Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

EU: Joint opinion of the EDPB and EDPS on the Draft Data Act

On 4 May 2022, the European Data Protection Supervisor ('EDPS'), jointly with the European Data Protection Board ('EDPB'), adopted their opinion1 on the Proposal for a Regulation on Harmonised Rules on Fair Access to and Use of Data ('the Draft Data Act').

In this Insight article, Grigoris Sarlidis, Partner at A.G. Erotocritou LLC, provides an overview of the key recommendations and concerns of the EDPB and the EDPS, concluding that certain modifications and clarifications need to be made in order to ensure that the Draft Data Act does not inadvertently jeopardise the rights and freedoms of data subjects.

shuoshu / Signature collection / istockphoto.com

Background

Whilst one must applaud the efforts made to ensure that the Draft Data Act does not impact or contradict the existing data protection framework, the EDPS and the EDPB suggest that additional measures are required to avoid undermining the protection of the fundamental right to privacy and to the protection of personal data; express their concerns in respect of the wording of certain provisions of the Draft Data Act; and highlight operational risks that may arise from the proposed oversight mechanism.

Recommendations

The EDPB and the EDPS note that Recital 7 of the Draft Data Act clarifies that the latter complements, and is without prejudice to, EU law on data protection and privacy (particularly the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive')). However, in an attempt to confine risks relating to the implementation or the construal of the Draft Data Act that could potentially adversely impact the current data protection framework, the EDPB and the EDPS strongly encourage the legislators to explicitly stipulate that the data protection laws currently in force take precedence where there is a contradiction with any of the terms of the Draft Data Act, insofar as the processing of personal data is concerned.

For interpretation purposes, a clarification should also be included (either in the Recitals or the main body of the Draft Data Act) to ensure that the access, use, and sharing of personal data by data holders (other than data subjects) should take place in full conformity with all the rules set out in the GDPR, Regulation (EU) 2018/1725 on Data Protection for EU institutions and bodies ('the EUDPR'), and the ePrivacy Directive, including perhaps a provision requiring that data subjects are notified once controllers access their personal data.

Moreover, the EDPB and the EDPS urge legislators to incorporate clear limitations on the use of data generated by products or services by any entity (other than the data subjects), particularly in situations where the data in question may likely allow to draw precise conclusions relating to the private lives of data subjects (use of data for the purposes of direct marketing or advertising, employee monitoring, credit scoring, or to assess suitability to health insurance).

Concerns

With respect to Chapter V of the Draft Data Act, the EDPB and the EDPS have expressed serious concerns on the lawfulness, necessity, and proportionality of the obligation to make data available to a public sector body and EU institutions, agencies, or bodies in case of an ‘exceptional need’. From a legal point of view, any restriction on the right to personal data must be properly justified, foreseeable, and articulated without any ambiguity so that the public can clearly understand its scope of application. Moreover, bearing in mind the principles of necessity and proportionality, the Draft Data Act should include a provision explicitly specifying the scope and manner of application of the powers of the competent authorities. Moreover, additional appropriate safeguards should have been incorporated to shield the public from any arbitrary interference.

The EDPB and the EDPS also correctly note that the circumstances that give grounds to the above bodies and institutions to access such data are not defined in a stringent manner and that certain public bodies and EU institutions, agencies, and bodies should be excluded from the scope of Chapter V, given their specific nature and mission: in fact, such institutions should exclusively rely on their powers deriving under sectoral legislation in order to be able to oblige data holders to make any data available to them.

Implementation and enforcement

The EDPB and the EDPS have pointed out that the risk of operational difficulties that stem from Chapter IX of the Draft Data Act. In particular, Article 31 does not harmonise the supervision of the application of the Draft Data Act across the EU, nor does it provide for a consistent mechanism that would guarantee a uniform application of the Draft Data Act. In this regard, taking also into account the lack of uniformity in relation to the penalties that each member state would be able to impose under the Draft Data Act, there is a risk of forum shopping.

Moreover, Article 31 of the Draft Data Act, as currently phrased, grants the option to Member States to designate one or more competent authorities as the responsible authority/authorities for the application and enforcement of the Draft Data Act. Arguably, this governance architecture could lead to complications and confusions for not only organisations, but also data subjects, resulting in inconsistent regulatory approaches which would hinder monitoring and enforcement.

Conclusion

Undoubtedly, the Draft Data Act is a major initiative for the safeguarding of individual fundamental rights and freedoms with respect to the processing of personal data. However, the Draft Data Act, as it is currently drafted, is somewhat surrounded by a cloud of uncertainty and ambiguity rendering the recommendations and concerns raised by EDPB and the EDPS crucial in ensuring that the rights of data subjects are duly protected.

Grigoris Sarlidis Partner
[email protected]
A.G. Erotocritou LLC, Limassol


1. EDPB-EDPS Joint Opinion 2/2022 on the Proposal of the European Parliament and of the Council on harmonised rules on fair access to and use of data Data Act, available at: https://edpb.europa.eu/system/files/2022-05/edpb-edps_joint_opinion_22022_on_data_act_proposal_en.pdf