European data protection bodies highlight several areas of concern, some of which align with the desire of the tech industry to avoid over-prescriptive regulation
A key pillar of the EC’s Data Strategy: The European Data Protection Board and the European Data Protection Supervisor issued a joint opinion on the European Commission’s recent proposal for a Data Act. The Act would set out the conditions under which businesses, consumers, and public authorities can access industrial data. The proposal is one of the legislative pillars of the EC’s Data Strategy, through which the EC aims to maximise the socio-economic impact of data and create a more favourable environment for tech investment in the EU. Currently, the EC estimates that 80% of industrial data is never used, and expects the new rules to unlock €270bn of additional GDP by 2028. While the new rules should enable the creation of more value from data, they also pose a set of problems for those who will share and receive data. The joint opinion of the EDPB and the EDPS highlights some of these issues.
The three main concerns raised in the opinion: Firstly, the Data Act must retain compatibility with the existing data protection framework (i.e. the GDPR). While the EC’s proposal states that objective, the two bodies believe it needs more explicit safeguards. The Act should specify that the GDPR prevails in case of conflict, and should include provisions to ensure “data minimisation” so that devices can be used in the least intrusive way possible. Particular concern is expressed around the enhancement of the right to data portability, which would require manufacturers and data holders to provide access to data to businesses. There should also be clear limitations in cases where the use of personal data may allow precise conclusions about individuals’ private lives. Secondly, the provisions around ‘business-to-government’ data sharing cause concern since the circumstances justifying the access to data should be defined more narrowly. Finally, the current governance structure appears too complex and confusing. National data protection authorities should not only be designated as responsible for the application of the Act related to personal data, but also prevail over other authorities.
The criticisms should be a warning sign for the EC: With consumers and industry potentially aligned over the same risks arising from the Act, the EC could face strong calls for changes to the proposal. The trade association Digital Europe raised concerns about the lack of clarity and the additional burden that could arise from the overlap between the Data Act and the GDPR, and called for an approach that uses existing legal tools as much as possible before introducing new ones. The tech and telecoms industry are warning about the possible effects of additional regulation, and while consumers see the benefit of wider access to data, they could also be concerned about worsening privacy safeguards. Increasingly with the Data Act it looks like there are a number of difficult compromises to reach, the result of which could be a lengthy negotiation before a final text is adopted.