand, the provision of cloud storage, analytics, data sharing software, web browsers, browser plug-ins or email services should not be considered to be data intermediation services under the DGA.

Conditions for Data Intermediation Services

Data intermediation service providers have a very strict regime and their activity is subject to prior notification to the competent authority in the EU. Spanish Government is already working on the authorization process. Note that entities that were providing intermediation services on 23 June 2022 have a longer period for certification (24 September 2025).

Data intermediation services must be neutral and treat the companies using their services in a fair and transparent manner and ensuring that prices are not discriminatory.

Data intermediation services shall be free from conflict of interest and not use the data for their own purposes. The general rule is that the data should not be enriched or modified by the intermediation service provider. It should be offered as provided by the data holders, with some adaptation of the format to harmonization standards or improved interoperability allowed.

There must be a structural separation between the data intermediation service and any other services provided (i.e. they must be legally separated). In addition, they cannot monetise data. Any data and metadata acquired can be used only to improve the data intermediation service

The EU Commission recently adopted the common logos to identify data intermediation service providers (available here).

Spanish Preparation for the DGA and sanctions

Spanish Government has designated the Ministry of Economic Affairs and Digital Transformation as the competent authority for data intermediation services. The notification procedure will be shortly available here. Note that data intermediation services only need to notify their activity to one EU authority, so this “one stop shop” mechanism can be very interesting.

Finally, the Spanish legislator has included a sanctioning regime in the Information Society and E-commerce Act, which includes fines up to EUR 150,000.

Next Steps

• Check that you meet all applicable DGA requirements.
• Find out about the local enforcement of the DGA in your country (e.g. authorities in charge of enforcing the sanctioning regime).

Be prepared for imminent DGA enforcement.

Authored by Gonzalo F. Gállego, Juan Ramón Robles, and Julia Sáenz.