The EU’s Data Act: data protection must prevail to empower data subjects

May 5, 2022

Source: European Data Protection Board

Brussels, 5 May – The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) published their Joint Opinion  on the proposed Data Act.

The EDPS and EDPB welcome the efforts made to ensure that the Data Act does not affect the current data protection framework. At the same time, since the Data Act would also apply to highly sensitive personal data, the EDPS and EDPB urge the co-legislators to ensure that data subjects’ rights are duly protected. The access, use and sharing of personal data by entities other than data subjects should occur in full compliance with all data protection principles and rules. Moreover, products should be designed in such a way that data subjects are offered the possibility to use devices anonymously or in the least privacy intrusive way possible.  

The Data Act aims to establish harmonised rules on the access to, and use of, data generated from a broad range of products and services, including connected objects (‘Internet of Things’), medical or health devices and virtual assistants. The Data Act also aims to enhance data subjects’ right to data portability under Art. 20 of the General Data Protection Regulation.

Wojciech Wiewiórowski, EDPS, said: “Data must be processed according to European values if we aim to shape a safer digital future. As we move to create new opportunities for data use, we must ensure that the existing data protection framework remains fully intact. Access to data by public authorities should always be properly defined and limited to what is strictly necessary and proportionate, which is not the case under the draft Data Act.”

The EDPS and EDPB advise the co-legislators to provide limitations or restrictions on the use of data generated by the use of a product or service by any entity other than data subjects, in particular where the data at issue is likely to allow precise conclusions to be drawn concerning data subjects’ private lives, or would otherwise entail high risks for the rights and freedoms of data subjects. The EDPS and EDPB recommend introducing clear limitations regarding the use of the relevant data for purposes of direct marketing or advertising; employee monitoring; calculating, modifying insurance premiums; credit scoring. Limitations on the use of data should also be provided to protect vulnerable data subjects, in particular minors.

The EDPS and EDPB express their deep concerns about the lawfulness, necessity and proportionality of the obligation to make data available to EU Member States’ public sector bodies and to EU institutions, bodies, offices and agencies (EUIs) in case of “exceptional need”. In their Joint Opinion, the EDPS and EDPB stress that any limitation on the right to the protection of personal data requires a legal basis that is adequately accessible and foreseeable. The legal basis must also define the scope and manner of the exercise of powers by the competent authorities, and be accompanied by safeguards to protect data subjects against arbitrary interference. The EDPS and EDPB urge the co-legislators to define much more stringently the hypotheses of emergency or “exceptional need”, and which public sector bodies and EUIs should be able to request data.

As regards enforcement, the EDPS and EDPB welcome the designation of data protection supervisory authorities as competent authorities responsible for monitoring the application of the Data Act insofar as the protection of personal data is concerned. The EDPS and EDPB ask the co-legislators to designate national data protection authorities as coordinating competent authorities under the Data Act.

Andrea Jelinek, EDPB Chair, said: “It is crucial to solidly embed the GDPR in the overall regulatory architecture that is being developed for the digital market. Not just for this proposal, but also concerning other legislative proposals, such as the Data Governance Act or the Digital Markets Act. A clear distribution of competences amongst the relevant regulators will need to be ensured, as well as efficient cooperation to avoid the risk of fragmented supervision, the establishment of a parallel set of rules and to ensure legal certainty for organisations and data subjects.”

 

Recent news

EDPB Launches Data Protection Guide for small business

The EDPB has launched a Data Protection Guide to help small business owners on their way to become more data protection compliant. The Guide aims to raise awareness about the GDPR and to provide practical information to SMEs about GDPR compliance in an accessible and...

read more

Europe Day 2023

Every year in early May we celebrate peace and unity in Europe through Europe Day, to commemorate the signing of the 'Schuman Declaration'. This year, on Saturday 6 May, the EU institutions invite you to a wide range of online and on-site activities across the EU...

read more
A look back at the Privacy Symposium 2023

A look back at the Privacy Symposium 2023

For the second time in a row, the EFDPO was one of the Key Partners of the Privacy Symposium in Venice – an international conference for data protection professionals and enthusiasts from around the world. Privacy Symposium aims to bring together data protection...

read more
Generated by Feedzy