European Data Protectors Call for Additional Safeguards in Data Act
On 5 May 2022, the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) published their Joint Opinion on the planned Data Act. The Proposal for a Regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (“Data Act”) was presented on 23 February 2022 by the Commission. The Data Act is designed to provide a legal framework on who can use and access data generated in the EU across all economic sectors. It aims to ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all. It is one of the major outcomes of the Commission's European Data Strategy of 2020 (→ eucrim 1/2020, 24).
The EDPB and EDPS acknowledged the aim of the proposal to unleash the potential of information to be extracted from data in order to gain valuable knowledge for important common values and for health, science, research and climate action. They also welcomed the importance of providing a more effective right to data portability. However, the enhanced right to portability would extend to a broad range of products and services that may reveal highly sensitive data of individuals, including vulnerable categories of data subjects. Therefore, additional safeguards are needed to avoid lowering the protection of the fundamental rights to privacy and to the protection of personal data in practice. Such additional safeguards include:
- The rights to access, use and share data: The EDPS/EDPB called on the co-legislators to explicitly specify that data protection law “prevails” over the provisions of the proposal if conflicts occur in the processing of personal data. In order to promote data minimisation, products should be designed in such a way that data subjects are offered the possibility to use devices anonymously or in the least privacy intrusive way as possible, irrespective of their legal title on the device. Clear limitations or restrictions on the use of personal data generated by the use of a product or service by any entity other than data subjects should also be included.
- The obligation to make data available in case of “exceptional need”: The EDPS/EDPB voiced deep concerns over the lawfulness, necessity and proportionality of the obligation to make data available to public sector bodies and Union institutions, agencies or bodies in case of “exceptional need”.
- Implementation and enforcement: The EDPS/EDPB highlighted the risk of operational difficulties that might result from the designation of more than one competent authority responsible for the application and enforcement of the proposed legislation. They called on the co-legislators to also designate national data protection supervisory authorities as coordinating competent authorities in the Data Act.