European strategy for data: the CNIL and its counterparts comment on the Data Governance Act and the Data Act
On 5 May 2022, the European Data Protection Committee (EDPS) and the European Data Protection Supervisor (EDPS) adopted an opinion on the proposed EU Data Act. This opinion, which follows the one of March 2021 on data governance (DGA), marks a further step in building a European data economy that respects fundamental rights and freedoms.
What are the Data Governance Act and the Data Act?
The Data Governance Act and the Data Act are part of the European strategy for data, presented by the European Commission in February 2020. This strategy aims to develop a single market for data by supporting responsible access, sharing and re-use, while respecting the values of the European Union and in particular the protection of personal data.
It is part of the broader context of the European Commission's action plan to ensure Europe's digital sovereignty by 2030, and is complementary to the European strategy on artificial intelligence.
The Data Governance Act
The Data Governance Act was adopted in May 2022 and will be applicable in September 2023. It aims to promote the sharing of personal and non-personal data by setting up intermediation structures. This regulation includes:
- guidance and technical and legal assistance to facilitate the re-use of certain categories of protected public sector data (confidential business information, intellectual property, personal data);
- mandatory certification for providers of data intermediation services ;
- optional certification for organisations practising data altruism.
The Data Act Regulation
The European Commission's legislative proposal, presented on 23 February 2022, aims to ensure a better distribution of the value derived from the use of personal and non-personal data between the actors of the data economy, particularly in relation to the use of connected objects and the development of the Internet of Things.
As such, the proposed Data Act aims to :
- facilitate the sharing of data between companies (B2B) and with consumers (B2C), in particular by setting an obligation to make data generated by the use of connected objects and related services accessible, in return for fair and equitable compensation;
- allow the use of data held by undertakings and, subject to justification of an exceptional need, by public bodies of the Member States and the institutions, agencies or bodies of the Union;
- Facilitating the switching of data processing services (cloud and edge computing) by regulating the contractual relationship between service providers and consumers, including the gradual abolition of switching fees for consumers;
- provide for the development of interoperability standards for data and its re-use across sectors;
- put in place safeguards against unlawful access to non-personal data in the cloud by third country governments.
The opinions of the CNIL and its counterparts
The challenges linked to the articulation of this new legislative framework on data with the General Data Protection Regulation (GDPR) led the European Commission to seek the expertise of the CNIL and its counterparts. The Data Governance Act and the Data Act require, from different angles, two key elements to ensure their proper articulation with the GDPR:
- the consistency of these future provisions with the rights and obligations of the GDPR; and
- Intelligent governance around data protection authorities to ensure the efficient and effective application of the different legal frameworks and to ensure their readability for citizens and economic actors concerned.
The need to ensure consistency with the GDPR
Legitimate objectives and improved rights and protections
Data protection authorities and the European Supervisor recognise the legitimate objective of the DGA to foster the availability of data through the establishment of data intermediation structures and the strengthening of data sharing mechanisms across the EU. Similarly, the Data Act's objective of unlocking the potential of data to develop valuable knowledge for sectors such as science, health or climate action is welcomed by data protection authorities and the European Supervisor.
The Data Act could also provide a more effective right to data portability to facilitate innovation and promote competition, and give consumers meaningful control over how their data generated through the use of connected objects is used.
Finally, the framework of access requests by foreign authorities and transfers of non-personal data by these two regulations will converge the models of personal and non-personal data protection.
Safeguards needed to protect the rights of individuals
At the same time, the protection of personal data is essential and integral to confidence in the development of the digital economy. The European Data Protection Committee and the European Data Protection Supervisor have called on the co-legislators (European Parliament and Council of the EU) to ensure that the DGA and the Data Act do not undermine the protection of personal data. The co-legislators took this recommendation for the DGA into account by specifying that the GDPR would prevail in case of conflict with the DGA.
With regard to the rights of access, use and sharing of data under the Data Act, the CNIL and its counterparts call on the co-legislators to put in place additional safeguards for data subjects. They should also ensure the legality, necessity and proportionality of the obligation to make data available to public sector bodies and EU institutions on the basis of an exceptional need, and define more strictly the assumptions of "public emergency" or "exceptional need".
The need for smart governance
The CNIL and its counterparts also warn that the non-designation of data protection authorities for the supervision of the DGA could lead to real complexity for digital actors and data subjects, and undermine the consistency of the supervision of the application of the GDPR. However, the co-legislators indicated that data protection authorities could be considered as competent authorities for the DGA.
Similarly, the designation of data protection authorities as competent authorities for the Data Act will avoid inconsistencies with the fundamental right to protection of personal data and ensure a one-stop shop for data actors. The co-legislators should therefore designate data protection authorities as coordinating authorities for the application of the whole Data Act. Indeed, data protection authorities have legal and technical expertise in supervising the processing of personal data, and in supporting innovative actors and business models.
In this respect, the CNIL has launched a working group on data openness and sharing which will produce a practical guide, with very concrete criteria and examples, on how to apply these texts.