On 4 May 2022, following a request from the EU Commission, the European Data Protection Board and the European Data Protection Supervisor issued a Joint Opinion on the Data Act proposal. The scope of the opinion is limited to aspects of the Data Act proposal related to and involving personal data.
The Data Act proposal is a key pillar in the European strategy for data. Broadly speaking it has the “aim of ensuring fairness in the allocation of value from data among actors in the data economy and to foster access to and use of data”.
It is unsurprising that the Data Act – a very ambitious proposal – to some extent ‘overlaps’ with existing regimes governing personal data. It is, perhaps, also unsurprising that some of these ‘overlaps’ create points of tension or potential confusion between the two regimes. In their Joint Opinion, the EDPB and EDPS touch upon these. We summarise their key concerns here.
1. The relationship between the GDPR and the Data Act
The ‘data’ covered by the Data Act proposal is both personal and non-personal data. Article 1(3) of the Data Act therefore seeks to modulate its potential effects on European data protection laws: “[The Data Act] shall not affect the applicability of Union law on the protection of personal data, in particular [GDPR] and [the e-Privacy Directive]”.
In this respect, the EDPB and EDPS propose that Article 1(3) is strengthened so that it explicitly states that data protection law “prevails” insofar as it concerns the processing of personal data. Such an approach would reflect the one taken in the compromise text for the Data Governance Act, another key pillar in the European strategy for data which aims “to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU”.
2. The definition of “user”
Under the Data Act proposal, “user” is defined as “a natural or legal person that owns, rents or leases a product or receives a services” [sic]. In other words, a user can be a business entity (i.e. a legal person) that is not a data subject. This means that the entitlements under the Data Act proposal for users to access, use and share data extend to business entities that are not data subjects. Potentially, therefore, personal data could be acquired, shared and used under the Data Act without the knowledge of the data subjects themselves.
With that in mind, the EDPB and EDPS propose that (i) “data subjects” are added to this definition and (ii) it is then made explicitly clear that any access to and sharing of personal data by users that are not data subjects should only be possible insofar as it is permitted in compliance with data protection law.
3. The obligation on data holders to make data available to the public sector based on exceptional need
The EDPB and EDPS expressed “deep concerns” over Chapter V of the Data Act proposal, under which data holders are obligated to make data available to a public sector body or an EU institution, agency or body where there is an “exceptional need” for them to use it. In particular, their view is that the circumstances in which access is justified are not sufficiently circumscribed and need to be defined more stringently. The EDPB and EDPS reason that any limitation to the right to personal data needs to be formulated with sufficient precision to enable individuals to understand its scope and the manner in which it will be exercised, and must include sufficient safeguards to protect individuals against arbitrary interference.
4. Implementation and enforcement
The EDPB and EDPS also level a number of concerns at the governance architecture in the Data Act proposal. Notably, they observe that:
- it neither harmonises supervision of the Data Act as between Member States, nor provides a consistency mechanism or harmonised penalties and therefore opens up the possibility of forum shopping;
- while it proposes the establishment of “competent authorities” to oversee the application and enforcement of the Data Act, the allocation of responsibility between those competent authorities, data protection authorities and “sectoral authorities” (the latter being established under sectoral regulation such as the Health Data Space Regulation) remains unclear and could lead to confusion for organisations and data subjects;
- where both personal data and non-personal data are in a data set (and therefore GDPR applies), the role of the data protection authorities should prevail in the governance architecture, given their legal and technical expertise in monitoring data processing compliance.
Quite evidently, the EDPB and EDPS are keen to preserve and protect the boundaries of the regulatory competence of data protection authorities – and in this case with some justification. Their intervention does not appear to be a case of mere legislative gerrymandering, but rather a sensible and fair interrogation of a legislative proposal.
The Joint Opinion will now need to be considered by the EU Parliament and Council, together with other stakeholder feedback on the Data Act proposal.