Joint opinion of EDPB and EDPS raises concerns about alignment of the proposed EU Data Act with current data protection framework
09 May 2022
You can read about the proposal in our ‘The EU Data Act - what could this mean for you?’ blog post. In short, the EDPB and EDPS are concerned that the proposed Data Act, if adopted in its current form, will lower individuals’ rights to privacy and to protection of personal data. They call for the proposal to be improved to align it better with existing EU data protection legislation and with other legislative proposals in the digital sphere currently being considered by the EU.
Noting that the proposed Data Act will apply to data (both personal and non-personal) generated by a wide range of products and services, including the internet of things (IoT), medical and health devices and virtual assistants, the EDPB and EDPS raise concerns about the far-reaching effect of certain provisions that do not consider the potential effects of sharing highly sensitive data about individuals generated by these devices and services, as well as about the lack of additional safeguards to mitigate such effects. The Opinion analyses the proposed Data Act in detail and urges co-legislators to address a number of necessary improvements, including the following:
- restrict the use of data generated by the use of a product or service by any person other than data subjects themselves, especially where the data would make it possible to draw precise conclusions about data subjects’ private lives or would otherwise pose high risks for the rights and freedoms of individuals;
- define clear limitations on the use of data for such purposes as (i) employee monitoring; (ii) calculating insurance premiums; (iii) credit scoring; and (iv) direct marketing or advertising;
- clearly distinguish between the rights of data subjects to access and use the data generated by their own use of products or services, and the possible rights and obligations of other actors. Access by, and sharing of personal data with, persons other than the data subject should only be possible if all GDPR and ePrivacy requirements are complied with; the Opinion takes a similar approach to the right to data portability provided in the Data Act, which is broader than under the GDPR;
- clarify that where personal data is concerned, the data holder’s authorisation to share data does not replace the requirement to have a legal basis for processing under the GDPR or, alternatively, specify that certain provisions apply only to processing of non-personal data;
- outline stringently when and what categories of data can be used by public authorities and public sector bodies during an emergency or in exceptional circumstances and on what conditions;
- designate national DPAs, which the proposed Act contemplates should monitor the application of the Data Act in relation to personal data, as coordinating competent authorities under the Data Act as well. Coordinating authorities will be responsible for the application and enforcement of Chapter VI of the Data Act, which regulates the switching of data processing providers to address vendor lock-in issues in cloud and edge computing markets. The Opinion warns that designating any authorities other than DPAs could affect consistent enforcement of the GDPR alongside the Data Act and lead to real complexity for digital players and data subjects.
The Opinion also points out some other issues with the Data Act, such as inconsistency with the Digital Markets Act (DMA), and provides specific recommendations to better align the Data Act with the DMA.