EDPS and EDPB Assess The EC’s Data Governance Act

The EU’s data regulators urge EU stakeholders to revise a bill to allow for the sharing of data as part of the EC’s Digital Strategy.

The European Union’s (EU) bloc-wide data protection regulators have assessed the European Commission’s (EC) proposal to establish a new data sharing and usage regime. This new system would work alongside existing EU data protection and privacy regulation and would purportedly allow nations to utilize huge data sets for a variety of purposes. This proposed law is one of the first parts of the EC’s data strategy that will help usher in the “digital age” the EC envisions for the EU.

In November 2020 the EC issued a “Proposal for a Regulation on European data governance (Data Governance Act).” The European Union Council has since proposed a compromise bill, which is a customary stage in the process of legislating in the EU. Nevertheless, the EDPS and EDPB have assessed the EC’s bill, and their concerns and suggestions may well be addressed or incorporated in subsequent revisions of the Data Governance Act (DGA).

The EC issued an “Impact Assessment” along with its draft DGA and explained “[i]t is the first of a set of measures announced in the 2020 European Strategy for Data…[and] aims to stimulate the availability of data for use and to strengthen data governance mechanisms in the EU.” The EC claimed “[i]t would facilitate the following situations:

the sharing of data among businesses, against remuneration or because of other benefits they derive from sharing;

making public sector data available for reuse, in situations where such data is subject to the rights of others;

allowing the reuse of personal data with the help of a ‘personal data space’, designed to help individuals exercise their rights under the General Data Protection Regulation (GDPR);

making data reusable for altruistic purposes.”

The EC further explained:

The current initiative covers different types of data intermediaries, handling both personal and non-personal data. Therefore, the interplay with the legislation on personal data is particularly important. With the General Data Protection Regulation and ePrivacy Directive, the EU has put in place a solid and trusted legal framework for the protection of personal data and a standard for the world. The legislative framework for the common data spaces would work within the rules of the existing legislation on the protection of personal data. In particular, it would remain the responsibility of each party to identify the suitable legal basis for the processing of personal data within a common European data space.

The current proposal would complement the Directive on open data and the reuse of public sector information (Open Data Directive). The Open Data Directive deals with data for which public sector bodies have all the relevant rights. It does not, however, cover public sector data subject to the rights of others (e.g. personal data, data protected by intellectual property rights or trade secrets). Due to these third party rights, such data cannot be made available as open data, i.e. with as little usage restrictions as possible. By facilitating the secure access to such datasets, this proposal encourages the exploitation of data whose reuse is not regulated by the existing Directive. As a consequence, the Implementing Act on High-Value Datasets under the Open Data Directive, which is expected to be adopted in 2021, will also be fully complementary with this initiative.

As to the purpose of the DGA, the EC asserted “[t]he general objective of this intervention is to leverage the potential of data for the economy and society. This would be brought about by facilitating a higher level of data sharing across the entire EU Digital Single Market.”

In February 2020, the new EC leadership issued its “European strategy for data” as part of its digital strategy, “Shaping Europe’s Digital Future,” and identified among its key actions to “[p]ropose a legislative framework for the governance of common European data spaces.” The DGA fulfills this goal, which notably is only the introduction of legislation; no timeline was proposed for enactment. Nonetheless, regarding its data strategy, the EC asserted that the “EU can become a leading role model for a society empowered by data to make better decisions – in business and the public sector…[and] [t]o fulfill this ambition, the EU can build on a strong legal framework – in terms of data protection, fundamental rights, safety and cybersecurity – and its internal market with competitive companies of all sizes and varied industrial base.” The EC claimed that “[i]f the EU is to acquire a leading role in the data economy, it has to act now and tackle, in a concerted manner, issues ranging from connectivity to processing and storage of data, computing power and cybersecurity. Moreover, it will have to improve its governance structures for handling data and to increase its pools of quality data available for use and re-use.”

The EC stated that “[t]he measures laid out in this paper contribute to a comprehensive approach to the data economy that aim to increase the use of, and demand for, data and data-enabled products and services throughout the Single Market…[and] outlines a strategy for policy measures and investments to enable the data economy for the coming five years.” The EC explained this strategy will launch “a comprehensive consultation on the specific measures that could be taken to keep the EU at the forefront of the data-agile economy, while respecting and promoting the fundamental values that are the foundation of European societies.”

The EC provided this infographic update in the DGA Impact Assessment to explain the “interplay with the other initiatives announced in the Data Strategy:”

With all this background in mind, let’s turn back to the EDPS-EDPB joint opinion on the DGA. The EC requested a joint opinion from the two entities. However, the two EU-wide data protection regulators found a number of issues with the DGA, especially in regard to its divergence from the General Data Protection Regulation (GDPR). The regulators declined to offer specific recommendations and instead offered more general observations about the EC’s proposal and called on the Council and European Parliament to address these issues.

The EDPS and EDPB asserted:

The Proposal is of particular importance for the protection of individuals’ rights and freedoms with regard to the processing of personal data. The scope of this opinion is limited to the aspects of the Proposal related to the protection of personal data, which, as observed, represent a key -if not the most important- aspect of the Proposal.

The EDPS and EDPB stressed “it is therefore important to clearly avoid in the legal text of the Proposal any inconsistency and possible conflict with the GDPR.” The regulators stated “[t]his not only for the sake of legal certainty, but also to avoid that the Proposal has the effect of directly or indirectly jeopardizing the fundamental right to the protection of personal data, as established under Article 16 of the Treaty on the Functioning of the European Union (TFEU) and Article 8 of the Charter of fundamental rights of the European Union.” They continued:

In particular, in this Joint Opinion, the EDPB and the EDPS point out to inconsistencies with the EU data protection legislation (as well as with other EU legislation, such as the Open Data Directive) and to problems, relating for instance to legal certainty, that would arise from the entry into force of the current Proposal.

Since the Proposal, as detailed in this Joint Opinion, raises a significant number of serious concerns, often intertwined, related to the protection of the fundamental right to the protection of personal data, it is not the aim of this Joint Opinion to provide an exhaustive list of issues to be addressed by the legislators, nor always alternative proposals or wording suggestions. Instead, this Joint Opinion aims at addressing the main criticalities of the Proposal. At the same time, the EDPB and the EDPS remain available to provide further clarifications and exchanges with the Commission.

The EDPB and the EDPS are also aware that the legislative process on the Proposal is ongoing and stress their availability to the co-legislators to provide further advice and recommendations throughout this process, to ensure in particular: legal certainty for natural persons, economic operators and public authorities; due protection of personal data for data subjects in line with the TFEU, the Charter of Fundamental Rights of the EU and the data protection acquis; a sustainable digital environment including the necessary ‘checks and balances’.

The regulators stressed:

The EDPB and the EDPS underline that, whereas the GDPR was built upon the need to reinforce the fundamental right to data protection, the Proposal clearly focuses on unleashing the economic potential of data re-use and sharing. Thus, the Proposal intends to “improve the conditions for data sharing in the internal market”, as stated in Recital (3). However, the EDPB and the EDPS note that the Proposal, also having regard to the Impact Assessment accompanying it, does not duly take into account the need to ensure and guarantee the level of protection of personal data provided under EU law. The EDPB and the EDPS consider that this policy trend toward a data-driven economy framework without a sufficient consideration of personal data protection aspects raises serious concerns from a fundamental rights viewpoint. In this regard, the EDPB and the EDPS emphasise that any proposal, including upcoming initiatives related to data, such as the European Data Act, that may have an impact on the processing of personal data, must ensure and uphold the respect and application of the EU acquis in the field of personal data protection.

The EDPS and EDPB remarked “the Proposal raises significant inconsistencies with the GDPR, as well as with other Union law, in particular as regards the following five aspects:

(a) Subject matter and scope of the Proposal;

(b) Definitions/terminology used in the Proposal;

(c) Legal basis for the processing of personal data;

(d) Blurring of the distinction between (processing of) personal and non-personal data (and unclear relationship of the Proposal with the Regulation on free flows of non-personal data);

(e) Governance/tasks and powers of competent bodies and authorities to be designated in accordance with the Proposal, having regard to the tasks and powers of data protection authorities responsible for the protection of the fundamental rights and freedoms of natural persons in relation to the processing of personal data as well as for facilitating the free flow of personal data within the Union.”

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Markus Spiske from Pexels
