On 5 May the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) published their Joint Opinion on the proposed Data Act; see also the press release. The Data Act covers both the private and the public sector and aims to establish harmonised rules on the access to, and use of, data generated from a broad range of products and services, including connected objects (‘Internet of Things’), medical or health devices and virtual assistants. Regarding the obligation to make data available to the public sector, the EDPS and EDPB are very concerned (press release):
The EDPS and EDPB express their deep concerns about the lawfulness, necessity and proportionality of the obligation to make data available to EU Member States’ public sector bodies and to EU institutions, bodies, offices and agencies (EUIs) in case of “exceptional need”. In their Joint Opinion, the EDPS and EDPB stress that any limitation on the right to the protection of personal data requires a legal basis that is adequately accessible and foreseeable. The legal basis must also define the scope and manner of the exercise of powers by the competent authorities, and be accompanied by safeguards to protect data subjects against arbitrary interference. The EDPS and EDPB urge the co-legislators to define much more stringently the hypotheses of emergency or “exceptional need”, and which public sector bodies and EUIs should be able to request data.
Read the executive summary in the opinion:
With this Joint Opinion, the EDPB and the EDPS aim to draw attention to a number of overarching concerns on the Proposal on Data Act and urge the co-legislature to take decisive action.
The EDPB and EDPS note that the Proposal would apply to a broad range of products and services, including the connected objects (‘Internet of Things’), medical or health devices and virtual assistants. Certain products and services may even process special categories of personal data, such as data concerning health or biometric data. As the Proposal does not explicitly exclude certain types of data from its scope, data revealing highly sensitive information about individuals could become the object of data sharing and use according to the rules established in the Proposal.
While welcoming the efforts made to ensure that the Proposal does not affect the current data protection framework, the EDPB and the EDPS consider that additional safeguards are necessary to avoid lowering the protection of the fundamental rights to privacy and to the protection of personal data in practice. First, additional safeguards are especially necessary as the rights to access, use and share data under the Proposal would likely extend to entities other than the data subjects, including businesses, depending on the legal title under which the device is being used. Second, the EDPB and EDPS are deeply concerned by the provisions of the Proposal regarding the obligation to make data available to public sector bodies and Union institutions, agencies or bodies in case of “exceptional need”. Finally, the EDPB and the EDPS are concerned that the oversight mechanism established by the Proposal may lead to fragmented and incoherent supervision.
1. The rights to access, use and share data
To limit the risks of an interpretation or implementation of the Proposal that could affect or undermine the application of existing data protection law, the EDPB and the EDPS call on the co-legislator to explicitly specify that data protection law “prevails” in case of conflict with the provisions of the Proposal insofar as the processing of personal data is concerned.
In order to promote data minimisation, products should be designed in such a way that data subjects are offered the possibility to use devices anonymously or in the least privacy-intrusive way possible, irrespective of their legal title on the device. Data holders should also limit as much as possible the amount of data leaving the device (e.g. by anonymising data).
Furthermore, the enhancement of the right to data portability mentioned in Recital 31 as one of the goals of the Proposal would require, in so far as personal data are involved, an effective empowerment of data subjects so as to give them more control over their personal data. As the definition of ‘user’ encompasses legal persons, in case of exercise of this right by a business, this takes the form of a commercial obligation for the manufacturer/data holder to provide access to data to businesses and allow its exploitation, rather than the individuals’ ‘right’ to access and port their personal data. In fact, according to the concept of ‘user’ adopted by the Proposal, individuals become entitled to an enhanced portability right only incidentally, depending on the legal title under which they use the product or the related service (ownership, rental or lease) rather than on their relationship with the information concerning their private use of the product or service.
Therefore, to achieve an effective empowerment of individuals with regard to their personal data, the concept of user in Article 2(5) of the Proposal and throughout the text needs to be integrated and specified as follows: (a) adding in the definition of users ‘and the data subjects’; (b) clearly differentiating the situations where the user is the data subject from the situations where the user is not the data subject.
Moreover, the EDPB and the EDPS recommend specifying that where the user is not the data subject, any personal data generated by the use of a product or related service shall only be made available to the user in compliance with, in particular, Articles 6 and 9 GDPR and on the condition that, where relevant, the requirements of Article 5(3) ePrivacy Directive are fulfilled. Similar considerations apply to the making available of data to third parties upon request of a business user.
The EDPB and the EDPS stress the need to ensure that access, use, and sharing of personal data by users other than data subjects, as well as by third parties and data holders, should occur in full compliance with all of the provisions of the GDPR, EUDPR and ePrivacy Directive, including informing data subjects about the access by controllers to their personal data and facilitating the exercise of data subject rights by controllers. The EDPB and the EDPS also recall that it is important to ensure that any further processing of personal data complies in particular with Article 6(4) GDPR and, having specific regard to the possibility of automated decision-making, including profiling, with the relevant obligations provided under Article 22 GDPR.
The EDPB and the EDPS also recommend including in the Proposal clear limitations or restrictions on the use of personal data generated by the use of a product or service by any entity other than data subjects, in particular where the data at issue are likely to allow precise conclusions to be drawn concerning their private lives or would otherwise entail high risks for the rights and freedoms of the individuals concerned. In particular, the EDPS and EDPB recommend introducing clear limitations regarding the use of personal data generated by the use of a product or related services for purposes of direct marketing or advertising, employee monitoring, credit scoring, or to determine eligibility for health insurance or to calculate or modify insurance premiums. This recommendation is without prejudice to any further limitations that may be appropriate, for example to protect vulnerable persons, in particular minors, or due to the particularly sensitive nature of certain categories of data (e.g. data concerning the use of a medical device or biometric data) and the protections offered by Union legislation on data protection.
2. The obligation to make data available in case of “exceptional need”
As regards Chapter V of the Proposal, the EDPB and the EDPS have deep concerns on the lawfulness, necessity and proportionality of the obligation to make data available to public sector bodies and Union institutions, agencies or bodies in case of “exceptional need”.
The EDPB and the EDPS recall that any limitation on the right to personal data must be based on a legal basis that is adequately accessible and foreseeable and formulated with sufficient precision to enable individuals to understand its scope. In accordance with the principles of necessity and proportionality, the legal basis must also define the scope and manner of the exercise of their powers by the competent authorities and be accompanied by sufficient safeguards to protect individuals against arbitrary interference.
The EDPB and the EDPS observe that the circumstances justifying the access are not narrowly specified and consider it necessary for the legislator to define much more stringently the hypotheses of emergency or exceptional need. Moreover, the EDPB and the EDPS consider that certain public sector bodies and Union institutions, agencies and bodies should be excluded from the scope of Chapter V as such and should only be able to oblige data holders to make data available in accordance with the powers provided by sectoral legislation.
3. Implementation and enforcement
The EDPB and the EDPS highlight the risk of operational difficulties that might result from the designation of more than one competent authority responsible for the application and enforcement of the Proposal. The EDPB and the EDPS have serious concerns that this governance architecture will lead to complexity and confusion for both organisations and data subjects, to divergence in regulatory approaches across the Union and thus affect consistency of monitoring and enforcement.
The EDPB and the EDPS welcome the designation of the data protection supervisory authorities as competent authorities responsible for monitoring the application of the Proposal insofar as the protection of personal data is concerned, which is important to avoid inconsistencies and possible conflicts between the provisions of the Proposal and data protection laws, and to preserve the fundamental right to the protection of personal data as established under Article 16 of the Treaty on the Functioning of the European Union (TFEU) and Article 8 of the Charter of fundamental rights of the European Union.
The EDPB and the EDPS ask the co-legislators to also designate national data protection supervisory authorities as coordinating competent authorities under this Proposal. Data protection supervisory authorities have a unique expertise, both legal and technical, in the monitoring of the compliance of data processing. Moreover, the EDPB and the EDPS are of the opinion that, considering that the GDPR applies when personal and non-personal data in a data set are inextricably linked, the role of data protection authorities should prevail in the governance architecture of the Proposal.
Having regard to the oversight role of the EDPS as the data protection authority for the European Union institutions, bodies and agencies and the fact that some of the European Union institutions, bodies and agencies may also act as a user or a data holder within the meaning of this Proposal, the EDPB and the EDPS recommend including a reference to the EDPS as competent authority for the supervision of the whole Proposal insofar as it concerns the Union institutions, bodies, offices and agencies.
The Dutch Autoriteit Persoonsgegevens published Toezichthouders willen verbeteringen Data Act (Supervisory authorities want improvements to the Data Act), 6 May 2022.