In September 2023, the Data Governance Act (DGA) took effect in the European Union. Part of the DGA is the commercial re-use of protected public sector information. Together with the Data Act (DA), the DGA is intended to increase the EU's data economy and strengthen digital sovereignty. The idea is that the gold mine of protected and previously unused government data, containing personal or business-sensitive information, can still be mined commercially under conditions. Where does this stand a year and a half later? In this article, I take a closer look at this, because in practice it turns out not to be so simple and rosy after all.
For example, it appears that commercial reuse of government data under the DGA is not possible at all in the Netherlands. Reuse under the DGA thus provides us with nothing economically, while the European Commission and Dutch government have a lot of work to do on implementation. As a result, the DGA overshoots its goal: increasing the data economy. In addition, the question of the desirability of reusing this sensitive data also arises. After all, the consequences of commercially reusing this data could be significant.
In the Netherlands, commercial reuse of government information is possible through the Open Government Act (Woo) in conjunction with the Government Information Reuse Act (Who). Disclosure and reuse is only not allowed if it involves sensitive data, such as personal data or business sensitive information.[1]
To promote commercial reuse of this data anyway, the DGA was created. This regulation only brings little change in practice. The DGA creates no obligation for member states to allow reuse of sensitive public sector information.[2] The regulation does provide conditions on how certain public sector information can still be reused.[3]3] , if there is a basis for it in national legislation. In the Netherlands we therefore fall back on our own foundations, and not much is possible there.
A number of bases for reuse of government information can currently be found. A non-exhaustive list:
Article 5.7 of the Open Government Act;
Article 41 of the Central Statistical Office Act;
Article 3.13 of the Law on Basic Registration of Persons;
Article 22 of the Police Data Act;
Article 7:458 of the Civil Code;
Article 15 of the Judicial and Criminal Records Act.
Those who read these articles carefully will see that re-use on these grounds is allowed only for the purpose of historical, statistical, scientific or journalistic research. A commercial ground for reuse is thus missing. Whoever thinks that a ground must still be found somewhere is wrong. In its answers to questions from Dutch Members of Parliament during the discussion of the Data Governance Regulation Implementation Act, the government confirmed that there are no bases in the Netherlands for commercial re-use as referred to in this regulation. Nor is such a basis currently foreseen.[4]
One solution could be that a basis for commercial re-use is nevertheless created in the Netherlands. For example, article 5.7 of the Woo could provide the possibility for an administrative body to allow commercial reuse in addition to historical, statistical, scientific and journalistic research.
Then again, it is often not possible to simply reuse personal data commercially. The AVG and the purpose limitation principle remain unaffected and prevail even in case of conflict with the AVG.[5] This means that for every application, government agencies must weigh up for which specific, explicitly circumscribed and justified purposes the data have been collected, and whether they will not be further processed in a manner incompatible with those purposes at the reuser's premises. The Autoriteit Persoonsgegevens (AP) has previously been critical of this, because incompatibility soon arises.[6] Indeed, commercial reuse goes a good deal further than the purpose for which the data were collected by the government.
One might also question the desirability of companies developing new products through the reuse of your personal data with the government. Such as a commercial company being able to develop new products using anonymized police data. Should this be made possible at all? And is it then also desirable for this company to be able to patent the product developed using this sensitive data? In addition, it is to be hoped that the party that starts working with the sensitive data will handle it properly.
However, there is a prohibition on re-identifying data subjects from the anonymized or pseudonymized datasets.[7] But despite this prohibition, re-identification is guaranteed to become more common as commercial reuse is enabled. The AP warned back in 2022 that because of new technologies and more available data, it will become increasingly easy to re-identify individuals in the future.[8] Should re-identification occur, the re-user should inform the governing body. Therefore, the administrative body is subject to the notification obligations in Articles 33 and 34 of the AVG. When it comes to non-personal data, the re-user informs the legal person to whom the data refers.[9] Only then the harm has already been done.
Fortunately, for the time being there will be no basis for commercial re-use in the Netherlands and it remains difficult to comply with the principle of purpose limitation. Only now a situation has arisen in which a European regulation applies in the Netherlands, the chapter on reuse of public sector information does not apply. However, costs have been incurred in creating and implementing this regulation. Moreover, the Netherlands must establish a mandatory central information point for data under management by administrative bodies.[10]
The cost to a member state was budgeted by the European Commission at a one-time €10.6 million and then €600,000 annually for maintenance.[11] According to the Dutch government, it will be less in the Netherlands because it will be linked to the existing information point data.overheid.nl.[12] On top of that there will be the costs incurred by CBS for technical assistance and the costs of the relevant administrative body. These costs may be recovered from the applicant, but bodies may choose to drop these costs for scientific purposes, SMEs and startups.[13]
In summary, in the area of re-use, the DGA can do a lot to increase our data economy, but the added value in the Netherlands remains limited. In the area of open government information, a lot is already possible under the Woo and Who regimes. The DGA complements and regulates conditions by which sensitive government information can still be reused. The Netherlands currently lacks only the crucial basis for commercial re-use. It is limited to persons with a special research function, such as scientists and journalists. The preparatory acts for commercial reuse are ready, but the gold mine cannot yet be mined.
The goal of increasing the European data economy is not being met. Of course, the Netherlands is not the only EU country, but the question is whether other countries offer a basis for commercial reuse of sensitive government information. That no such basis exists in the Netherlands and is not forthcoming for the time being is also not surprising given the major implications for privacy. What remains of the DGA? A paper tiger.
[1] Article 5.1(1) Woo.
[2] Article 1(2) and recital 11 DGA.
[3] Article 5 DGA.
[4] Questions by GroenLinks-PvdA. Parliamentary Papers II 2023/24, 36451, no. 6, p. 2 (NV II).
[5] Article 1(3) DGA; recital 4 DGA.
[6] Opinion on the draft bill implementing Open Data Directive (AP Opinion No. z2022-00356 of June 28, 2022 to the Minister of the Interior and Kingdom Relations), The Hague: AP 2022, pp. 3-4.
[7] Article 5(5) DGA; recital 8 DGA.
[8] Opinion on the draft bill implementing Open Data Directive (AP Opinion No. z2022-00356 of June 28, 2022 to the Minister of the Interior and Kingdom Relations), The Hague: AP 2022, p. 5.
[9] J.B.A. Gerritsen, "The Data Governance Act," pp. 54-55.
[10] Article 8 DGA.
[11] Commission Staff Working Document, "Impact Assessment Report," SWD(2020)295 final, para. 8.
[12] Rijksoverheid.nl, "Fiche 2 Regulation Data Governance Act," November 25, 2020, accessed at:rijksoverheid
[13] Article 6 DGA.
