Proposals for digital and data strategies & data protection
Information Review of the Statement (Statement on the Digital Services Package and Data Strategy) of the EDPB (European Data Protection Board) of 18 November 2021 regarding concerns in relation to proposals for digital and data strategies and recommendations for data protection under the General Regulation (GDPR).
Over the last year, the European Commission has presented several proposals as part of its digital and data strategies (proposals: Digital Services Act – DSA, Digital Markets Act – DMA, Data Governance Act – DGA, Artificial Intelligence Act – AIR). Special attention was drawn to the draft Regulation establishing harmonized rules on artificial intelligence (the Artificial Intelligence Act) in April this year. This Proposal was preceded by several activities, most notably the Guidelines for Reliable Artificial Intelligence in April 2019 and the White Paper on Artificial Intelligence in February 2020, in which the European Commission presented the basic concept of artificial intelligence regulation.
On the 18th of the last month, the European Data Protection Board (EDPB) adopted a Statement on the Digital Services Package and Data Strategy, which expresses its concern and makes certain recommendations in the context of personal data processing under the proposed Artificial Intelligence Act and the other proposed Acts, in the parts related to the processing of personal data. The concerns are divided into three categories: 1) lack of protection of individuals’ fundamental rights and freedoms, 2) fragmented supervision, and 3) risks of inconsistencies.
1) Lack of protection of individuals’ fundamental rights and freedoms
The AIR proposal would allow the use of an AI system that categorizes an individual from biometrics (such as face recognition) according to ethnicity, gender, as well as political or sexual orientation, and other personal characteristics in certain circumstances. The EDPB proposes that any processing related to the grounds of discrimination should be completely prohibited, as well as systems whose scientific value has not been proven or is in conflict with fundamental values. Recognition of emotions should be allowed only in specific cases for health or research purposes and with the application of appropriate protective measures.
The AIR proposal allows, in certain cases, the automatic recognition of human features (such as face, gait, fingerprints, voice and other biometric or behavioral signals) in publicly accessible spaces for law enforcement purposes, while the EDPB proposes prohibiting such use altogether.
The EDPB also believes that targeted online advertising should be more strictly regulated in favor of less intrusive forms of advertising, while the profiling of children should overall be prohibited.
2) Fragmented supervision
The proposed DGA defines new types of service providers and organisations that would process large amounts of potentially sensitive data, notably, data intermediary services and data altruism organisations. However, the ‘vetting’ regime for these entities is almost declarative and as such does not provide sufficient protection for data subjects. The proposed AIR sets out a certification scheme and codes of conduct for high-risk AI systems, but it is unclear if and how these certificates and codes may interface with requirements under the GDPR.
The Digital Markets Act (DMA) proposal requires facilitating the transfer of personal data in accordance with the GDPR and, under certain conditions, providing access to data without a clear legal basis or a duty to consult the data protection supervisory authority.
The EDPB proposes that each Proposal clearly set out provisions that determine and define the obligation to cooperate with the data protection supervisory authority. The proposals should also enable the competent supervisory authorities under each proposal to share information obtained in the context of any audits and investigations that relate to the processing of personal data with the competent data protection authorities.
3) Risks of inconsistencies
The EDPB emphasizes that all proposals aim to regulate technologies or activities involving the processing of personal data and that the existing data protection framework is fully applicable. However, the texts of the existing proposals may create some ambiguities as to the applicability of the data protection framework in certain cases. The proposals should therefore make it clear that their provisions will not affect or jeopardize the application of existing data protection rules, and ensure that the provisions of the General Regulation prevail whenever personal data are processed. The EDPB points out that the proposals often use the same terminology as the GDPR (and the ePrivacy Directive) without explicit reference, which creates a risk that some provisions could be interpreted as deviations from it, which can lead to legal uncertainty.
Example: in many cases, the legal basis for processing of personal data is not clear from the draft text. For example, the Digital Markets Act does not provide sufficient clarity on the re-use of personal data held by public sector bodies while the proposed Artificial Intelligence Act provides general authorization for the processing of personal data but states that high-risk AI providers “may process specific categories of personal data” to ensure monitoring, detection of bias and correction and requires additional safeguards for this processing.
The EDPB therefore calls on the Commission to avoid ambiguities in the new proposals in order to ensure legal certainty and coherence with the existing data protection framework to ensure its effective application. In any case, proposals should make it clear that they will not affect or jeopardize the application of existing data protection rules and ensure that data protection rules prevail whenever personal data are processed.
In its statement, the EDPB emphasizes:
- the inalienable nature of the right to the protection of personal data as a right relating to every natural person;
- the need for special safeguards to ensure compliance with all data protection principles, in particular the principle of data minimization, purpose limitation and transparency;
- the need to determine the types of data that can be processed, the purposes for which the data may be processed, the data subjects, the parties with whom personal data may be shared and the retention periods;
- the special attention that should be paid to safeguards for processing for scientific research purposes, ensuring legal, responsible and ethical data management;
- the importance of data protection “by design and by default”.
Authors: Ines & Marko Krečak, Feralis Center