Latest updates on the EU Data Act

The fact that there’s enormous potential in the gigantic amount of data that’s generated every day can be agreed upon without exception. However, the risk associated with the use of this data must not be disregarded. The EDPB and the EDPS were of the same opinion in their review of the new Data Act. In their report, they criticise various points of the new legislative proposal and present solutions to bring it more in line with the General Data Protection Regulation and the ePrivacy Regulation. 

A first point of criticism from EDPB and EDPS, were the unclear terms and definitions within the new proposal. For example, the proposal doesn’t distinguish between personal and non-personal data, but simply refers to data. It’s obvious, however, that a distinction would be absolutely necessary here, especially with regard to the associated risks and legal provisions from, for example, the GDPR or the Charter of Fundamental Rights. Terms such as ‘product’ or ‘related services’ also cause confusion and risks due to the weak delimitation and containment. 

Another point criticised here in connection with its terminology is the concept of ‘exceptional needs’. According to the proposal, public bodies and union institutions, agencies or bodies may request access to data on the basis of an exceptional need. While it’s required that this need be demonstrated, when making the request, no other legal basis is required. Again, such a vague concept can’t possibly be sufficient as a basis for working, in some cases, with highly sensitive data. 

It's also unclear how the new proposal relates to other EU legislation, such as the GDPR, ePrivacy Regulation, Data Governance Act and Digital Market Act. Although it’s mentioned in the proposal that this shouldn’t affect the legal texts and is subordinate to the GDPR in conflict situations, when it comes to the processing of personal data, the open formulations in the individual articles and the lack of references again give reason for criticism. 

The EDPB and EDPS also criticised the fact that the user of the data and the data subject don’t necessarily have to be identical. Further clarification is needed on how to handle the data in such cases so that the protection and transparency of the processing remain apparent to the data subject. Especially in cases where the data is shared with third parties by the user who isn’t the data subject, this may lead to discrepancies with other EU regulations. The question is also raised as to whether notification to the data subject should be required. However, the draft law leaves this open so far. 

Last but not least, it was criticised that the responsibilities of the authorities and the complaint procedure were not sufficiently clarified. Although a responsibility of national data protection authorities for monitoring the application of the proposal has been established as far as the protection of personal data is concerned. However, the drafting is far too vague here as well and leaves questions unanswered. There’s also a lack of a European cooperation framework, which seems highly questionable for a legislative proposal that also has a cross-border character. Likewise, the EDPB and EDPS recommend including a reference to the EDPS as the competent authority for supervision of the entire proposal.

In summary, it can be said that the Data Act proposal is a law with a lot of potential, but still requires some corrections.