Data Strategy Briefing — EDPB and EDPS joint opinion on the Data Governance Act

On 10 February 2021 the EDPB and EDPS issued a joint opinion on the EU Data Governance Act, demanding stronger safeguards for data intermediaries, clearer roles for public-sector data reuse, and privacy-by-design requirements that reshape how EU data spaces operate.

Executive summary. The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) adopted a joint opinion on the proposed Data Governance Act (DGA) on 10 February 2021, urging legislators to tighten neutrality rules for data-sharing intermediaries, add explicit GDPR safeguards to public-sector data reuse, and ensure data altruism schemes operate with informed consent and accountability.[1] The opinion reframes how future European data spaces and data cooperatives will be supervised, signaling operational requirements for any organization that wants to broker industrial or public data.

What changed

Neutrality and conflict-of-interest controls for intermediaries

The watchdogs warned that data-sharing intermediaries must be structurally separated from entities that re-use data to avoid conflicts of interest. They recommended bans on combining brokerage with advertising or profiling and pushed for mandatory auditability of access logs. That guidance affects cloud marketplaces, industry data trusts, and API gateways that plan to register under the DGA’s Chapter III regime.

Public-sector data reuse safeguards

The opinion calls for GDPR-aligned bases and technical controls when public bodies permit reuse of protected datasets. It highlights pseudonymization, purpose limitation, and confidentiality obligations for data processors handling government-held health, mobility, or financial data. Member State authorities will need standardized contract terms and security baselines before granting reuse permissions.

Data altruism expectations

For data altruism organizations, the EDPB and EDPS sought transparent consent collection, clarity on withdrawal rights, and governance that prevents mission drift. They also flagged cross-border transfers, recommending that data donated for scientific research or public-interest projects stay subject to GDPR safeguards even when processed by accredited third parties.

Implications for data leaders

Compliance architecture for data spaces

Companies contributing data to EU sector data spaces will need to demonstrate separation between data brokerage and analytics arms, implement tamper-evident access logs, and document DPIAs that cover reuse scenarios. Procurement teams sourcing third-party data services must check whether vendors are prepared for DGA registration and supervisory audits.

Contracting and consent updates

The opinion foreshadows standard contractual clauses for public-sector reuse and data altruism. Legal teams should map which datasets fall under Chapter II reuse rules, pre-build consent artifacts that withstand withdrawal, and allocate security responsibilities between controllers and processors handling donated or public data.

Cross-border transfer governance

Because the opinion stresses GDPR applicability throughout reuse chains, organizations must align DGA participation with existing transfer tools (SCCs or BCRs) and monitor adequacy assessments when data altruism projects include non-EU processors.

Next steps

Track trilogue outcomes

Enterprise data offices should monitor how Parliament and Council incorporate the opinion during trilogues—especially around supervisory roles, sanctions, and certification for intermediaries. Expect binding codes of conduct to follow once the DGA text is finalized.

Prepare evidence for registration

Data intermediaries should begin assembling neutrality evidence (organizational charts, logging controls, security certifications) ahead of the formal registration schemes. Public-sector custodians can pilot standardized reuse contracts with pseudonymization requirements and breach-notification SLAs.

Coordinate with privacy teams

Privacy officers should align DGA readiness with GDPR accountability: updating records of processing, conducting DPIAs on data reuse, and validating that data altruism consents map to specific research or public-interest purposes.
