The industry joint letter, addressed to the Committee of Civil Liberties, Justice and Home Affairs of the EU Parliament (LIBE), expresses concern that the proposed Data Act, which aims to aims to facilitate access to and use of data, risks causing the unintended consequence of overriding the GDPR risk-based approach. This would ultimately undermine the goal of the Data Act of facilitating innovative uses of existing data.

In particular, the industry coalition says that it is “greatly concerned” that the Data Act undermines the GDPR’s rules on further processing under Article 6(4) GDPR. The letter states that the Data Act imposes various restrictions on third parties for certain data processing activities, including the removal of all legal bases to process data involving profiling (Article 6(2)b) and restrictions on data sharing (Article 6(2)c). According to the signatories, this would mean severely curtailing the use of the data by third parties, including legitimate partnerships between entities, which would have a chilling effect on innovation. In the coalition’s view, these limitations in the Data Act are at odds with the GDPR, which provides for six legal bases (under Article 6) to process personal data. It therefore appears that Article 6(2)b and Article 6(2)c of the Data Act would no longer be compatible with Article 6(4) of the GDPR which provides conditions for when processing is for a purpose other than that for which the personal data has been collected and is not based on the data subject’s consent.

In addition, the letter states that Articles 6(2)(b) and (c) of the Data Act are insufficiently forward-looking as they do not consider processing of data via Privacy Enhancing Technologies (PETs), which can maintain high levels of privacy and enable the safe reuse of personal data.

Further, the coalition says, Articles 6(2)(b) and (c) contradict Article 20 and Article 22 of the GDPR on data processing, the right of users to portability and the legal bases under which users may object to automated decision-making, including profiling. Preventing third parties from further processing personal data in a risk-based and GDPR-compliant way will “significantly curb the potential benefits of this proposal for a broad range of sectors such as the secondary use of electronic health data for research purposes, data sharing by insurance companies to combat fraud, or data sharing to inform consumer credit rating”.

The signatories “strongly recommend” that the Data Act defer to the GDPR legal bases and established norms to provide a coherent legal framework.

The coalition is also concerned that the proposals to restrict certain data processing purposes made in the LIBE Committee’s draft opinion on the Data Act would prevent users from consenting to share their data with legitimate third-party service providers, including for the purposes of direct marketing, advertising, credit scoring and profiling.

In the coalition’s view, users should be free to decide the purposes for which their data is shared, provided such sharing and processing has a valid GDPR legal basis and the third party complies with the necessary GDPR requirements.

The letter also states that the proposed purpose limitation represents a risk for innovation and the development of new products and services. In addition, it undermines the objective of the Data Act to stimulate competition, as data holders will still be allowed to carry out processing activities for those purposes, although it will be prohibited for third parties. In other words, data holders will maintain their competitive advantage vis-à-vis other economic operators in relation to processing activities that are key elements of the data economy.

The coalition therefore urges policymakers to ensure that the Data Act fully aligns with the GDPR. The letter concludes by saying: “It is important to recall that the Data Act’s key objective is to foster data sharing in the field of connected objects and ancillary services – not to impose new obstacles to innovation.” To access the full letter, click here.