The Data Act aims to create a Europe-wide legal framework for the access to, use and sharing of data generated in the EU. With this proposal the European Commission aims to create, among other things, a unified environment for improving the exchange and use of data across all sectors of industry.
The European Federation of Data Protection Officers (EFDPO) is a European network of national associations of data protection and privacy officers. We wish to stress that the Data Act will regularly affect data sets that contain personal data. In practice, many data sets either contain personal data only or are mixed, i.e., they contain both personal and non-personal data. Only very few data sets can be considered to be free of any personal data.
It is therefore very important to provide clear rules applicable under the Data Act to data sets containing personal data. The explanatory memorandum issued by the European Commission to the Data Act provides that “this proposal is consistent with existing rules on the processing of personal data (including the General Data Protection Regulation, (‘GDPR’)”. Recital 30 further provides that “processing of such [personal] data is subject to the rules established under Regulation (EU) 2016/679, including where personal and non-personal data in a data set are inextricably linked.”
While this is a simple solution at first sight, there will be many unclear areas in the interplay between the Data Act and the GDPR. In particular, this includes questions of the “design” of data sharing in the light of the GDPR rules, e.g., the legal bases for processing of personal data by a new controller, the possibility to process data for purposes other than that for which the personal data have been collected within the meaning of Article 6(4) GDPR, the necessity to use pseudonymised data only, etc. This could contradict the basic idea and key objectives of the Data Act. The lack of clear guidance on the interplay between the Data Act and the GDPR creates a complex regulatory framework and places a heavy burden on companies, which will need to reconcile several pieces of legislation containing potentially contradictory rules. Deep analyses of the data sets in relation to multiple legal provisions will be required, with a need to weigh various aspects and to reconcile uncertainties of interpretation that can already be foreseen. Furthermore, additional ambiguities and unclear rules will relate to the interplay with other legislation (such as the Data Governance Act, Directive 2019/790/EU on copyright and related rights in the Digital Single Market, the Digital Markets Act and the Digital Services Act). This will form a significant part of the problematic issues that will need to be resolved during the application of the Data Act.
This will create uncertainties, place an additional burden on the regulated persons and ultimately slow down the implementation of the Data Act. The Data Act, as currently proposed, fails to address these issues and uncertainties related to its application to mixed data sets. It is currently unclear how data sets containing personal data, e.g., big data, may be accessed, shared and used. Potential solutions could include, for example, the introduction of regulatory sandboxes or EU-wide exemptions or legal presumptions, such as for research and development purposes, that would make it easier to find the legal basis for processing of data sets including personal data for the defined purposes (similar to what the GDPR implements in the context of compatibility of purposes, see above).
We also wish to underline that in order to achieve the European Commission’s objective to create a single data space and strengthen the EU’s position in the data economy, it will also be necessary to find experts who are able to implement the Data Act rules, and this in a situation where there is already a shortage of hundreds of thousands of skilled IT and data economy workers in the EU.
In this context, we must point out that many companies and public bodies already have experts who deal with data, data processing and data sharing in their daily work. These are data protection officers under Article 37 et seq. of the GDPR. We believe that these officers could play an important and positive role in putting the Data Act rules into practice.
We are therefore surprised that the Data Act proposal does not build on the potential and experience of the Data Protection Officers. We believe that a greater involvement of Data Protection Officers in the implementation of the Data Act would not only have a positive impact on the speed of the Data Act implementation, but would also increase the confidence of the public, the companies concerned and public authorities in the feasibility of the Data Act implementation. Finally, yet importantly, a greater reliance on the Data Protection Officers would also likely lead to significant savings for the companies and public authorities that will need to rely on the Data Act for improving their activities.
We therefore call on the European Commission, the Parliament and the Council, to pay more attention to the interplay between the Data Act and the GDPR and to the application of the Data Act to data sets containing personal data in the process of finalising the Data Act.
We propose that:
- the Data Act addresses the current ambiguities regarding data transfers, the legal basis for processing personal data for the purposes of implementing the Data Act and the question of personal data anonymisation;
- the Data Act recognises, at least in its recitals, the role of the Data Protection Officers in its implementation with respect to data sets containing personal data. We believe that the Commission should also stress this role in its communication accompanying the Data Act.
For more information and any detailed proposals for amendments, please contact the EFDPO Secretary General, Mr. Pierre Yves Lastic.
EFDPO Press Office, phone +49 30 20 62 14 41, email: email@example.com
President: Thomas Spaeing (Germany)
Vice Presidents: Xavier Leclerc (France), Judith Leschanz (Austria), Inês Oliveira (Portugal), Vladan Rámiš (Czech Republic)
The European Federation of Data Protection Officers (EFDPO) is the European umbrella association of data protection and privacy officers. Its objectives are to create a European network of national associations to exchange information, experience and methods, to establish a continuous dialogue with the political sphere, business representatives and civil society to ensure a flow of information from the European to the national level and to proactively monitor, evaluate and shape the implementation of the GDPR and other European privacy legal acts. In doing so, the EFDPO aims to strengthen data protection as a competitive and locational advantage for Europe. The new association is based in Brussels.
Member associations of the EFDPO
- Austria: privacyofficers.at – Verein österreichischer betrieblicher und behördlicher Datenschutzbeauftragter
- Brazil: ANPPD – Associação Nacional dos Profissionais de Privacidade de Dados
- Czech Republic: Spolek pro ochranu osobních údajů
- Croatia: CENTAR FERALIS
- France: UDPO, Union des Data Protection Officer – DPO
- French Polynesia: U.D.P.O PACIFIC
- Germany: Berufsverband der Datenschutzbeauftragten Deutschlands (BvD) e. V.; Fachverband Externe Datenschutzbeauftragte (FED) e.V.
- Greece: Hellenic Association for Data Protection and Privacy (HADPP)
- Liechtenstein: dsv.li-Datenschutzverein in Liechtenstein
- Portugal: APDPO PORTUGAL Associação dos Profissionais de Proteção e de Segurança de Dados
- Slovakia: Spolok na ochranu osobných údajov
- Switzerland: Data Privacy Community