European Data Protection Supervisor and European Data Protection Board publish joint Opinion on EU’s Data Act


The EDPS and EDPB welcome the efforts made to ensure that the Data Act does not affect the current data protection framework. At the same time, since the Data Act would also apply to highly sensitive personal data, the EDPS and EDPB urge the co-legislators to ensure that data subjects’ rights are duly protected. The access, use and sharing of personal data by entities other than data subjects should be in full compliance with all data protection principles and rules. Moreover, products should be designed in such a way that data subjects are offered the option of using devices anonymously or in the least privacy intrusive way possible.

The Data Act aims to establish harmonised rules on the access to, and use of, data generated from a broad range of products and services, including connected objects (Internet of Things), medical or health devices and virtual assistants. The Data Act also aims to enhance data subjects’ right to data portability under Article 20 of the General Data Protection Regulation (2016/679/EU).

The EDPS and EDPB advise co-legislators to include limitations or restrictions on a company’s use of data that has been generated as a result of a data subject’s use of a product or service, in particular where the data in question is likely to allow precise conclusions to be drawn concerning the data subject’s private life or would otherwise be a risk to their rights and freedoms. The EDPS and EDPB recommend introducing clear limitations on the use of such data for the purposes of direct marketing or advertising, employee monitoring, calculating or modifying insurance premiums and credit scoring. There should also be limitations on the use of data to protect vulnerable data subjects, e.g., minors.

The EDPS and EDPB express “deep concerns” about the lawfulness, necessity and proportionality of the obligation to make data available to EU Member States’ public sector bodies and to EU institutions, bodies, offices and agencies (EUIs) where there is “exceptional need”. In their Joint Opinion, the EDPS and EDPB stress that any limitation on the right to the protection of personal data must be put on an accessible and foreseeable legal footing. The legal basis must also define the scope and manner of the exercise of powers by the authorities and be accompanied by safeguards to protect data subjects against arbitrary interference. The EDPS and EDPB urge co-legislators to define emergency or “exceptional need” much more stringently and to clarify which public sector bodies and EUIs will be able to request data.

As regards enforcement, the EDPS and EDPB welcome the designation of data protection supervisory authorities as the authorities responsible for monitoring the application of the Data Act where the protection of personal data is concerned. The EDPS and EDPB request that national data protection authorities be designated coordinating competent authorities under the Data Act.
