54 Amendments of Maria GRAPINI related to 2020/0340(COD)
Amendment 159 #
Proposal for a regulation
Recital 1
Recital 1
(1) The Treaty on the functioning of the European Union (‘TFEU’) provides for the establishment of an internal market and the institution of a system ensuring that competition in the internal market is not distorted. The establishment of common rules and practices in the Member States relating to the development of a framework for data governance should also contribute to the achievedevelopment of those objectivesan internal market that allows the sustainable development of SMEs and micro-enterprises and fair competition.
Amendment 165 #
Proposal for a regulation
Recital 4
Recital 4
(4) Action at Union level is necessary in order to address the barriers to a well- functioning data-driven economy and to create a Union-wide safe governance framework for data access and use, in particular regarding the re-use of certain types of data held by the public sector, the provision of services by data sharing providers to business users and to data subjects, as well as the collection and processing of data made available for altruistic purposes by natural and legal persons.
Amendment 169 #
Proposal for a regulation
Recital 7
Recital 7
(7) The categories of data held by public sector bodies which should be subject to re-use under this Regulation fall outside the scope of Directive (EU) 2019/1024 that excludes data which is not accessible due to commercial and statistical confidentiality and data for which third parties have intellectual property rights. Personal data fall outside the scope of Directive (EU) 2019/1024 insofar as the access regime excludes or restricts access to such data for reasons of data protection, privacy and the integrity of the individual, in particular in accordance with data protection rules. The re-use of data, which may contain trade secrets, should take place without prejudice to Directive (EU) 2016/94340 , which sets the framework for the lawful acquisition, use or disclosure of trade secrets. This Regulation is without prejudice and complementary to more specific obligations on public sector bodies to allow re-use of data laid down in sector- specific Union or national law. It must be ensured that companies do not have direct access to protected data and that, as a consequence, anonymization cannot be carried out by them. __________________ 40 OJ L 157, 15.6.2016, p. 1–18
Amendment 175 #
Proposal for a regulation
Recital 9
Recital 9
(9) Public sector bodies should comply with competition law when establishing the principles for re-use of data they hold, avoiding as far as possible the conclusion of agreements, which might have as their objective or effect the creation of exclusive rights for the re-use of certain data. Such agreement should be only possible when justified and necessary for the provision of a service of general interest. This may be the case when exclusive use of the data is the only way to maximise the societal benefits of the data in question, for example where there is only one entity (which has specialised in the processing of a specific dataset) capable of delivering the service or the product which allows the public sector body to provide an advanced digital service in the general interest. Such arrangements should, however, be concluded in compliance with public procurement rules and be subject to regular review based on a market analysis in order to ascertain whether such exclusivity continues to be necessary. In addition, such arrangements should comply with the relevant State aid rules, as appropriate, and should be concluded for a limited period, which should not exceed three years. In order to ensure transparency, such exclusive agreements should be published online, regardless of a possible publication of an award of a public procurement contract.
Amendment 178 #
Proposal for a regulation
Recital 11
Recital 11
(11) CIt is necessary to establish conditions for re-use of protected data that apply to public sector bodies competent under national law to allow re- use, and which should be without prejudice to rights or obligations concerning access to such data, should be laid down. Those conditions should be non- discriminatory, proportionate and objectively justified, while not restricting competition. In particular, public sector bodies allowing re- use should have in place the technical means necessary to ensure the protection of rights and interests of third parties. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of others in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate effort for the public sector. Depending on the case at hand, before its transmission, personal data should be fully anonymised, so as to definitively not allow the identification of the data subjects, or data containing commercially confidential information modified in such a way that no confidential information is disclosed. Where provision of anonymised or modified data would not respond to the needs of the re-user, on- premise or remote re-use of the data within a secure processing environment could be permitted. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of others. In particular, personal data should only be transmitted for re-use to a third party where a legal basis allows such transmission. The public sector body could make the use of such secure processing environment conditional on the signature by the re-user of a confidentiality agreement that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place. The public sector bodies, where relevant, should facilitate the re-use of data on the basis of consent of data subjects or permissions of legal persons on the re-use of data pertaining to them through adequate technical means. In this respect, the public sector body should support potential re-users in seeking such consent by establishing technical mechanisms that permit transmitting requests for consent from re-users, where practically feasible. No contact information should be given that allows re-users to contact data subjects or companies directly.
Amendment 181 #
Proposal for a regulation
Recital 12
Recital 12
(12) The intellectual property rights of third parties should not be affectbe ensured by this Regulation. This Regulation should neither affect the existence or ownership of intellectual property rights of public sector bodies, nor should it limit the exercise of these rights in any way beyond the boundaries set by this Regulation. The obligations imposed in accordance with this Regulation should apply only insofar as they are compatible with international agreements on the protection of intellectual property rights, in particular the Berne Convention for the Protection of Literary and Artistic Works (Berne Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement) and the WIPO Copyright Treaty (WCT). Public sector bodies should, however, exercise their copyright in a way that facilitates re-use.
Amendment 182 #
Proposal for a regulation
Recital 13
Recital 13
(13) Data subject to intellectual property rights as well as trade secrets should only be transmitted to a third party where such transmission is lawful by virtue of Union or national law orand with the agreement of the rightholder. Where public sector bodies are holders of the right provided for in Article 7(1) of Directive 96/9/EC of the European Parliament and of the Council (41 ) they should not exercise that right in order to prevent the re-use of data or to restrict re-use beyond the limits set by this Regulation. __________________ 41Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (OJ L 77, 27.3.1996, p. 20).
Amendment 197 #
Proposal for a regulation
Recital 19
Recital 19
(19) In order to build trust in re-use mechanisms, it may beis necessary to attach stricter conditions for certain types of non- personal data that have been identified as highly sensitive, as regards the transfer to third countries, if such transfer could jeopardise public policy objectives, in line with international commitments. For example, in the health domain, certain datasets held by actors in the public health system, such as public hospitals, could be identified as highly sensitive health data. In order to ensure harmonised practices across the Union, such types of highly sensitive non-personal public data should be defined by Union law, for example in the context of the European Health Data Space or other sectoral legislation. The conditions attached to the transfer of such data to third countries should be laid down in delegated acts. Conditions should be proportionate, non-discriminatory and necessary to protect legitimate public policy objectives identified, such as the protection of public health, public order, safety, the environment, public morals, consumer protection, privacy and personal data protection. The conditions should correspond to the risks identified in relation to the sensitivity of such data, including in terms of the risk of the re- identification of individuals. These conditions could include terms applicable for the transfer or technical arrangements, such as the requirement of using a secure processing environment, limitations as regards the re-use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or who can access the data in the third country. In exceptional cases they could also include restrictions on transfer of the data to third countries to protect the public interest.
Amendment 204 #
Proposal for a regulation
Recital 33
Recital 33
(33) The competent authorities designated to monitor compliance of data sharing services with the requirements in this Regulation should be chosen on the basis of their proved capacity and expertise regarding horizontal or sectoral data sharing, and they should be independent as well as transparent and impartial in the exercise of their tasks. Member States should notify the Commission of the identity of the designated competent authorities.
Amendment 207 #
Proposal for a regulation
Recital 36
Recital 36
(36) Legal entities that seek to support purposes of general interest by making available relevant data based on data altruism at scale and meet certain requirements, should be able to register as ‘Data Altruism Organisations recognised in the Union’. This could lead to the establishment of data repositories. As registration in a Member State would be valid across the Union, and this should facilitate cross-border data use within the Union and the emergence of data pools covering several Member States. Data subjects in this respect would consent to specific purposes of data processing, but could also consent to data processing in certain areas of research or parts of research projects as it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Legal persons could give permission to the processing of their non-personal data for a range of purposes not defined at the moment of giving the permission. The voluntary compliance of such registered entities with a set of requirements should bring trust that the data made available on altruistic purposes is serving a general interest purpose. Such trust should result in particular from a place of establishment within the Union, as well as from the requirement that registered entities have a not-for-profit character, from transparency requirements and from specific safeguards in place to protect rights and interests of data subjects and companies. Further safeguards should include making it possible to process relevant data within a secure processing environment operated by the registered entity, oversight mechanisms such as ethics councils or boards to ensure that the data controller maintains high standards of scientific ethics, effective technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under Regulation (EU) 2016/679 as well as means for data subjects to stay informed about the use of data they made available. Legal entities should ensure that misleading marketing practices are not used to solicit donations of data.
Amendment 211 #
Proposal for a regulation
Recital 39
Recital 39
(39) To bring additional legal certainty to granting and withdrawing of consent, in particular in the context of scientific research and statistical use of data made available on an altruistic basis, a European data altruism consent form should be developed and used in the context of altruistic data sharing. Such a form should contribute to additional transparency for data subjects that their data will be accessed and used in accordance with their consent and also in full compliance with the data protection rules. It could also be used to streamline data altruism performed by companies and provide a mechanism allowing such companies to withdraw their permission to use the data at any moment in time. Persons who decide to withdraw their consent shall be ensured that the data for which they gave their consent is no longer used and that they have been removed from the projects for which they were used. In order to take into account the specificities of individual sectors, including from a data protection perspective, there should be a possibility for sectoral adjustments of the European data altruism consent form.
Amendment 214 #
Proposal for a regulation
Article 1 – paragraph 2
Article 1 – paragraph 2
(2) This Regulation is without prejudice to specific provisions in other Union legal acts regarding access to or re- use of certain categories of data, or requirements related to processing of personal or non-personal data. Where a sector-specific Union legal act requires public sector bodies, providers of data sharing services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act shall also apply. Regulation (EU) 2016/679 applies to any form of further use of data. In this respect, sensitive personal data shall not be re-used for security reasons.
Amendment 217 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
Article 1 – paragraph 2 a (new)
(2a) The re-use of employees’ personal data shall be prohibited. To this end, it must be ensured that public service data do not contain employees’ personal data, such as data about their mobility.
Amendment 225 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘data altruism’ means the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non- personal data without seeking a reward, for purposes of general interest, in accordance with the Union treaties and national legislation, such as scientific research purposes or improving public services;
Amendment 227 #
Proposal for a regulation
Article 3 – paragraph 2 – point e a (new)
Article 3 – paragraph 2 – point e a (new)
(ea) data processed in the context of employment;
Amendment 229 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
(2a) The Commission shall ensure that this Regulation does not undermine the provisions of the General Data Protection Regulation.
Amendment 233 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
(2) By way of derogation from paragraph 1, an exclusive right to re-use data referred to in that paragraph may be granted to the extent necessary for the provision of a service or a product in the general interest, defined and justified why it is of general interest.
Amendment 238 #
Proposal for a regulation
Article 4 – paragraph 5
Article 4 – paragraph 5
(5) The period of exclusivity of the right to re-use data shall not exceed threewo years. Where a contract is concluded, the duration of the contract awarded shall be as aligned with the period of exclusivity.
Amendment 239 #
Proposal for a regulation
Article 4 – paragraph 7
Article 4 – paragraph 7
(7) Agreements or other practices falling within the scope of the prohibition in paragraph 1, which do not meet the conditions set out in paragraph 2, and which were concluded before the date of entry into force of this Regulation shall be terminated at the end of the contract and in any event at the latest within threewo years after the date of entry into force of this Regulation.
Amendment 240 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
(1) Public sector bodies which are competent under national law to grant or refuse justified access for the re-use of one or more of the categories of data referred to in Article 3 (1) shall make publicly available the conditions for allowing such re-use. In that task, they may be assisted by the competent bodies referred to in Article 7 (1).
Amendment 243 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
(2) Conditions for re-use shall be lawful, clearly indicated, non- discriminatory, proportionate and objectively justified with regard to categories of data and purposes of re-use and the nature of the data for which re-use is allowed. These conditions shall not be used to restrict competition.
Amendment 244 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
(3) Public sector bodies mayshall impose an obligation to re-use only pre-processed data where such pre-processing aims to anonymize or pseudonymise personal data or delete commercially confidential information, including trade secretsand an obligation that data containing trade secrets is processed accordingly. They shall ensure that companies do not have direct access to protected data and consequently cannot carry out anonymization of this data.
Amendment 250 #
Proposal for a regulation
Article 5 – paragraph 4 – point b
Article 5 – paragraph 4 – point b
(b) to access and re-use the data within the physical premises in which the secure processing environment is located, if remote access cannot be allowed without jeopardising the rights and interests of third partiesn accordance with high security standards to be established and continuously monitored.
Amendment 252 #
Proposal for a regulation
Article 5 – paragraph 5
Article 5 – paragraph 5
(5) The public sector bodies shall impose conditions that preserve the integrity of the functioning of the technical systems of the secure processing environment used. The public sector body shall be able to verify the means and any results of processing of data undertaken by the re- user and reserve the right to prohibit the use of results that contain information jeopardising the rights and interests of third parties. To this end, the public sector bodies shall be equipped with the necessary human and financial resources for monitoring and law enforcement.
Amendment 266 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
(2) Any fees shall be non- discriminatory, proportionate and objectively justified and shall not restrict competition, cover the costs of monitoring and enforcement. They shall not create incentives to sell or lower the protection of sensitive data.
Amendment 277 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
(4) The competent body or bodies shall have adequate human resources as well as legal and technical capacities and expertise to be able to comply with relevant Union or national law concerning the access regimes for the categories of data referred to in Article 3 (1), so that data protection, privacy and confidentiality are fully respected. The competences and resources of the competent body or bodies shall prohibit unjustified outsourcing.
Amendment 279 #
Proposal for a regulation
Article 7 – paragraph 5
Article 7 – paragraph 5
(5) The Member States shall communicate to the Commission the identity of the competent bodies designated pursuant to paragraph 1 by [date of application of this Regulation]. They shall also communicate to the Commission any subsequent modification of the identity of those bodies within three days after the modification.
Amendment 281 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
(3) Requests for the re-use of the categories of data referred to in Article 3 (1) shall be granted or refused by the competent public sector bodies or the competent bodies referred to in Article 7 (1) within a reasonable time, and in any case within two months from the date of the request.
Amendment 283 #
Proposal for a regulation
Article 9 – paragraph 1 – point a
Article 9 – paragraph 1 – point a
(a) intermediation services whose sole purpose is to facilitate data sharing between data holders which are legal persons and potential data users, including making available the technical or other means to enable such services; those services may include bilateral or multilateral exchanges of data or the creation of platforms or databases enabling the exchange or joint exploitationuse of data, as well as the establishment of a specific infrastructure for the interconnection of data holders and data users;
Amendment 287 #
Proposal for a regulation
Article 9 – paragraph 2 a (new)
Article 9 – paragraph 2 a (new)
(2a) The Commission shall develop a mandatory certification system for data intermediaries in order to limit the risks associated with the central role of data intermediaries and thus increase trust in these organisations and their activities.
Amendment 288 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
(1) Any provider of data sharing services who intends to provide the services referred to in Article 9 (1) shall submit a notification to the competent authority referred to in Article 12 at least ten days prior to starting its activity.
Amendment 291 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
(3) A provider of data sharing services that is not established in the Union, but offers the services referred to in Article 9 (1) within the Union, shall appoint a legal representative in one of the Member States in which those services are offered. The provider shall be deemed to be under the jurisdiction of the Member State in which the legal representative is established. The provider of the data sharing service shall provide the legal representative with the necessary resources to ensure efficient collaboration with relevant national authorities. The designation of a representative by the provider of data sharing services shall be without prejudice to legal actions which could be initiated against the provider of data sharing services themselves.
Amendment 292 #
Proposal for a regulation
Article 10 – paragraph 6 – point d
Article 10 – paragraph 6 – point d
(d) a website where clear, complete and up-to-date information on the provider and the activities can be found, where applicable;
Amendment 294 #
Proposal for a regulation
Article 10 – paragraph 6 – point f
Article 10 – paragraph 6 – point f
(f) a description of the service the provider intends to provide including by specifying which types of services referred in Article 9(1) of this Regulation are provided;
Amendment 295 #
Proposal for a regulation
Article 10 – paragraph 6 – point g
Article 10 – paragraph 6 – point g
(g) the estimated date for starting the activity;
Amendment 298 #
Proposal for a regulation
Article 10 – paragraph 7
Article 10 – paragraph 7
(7) At the request of the provider, the competent authority shall, within a maximum of one week, issue a standardised declaration, confirming that the provider has submitted the notification referred to in paragraph 4.
Amendment 300 #
Proposal for a regulation
Article 10 – paragraph 10
Article 10 – paragraph 10
Amendment 311 #
Proposal for a regulation
Article 11 – paragraph 1 – point 10
Article 11 – paragraph 1 – point 10
(10) the provider offering services to data subjects shall act in the data subjects’ best interest when facilitating the exercise of their rights, in particular by advising data subjects onand ensure they understand potential data uses and standard terms and conditions attached to such uses;
Amendment 316 #
Proposal for a regulation
Article 13 – paragraph 3
Article 13 – paragraph 3
(3) Where the competent authority finds that a provider of data sharing services does not comply with one or more of the requirements laid down in Article 10 or 11, it shall notify that provider of those findings and give it the opportunity to state its views, within a reasonable time limitten days.
Amendment 317 #
Proposal for a regulation
Article 13 – paragraph 4 – introductory part
Article 13 – paragraph 4 – introductory part
(4) The competent authority shall have the power to require the cessation of the breach referred to in paragraph 3 either immediately or within a reasonable time limitten days and shall take appropriate and proportionate measures aimed at ensuring compliance. In this regard, the competent authorities shall be able, where appropriate:
Amendment 321 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
(1) Each competent authority designated pursuant to Article 20 shall keep a register of recognised data altruism organisations. That register shall be accessible to the public.
Amendment 324 #
Proposal for a regulation
Article 15 – paragraph 2
Article 15 – paragraph 2
(2) The Commission shall maintain a Union register of recognised data altruism organisations. The Union register shall be accessible to the public.
Amendment 326 #
Proposal for a regulation
Article 16 – paragraph 1 – point a
Article 16 – paragraph 1 – point a
(a) be a legal entity constituted to meet objectives of general interest, in line with Union treaties and national law;
Amendment 335 #
Proposal for a regulation
Article 16 – paragraph 1 – point c a (new)
Article 16 – paragraph 1 – point c a (new)
(ca) demonstrate professional expertise in processing data activities in compliance with relevant Union and national legislation;
Amendment 343 #
Proposal for a regulation
Article 17 – paragraph 7
Article 17 – paragraph 7
(7) Any entity entered in the register of recognised data altruism organisations shall submit any changes of the information provided pursuant to paragraph 4 to the competent authority within 14 calendar days from the day on which the change takes place. The competent authority which updated the register shall inform the Commission of the modifications made.
Amendment 345 #
Proposal for a regulation
Article 18 – paragraph 1 – introductory part
Article 18 – paragraph 1 – introductory part
(1) Any entity entered in the national register of recognised data altruism organisations shall keep full, comprehensible and accurate records concerning:
Amendment 346 #
Proposal for a regulation
Article 18 – paragraph 1 – point a
Article 18 – paragraph 1 – point a
(a) all natural or legal persons that were given the possibility to process data held by that entity; and their contact details;
Amendment 349 #
Proposal for a regulation
Article 19 – paragraph 1 – introductory part
Article 19 – paragraph 1 – introductory part
(1) Any entity entered in the register of recognised data altruism organisations shall inform data holders prior any processing of their data:
Amendment 351 #
Proposal for a regulation
Article 19 – paragraph 1 – point a a (new)
Article 19 – paragraph 1 – point a a (new)
(aa) about the rights that the data subject can apply with regard to the processing of its personal data;
Amendment 352 #
Proposal for a regulation
Article 19 – paragraph 1 – point b
Article 19 – paragraph 1 – point b
(b) about any processing outside the Union. and the associated risks and the location outside the Union where the processing will take place;
Amendment 354 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
(2) The entity shall also ensure that the data is not be used for other purposes than those of general interest for which it permits the processing and ensure that misleading marketing practices are not used to solicit donations of data.
Amendment 356 #
Proposal for a regulation
Article 19 – paragraph 2 a (new)
Article 19 – paragraph 2 a (new)
(2a) The entity shall ensure that the data is not used for advertising purposes.
Amendment 357 #
Proposal for a regulation
Article 21 – paragraph 3
Article 21 – paragraph 3
(3) Where the competent authority finds that an entity does not comply with one or more of the requirements of this Chapter it shall notify the entity of those findings and give it the opportunity to state its views, within a reasonable time limitten days.
Amendment 367 #
Proposal for a regulation
Article 24 – paragraph 2
Article 24 – paragraph 2
(2) The authority with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken, and shall inform the complainant of the right to an effective judicial remedy provided for in Article 25a maximum of 30 days.