Activities of Miapetra KUMPULA-NATRI related to 2020/0340(COD)
Plenary speeches (1)
Data Governance Act (debate)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act)
Amendments (108)
Amendment 110 #
Proposal for a regulation
Recital 1
Recital 1
(1) The Treaty on the functioning of the European Union (‘TFEU’) provides for the establishment of an internal market and the institution of a system ensuring that competition in the internal market is not distorted. The establishment of common rules and practices in the Member States relating to the development of a framework for data governance embedded fundamental rights-based European values should contribute to the achievement of those objectives.
Amendment 112 #
Proposal for a regulation
Recital 2
Recital 2
(2) Over the last few years, digital technologies have transformed the economy and society, affecting all sectors of activity and daily life, and the COVID19 crisis is likely to result in permanent changes to life in Europe, in which digitalisation will have a major role. Data is at the centre of this transformation: data-driven innovation will bring enormous benefits both for citizens and the economy, for example through improved personalised medicine, new mobility, and its contribution to the European Green Deal23 . In its Data Strategy24 , the Commission described the vision of a common European data space, a Single Market for data in which data could be used irrespective of its physical location of storage in the Union in compliance with applicable law. It also called for the free and safe flow of data with third countries, subject to exceptions and restrictions for public security, public order and other legitimate public policy objectives of the European Union, in line with international obligations. In order to turn that vision into reality, it proposes to establish domain- specific common European data spaces, as the concrete arrangements in which data sharing and data pooling can happen. As foreseen in that strategy, such common European data spaces can cover areas such as health, mobility, manufacturing, financial services, energy, or agriculture or thematic areas, such as the European green deal or European data spaces for public administration or skills. COVID 19 is also widening the digital gap, especially the gender gap as women's digital literacy is lagging behind while the majority of services are digitalised. It is necessary to promote gender balance in the digital sector, bearing in mind the way people and companies use ICT and other digital technologies to work and interact in the new digital society. _________________ 23Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the European Green Deal. Brussels, 11.12.2019. (COM(2019) 640 final) 24 COM (2020) 66 final.
Amendment 116 #
Proposal for a regulation
Recital 2 a (new)
Recital 2 a (new)
(2 a) The Union’s growth potential depends on the skills of its population and workforce. Bearing in mind that 42% of EU citizens lack basic digital skills, a key element to increase trust from citizens in intensifying data sharing will be to actively promote digital literacy, to reinforce education and training in that area and to ensure lifelong data literacy. This is necessary for a critical analysis to decide how to use and share data, for combating disinformation and building an active digital citizenship as well as to be protected from cybersecurity threats.
Amendment 118 #
Proposal for a regulation
Recital 2 b (new)
Recital 2 b (new)
(2 b) The Union has to devote attention to the needs of building of data spaces and data economy, while particular attention should be given to software engineering and attracting talent to ICT sector in order to build European know- how focusing on next-generation and cutting-edge technologies.
Amendment 119 #
Proposal for a regulation
Recital 2 c (new)
Recital 2 c (new)
(2 c) Action at Union level is necessary to address the fact that women are under- represented at all levels in the digital sector in Europe; from students (32% at Bachelor, Master or equivalent level) up to top academic positions (15%) and that the gender gap is largest in ICT specialist skills and employment, where only 18% are women1a. _________________ 1a https://ec.europa.eu/digital-single- market/en/news/digital-economy- scoreboard-shows-women-europe-are- less-likely-work-or-be-skilled-ictgender gap in digital
Amendment 120 #
Proposal for a regulation
Recital 2 d (new)
Recital 2 d (new)
(2 d) Another crucial element to increase trust, part of the broad learning aspect, is establishing a public dialogue to raise awareness of the importance of data, facilitating correct data, protecting data rights holders and providing tools for critical assessment to benefit from data, while protecting the rights of data holders.
Amendment 121 #
Proposal for a regulation
Recital 2 e (new)
Recital 2 e (new)
(2 e) Digital Europe Programme, among other EU and national programmes, should support the cooperation towards achieving a European ecosystem for trusted data sharing (via common European data spaces) and digital infrastructures, as well as to support the interoperability and standardisation. Fostering the common data spaces must be done in respect with consumer and data protection legislation. It is also important to strengthen the European Digital Innovation Hubs and their network to help companies, especially SMEs, to achieve an advantage of European data economy.
Amendment 123 #
Proposal for a regulation
Recital 3
Recital 3
(3) It is necessary to improve the conditions for data sharing in the internal market, by creating a harmonised framework for data exchanges and laying down requirements for data governance. The regulation should aim to build a borderless digital single market and human-centric, trustworthy and secure data society and economy. Sector- specific legislation can develop, adapt and propose new and complementary elements, depending on the specificities of the sector, such as the envisaged legislation on the European health data space25 and on access to vehicle data. Moreover, certain sectors of the economy are already regulated by sector-specific Union law that include rules relating to cross-border or Union wide sharing or access to data26 . This Regulation is therefore without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council (27 ), and in particular the implementation of this Regulation shall not prevent cross border transfers of data in accordance with Chapter V of Regulation (EU) 2016/679 from taking place, Directive (EU) 2016/680 of the European Parliament and of the Council (28 ), Directive (EU) 2016/943 of the European Parliament and of the Council (29 ), Regulation (EU) 2018/1807 of the European Parliament and of the Council (30 ), Regulation (EC) No 223/2009 of the European Parliament and of the Council (31 ), Directive 2000/31/EC of the European Parliament and of the Council (32 ), Directive 2001/29/EC of the European Parliament and of the Council (33 ), Directive (EU) 2019/790 of the European Parliament and of the Council (34 ), Directive 2004/48/EC of the European Parliament and of the Council (35 ), Directive (EU) 2019/1024 of the European Parliament and of the Council (36 ), as well as Regulation 2018/858/EU of the European Parliament and of the Council (37 ), Directive 2010/40/EU of the European Parliament and of the Council (38 ) and Delegated Regulations adopted on its basis, and any other sector-specific Union legislation that organises the access to and re-use of data. This Regulation should be without prejudice to the access and use of data for the purpose of international cooperation in the context of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. A horizontal regime for the re-use of certain categories of protected data held by public sector bodies, the provision of data sharing servicintermediaries and of services based on data altruism in the Union should be established. Specific characteristics of different sectors may require the design of sectoral data-based systems, while building on the requirements of this Regulation. Where a sector-specific Union legal act requires public sector bodies, providers of data sharing services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act should also apply. _________________ 25 See: Annexes to the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Commission Work Programme 2021 (COM(2020) 690 final). 26For example, Directive 2011/24/EU in the context of the European Health Data Space, and relevant transport legislation such as Directive 2010/40/EU, Regulation 2019/1239 and Regulation (EU) 2020/1056, in the context of the European Mobility Data Space. 27Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (OJ L 119, 4.5.2016, p.1) 28 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. (OJ L 119, 4.5.2016, p.89) 29Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. (OJ L 157, 15.6.2016, p.1) 30 Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union. (OJ L 303, 28.11.2018, p. 59) 31Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities. (OJ L 87, 31.03.2009, p. 164) 32Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000, on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce). (OJ L 178, 17.07.2000, p. 1) 33Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society. (OJ L 167, 22.6.2001, p. 10) 34 Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC. (OJ L 130, 17.5.2019, p. 92) 35Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights. (OJ L 157, 30.4.2004). 36Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information. (OJ L 172, 26.6.2019, p. 56). 37 Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018). 38 Directive 2010/40/EU of the European Parliament and of the Council of 7 July 2010 on the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of transport. (OJ L 207, 6.8.2010, p. 1)
Amendment 126 #
Proposal for a regulation
Recital 4
Recital 4
(4) Action at Union level is necessary to increase trust in data sharing by establishing proper mechanisms for control over data and in order to address other barriers to a well- functioning data- driven economy and to create a Union- wide governance framework for data access, control and use, in particular regarding the re-use of certain types of data held by the public sector, the provision of services by data sharing providers to business users and to data subjects, as well as the collection and processing of data made available for altruistic purposes by natural and legal persons. This action is without prejudice to the international trade agreements concluded by the Union.
Amendment 133 #
Proposal for a regulation
Recital 5
Recital 5
(5) The idea that data that has been generated at the expense of public budgets should benefit society has been part of Union policy for a long time. Directive (EU) 2019/1024 as well as sector-specific legislation ensure that the public sector makes more of the data it produces easily available for use and re-use. However, certain categories of data (commercially confidential data, data subject to statistical confidentiality, data protected by intellectual property rights of third parties, including trade secrets and personal data not accessible on the basis of specific national or Union legislation, such as Regulation (EU) 2016/679 and Directive (EU) 2016/680) in public databases is often not made available, not even for research or innovative activities. Due to the sensitivity of this data, certain technical and legal procedural requirements must be met before they are made available, in order to ensure the respect of rights others have over such data. Such requirements are usually time- and knowledge-intensive to fulfil. This has led to the underutilisation of such data. While some Member States are setting up structures, processes and sometimes legislate to facilitate this type of re-use, this is not the case across the Union. Both public and private (such as research centres, universities) would benefit from clear conditions of access to the data. This would allow them to build partnerships with public bodies more efficiently and to advance in research without an undue burden of identifying the data and negotiating the conditions for access to such data. Especially, in order to facilitate the use of scientific data to promote European research and innovation, further clarification is needed on the use allowed for this data which should enable use for scientific and research purposes including by private and public entities.
Amendment 138 #
Proposal for a regulation
Recital 6
Recital 6
(6) There are techniques enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression and randomisation. Application of these privacy-enhancing technologies, together with comprehensive data protection approaches should ensure the safe re-use ofand in line with the rules on personal data processing should ensure the safe re-use of certain categories of protected data, for example personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place and supervised by the public sector. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39 ). In general, insofar as personal data are concerned, the processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 and 9 of Regulation (EU) 2016/679. This Regulation should not be read as creating a new legal basis for the processing of personal data. _________________ 39Commission Regulation (EU) 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Amendment 157 #
Proposal for a regulation
Recital 13 a (new)
Recital 13 a (new)
(13 a) In case of sharing the data related to the employment with a third party, companies must transmit that data in full respect of the principles and provisions of GDPR, in particular in respect of Article 88 which provides the conditions for processing data in the context of employment. Additional safeguards should be put in place to avoid misuse of sensitive data. Workers should be able to exercise an unambiguous and informed consent in the processing of their data, for which a strong trade unions' involvement in the new governance of data and AI at company and sectoral level should be implemented. Workers or their representatives must, at the appropriate levels, be guaranteed quality information and consultation in good time on those processes, to guarantee a meaningful exchange with management.
Amendment 188 #
Proposal for a regulation
Recital 21
Recital 21
(21) In order to incentivise the re-use of these categories of data, Member States should establish a single information point to act as the primary interface for re-users that seek to re-use such data held by the public sector bodies. It should have a cross-sector remit, and should complement, if necessary, arrangements at the sectoral level. In addition, Member States should designate, establish or facilitate the establishment of competent bodies to support the activities of public sector bodies allowing re-use of certain categories of protected data. Their tasks may include granting access to data, where mandated in sectoral Union or Member States legislation and developing a harmonised approach and processes for public sector bodies to make scientific data available for purposes of research. Those competent bodies should provide support to public sector bodies with state-of-the-art techniques, including secure data processing environments, which allow data analysis in a manner that preserves the privacy of the information. Such support structure could support the data holders with management of the consent, including consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data processing should be performed under the responsibility of the public sector body responsible for the register containing the data, who remains a data controller in the sense of Regulation (EU) 2016/679 insofar as personal data are concerned. Member States may have in place one or several competent bodies, which could act in different sectors.
Amendment 194 #
Proposal for a regulation
Recital 22
Recital 22
(22) Providers of data sharing services (data intermediaries) are expected to play a key role in the data economy, as in particular in supporting voluntary data sharing practices or data sharing arrangements set by Union or national law. They could become a tool to facilitate the aggregation and exchange of substantial amounts of relevant data. Data intermediaries offering services that connect the different actors have the potential to contribute to the efficient pooling of data as well as to the facilitation of bilateral data sharing. Specialised data intermediaries that are independent from both data holders and data users can have a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power. This Regulation should only cover providers of data sharing services that have as a main objective the establishment of a business, a legal and potentially also technical relation between data holders, including data subjects, on the one hand, and potential users on the other hand, and assist both parties in a transaction of data assets between the two. It should only cover services aiming at intermediating between an indefinite number of data holders and data users, excluding data sharing services that are meant to be used by a closed group of data holders and users. Providers of cloud services should be excluded, as well as service providers that obtain data from data holders, aggregate, enrich or transform the data and licence the use of the resulting data to data users, without establishing a direct relationship between data holders and data users, for example advertisement or data brokers, data consultancies, providers of data products resulting from value added to the data by the service provider. At the same time, data sharing service providers should be allowed to make adaptations to the data exchanged, to the extent that this improves the usability of the data by the data user, where the data user desires this, such as to convert it into specific formats. In addition, services that focus on the intermediation of content, in particular on copyright- protected content, should not be covered by this Regulation. Intermediation services developed jointly by multiple legal persons for the purpose of sharing data in the context of a specific collaboration or joint undertaking, including the provision of products and services connected to the Internet-of-Things should be excluded. Data exchange platforms that are exclusively used by one data holder in order to enable the use of data they hold as well as platforms developed in the context of objects and devices connected to the Internet-of-Things that have as their main objective to ensure functionalities of the connected object or device and allow value added services, should not be covered by this Regulation. ‘Consolidated tape providers’ in the sense of Article 4 (1) point 53 of Directive 2014/65/EU of the European Parliament and of the Council42 as well as ‘account information service providers’ in the sense of Article 4 point 19 of Directive (EU) 2015/2366 of the European Parliament and of the Council43 should not be considered as data sharing service providers for the purposes of this Regulation. Entities which restrict their activities to facilitating use of data made available on the basis of data altruism and that operate on a not-for-profit basis should not be covered by Chapter III of this Regulation, as this activity serves objectives of generalpublic interest by increasing the volume of data available for such purposes. _________________ 42Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU, OJ L 173/349. 43Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
Amendment 196 #
Proposal for a regulation
Recital 22 a (new)
Recital 22 a (new)
(22 a) Data intermediary services could also be set up by public entities such as cities and municipalities fully complying with the rules of this Regulation. Cities gather vast amounts of data of their citizens and the users of their services. Better utilising this data could bring benefits both to the cities and the users of their services through better interoperability of data and improved personal data management for individuals through implementing MyData principles. These services could facilitate the transfer of both public sector data and data provided by the individuals themselves or by third parties. These services should function by fully complying with existing legislation and especially with Regulation EU 2016/679 (GDPR).
Amendment 201 #
Proposal for a regulation
Recital 24
Recital 24
(24) Data cooperatives seek to strengthen the position of individuals in making explicit and informed choices before consenting to data use, influencing the terms and conditions of data user organisations attached to data use or potentially solving disputes between members of a group on how data can be used when such data pertain to several data subjects within that group. In this context it is important to acknowledge that the rights under Regulation (EU) 2016/679 can only be exercised by each individual and cannot be conferred or delegated to a data cooperativeThe data rights holders may authorise the intermediation service to exercise data rights on their behalf, however data sharing services under Article 9(1)(b) and (c) may only receive a revocable mandate by data subjects to exercise their rights under Regulation (EU)2016/679. Data cooperatives could also provide a useful means for one-person companies, micro, small and medium-sized enterprises that in terms of knowledge of data sharing, are often comparable to individuals.
Amendment 209 #
Proposal for a regulation
Recital 26 a (new)
Recital 26 a (new)
(26 a) Data intermediaries should take reasonable measures to ensure interoperability with other data intermediation services to ensure the proper functioning of the market. Reasonable measures could include following the existing, commonly-used standards. The European Data Innovation Board should facilitate the emergence of additional industry standards, where necessary. Data sharing service providers should implement in due time the measures for interoperability between the data sharing services set out by the European Data Innovation Board.
Amendment 212 #
Proposal for a regulation
Recital 26 b (new)
Recital 26 b (new)
(26 b) COVID-19 crisis has clearly shown just how important digital technologies have become in our daily lives. Telemedicine, teleworking, videoconference and online educational platforms are all great examples of how the digital tools can have a transformative impact on our societies. The digital transformation of our societies and economies is creating new opportunities for innovation and efficiency, while also providing new opportunities in addressing societal challenges. However, as our dependency on digital technologies continues to grow and with it the volume of generated data, individuals, governments and businesses are facing an increased risk of data loss, theft, abuse and misuse. These challenges highlight the need to strengthen Union’s resilience and digital autonomy by investing further into digital skills, technological and industrial capacities necessary to respond to these challenges. A future-proof data governance framework needs to use state- of-the-art cybersecurity standards and utilize cybersecurity solutions that will ensure high levels of protection of personal and non-personal data.
Amendment 217 #
Proposal for a regulation
Recital 27
Recital 27
(27) In order to ensure the compliance of the providers of data sharing services with the conditions set out in this Regulation, such providers should have a place of establishment in the Union. Alternatively, where a provider of data sharing services not established in the Union offers services within the Union, it should designate a representative. Designation of a representative is necessary, given that such providers of data sharing services handle personal data as well as commercially confidential data, which necessitates the close monitoring of the compliance of such service providers with the conditions laid out in this Regulation. In order to determine whether such a provider of data sharing services is offering services within the Union, it should be ascertained whether it is apparent that the provider of data sharing services is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the website or of an email address and of other contact details of the provider of data sharing services, or the use of a language generally used in the third country where the provider of data sharing services is established, should be considered insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that other language, or the mentioning of users who are in the Union, may make it apparent that the provider of data sharing services is planning to offer services within the Union. The representative should act on behalf of the provider of data sharing services and it should be possible for competent authorities to contact the representative. The representative should be designated by a written mandate of the provider of data sharing services to act on the latter's behalf with regard to the latter's obligations under this Regulation. In case of processing of personal data, the previously mentioned data sharing service providers not established in the Union are subject to the rules and principles of the GDPR.
Amendment 220 #
Proposal for a regulation
Recital 28
Recital 28
(28) This Regulation should be without prejudice to the obligation of providers of data sharing services to comply with Regulation (EU) 2016/679 and the responsibility of supervisory authorities to ensure compliance with that Regulation. When providers of data intermediaries process personal data, this Regulation does not affect the protection of personal data. Where the data sharing service providers are data controllers or processors in the sense of Regulation (EU) 2016/679 they are bound by the rules of that Regulation. This Regulation should be also without prejudice to the application of competition law.
Amendment 221 #
Proposal for a regulation
Recital 28 a (new)
Recital 28 a (new)
(28 a) As laid down in Article 11 of this Regulation, the data intermediaries shall have procedures and sanctions in place to prevent fraudulent or abusive practices in relation to access to data from parties seeking access through their services. These rules could be defined for example in a rulebook that lays out the code of conduct and rules for the data network in question. In practice, sanctions could mean e.g. excluding the data user that does not comply with the rules and procedures that have been agreed within the network or with existing legislation. The data intermediaries are subject to compliance monitoring as laid in the Article 13 of this Regulation. Therefore, it is necessary to set up tools for the data intermediaries surveillance the compliance within the users of their services.
Amendment 231 #
Proposal for a regulation
Recital 35
Recital 35
(35) There is a strong potential in the use of data made available freely and voluntarily by data subjects based on theirand by data rights holders based on their informed and valid consent or, where it concerns non-personal data, made available by legal persons, for purposes of generalpublic interest. Such purposes would include healthcare, combating climate change, improving mobility, facilitating the establishment of official statistics or improving the provision of public services. Altruistic consent is not meant for working life situations, as employees relation to employer is not a relation that allows the worker to decide voluntarily whether to give consent or not. Support to scientific research, including for example technological development and demonstration, fundamental research, applied research and, privately funded research and collaborative knowledge, should be considered as well purposes of generalpublic interest. This Regulation aims at contributing to the emergence of pools of data made available on the basis of data altruism that have a sufficient size in order to enable data analytics and machine learning, including across borders in the Union.
Amendment 237 #
Proposal for a regulation
Recital 36
Recital 36
(36) Legal entities that seek to support purposes of generalpublic interest by making available relevant data based on data altruism at scale and meet certain requirements, should be able to register as ‘Data Altruism Organisations recognised in the Union’. This could lead to the establishment of data repositories. As registration in a Member State would be valid across the Union, and this should facilitate cross-border data use within the Union and the emergence of data pools covering several Member States. Data subjects in this respect would consent to specific purposes of data processing, but could also consent to data processing in certain areas of research or parts of research projects as it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Legal persons could give permission to the processing of their non-personal data for a range of purposes not defined at the moment of giving the permission. The voluntary compliance of such registered entities with a set of requirements should bring trust that the data made available on altruistic purposes is serving a generalpublic interest purpose. Such trust should result in particular from a place of establishment within the Union, as well as from the requirement that registered entities have a not-for-profit character, from transparency requirements and from specific safeguards in place to protect rights and interests of data subjects and companies. Further safeguards should include making it possible to process relevant data within a secure processing environment operated by the registered entity, oversight mechanisms such as ethics councils or boards to ensure that the data controller maintains high standards of scientific ethics, effective technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under Regulation (EU) 2016/679 as well as means for data subjects to stay informed about the use of data they made available.
Amendment 240 #
Proposal for a regulation
Recital 37 a (new)
Recital 37 a (new)
(37 a) This Regulation is without prejudice to the establishment, organisation and functioning of entities other than Public Sector bodies that engage in the sharing of data and content on the basis of open licenses, thereby contributing to the creation of commons resources available to all. This includes open collaborative knowledge sharing platforms like Wikipedia and Wikidata, open access scientific and academic repositories, open source software development platforms and Open Access content aggregation platforms like European. Organisations building such open Access commons knowledge repositories play an important role in the online infrastructure. Nothing in this Regulation should therefore be interpreted to limit the ability of non- profit organizations to make data and content available to the public under open licenses.
Amendment 246 #
Proposal for a regulation
Recital 39 a (new)
Recital 39 a (new)
(39 a) As highlighted in Recitals, the European data strategy is building upon the emergence of interoperable data spaces that will enable the use and sharing of data, irrespective of its physical location of storage being in the Union or not, in compliance with applicable law. For these data spaces to be able to emerge in a coordinated manner respecting the common aim of data strategy, it is important to define common design principles. Common building blocks and soft infrastructure make cross-sectorial data sharing easier, while there should always be a room for domain specific solutions. The aim of the data space would be to make data findable, accessible, interoperable and reusable (FAIR). The dataspaces should follow at least the three following principles: 1) “data sovereignty”, 2) data level playing field, 3) decentralised soft infrastructure and public-private governance. Data sovereignty for natural person or organisation is the innovative and transformative concept underlying the data space. When the data level playing field exists, players compete on quality of services, and not on the amount of data they control. A data level playing field is a pivotal condition to create a fair data sharing economy. For the design, creation and maintenance of the data level playing field, a sound governance is needed in which all the all the stakeholders of a data space need to feel represented and engaged. The dataspaces should also include sufficient rules on cybersecurity according to union law.
Amendment 247 #
Proposal for a regulation
Recital 40
Recital 40
(40) In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group. The Board should consist of representatives of the Member States, the Commission and representatives of relevant data spaces and specific sectors (such as health, agriculture, transport and statistics). The European Data Protection Board and the European Data Protection should be invited to appoint a representative to the European Data Innovation Board as well as representative of data space support center and standardisation organisations. Stakeholders, civil society organisations and relevant third parties, including SME representative and social partners, shall be invited to attend meetings of the Board and to participate in its work, where relevant. The Commission must ensure that small and medium-sized entities, as well as start-ups, are adequately represented in the Board, to ensure that these critical members of our economic community benefit directly from expert knowledge, whilst contributing towards the expansion of the European data economy and a more efficient dissemination of data.
Amendment 263 #
Proposal for a regulation
Recital 41
Recital 41
(41) The main task of the Board should be assisting to form the interoperability between emerging data spaces. The Board should support the Commission in coordinating national practices and policies on the topics covered by this Regulation, and in supporting cross- sector data use by adhering to the European Interoperability Framework (EIF) principles and through the utilisation of standards and specifications (such as the Core Vocabularies44 and the CEF Building Blocks45 ), without prejudice to standardisation work taking place in specific sectors or domains. Work on technical standardisation may include the identification of priorities for the development of standards and establishing and maintaining a set of technical and legal standards for transmitting data between two processing environments that allows data spaces to be organised without making recourse to an intermediary. The Board should cooperate with sectoral bodies, networks or expert groups, or other cross- sectoral organisations dealing with re-use of data. Regarding data altruism, the Board should assist the Commission in the development of the data altruism consent form, in consultation with the European Data Protection Board. _________________ 44 https://joinup.ec.europa.eu/collection/sema ntic-interoperability-community- semic/core-vocabularies 45 https://joinup.ec.europa.eu/collection/conn ecting-europe-facility-cef
Amendment 264 #
Proposal for a regulation
Recital 41 a (new)
Recital 41 a (new)
(41 a) Data innovation board should address not only strategic level, but also the tactical and operational level across the different actors in data economy acting in the Union. This means, for example, the coordination of activities that need to follow the strategic directives regarding aspects such as data space interoperability/federation, interoperability of data intermediaries and data sovereignty. To meet the requirements of scale and the market demands, it is imperative that the industry is involved so that it is turned into a true public/private endeavour. To achieve this, the data innovation board shall establish a permanent subgroup called the Data Exchange Board (“the DEB”) in the form of an expert group. It will consist of actors that have a direct interest in the establishment, governance and adoption of a standardised approach to data sharing and exchange with the help of European data spaces. Those actors should be researchers, practitioners, representatives of consumer associations and public and private initiatives for data sharing and exchange. The DEB will be responsible for detailing, maintaining and adopting the agreements that will ultimately define the soft infrastructure. In practical terms, the DEB will execute at a tactical and operational level the goals set by the DIB at the strategic level. These actors should be researchers, practitioners, and public and private initiatives for data sharing and exchange. In a later phase, the DEP should focus on maintaining the soft infrastructure and keeping it up to date (change management).
Amendment 273 #
Proposal for a regulation
Recital 46
Recital 46
(46) This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter, including the right to privacy, the protection of personal data, the freedom to conduct a business, the right to property and the integration of persons with disabilities, . The European Charter of Fundamental Rights provides rights and freedoms for citizens in the European Union under the realms of dignity, freedoms, equality, solidarity, citizens' rights, and justice. The Charter calls on institutions, bodies, offices and agencies of the Union and the Member States when they are implementing Union law to respect the rights, observe the principles and promote their application, in particular the right to respect private and family life, home and communications, protection of personal data protection and transparent administration. The European Charter of Fundamental Rights should serve as the compass for every action deployed from the Data Governance Act.
Amendment 276 #
Proposal for a regulation
Article 1 – paragraph 1 – point a a (new)
Article 1 – paragraph 1 – point a a (new)
(a a) rules regarding the right of natural persons and organisations to deal with data they generate in a data.
Amendment 277 #
Proposal for a regulation
Article 1 – paragraph 1 – point a b (new)
Article 1 – paragraph 1 – point a b (new)
(a b) the governance structure for a soft infrastructure that will evolve over time, enabling data sovereign data sharing.
Amendment 283 #
Proposal for a regulation
Article 1 – paragraph 2
Article 1 – paragraph 2
(2) This Regulation is without prejudice to specific provisions in other Union legal acts or national laws regarding access to or re- use of certain categories of data, or requirements related to processing of personal or non-personal data. Where a sector-specific Union legal act or national law requires public sector bodies, providers of data sharing services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector- specific Union legal act or national law shall also apply.
Amendment 285 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
Article 1 – paragraph 2 a (new)
(2 a) Provisions regarding the protection, processing, use and free movement of personal data, are subject to Regulation (EU) 2016/679 and Directive 2002/58/EC. Where personal and non- personal data in a data set are inextricably linked, this Regulation shall not prejudice the application of Regulation (EU) 2016/679.[1] This Regulation does not create legal basis for the processing of personal data outside of the provisions already laid in Regulation(EU) 2016/679 and Directive 2002/58/EC.
Amendment 291 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
Article 2 – paragraph 1 – point 1 a (new)
(1 a) ’Data Sovereignty’ means the capability of an individual or an organisation to have control over their personal and business data. This entails that they should be able to know which party holds which data, under what conditions (purpose, duration, reward) and where data is kept. They should also be able to re-use the data at other places.
Amendment 293 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 b (new)
Article 2 – paragraph 1 – point 1 b (new)
(1 b) ’Soft Infrastructure’ means the set of functional, legal, technical and operational agreements which will support decentralised data sharing. A soft infrastructure is invisible, made up of technology neutral agreements and standards, on how to participate in an ecosystem. As all participants implement the same minimal set of functional, legal, technical and operational agreements and standards, they can interact in the same manner independent of the sector or domain.
Amendment 304 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘data rights holder’ [this to be valid in whole text] means; a legal person or data subject who, in accordance with applicable Union or national law,) in the case of personal data, a data subject or a controller [who has an appropriate legal basis to grant access to or to transfer personal data under her control] b) in the case of non-personal data, a natural or legal person who has the right to grant access to or to share certain personal otransfer non- personal data under its control;.
Amendment 307 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5 a (new)
Article 2 – paragraph 1 – point 5 a (new)
(5 a) ‘Data source’ means: a) in the context of personal data, a processor b) in the context of non-personal data, a natural or legal person who processes the non-personal data on behalf of the data holder.
Amendment 309 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6
Article 2 – paragraph 1 – point 6
(6) ‘data user’ means: a natural or legal person who has lawful access to certain personal) in the case of personal data, a recipient that is a natural or legal person b) in the case orf non-personal data and is authorised to use that data for commercial or non-commercial purposes;, natural or legal person who receives non- personal data.
Amendment 310 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6 a (new)
Article 2 – paragraph 1 – point 6 a (new)
(6 a) ‘consent’ of the data subject, as defined in Article 4(11) of Regulation (EU) 216/679, means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Amendment 316 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7 a (new)
Article 2 – paragraph 1 – point 7 a (new)
Amendment 323 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘data altruism’ means the consent by data subjects to: an extraordinary and voluntary individual act of donation. It need to be carried out under the GDPR provisions and ensure the explicit, unambiguous and clear consent of data subjects to guarantee that data subjects are clearly informed, that their consent is freely given and easy to withdrawal any time. Data altruims can be used to share and process personal data pertaining to themdata subjects, or permissions of other data holders to allow the use of their non- personal data without seeking a reward, forincluding a financial reward. Data altruism can only be carried out for two purposes of: for general public interest, such as scientific research purposes or improving public services; for the benefit of the general public. Data altruism should be carried out only within the European Economic Area. Data altruism should not be used asa mean to accumulate power over data and should not be subject to marketing or to commercial practices.
Amendment 332 #
Proposal for a regulation
Article 2 – paragraph 1 – point 12 – point a
Article 2 – paragraph 1 – point 12 – point a
(a) they are established for the specific purpose of meeting needs in the generalpublic interest, and do not have an industrial or commercial character;
Amendment 333 #
Proposal for a regulation
Article 2 – paragraph 1 – point 14
Article 2 – paragraph 1 – point 14
(14) ‘secure processing environment’ means the physical or virtual environment and organisational means to provide the opportunity to re-use data in a manner that allows for the operator of the secure processing environment to determine and supervise all data processing actions, including to display, storage, download, export of the data and calculation of derivative data through computational algorithms. A ‘secure processing environment’ should also be understood as protection against threats.
Amendment 337 #
Proposal for a regulation
Article 2 – paragraph 1 – point 15
Article 2 – paragraph 1 – point 15
(15) ‘representative’ means any natural or legal person established in the Union explicitly designated to act on behalf of a provider of data sharing services or an entity that collects data for objectives of generalpublic interest made available by natural or legal persons on the basis of data altruism not established in the Union, which may be addressed by a national competent authority instead of the provider of data sharing services or entity with regard to the obligations of that provider of data sharing services or entity set up by this Regulation.
Amendment 339 #
Proposal for a regulation
Article 2 – paragraph 1 a (new)
Article 2 – paragraph 1 a (new)
‘Data space’ means a logically defined entity, in which all the participants follow jointly agreed principles and framework of sharing of data. Data space refers to the integration of and interaction between different actors including data rights holders, data sources, data intermediaries and data users, that are involved in, or affected by, related data access and sharing arrangements, according to their different roles, responsibilities and rights, technologies and business models. The aim of a data space is to create interoperability and trust for a data transfer and a seamless digital area with the scale that will enable the development of new products and services based on data.
Amendment 344 #
Proposal for a regulation
Article 3 – paragraph 2 – point c
Article 3 – paragraph 2 – point c
(c) data held by cultural establishments protected by intellectual property rights of third and educational establishments;
Amendment 350 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
(2) By way of derogation from paragraph 1, an exclusive right to re-use data referred to in that paragraph may be granted to the extent necessary for the provision of a service or a product in the generalpublic interest.
Amendment 353 #
Proposal for a regulation
Article 4 – paragraph 4
Article 4 – paragraph 4
(4) In all cases not covered by paragraph 3 and where the generalpublic interest purpose cannot be fulfilled without granting an exclusive right, the principles of transparency, equal treatment and non- discrimination on grounds of nationality shall apply.
Amendment 354 #
Proposal for a regulation
Article 4 – paragraph 5
Article 4 – paragraph 5
(5) The period of exclusivity of the right to re-use data shall not exceed three years12 months with the possibility of a further 12-month extension, subject to approval by the competent body referred to in Article 7(1). Where a contract is concluded, the duration of the contract awarded shall be as aligned with the period of exclusivity.
Amendment 357 #
Proposal for a regulation
Article 4 – paragraph 6
Article 4 – paragraph 6
(6) The award of an exclusive right pursuant to paragraphs (2) to (5), including the reasons why it is necessary to grant such a right, shall be transparent and be made publicly available online two months before entry into force, regardless of a possible publication of an award of a public procurement and concessions contract.
Amendment 359 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
Article 4 – paragraph 7 a (new)
(7 a) (7a) Where an exclusive right to re-use data does not meet the conditions set out in paragraphs 2, 3 and 4, the exclusive right shall be void.
Amendment 362 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
(1) Public sector bodies which are competent under national law to grant or refuse access for the re-use and the process to request such re-use of one or more of the categories of data referred to in Article 3 (1) shall make publicly available the conditions for allowing such re-use. In that task, they may be assisted by the competent bodies referred to in Article 7 (1).
Amendment 364 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
(2) Conditions for re-use shall be non- discriminatory, lawful, transparent, proportionate and objectively justified with regard to categories of data and purposes of re-use and the nature of the data for which re-use is allowed. These conditions shall not be used to restrict competition.
Amendment 371 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
(3) Public sector bodies may impose an obligation to re-use only pre-processed data where such pre-processing aims to anonymize or pseudonymise personal data or delete commercially confidential information, including trade secrets.
Amendment 387 #
Proposal for a regulation
Article 5 – paragraph 5
Article 5 – paragraph 5
(5) The public sector bodies shall impose conditions that preserve the integrity of the functioning of the technical systems of the secure processing environment used. The public sector body shall be able to verify the means and any results of processing of data undertaken by the re- user and reserve the right to prohibit the use of results that contain information jeopardising the rights and interests of third parties.
Amendment 392 #
Proposal for a regulation
Article 5 – paragraph 6 a (new)
Article 5 – paragraph 6 a (new)
(6 a) In order to provide such support as described in paragraph (6), the public sector body may establish a data intermediation service as defined in Art 2. This service shall be considered in the scope of data intermediation services described in Art 9, subject to the notification procedure described in Art 10, and subject to the conditions set out in Art 11 with the exception of paragraph (1), which requires the placement of intermediation services into a separate legal entity. It will be subject to monitoring by the competent authorities described in Art 12-13.
Amendment 411 #
Proposal for a regulation
Article 5 – paragraph 11
Article 5 – paragraph 11
(11) Where specific Union acts adopted in accordance with a legislative procedure establish that certain non-personal data categories held by public sector bodies shall be deemed to be highly sensitive for the purposes of this Article such as where their transfer to third countries may put at risk Union policy objectives (for instance safety and public health) or may lead to the risk of re-identification of anonymised data, the Commission shall be empowered to adopt delegated acts in accordance with Article 28 supplementing this Regulation by laying down special conditions applicable for transfers to third-countries. The conditions for the transfer to third- countries shall be based on the nature of data categories identified in the Union act and on the grounds for deeming them highly sensitive, non-discriminatory and limited to what is necessary to achieve the public policy objectives identified in the Union law act, such as safety and public health, as well as risks of re-identification of anonymized data for data subjects, in accordance with the Union’s international obligations. They may include terms applicable for the transfer or technical arrangements in this regard, limitations as regards the re-use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or, in exceptional cases, restrictions as regards transfers to third-countries.
Amendment 425 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
(4) Where they apply fees, public sector bodies shall take measures to incentivise the re-use of the categories of data referred to in Article 3 (1) for non- commercial purposes and by small and medium-sized enterprises in line with State aid rules. In that regard, public sector bodies may also make the data available at a discounted fee or free of charge, in particular when used for public services for SMEs and civil society, and educational establishments.
Amendment 443 #
Proposal for a regulation
Article 7 – paragraph 2 – point d a (new)
Article 7 – paragraph 2 – point d a (new)
(d a) a harmonised approach for public sector bodies to make scientific data available for purposes of research in order to support rapid innovation in the EU small and medium-sized enterprises in line with State aid rules.
Amendment 445 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
(4) The competent body or bodies shall have adequate legal, financial and technical capacities and expertise to be able to comply with relevant Union or national law concerning the access regimes for the categories of data referred to in Article 3 (1).
Amendment 447 #
Proposal for a regulation
Article 8 – paragraph 1
Article 8 – paragraph 1
(1) Member States shall ensure that all relevant information concerning the application of Articles 5 and 6 is available through a single information point, unless the information concerns one sector only in which case the information can be made available through a sectoral competent body referred to in Article 7 (1). Functions of a single information point may be automatically provided if adequate support by a public sector body is ensured. Member States shall be allowed either to establish a new information point o rto rely on an existing structure.
Amendment 449 #
Proposal for a regulation
Article 8 – paragraph 2
Article 8 – paragraph 2
(2) The single information point shall receive requests for the re-use of the categories of data referred to in Article 3 (1) and shall transmit them to the competent public sector bodies, or the competent bodies referred to in Article 7 (1), where relevant and where possible and appropriate, by automated means. When request concerns only one sector, the request may also be made directly to a sectoral competent body referred to in Article 7 (1). The single information point shall make available by electronic means a register of available data resources containing relevant information describing the nature of available data.
Amendment 452 #
Proposal for a regulation
Article 8 – paragraph 2 a (new)
Article 8 – paragraph 2 a (new)
(2 a) The Commission shall establish a European single information point, network offering information on the data available in national single information points and on how to request and access data via those single information points.
Amendment 460 #
Proposal for a regulation
Article 9 – paragraph 1 – point b
Article 9 – paragraph 1 – point b
(b) intermediation services between data subjects that seek to make their personal or non-personal data available and potential data users, including making available the technical or other means to enable such services, in the exercise of the rights provided in Regulation (EU) 2016/679;
Amendment 464 #
Proposal for a regulation
Article 9 – paragraph 1 a (new)
Article 9 – paragraph 1 a (new)
(1 a) any operations involving personal data in the scope of Article 9 is subject to the rules of the GDPR and therefore the conditions for the joint use of the data is subject to these rules.
Amendment 475 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
(3) A provider of data sharing services that is not established in the Union, but offers the services referred to in Article 9 (1) within the Union, shall appoint a legal representative in one of the Member States in which those services are offered. The provider shall be deemed to be under the jurisdiction of the Member State in which the legal representative is established. The representative shall be mandated by the data intermediary services to be addressed in addition to or instead of it by, in particular, competent authorities and data holders, on all issues related to the service, for the purposes of ensuring compliance with this Regulation. The designation of a representative by the provider of data sharing services shall be without prejudice to legal actions which could be initiated against the provider of data sharing services themselves.
Amendment 495 #
Proposal for a regulation
Article 10 – paragraph 9
Article 10 – paragraph 9
(9) The competent authority shall notify the Commission of each new notification. The Commission shall keep a public register of providers of data sharing servicesall data intermediator in Union.
Amendment 502 #
Proposal for a regulation
Article 11 – paragraph 1 – point 2
Article 11 – paragraph 1 – point 2
(2) the metadata collected from the provision of the data sharing service may be used only for the development of that service respecting the GDPR as a legal basis of processing of personal data;
Amendment 508 #
Proposal for a regulation
Article 11 – paragraph 1 – point 3 a (new)
Article 11 – paragraph 1 – point 3 a (new)
(3 a) the provider cannot condition the commercial terms, (including pricing)of data sharing services by the fact whether or to what degree the data holder or data user uses other services from the same company, even if under separate legal entity;
Amendment 510 #
Proposal for a regulation
Article 11 – paragraph 1 – point 4 a (new)
Article 11 – paragraph 1 – point 4 a (new)
(4 a) the provider may offer additional specific tools to data holders facilitating the exchange of the data, such as aggregation, analysis, improving the quality of data or anonymization, only at the explicit request or approval of the data holder. The third-party tools offered in that context shall not use data for purposes other than those requested or approved by the data holder;
Amendment 513 #
Proposal for a regulation
Article 11 – paragraph 1 – point 5
Article 11 – paragraph 1 – point 5
(5) the provider shall have procedures and sanctions in place to prevent fraudulent or abusive practices in relation to access to data from parties seeking access through their services;
Amendment 515 #
Proposal for a regulation
Article 11 – paragraph 1 – point 6 a (new)
Article 11 – paragraph 1 – point 6 a (new)
(6 a) the provider shall avoid lock-in effects and ensure interoperability with the other data intermediaries (as defined in article 2) in particular by providing openly accessible application programming inter faces and using open data formats, where technically feasible;
Amendment 517 #
Proposal for a regulation
Article 11 – paragraph 1 – point 6 b (new)
Article 11 – paragraph 1 – point 6 b (new)
(6 b) The intermediator services should follow the interoperability requirements defined in the common European data spaces.
Amendment 520 #
Proposal for a regulation
Article 11 – paragraph 1 – point 8
Article 11 – paragraph 1 – point 8
(8) the provider shall take measures to ensure a high level of security for the storage and transmission of non-personal data; in the case of breach of personal data, such as health data, the data intermediary shall without undue delay, and where feasible, not later than 72 hours after becoming aware of it, notify the personal data breach to the competent supervisory authority as defined by Article 33 of the Regulation (EU) 216/679.
Amendment 526 #
Proposal for a regulation
Article 11 – paragraph 1 – point 11
Article 11 – paragraph 1 – point 11
(11) where a provider provides tools for obtaining consent from data subjects or permissions to process data made available by legal persons, it shall specify the jurisdiction or jurisdictions in which the data use is intended to take place. Such a consent does not replace the need to have a lawful basis for data processing as set by the GDPR.
Amendment 529 #
Proposal for a regulation
Article 11 – paragraph 1 – point 11 a (new)
Article 11 – paragraph 1 – point 11 a (new)
(11 a) (1 a) the data intermediary must ensure the right conditions to keep data secured.
Amendment 542 #
Proposal for a regulation
Article 13 – paragraph 4 – point a
Article 13 – paragraph 4 – point a
(a) to impose dissuasive financial penalties which may include periodic penalties with retroactive effect;. The penalties should be proportionate to the size of the provider and the severity of the breach.
Amendment 548 #
Proposal for a regulation
Article 13 – paragraph 6 a (new)
Article 13 – paragraph 6 a (new)
(6 a) Upon the request of a data intermediary the competent authority shall confirm that the data intermediary complies with the requirements laid down Articles 10 and 11.
Amendment 552 #
Proposal for a regulation
Article 14 – paragraph 1
Article 14 – paragraph 1
This Chapter shall not apply to not-for- profit entities whose activities consist only in seeking to collect data for objectives of generalpublic interest, made available by natural or legal persons on the basis of data altruism.
Amendment 558 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
(1) Donating personal or non- personal data is a voluntary and free act of the data subject and hence subject to high-level safeguards. Each competent authority designated pursuant to Article 20 shall keep a public register of recognised data altruism organisations.
Amendment 561 #
Proposal for a regulation
Article 15 – paragraph 2
Article 15 – paragraph 2
(2) The Commission shall maintain a public Union register of recognised data altruism organisations. The Commission shall monitor and audit the register of recognised data altruism organizations.
Amendment 571 #
Proposal for a regulation
Article 16 – paragraph 1 – point a
Article 16 – paragraph 1 – point a
(a) be a legal entity constituted to meet objectives of generalpublic interest;
Amendment 590 #
Proposal for a regulation
Article 17 – paragraph 4 – point f
Article 17 – paragraph 4 – point f
(f) a website where information on the entity and the activities can be found including as a minimum the information as referred to in letters a, b, d, e and h of this paragraph;
Amendment 592 #
Proposal for a regulation
Article 17 – paragraph 4 – point h
Article 17 – paragraph 4 – point h
(h) the purposes of generalpublic interest it intends to promote when collecting data;
Amendment 596 #
Proposal for a regulation
Article 17 – paragraph 7
Article 17 – paragraph 7
(7) Any entity entered in the register of recognised data altruism organisations shall submit any changes of the information provided pursuant to paragraph 4 to the competent authority within 14 calendar days from the day on which the change takes place. The competent authority shall inform the Commission by electronic means of each such notification without delay.
Amendment 603 #
Proposal for a regulation
Article 18 – paragraph 2 – point b
Article 18 – paragraph 2 – point b
(b) a description of the way in which the generalpublic interest purposes for which data was collected have been promoted during the given financial year;
Amendment 605 #
Proposal for a regulation
Article 18 – paragraph 2 – point c
Article 18 – paragraph 2 – point c
(c) a list of all natural and legal persons that were allowed to use data it holds, including a summary description of the generalpublic interest purposes pursued by such data use and the description of the technical means used for it, including a description of the techniques used to preserve privacy and data protection;
Amendment 609 #
Proposal for a regulation
Article 19 – paragraph 1 – introductory part
Article 19 – paragraph 1 – introductory part
(1) Any entity entered in the register of recognised data altruism organisations shall inform data holders prior to any processing of their data:
Amendment 610 #
Proposal for a regulation
Article 19 – paragraph 1 – point a
Article 19 – paragraph 1 – point a
(a) about the purposes of generalpublic interest for which it permits the processing of their data by a data user in an easy-to- understand manner;
Amendment 616 #
Proposal for a regulation
Article 19 – paragraph 1 – point b
Article 19 – paragraph 1 – point b
(b) about any processing outside the Union. as well as the localisation of the process;
Amendment 621 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
(2) The entity shall also ensure that the data is not be used for other purposes than those of generalpublic interest for which it permits the processing.
Amendment 637 #
Proposal for a regulation
Article 21 – paragraph 3
Article 21 – paragraph 3
(3) Where the competent authority finds that an entity does not comply with one or more of the requirements of this Chapter it shall notify the entity of those findings and give it the opportunity to state its views, within a reasonable time limit30 days.
Amendment 647 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
(1) In order to facilitate the collection of data based on data altruism, the Commission may adopt implementing acts developing a European data altruism consent form with cooperation of Data innovation board. The form shall allow the collection of consent across Member States in a uniform format. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 29 (2).
Amendment 649 #
Proposal for a regulation
Article 22 – paragraph 2
Article 22 – paragraph 2
(2) The European data altruism consent form shall use a modular approach allowing customisation for specific sectors and for different purposes leading to full understanding of the purpose.
Amendment 653 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
(3) Where personal data are provided, the European data altruism consent form shall ensure that data subjects are able to give free and unambiguous consent to and to be able withdraw their consent from a specific data processing operation in compliance with the requirements of Regulation (EU) 2016/679 at any time.
Amendment 667 #
Proposal for a regulation
Chapter V a (new)
Chapter V a (new)
Amendment 669 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
(1) The Commission shall establish a European Data Innovation Board (“the Board”) in the form of an Expert Group, consisting of the representatives of competent authorities of all the Member States, the European Data Protection Board, the Commission, relevant data spaces the representative of datas pace support center, and other representatives of competent authorities in specific sectors, and standardisation organisations.
Amendment 678 #
Proposal for a regulation
Article 26 – paragraph 2
Article 26 – paragraph 2
(2) Stakeholders and relevant third parties may, civil society organisations and relevant third parties, including SME representatives and social partners, shall be invited to attend meetings of the Board and to participate in its work, where relevant.
Amendment 683 #
Proposal for a regulation
Article 26 – paragraph 2 a (new)
Article 26 – paragraph 2 a (new)
(2 a) The Commission shall ensure a balanced composition of the invitations of stakeholders to participate in the work of Board, accounting for gender as well as geographical diversity, and made up of members with diverse industrial backgrounds, with a well thought out selection process.
Amendment 686 #
Proposal for a regulation
Article 26 – paragraph 4 a (new)
Article 26 – paragraph 4 a (new)
(4 a) The data protection supervisory authorities established under national and Union law are the “competent authority”, insofar as the processing of personal data is concerned.
Amendment 689 #
Proposal for a regulation
Article 27 – paragraph 1 – point -a (new)
Article 27 – paragraph 1 – point -a (new)
(-a) to assist and advise the Commission and the emerging data spaces on how to enable the interoperability, and if possible, scalability, of the emerging data spaces within the Union. This assistance could include assistance on agreeing principles on soft infrastructure (standards) as well as assistance on how to get the best out of the financial help under Digital Europe Programme.
Amendment 690 #
Proposal for a regulation
Article 27 – paragraph 1 – point -a a (new)
Article 27 – paragraph 1 – point -a a (new)
(-a a) to advise and assist the Commission on a soft infrastructure with data sovereignty as key design principle, to form a set of agreements enabling a unified way for control over data
Amendment 695 #
Proposal for a regulation
Article 27 – paragraph 1 – point c
Article 27 – paragraph 1 – point c
(c) to advise the Commission on the prioritisation of cross-sector standards to be used and developed for data use and cross-sector data sharing between emerging data spaces, cross-sectoral comparison and exchange of best practices with regards to sectoral requirements for security, access procedures, while taking into account sector-specific standardisations activities in particular in clarifying and distinguishing which standards and practices are cross-sectoral and which are sectoral;;
Amendment 697 #
Proposal for a regulation
Article 27 – paragraph 1 – point c a (new)
Article 27 – paragraph 1 – point c a (new)
(c a) to collaborate with sectoral boards and expert groups which may be established in establishing data spaces to perform similar but sector specific tasks defined in (a) – (e) for The Board for cross-sectoral data sharing.
Amendment 700 #
Proposal for a regulation
Article 27 – paragraph 1 – point d a (new)
Article 27 – paragraph 1 – point d a (new)
(d a) establish a permanent sub group called the Data Exchange Board (“the DEB”) in the form of an expert group consisting of actors that have a direct interest in the establishment, governance, and adoption of a standardised approach to data sharing and exchange with the help of European data spaces and to support it in defining the interoperability measures for the data intermediaries. These actors should be researchers, practitioners, and public and private initiatives for data sharing and exchange.
Amendment 705 #
Proposal for a regulation
Article 27 – paragraph 1 – point d b (new)
Article 27 – paragraph 1 – point d b (new)
Amendment 711 #
Proposal for a regulation
Article 27 – paragraph 1 – point e a (new)
Article 27 – paragraph 1 – point e a (new)
(e a) The advise the European Commission on data protection matters and the development of consistent practices related to the processing of personal data that do not fall within the competences attributed to the European Data Innovation Board.
Amendment 731 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall notify the Commission of those rules and measures by [date of application of the Regulation] and shall notify the Commission without delay of any subsequent amendment affecting them. For those who infringe the provisions on data altruism, Member States may impose financial sanctions.