EDPB and EDPS joint opinion on the Data Governance Act
On 10 February 2021 the EDPB and EDPS issued a joint opinion on the EU Data Governance Act, demanding stronger safeguards for data intermediaries, clearer roles for public-sector data reuse, and privacy-by-design requirements that reshape how EU data spaces operate.
Reviewed for accuracy by Kodi C.
Executive summary. The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopted a joint opinion on the proposed Data Governance Act (DGA) on 10 February 2021, urging legislators to tighten neutrality rules for data-sharing intermediaries, add explicit GDPR safeguards to public-sector data reuse, and ensure data altruism schemes operate with informed consent and accountability. The opinion reframes how future European data spaces and data cooperatives will be supervised, signaling operational requirements for any organization that wants to broker industrial or public data.
Key changes
Neutrality and conflict-of-interest controls for intermediaries
The watchdogs warned that data-sharing intermediaries must be structurally separated from entities that re-use data to avoid conflicts of interest. They recommended bans on combining brokerage with advertising or profiling and pushed for mandatory auditability of access logs. That guidance affects cloud marketplaces, industry data trusts, and API gateways that plan to register under the DGA’s Chapter III regime.
Public-sector data reuse safeguards
The opinion calls for GDPR-aligned bases and technical controls when public bodies permit reuse of protected datasets. It highlights pseudonymization, purpose limitation, and confidentiality obligations for data processors handling government-held health, mobility, or financial data. Member State authorities will need standardized contract terms and security baselines before granting reuse permissions.
Data altruism expectations
For data altruism organizations, the EDPB and EDPS sought transparent consent collection, clarity on withdrawal rights, and governance that prevents mission drift. They also flagged cross-border transfers, recommending that data donated for scientific research or public-interest projects stay subject to GDPR safeguards even when processed by accredited third parties.
Implications for data leaders
Compliance architecture for data spaces
Companies contributing data to EU sector data spaces will need to show separation between data brokerage and analytics arms, implement tamper-evident access logs, and document DPIAs that cover reuse scenarios. Procurement teams sourcing third-party data services must check whether vendors are prepared for DGA registration and supervisory audits.
Contracting and consent updates
The opinion foreshadows standard contractual clauses for public-sector reuse and data altruism. Legal teams should map which datasets fall under Chapter II reuse rules, pre-build consent artifacts that withstand withdrawal, and allocate security responsibilities between controllers and processors handling donated or public data.
Cross-border transfer governance
Because the opinion stresses GDPR applicability throughout reuse chains, organizations must align DGA participation with existing transfer tools (SCCs or BCRs) and monitor adequacy assessments when data altruism projects include non-EU processors.
Immediate next steps
Track trilogue outcomes
Enterprise data offices should monitor how Parliament and Council incorporate the opinion during trilogues—especially around supervisory roles, sanctions, and certification for intermediaries. Expect binding codes of conduct to follow once the DGA text is finalized.
Prepare evidence for registration
Data intermediaries should begin assembling neutrality evidence (organizational charts, logging controls, security certifications) ahead of the formal registration schemes. Public-sector custodians can pilot standardized reuse contracts with pseudonymization requirements and breach-notification SLAs.
Coordinate with privacy teams
Privacy officers should align DGA readiness with GDPR accountability: updating records of processing, conducting DPIAs on data reuse, and validating that data altruism consents map to specific research or public-interest purposes.