In September 2023, the Data Governance Act (DGA) took effect in the European Union. Part of the DGA is the commercial re-use of protected government information. Together with the Data Act, the DGA is intended to increase the EU's data economy and strengthen digital sovereignty. In the DGA Dossier series, I examine exactly how this regulation works, what we stand to gain from it and what it means for the European data economy.
Part of the DGA is Chapter II on the commercial reuse of protected government information. The intention is that the gold mine of protected and previously unused government data, containing personal or business-sensitive information, can still be mined commercially under conditions. Where does this stand a year and a half later? In this article I take a closer look at Chapter II, because in practice it turns out that things are not so simple and rosy after all.
For example, it appears that commercial reuse of government data under the DGA is not possible at all in the Netherlands. Reuse under the DGA thus provides us with nothing economically, while the European Commission and Dutch government have a lot of work to do on implementation. As a result, the DGA overshoots its goal: increasing the data economy. In addition, the question of the desirability of reusing this sensitive data also arises. After all, the consequences of commercially reusing this data could be significant.
In the Netherlands, commercial reuse of government information is possible through the Open Government Act (Woo) in conjunction with the Government Information Reuse Act (Who). Disclosure and reuse is only not allowed if it involves sensitive data, such as personal data or business sensitive information."[1]
To promote commercial reuse of this data anyway, the DGA was created. In practice, however, this regulation brings little change. The DGA does not create an obligation for member states to allow re-use of sensitive public sector information,[2] but it does provide conditions on how certain public sector information can be re-used[3] if there is a basis for it in national legislation. In the Netherlands we therefore fall back on our own bases, and there is not much we can do.
A number of bases for reuse of government information can currently be found. A non-exhaustive list:
Article 5.7 of the Open Government Act;
Article 41 of the Central Statistical Office Act;
Article 3.13 of the Law on Basic Registration of Persons;
Article 22 of the Police Data Act;
Article 7:458 of the Civil Code;
Article 15 of the Judicial and Criminal Records Act.
Those who read these articles carefully will see that re-use on these grounds is allowed only for the purpose of historical, statistical, scientific or journalistic research. A commercial ground for reuse is thus lacking. Whoever thinks that a ground must still be found somewhere is wrong. In its answers to questions from Dutch Members of Parliament during the discussion of the Data Governance Regulation Implementation Act, the government confirmed that there are no bases in the Netherlands for commercial re-use as referred to in this regulation. Nor is such a basis currently foreseen."[4]
One solution could be that a basis for commercial re-use is nevertheless created in the Netherlands. For example, article 5.7 of the Woo could provide the possibility for an administrative body to allow commercial reuse in addition to historical, statistical, scientific and journalistic research.
Even then, it is often not possible to simply reuse personal data commercially. The AVG and the purpose limitation principle remain in full force and prevail even in the event of a conflict with the AVG.[5] This means that for every application, government agencies must weigh up for which specific, explicitly circumscribed and justified purposes the data have been collected, and whether they will not be further processed in a manner incompatible with those purposes by the re-user. The Autoriteit Persoonsgegevens (AP) has previously been critical of this, because incompatibility quickly arises,[6] as commercial reuse goes a good deal further than the purpose for which the data were collected by the government.
One might also question the desirability of companies developing new products through the reuse of your personal data with the government. Such as a commercial company being able to develop new products using anonymized police data. Should this be made possible at all? And is it then also desirable for this company to be able to patent the product developed using this sensitive data? In addition, it is to be hoped that the party that starts working with the sensitive data will handle it properly.
However, there is a prohibition on re-identifying data subjects from the anonymized or pseudonymized datasets.[7] But despite this prohibition, re-identification is guaranteed to occur more frequently if commercial re-use is made possible. The AP warned back in 2022 that because of new technologies and more available data, it will become increasingly easy to re-identify individuals in the future.[8] Should re-identification occur, the re-user must inform the governing body. The administrative body is therefore subject to the notification obligations set out in Articles 33 and 34 of the AVG. When it comes to non-personal data, the re-user informs the legal person to whom the data refers.[9] Only then the harm has already been done.
Fortunately, for the time being there will be no basis for commercial re-use in the Netherlands and it remains difficult to comply with the principle of purpose limitation. Only now a situation has arisen in which a European regulation applies in the Netherlands, the chapter on reuse of public sector information is not applicable. However, costs have been incurred in creating and implementing this regulation. Moreover, the Netherlands must establish a mandatory central information point for data under management by administrative bodies."[10]
The cost for a member state has been budgeted by the European Commission at a one-time €10.6 million and then €600,000 annually for maintenance.[11] According to the Dutch government, it will be less in the Netherlands because it will be linked to the existing information point data.overheid.nl.[12] On top of that, there will be the costs incurred by the CBS for technical assistance and the costs of the relevant administrative body. These costs may be recovered from the applicant, but bodies may choose to drop these costs for scientific purposes, small and medium-sized enterprises and startups."[13]
In summary, in the area of re-use, the DGA can do a lot to increase our data economy, but the added value in the Netherlands remains limited. In the area of open government information, a lot is already possible under the Woo and Who regimes. The DGA complements and regulates conditions by which sensitive government information can still be reused. The Netherlands currently lacks only the crucial basis for commercial re-use. It is limited to persons with a special research function, such as scientists and journalists. The preparatory acts for commercial reuse are ready, but the gold mine cannot yet be mined.
The goal of increasing the European data economy is not being met. Of course, the Netherlands is not the only EU country, but the question is whether other countries offer a basis for commercial reuse of sensitive government information. That no such basis exists in the Netherlands and is not forthcoming for the time being is also not surprising given the major implications for privacy. What remains of the DGA? A paper tiger.
[1] Article 5.1(1) Woo.
[2] Article 1(2) and recital 11 DGA.
[3] Article 5 DGA.
[4] Questions by GroenLinks-PvdA. Parliamentary Papers II 2023/24, 36451, no. 6, p. 2 (NV II).
[5] Article 1 (3) DGA; recital 4 DGA.
[6] Opinion on the draft bill implementing Open Data Directive (AP Opinion No. z2022-00356 of June 28, 2022 to the Minister of the Interior and Kingdom Relations), The Hague: AP 2022, pp. 3-4.
[7] Article 5(5) DGA; recital 8 DGA.
[8] Opinion on the draft bill implementing Open Data Directive (AP Opinion No. z2022-00356 of June 28, 2022 to the Minister of the Interior and Kingdom Relations), The Hague: AP 2022, p. 5.
[9] J.B.A. Gerritsen, "The Data Governance Act," pp. 54-55.
[10] Article 8 DGA.
[11] Commission Staff Working Document, "Impact Assessment Report," SWD(2020)295 final, para. 8.
[12] Rijksoverheid.nl, "Fiche 2 Regulation Data Governance Act," November 25, 2020, accessed at:rijksoverheid
[13] Article 6 DGA.
