Digital Omnibus
DaTNet is taking part in the European Commission’s Digital Omnibus process
The European Commission’s Digital Omnibus process is designed to review and further develop key European digital legislation, including the Data Governance ActDer Data Governance Act (DGA) ist eine im Mai 2022 verabschiedete, seit dem 23. September 2023 EU-weit gültige EU-Verordnung, die neue Möglichkeiten für das... (DGA). This forms the basis for trustworthy European data infrastructure: It establishes a legal framework for data trustee models, data altruism organisations and mechanisms for shared data use. The aim of the Omnibus process is to examine, on the basis of practical experience, how these regulations can be further developed to bring innovation, data protection and social trust into equilibrium.
The DataDaten sind Zeichen oder Zeichenketten, die Informationen enthalten, wobei sie auch in Form von Diagrammen oder Zeichnungen auftreten können. Sie... Trustee Competence Network (DaTNet) acts as the voice of the emerging data trust community in Germany. Through its participation in the Digital Omnibus process, DaTNet contributes the perspectives of the research community, industry, public administration and civil society to the European debate. Inspiration was created for this during the DaTNet Networking Conference in 2025, at which Dr Malte Beyer-Katzenberger (European Commission, DGEin Datengeber ist eine natürliche oder juristische Person, die personenbezogene oder nicht personenbezogenen Daten bereitstellt oder zu diesen Zugang gewährt.... CONNECT) outlined the further development of European data policy and encouraged participants to contribute their practical experiences to the consultation process.

Thanks to its positioning, DaTNet continues its work at the interface between research, policy and practice and contributes to further raising the profile of the concept of data trusteeship within the European context. This page features both the summary and the full text of the statement which was submitted.
You can download the full statement on the investigation regarding ‘Omnibus provisions for the digital sector (part of the simplification package for the digital sector)’ as well as a summary in PDF format.
Statement on the investigation regarding ‘Omnibus provisions for the digital sector (part of the simplification package for the digital sector)’
The signatory academics from the Competence Network for Data Trustee Models (DaTNet) are pleased to provide their perspective on the reform needs with regard to the Data Governance Act and the Directive on open data.
As the European Commission notes in its call for comments, measures to enhance coherence and ensure greater legal certainty are required in relation to these two legal acts. We propose the following changes:
- The Data Governance Act should improve the conditions for data sharing within the single market and, to this end, to establish a harmonised framework for data exchange. For this reason, strict requirements are included, for example, on data intermediation services to prevent the concentration of market power in the hands of individual players and to increase confidence in these service providers.
Whilst this objective is generally to be welcomed, the question arises as to why providers of data intermediation services are subject to comparatively strict regulation, whilst, for example, data brokers are exempt from regulation (Article 2(11)(a) DGA). The regulatory objective should be highlighted even more clearly here. The regulatory objective should be highlighted even more clearly here.
- The concept of a ‘separate legal person’, which is autonomous under EU law, is unclear and gives rise to tensions with national company law systems. Under German law, partnerships with legal capacity (Außen-GbR, GmbH & Co. KG) also have legal capacity, but are not ‘legal persons’. This uncertainty makes it more difficult to set up and register data trustees.
The requirement of a ‘separate legal person’ (Article 12(a) DGA) should be clarified.
Proposed amendment (Article 12(a) DGA, reworded):
‘[T]he data intermediation services provider shall not use the data for which it provides data intermediation services for purposes other than to put them at the disposal of data users.’ Data intermediation services are provided by a legally independent organisational unit which has legal personality or legal capacity and is organisationally separate from the provider’s other activities. Member States shall ensure that legal forms offering limited liability are available for this purpose.’
Reasons: The proposed wording replaces the narrow concept of a ‘legal person’ with the more appropriate criterion of legal capacity and limited liability, thereby also encompassing company forms such as the GmbH & Co. KG or the GbR with legal capacity provided that they have a clear governance structure. The term, which is to be understood autonomously within the EU legal framework, is defined in a functional manner (legal capacity rather than the narrow concept of a ‘legal person’) without undermining the required separation/neutrality; at the same time, the text addresses the significant liability risks encountered in practice (GDPR, competition law) by referring to available forms of limited liability (e.g. GmbH, AG or, where applicable, GmbH & Co. KG).
- The DGA calls for neutrality, independence and trust, without, however, laying down minimum corporate law standards for internal organisation. These matters have so far been left entirely to national law.
A new Article 12a of the DGA, ‘Corporate Governance of Data Intermediation Services’, should therefore be introduced to safeguard neutrality, independence and trust by means of minimum standards.
This new article establishes a framework for corporate governance principles applicable to data trustees and ensures that corporate law control mechanisms (duty of loyalty, advisory board, co-determination) are effectively aligned with data neutrality and the building of trust without interfering with the legal structures established by Member States.
Proposal for a new Article 12a:
‘Article 12a – Minimum corporate law requirements’
(1) Providers of data intermediation services shall have appropriate governance structures in place to ensure that
(a) the governing bodies act independently of data owners and data users;
(b) conflicts of interest are avoided through clearly defined responsibilities, incompatibilities and a related-party policy;
(c) relevant stakeholders have rights of control and participation, which are based on the categories set out in Article 10.
(2) Member States shall, in particular, allow or require the following:
– the establishment of a supervisory or advisory board,
– transparency/disclosure requirements regarding ownership and control structures,
– duties of loyalty and neutrality for shareholders and members of the governing bodies in relation to the purpose set out in the articles of association.
(3) The Commission shall issue guidelines on interpretation and best practice, whilst respecting national company law regulations.’
- The DGA’s current lack of clarity regarding the legal form creates legal uncertainty and a lack of comparability.
A special form recognised across the EU with limited liability could promote trust and market homogeneity. We therefore propose a new legal form: the ‘European Data Trust’. An optional European company form like this would establish uniform governance standards without depriving Member States of their autonomy in matters of company law along the lines of the SE (Societas Europaea) or the SCE (European Cooperative Society). Two proposed amendments to this effect comprise a new Recital 33a and a new Article 12b.
New Recital 33a:
‘In order to promote uniform minimum standards for the corporate organisation of data intermediation services, Member States may provide for a specific national legal form or designation (European Data Trust, EDaT) which is designed to ensure limited liability, neutrality and transparency.’
New Section 12b DGA – European Data Trust (EDaT):
‘(1) Member States may establish a specific legal form or a legally protected designation for providers of data intermediation services.
(2) This legal form must have the following minimum characteristics:
– limitation of liability,
– an independent supervisory body,
– a strict ban on the use of brokered data for one’s own purposes,
– greater transparency vis-à-vis the supervisory authority and in the register pursuant to Article 11.
(3) Companies that meet the requirements may use the designation “EDaT”.’
- Article 12(a) DGA requires neutrality, but there is no legally enforceable provision for data neutrality within the internal structure of the company.
The incorporation of data neutrality as an aspect of the duty of loyalty under company law broadens the scope of company law, strengthens the internal obligations of corporate bodies and makes obligations of neutrality enforceable under civil law as well.
Proposed amendment to Article 12(a) DGA:
‘This obligation is regarded, in internal matters, as a manifestation of the duty of loyalty under company law incumbent on members of the governing bodies and shareholders; it must be incorporated into the articles of association and taken into account when appointing members of the governing bodies.’
- The requirements of Article 18(2)(c) DGA (‘not-for-profit’ and legally independent) lead to funding problems and poor governance.
Article 18 DGA (data altruism organisations) should be made more precise. The proposed clarification set out below allows for self-sustaining governance structures and prevents data altruism organisations from being effectively excluded from professional corporate forms.
Section 18(2)(c) DGA – new:
‘operates on a not-for-profit basis; this is not precluded by the fact that ancillary economic activities are carried out solely to finance the altruistic purposes, provided that this does not give rise to conflicts of interest with the altruistic purpose and no profit distribution takes place; the legal independence of organisations pursuing profit-making purposes remains unaffected.’
- Article 11(6) requires, amongst other things, details of the legal form, ownership structure and relevant subsidiaries to be provided at the time of registration; the Commission maintains a public register (Article 11(14)). However, details regarding governance (supervisory bodies, conflict avoidance) are currently not provided.
Such disclosure of the governance of data intermediation services promotes transparency and trust. It makes the corporate structure for data providers and users traceable without introducing any additional registration requirements.
Proposed amendment to Article 11(6) DGA (new subparagraphs (h) to (k)):
‘(h) Details of supervisory boards/advisory boards (composition, appointment criteria, independence criteria),
(i) Conflict of Interest Policy and Rules on Related-Party Transactions,
(j) Duties of loyalty and neutrality in internal relations (enshrined in the articles of association),
(k) Key compliance measures (e.g. interoperability, security, logging) in relation to Article 12.’
Proposed amendment to Article 11(14) – sentence (new):
‘The information referred to in paragraph 6(a)-(c), (f) and (h)-(k) shall be published in this register.’
- The substantive requirements set out in Article 12 are not linked to the concerns of a concretely functional internal organisation, but they should be.
New Recital 33b – Company law and data governance:
‘As trust in data intermediation services depends largely on their organisation under company law, appropriate governance mechanisms (neutrality as a duty of loyalty, independent supervisory bodies, transparency regarding ownership and control structures) should shape the internal structure of these services. This ensures that the framework for neutrality and independence, as set out in Articles 10-12, is properly safeguarded.’
- Article 12 is currently worded in such a way that it does not cover models of transaction-based data trusteeship with sufficient precision.
It is proposed that an amendment, primarily for the sake of clarity, be made to classify the services of a transaction-based trustee (and similar activities) as a sub-category of data intermediary activities.
German: „(e) DatenvermittlungsdiensteDatenvermittlungsdienste (auch: Datenintermediäre) sind natürliche oder juristische Personen, die als neutrale Vermittler zwischen Datengebenden und Datennutzenden fungieren. Ihre Hauptaufgabe besteht darin, den Austausch von Daten... können ein Angebot zusätzlicher spezifischer Werkzeuge und Dienste für DateninhaberAn digitalen Daten kann man kein umfassendes Eigentumsrecht (§903 BGB) im vollen Wortsinn haben. Die Rede vom „Dateneigentümer“ gibt es... oder betroffene Personen umfassen, insbesondere um den Datenaustausch zu erleichtern, z. B. vorübergehende Speicherung, wertneutrale Aggregation, Auswertung, Pflege, Konvertierung, AnonymisierungAnonymisieren ist das Verändern personenbezogener Daten derart, dass sie sich nicht mehr auf eine identifizierte oder identifizierbare natürliche Person beziehen,... und Pseudonymisierung; diese Werkzeuge werden nur auf ausdrücklichen Antrag oder mit Zustimmung des Dateninhabers oder der betroffenen Person verwendet, und die in diesem Zusammenhang angebotenen Werkzeugen Dritter werden für keine anderen Zwecke verwendet;“
English: ‘(e) data intermediation services may include offering additional specific tools and services to data holders or data subjects for the specific purpose of facilitating the exchange of data, such as temporary storage, value-neutral aggregation, evaluation, curation, conversion, anonymisation and pseudonymisation, such tools being used only at the explicit request or approval of the data holder or data subject, and third-party tools offered in that context not being used for other purposes;’
- In practice, unclear terminology and inconsistencies also prove to be obstacles. Examples of this include: There are differing interpretations regarding the term ‘commercial relationships’ between data owners and data users in the context of the definition of data intermediation services in Article 2(11) DGA. Contributions to the discussion consider, for example, whether the commercial relationship is of a certain duration, whether both parties are acting in the course of their commercial or self-employed professional activities, whether the purpose of the data use is commercial, or whether an exchange transaction is taking place in the sense that the data owner receives consideration in return, e.g. a fee or access to other data.
These ambiguities regarding such a key concept as ‘commercial relationships’, which is central to the scope of the DGA, should be resolved.
- There are also unresolved issues regarding value-added services. Under Article 12(a), providers of data intermediation services shall not use the data for any purposes other than making it available to data users. An exception to this is set out in Article 12(e), which permits additional services such as conversion, anonymisation and pseudonymisation.
Due to discrepancies between the different language versions of the DGA, it is unclear whether these additional services are permitted exclusively or in particular to facilitate the exchange of data. This needs to be clarified. Furthermore, it may also be appropriate to regard low-threshold value-added services such as curation and standardisation as permissible.
- The scope and addressee of the obligations to ensure the appropriate continuation of data intermediation services in the event of insolvency (Article 12(h)) are also unclear. The standard is aimed at providers of data intermediation services, so it remains unclear whether the insolvency administrator, which has the power of disposal in the event of insolvency, is also bound by it.
It is not clear from the provision whether its aim is to ensure that the claims of data providers and data users should be given priority in the hierarchy of creditors’ claims. These ambiguities should be resolved. Only a framework for dealing with insolvency that is geared towards sustainability can strengthen confidence in new intermediaries.
- Time and again, there are calls for an obligation to make data available in the legal and policy debate concerning the usability of data held by public bodies.
It is appropriate that neither the Open DataOpen Data, auch als offene Daten bezeichnet, sind Daten, die ohne Einschränkungen öffentlich zugänglich sind und unter einer Lizenz bereitgestellt... Directive nor the Data Governance Act impose a ‘strict’ obligation to make data openly available. This should remain the case.
However, on the one hand, the cost-benefit ratio of providing open data should be reviewed. It should be kept in mind that the provision and ongoing maintenance of dynamic data via high-performance APIs entails a considerable technical, staffing and financial outlay. For local authorities in particular, which are often faced with tight budgets and limited IT resources, this requirement might not be feasible. Against this backdrop, it is worth considering whether the available resources might be better spent initially on creating a standardised and modernised basic infrastructure (rather than on ‘openness’). Such a consolidated foundation could then, in a further step, pave the way for a broader and potentially more cost-effective API deployment.
On the other hand, the critical nature of data, and of data provision, is different now than it was just a few years ago. The different geopolitical situation has since proved to be a challenge for the ‘open’ concept. This applies to science (‘Open Science’), but also to the public sector as a whole. In principle, therefore, security concerns might be justified, for example where detailed local authority data is involved. Keyword ‘Critical Infrastructure’ (KRITIS): Real-time traffic light sequences in City X, HVDs from the dam management department of Water Management Association Y, bridge load-bearing capacity and structural condition in City Z etc. may also contain information that is relevant from a security perspective.
Finally, the question arises as to whether access to public sector data should be guaranteed equally to all applicants or whether there should be restrictions on companies based in third countries or on companies designated as gatekeepers (analogous to the provisions under the Data ActDer Data Act (dt. Datenverordnung) ist ein Rechtsakt der Europäischen Union. Er gehört zur Datenstrategie, die die Kommission im Jahre..., Art. 5(3) Data Act).
Professor Dr Steffen Augsberg (University of Giessen)
Professor Dr Johannes Buchheim (Marburg University)
Professor Dr Petra Gehring (TU Darmstadt)
Professor Dr Anne Lauber-Rönsberg (TU Dresden)
Professor Dr Florian Möslein (Marburg University)
Professor Dr Sebastian Omlor (Marburg University)
