The Data Governance Act

The European Data Governance Act (DGA) creates a new, reliable framework to encourage voluntary data sharing within the EU. For Belgian companies, it introduces new, strictly regulated roles for entities wishing to act as a "data intermediation service" or "data altruism organization. These must meet strict conditions and go through a specific procedure with the FPS Economy, with severe penalties for non-compliance.

What is the Data Governance Act?

The Data Governance Act, or Regulation (EU) 2022/868, is a cornerstone of the European data strategy. The regulation, applicable since Sept. 24, 2023, does not aim to mandate data sharing. However, it does aim to make voluntary data sharing safer, simpler and more reliable.

The ultimate goal is the creation of a unified European market for data, where data can circulate freely for the benefit of citizens, businesses and society. To achieve this, the DGA relies on three fundamental pillars:

  1. Facilitating the reuse of certain protected government data.
  2. Creating a strict framework for data intermediation services.
  3. Encouraging data altruism.

For implementation in Belgium, two laws are critical: the law of 13 May 2024 and the law of 15 May 2024. These are further complemented by the royal decree of 1 october 2024.

Pillar 1: reuse of protected government data

The DGA complements the existing rules around open data by creating a framework for the reuse of sensitive data held by public entities. Specifically, this involves data protected by:

A public body is not required in Belgium to allow reuse. However, if it does so, it must comply with the strict, non-discriminatory and transparent terms of the DGA. This includes the obligation to safeguard the protected nature of the data at all times, for example by anonymizing or providing access through a secure processing environment.

The role of the federal service integrator and the law of 13 May 2024

To put the rules around the reuse of government data into practice, an adaptation of the Belgian federal framework was necessary. This was done through the law of 13 May 2024 amending the law of 15 August 2012 establishing and organizing a federal services integrator.

This law is important because it aligns the tasks and powers of the federal service integrator (managed by the FPS Policy and Support – BOSA) with the DGA. Specifically, this law changes the existing structure to officially grant the service integrator the roles of:

  • Central information point: The one-stop shop where parties can go with questions about data reuse.
  • Competent body for technical assistance: The body that supports public entities with technical expertise on, for example, anonymization, secure environments and data storage.

Thus, the law of 13 May 13 ensures that the necessary federal structure is legally embedded to implement the first pillar of the DGA in Belgium.

Pillar 2: data intermediation services: a new, neutral player

This is perhaps the most far-reaching pillar for the private sector. The DGA regulates a new type of player: the provider of data intermediation services. These are neutral intermediaries that facilitate data sharing between data holders (companies or individuals) and data users.

What is a data intermediation service?

A data intermediation service acts as a neutral third party facilitating the exchange of data. The service provider itself does not acquire any rights to the data and may not use it for its own purposes. Examples include:

  • Data marketplaces on which companies can make data available to others.
  • Platforms that facilitate the exercise of GDPR rights where individuals (data subjects) can share their personal data with companies.
  • Data cooperatives where members (e.g., SMEs) aggregate and share data among themselves.

Cloud storage, data analytics or e-mail services are basically not included here.

The Belgian conditions for data intermediation services

A company wishing to operate as a data intermediation service in Belgium must comply with the strict conditions set out in the DGA and the additional Belgian rules laid down in the Code of Economic Law Code (CEL).

The main conditions are:

  • Structural separation: The data intermediation service must be offered through a separate legal entity. This entity may not use the data exchanged for other purposes.
  • Neutrality: Commercial terms should not depend on whether or not the provider uses other services.
  • Enrollment in the CBE: The legal entity must be registered in the Crossroads Bank for Enterprises.
  • Integrity of directors: The governing body, actual management and ultimate beneficiaries (UBOs) must not have been deprived of their civil and political rights or declared bankrupt without rehabilitation.
  • Professional card: Foreign directors must have the necessary permits to perform a professional activity in Belgium.

The procedure in practice: notification to the FPS Economy

Before an activity may start, the provider must make a notification to the registration body, which is part of the FPS Economy. The royal decree of 1 october 2024 lays down the procedure.

  1. Submission: Notification is made by registered mail (physical or electronic) with a specific form which is available on the FPS Economy website.
  2. Documents: Several documents must accompany the form, including:
    • An extract from the criminal record (not older than six months) for each director and business manager.
    • A copy of the professional card for non-exempt foreign drivers.
  3. Attachment: After complete notification, the service provider may start its activities. Upon request, the FPS Economy can issue an official statement confirming the notification.

A provider may also explicitly ask the FPS Economy to confirm that it meets all legal requirements. Only after this positive confirmation may the provider use the official label "data intermediation services provider recognised in the Union" and the corresponding logo. The decision period for this is in principle three months.

Pillar 3: data altruism: sharing data for the common good

The DGA also introduces an official framework for data altruism organizations. These are non-profit entities that collect data that individuals or companies voluntarily make available for purposes of public interest. Examples include scientific research, combating climate change or improving public services.

Conditions for recognition in Belgium

An organization may voluntarily register on the public national registry of recognized data altruism organizations. As with data intermediation services, Belgian law imposes additional conditions in the CEL:

  • It must be a non-profit legal entity established to serve purposes of public interest.
  • Data altruism activities must be functionally separated from other activities.
  • The same integrity conditions apply to directors, executives and UBOs as for data intermediation services (no disqualification, no bankruptcy without rehabilitation).

The registration process

The application for registration is also submitted to the registration body (FPS Economy) via registered mail and a specific form. Again, a recent extract from the criminal record and any professional cards must be attached.

Upon successful registration, the organization may use the label "data altruism organisation recognised in the Union" and its associated logo.

Supervision and sanctions: the FPS Economy keeps watch

In Belgium, compliance for both data intermediation services and data altruism organizations is entrusted to the FPS Economy. Supervision is carried out specifically by the General Directorate of Economic Inspection. The enforcement regime, established in Article XV.66/7 et seq. of the CEL, is purely administrative and follows a strict procedure.

Step 1: The mandatory warning

Enforcement always starts with a warning. When the Economic Inspectorate finds a violation, it sends an official warning to the company. This document is crucial because non-compliance is the direct basis for further sanctions.

The warning must be sent within 30 days of the determination of the violation and shall state, inter alia:

  • The offenses charged and the articles of law violated.
  • The deadline to stop the breach.
  • The ability to file a defense within 30 days, both orally and in writing.
  • The right to the assistance of an attorney and access to the case file.
  • The possible administrative procedures that follow if not acted upon.

Step 2: The possibility of a formal commitment

Upon receipt of the warning, the violator may make a formal commitment to stop the violation and take corrective action. If the Economic Inspectorate accepts this "commitment," the repressive measures can be discontinued. This provides an opportunity for consultation and can avoid drastic sanctions. An accepted commitment may be made public on the FPS Economy website.

Step 3: Administrative sanctions

If the warning is not heeded, an official report is drawn up and the competent department of the FPS Economy may proceed to impose severe penalties:

  • Administrative fine: A fine of €250 to €100,000, or up to 6% of total annual turnover if that amount is higher. Directors and UBOs can be held jointly and severally liable.
  • Penalty: In addition to the fine, an injunction order may be imposed, subject to a penalty payment. This can amount to €5,000 per calendar day, with a maximum of €800,000 in total.
  • Other measures: In serious cases, the activity may be suspended or completely stopped, and the entity may be removed from the European registers.

Cooperation with other authorities

The FPS Economy is not alone. The law explicitly provides for close cooperation with other crucial agencies:

  • The Data Protection Authority (DPA), in issues surrounding the processing of personal data.
  • The Belgian Competition Authority (BCA), to watch over competition rules.
  • The Center for Cybersecurity Belgium (CCB), in case of cybersecurity incidents or risks.

Conclusion

The Data Governance Act is more than a theoretical framework; it is a concrete set of rules with clear obligations and severe penalties in Belgium. Companies wishing to play a role as a data intermediary or data altruistic organization must prepare thoroughly to comply with the strict Belgian conditions and correctly go through the procedures at the FPS Economy. The official EU label offers a significant competitive advantage, but requires impeccable compliance with legislation.

Are you facing a complex data regulation case or want to find out if your business model is covered by the Data Governance Act? Our attorneys specializing in IT law and data regulation are ready to analyze your case. Feel free to contact us for an initial advice.

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be

Topics