As we noted in previous posts, 2020 was an important year for the data economy in the European Union. In September, the European Commission made public its data strategy for the coming years. Two months later, it published its Draft Data Governance Regulation, taking another step towards the creation of a single market for data sharing.
This draft Regulation aims to foster data availability for economic use and exploitation. The approach focuses on maximizing the economic potential of data, in contrast with the system of the General Data Protection Regulation (GDPR)—based on the protection of the fundamental right to privacy.
This is no trivial issue, especially since the boundary between personal and non-personal data is sometimes blurred. Precisely for this reason, the European Commission requested a joint opinion of the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on how the Proposal might affect the protection of personal data in the EU.
In their report of March 10, both bodies warn of the risk that the Proposal might open a door to circumvent the obligations under personal data protection regulations. To avoid this, the report suggests the following amendments:
- The Proposal should expressly indicate that data protection regulations and in particular the GDPR will prevail;
- The Proposal should link the new figures (e.g., data sharing service provider, data altruism organization, data user) to the existing roles under the GDPR (data controller, processor, joint controller) to facilitate the enforcement of personal data protection regulations;
- The Proposal should better specify the applicable legal basis for the processing of personal data where it is not based on consent, in order to justify processing for purposes other than that for which the personal data were originally collected, thus enhancing legal certainty.
The EDPB and the EDPS also warn that the Proposal might create a parallel set of rules that are inconsistent with the GDPR and the Free Flow Regulation, undermining their safeguards and causing implementation problems. This risk is particularly apparent with regard to the regulation of data sharing service providers.
Likewise, the EDPB and the EDPS disagree with the introduction of new data management figures, which could interfere with the work of national data protection authorities (in Spain, the Spanish Data Protection Agency)—thus limiting their effectiveness.
In short, the EDPB-EDPS joint opinion stresses that progress in the digital economy cannot be to the detriment of citizens’ rights. Their perspective provides an opportunity for the European Commission to review its proposal, to ensure the cohesion of EU law and the protection of personal data.
Authors: Pedro Méndez de Vigo y Beatriz García Quiroga