Activities of Jadwiga WIŚNIEWSKA related to 2020/0340(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act)
Amendments (38)
Amendment 163 #
Proposal for a regulation
Recital 3
Recital 3
(3) It is necessary to improve the conditions for data sharing in the internal market, by creating a harmonised framework for data exchanges and laying down requirements for data governance. Sector- specific legislation can develop, adapt and propose new and complementary elements, depending on the specificities of the sector, such as the envisaged legislation on the European health data space25 and on access to vehicle data. Moreover, certain sectors of the economy are already regulated by sector-specific Union law that include rules relating to cross-border or Union wide sharing or access to data26 . This Regulation is therefore without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council (27 ), and in particular the implementation of this Regulation shall not prevent cross border transfers of data in accordance with Chapter V of Regulation (EU) 2016/679 from taking place, Directive (EU) 2016/680 of the European Parliament and of the Council (28 ), Directive (EU) 2016/943 of the European Parliament and of the Council (29 ), Regulation (EU) 2018/1807 of the European Parliament and of the Council (30 ), Regulation (EC) No 223/2009 of the European Parliament and of the Council (31 ), Directive 2000/31/EC of the European Parliament and of the Council (32 ), Directive 2001/29/EC of the European Parliament and of the Council (33 ), Directive (EU) 2019/790 of the European Parliament and of the Council (34 ), Directive 2004/48/EC of the European Parliament and of the Council (35 ), Directive (EU) 2019/1024 of the European Parliament and of the Council (36 ), as well as Regulation 2018/858/EU of the European Parliament and of the Council (37 ), Directive 2010/40/EU of the European Parliament and of the Council (38 ) and Delegated Regulations adopted on its basis, and any other sector-specific Union legislation that organises the access to and re-use of data. This Regulation should be without prejudice to Union and national law on the access and use of data for the purpose of international cooperation in the context of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, as well as international cooperation in this context. This Regulation should be without prejudice to the competences of the Member States regarding activities concerning public security, defence and national security. A horizontal regime for the re-use of certain categories of protected data held by public sector bodies, the provision of data sharing services and of services based on data altruism in the Union should be established. Specific characteristics of different sectors may require the design of sectoral data-based systems, while building on the requirements of this Regulation. Where a sector-specific Union legal act requires public sector bodies, providers of data sharing services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act should also apply. _________________ 25 See: Annexes to the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Commission Work Programme 2021 (COM(2020) 690 final). 26For example, Directive 2011/24/EU in the context of the European Health Data Space, and relevant transport legislation such as Directive 2010/40/EU, Regulation 2019/1239 and Regulation (EU) 2020/1056, in the context of the European Mobility Data Space. 27Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (OJ L 119, 4.5.2016, p.1) 28 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. (OJ L 119, 4.5.2016, p.89) 29Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. (OJ L 157, 15.6.2016, p.1) 30 Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union. (OJ L 303, 28.11.2018, p. 59) 31Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities. (OJ L 87, 31.03.2009, p. 164) 32Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000, on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce). (OJ L 178, 17.07.2000, p. 1) 33Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society. (OJ L 167, 22.6.2001, p. 10) 34 Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC. (OJ L 130, 17.5.2019, p. 92) 35Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights. (OJ L 157, 30.4.2004). 36Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information. (OJ L 172, 26.6.2019, p. 56). 37 Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018). 38 Directive 2010/40/EU of the European Parliament and of the Council of 7 July 2010 on the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of transport. (OJ L 207, 6.8.2010, p. 1)
Amendment 167 #
Proposal for a regulation
Recital 4
Recital 4
(4) Action at Union level is necessarycan help to increase trust in data sharing by establishing proper mechanisms for control over data and in order to address thedifferent barriers to a well- functioning data-driven economy and to create a Union-wide governance framework for data access and use, in particular regarding the re-use of certain types of data held by the public sector, the provision of services by data sharing providers to business users and to data subjects, as well as the collection and processing of data made available for altruistic purposes by natural and legal persons. This action is without prejudice to the international trade agreements concluded by the Union.
Amendment 173 #
Proposal for a regulation
Recital 6
Recital 6
(6) There are techniques enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression and randomisation. Application of these privacy-enhancing technologies, together with comprehensive data protection approaches should ensure the safe re-use of, in line with the rules on personal data processing, should ensure the safe re-use of certain categories of protected data, for example personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place and supervised by the public sector. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39 ). In general, insofar as personal data are concerned, the processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 and 9 of Regulation (EU) 2016/679. This Regulation should not be read as creating a new legal basis for the processing of personal data. _________________ 39Commission Regulation (EU) 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Amendment 180 #
Proposal for a regulation
Recital 11
Recital 11
(11) Conditions for re-use of protected data that apply to public sector bodies competent under national law to allow re- use, and which should be without prejudice to rights or obligations concerning access to such data, should be laid down. Those conditions should be non-discriminatory, proportionate and objectively justified, while not restricting competition. In particular, public sector bodies allowing re- use should have in place the technical means necessary to ensure the protection of rights and interests of third parties. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of others in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate effortburden for the public sector. Depending on the case at hand, before its transmission, personal data should be fully anonymised, so as to definitively not allow the identification of the data subjects, or data containing commercially confidential information modified in such a way that no confidential information is disclosed. Where provision of anonymised or modified data would not respond to the needs of the re-user, on- premise or remote re-use of the data within a secure processing environment could be permitted. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of others. In particular, personal data should only be transmitted for re-use to a third party where a legal basis allows such transmission. The public sector body could make the use of such secure processing environment conditional on the signature by the re-user of a confidentiality agreement that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place. The public sector bodies, where relevant, should facilitate the re-use of data on the basis of consent of data subjects or permissions of legal persons on the re-use of data pertaining to them through adequate technical means. In this respect, the public sector body should support potential re-users in seeking such consent by establishing technical mechanisms that permit transmitting requests for consent from re-users, where practically feasible. No contact information should be given that allows re-users to contact data subjects or companies directly.
Amendment 190 #
Proposal for a regulation
Recital 22
Recital 22
(22) Providers of data sharing services (data intermediaries) are expected to play a key role in the data economy , asin particular in supporting voluntary data sharing practices between companies or data sharing arrangements set by union or national law. They could become a tool to facilitate the aggregation and exchange of substantial amounts of relevant data. Data intermediaries offering services that connect the different actors have the potential to contribute to the efficient pooling of data as well as to the facilitation of bilateral data sharing. Specialised data intermediaries that are independent from both data holders and data users can have a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power. This Regulation should only cover providers of data sharing services that have as a main objective the establishment of a business, a legal and potentially also technical relation between data holders, including data subjects, on the one hand, and potential users on the other hand, and assist both parties in a transaction of data assets between the two. It should only cover services aiming at intermediating between an indefinite number of data holders and data users, excluding data sharing services that are meant to be used by a closed group of data holders and users. Providers of cloud services should be excluded, as well as service providers that obtain data from data holders, aggregate, enrich or transform the data and licence the use of the resulting data to data users, without establishing a direct relationship between data holders and data users, for example advertisement or data brokers, data consultancies, providers of data products resulting from value added to the data by the service provider. At the same time, data sharing service providers should be allowed to make adaptations to the data exchanged, to the extent that this improves the usability of the data by the data user, where the data user desires this, such as to convert it into specific formats. In addition, services that focus on the intermediation of content, in particular on copyright-protected content, should not be covered by this Regulation. Data exchange platforms that are exclusively used by one data holder in order to enable the use of data they hold as well as platforms developed in the context of objects and devices connected to the Internet-of-Things that have as their main objective to ensure functionalities of the connected object or device and allow value added services, should not be covered by this Regulation. ‘Consolidated tape providers’ in the sense of Article 4 (1) point 53 of Directive 2014/65/EU of the European Parliament and of the Council42 as well as ‘account information service providers’ in the sense of Article 4 point 19 of Directive (EU) 2015/2366 of the European Parliament and of the Council43 should not be considered as data sharing service providers for the purposes of this Regulation. Entities which restrict their activities to facilitating use of data made available on the basis of data altruism and that operate on a not-for-profit basis should not be covered by Chapter III of this Regulation, as this activity serves objectives of general interest by increasing the volume of data available for such purposes. _________________ 42Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU, OJ L 173/349. 43Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
Amendment 195 #
Proposal for a regulation
Recital 26
Recital 26
(26) A key element to bring trust and more control for data holder and data users in data sharingintermediation services is the neutrality of data sharingintermediation service providers as regards the data exchanged between data holders and data users. It is therefore necessary that data sharingintermediation service providers act only as intermediaries in the transactions, and do not use the data exchanged for any other purpose. This will also require structural separation between the data sharingintermediation service and any other services provided, so as to avoid issues of conflict of interest. This means that the data sharingintermediation service should be provided through a legal entity that is separate from the other activities of that data sharingintermediation provider. Data sharingintermediation providers that intermediate the exchange of data between individuals as data holders and legal persons should, in addition, bear fiduciary duty towards the individuals, to ensure that they act in the best interest of the data holders.
Amendment 197 #
Proposal for a regulation
Recital 28
Recital 28
(28) This Regulation should be without prejudice to the obligation of providers of data sharing services to comply with Regulation (EU) 2016/679 and the responsibility of supervisory authorities to ensure compliance with that Regulation. When providers of data intermediation services process personal data, this Regulation does not affect the protection of personal data. Where the data sharing service providers are data controllers or processors in the sense of Regulation (EU) 2016/679 they are bound by the rules of that Regulation. This Regulation should be also without prejudice to the application of competition law.
Amendment 209 #
(2) This Regulation is without prejudice to specific provisions in other Union legal acts regarding access to or re- use of certain categories of data, or requirements related to processing of personal or non-personal data. Where a sector-specific Union legal act requires public sector bodies, providers of data sharing services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act shall also apply. Any additional requirements shall be non-discriminatory, proportionate and objectively justified
Amendment 215 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
Article 1 – paragraph 2 a (new)
(2 a) Union law on the protection of personal data shall apply to any personal data processed in connection with this Regulation. In particular, this Regulation shall be without prejudice to Regulation (EU) 2016/679 and Directive 2002/58/EC. In the event of conflict between the provisions of this Regulation and Union law on the protection of personal data, the latter prevails.
Amendment 224 #
Proposal for a regulation
Article 2 – paragraph 1 – point 3 a (new)
Article 2 – paragraph 1 – point 3 a (new)
(3 a) 'data subject' means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Amendment 227 #
Proposal for a regulation
Article 2 – paragraph 1 – point 4
Article 2 – paragraph 1 – point 4
Amendment 236 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7 a (new)
Article 2 – paragraph 1 – point 7 a (new)
(7 a) ‘data sharing intermediation service’ - means a commercial service, which, through the provision of technical, legal and other means establishes relationships between an undefined number of data subjects and data holders, on the one hand and data users on the other hand, for the purpose of data sharing as well as the exercise of data subjects' rights. The following shall, inter alia, not be considered to be data intermediation services for the purposes of this Regulation: (a) services that obtain data from data holders, aggregate, enrich or transform the data and license the use of the resulting data to data users, without establishing a direct relationship between data holders and data users; (b) cloud infrastructure services; (c) services that focus on the intermediation of content, in particular on copyright protected content; (d) services of data exchange platforms that are exclusively used by one data holder in order to enable the use of data they hold as well as platforms developed and exclusively offered by manufacturers of objects and devices connected to the Internet-of-Things, which have as their main objective to ensure functionalities of the connected object or device and to allow value added services; (e) services of ‘consolidated tape providers’ as defined in point (53) of Article 4(1) of Directive 2014/65/EU; and (f) services of ‘account information service providers’ as defined in point 19of Article 4 of Directive(EU) 2015/2366;
Amendment 241 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘data altruism’ means the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seeking a reward, for purposes of general interestvoluntary sharing of data by data holders without seeking or receiving a reward, for purposes of general interest, defined in accordance with the national legislation where applicable, such as scientific research purposes or improving public services;
Amendment 243 #
Proposal for a regulation
Article 2 – paragraph 1 – point 14
Article 2 – paragraph 1 – point 14
(14) ‘secure processing environment’ means the physical or virtual environment and organisational means to provide the opportunity to re-use data in a manner that allows forpreserving data subject rights under the Regulation (EU) 2016/679 and commercial confidentiality, ensuring compliance with applicable legislation and allowing the operator of the secure processing environment to determine and supervise all data processing actions, including to display, storage, download, export of the data and calculation of derivative data through computational algorithms.
Amendment 246 #
Proposal for a regulation
Article 3 – paragraph 3
Article 3 – paragraph 3
(3) The provisions of this Chapter do not create any obligation on public sector bodies to allow re-use of data nor do they release public sector bodies from their confidentiality obligations under Union or national law. This Chapter is without prejudice to Union and national law or international agreements to which the Union or Member States are parties on the protection of categories of data provided in paragraph 1. This Chapter is without prejudice to Union and national law on access to documents and to obligations of public sector bodies under Union and national law to allow the re-use of data.
Amendment 248 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
Article 4 – paragraph 7 a (new)
(7 a) Where an exclusive right tore-use data does not meet the conditions set out in paragraphs 2, 3 and 4, the exclusive right shall be void.
Amendment 263 #
Proposal for a regulation
Article 5 – paragraph 6
Article 5 – paragraph 6
Amendment 270 #
Proposal for a regulation
Article 5 – paragraph 11
Article 5 – paragraph 11
(11) Where specific Union acts adopted in accordance with a legislative procedure establish that certain non-personal data categories held by public sector bodies shall be deemed to be highly sensitive for the purposes of this Article, the Commission shall be empowered to adopt delegated acts in accordance with Article 28 supplementing this Regulation byimplementing powers should be conferred on the Commission as regards the laying down special conditions applicable for transfers to third-countries. The conditions for the transfer to third- countries shall be based on the nature of data categories identified in the Union act and on the grounds for deeming them highly sensitive, non- discriminatory and limited to what is necessary to achieve the public policy objectives identified in the Union law act, such as safety and public health, as well as risks of re-identification of anonymized data for data subjects, in accordance with the Union’s international obligations. They may include terms applicable for the transfer or technical arrangements in this regard, limitations as regards the re-use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or, in exceptional cases, restrictions as regards transfers to third-countries. The implementing powers should be exercised in accordance with Regulation (EU) [No182/2011 of the European Parliament and of the Council
Amendment 277 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
(1) Member States shall designate one or more competent bodies, which may be sectoral, to support the public sector bodies which grant access to the re-use of the categories of data referred to in Article 3 (1) in the exercise of that task. Member States shall be allowed either to establish one or more new bodies or to rely on existing ones that fulfil the conditions set out by this Regulation.
Amendment 278 #
Proposal for a regulation
Article 7 – paragraph 2 – point c
Article 7 – paragraph 2 – point c
Amendment 282 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
(3) Requests for the re-use of the categories of data referred to in Article 3 (1) shall be granted or refused by the competent public sector bodies or the competent bodies referred to in Article 7 (1) within a reasonable time, and in any case within twohree months from the date of the request.
Amendment 298 #
Proposal for a regulation
Article 10 – paragraph 7
Article 10 – paragraph 7
(7) At the request of the provider, the competent authority shall, within onetwo week, issue a standardised declaration, confirming that the provider has submitted the notification referred to in paragraph 4.
Amendment 309 #
Proposal for a regulation
Article 11 – paragraph 1 – point 6
Article 11 – paragraph 1 – point 6
(6) the provider shall ensure a reasonable continuity of provision of its services and, in the case of services which ensure storage of data, shall have sufficient guarantees in place that allow data holders and data users to obtain access to their data and transfer of their data in case of insolvency;
Amendment 313 #
Proposal for a regulation
Article 11 – paragraph 1 – point 9
Article 11 – paragraph 1 – point 9
(9) the provider shall have procedures in place to ensure compliance with the Union and national rules on competition and consumer protection;
Amendment 336 #
Proposal for a regulation
Article 16 – paragraph 1 – point b
Article 16 – paragraph 1 – point b
(b) operate on a not-for-profit basis and be independent from any entity involved in the collection, processing or storage of data that operates on a for-profit basis;
Amendment 337 #
Proposal for a regulation
Article 16 – paragraph 1 – point b a (new)
Article 16 – paragraph 1 – point b a (new)
(b a) provide supervisory mechanisms, such as ethics boards or councils, to ensure that the data controller maintains high standards of scientific ethics
Amendment 338 #
Proposal for a regulation
Article 16 – paragraph 1 – point b b (new)
Article 16 – paragraph 1 – point b b (new)
(b b) provide effective technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under Regulation (EU) 2016/679
Amendment 339 #
Proposal for a regulation
Article 16 – paragraph 1 – point c a (new)
Article 16 – paragraph 1 – point c a (new)
(c a) ensures technical and organisational requirements for the application of data protection standards and the exercise of data subjects' rights, including the right to transfer data;
Amendment 343 #
Proposal for a regulation
Article 18 – paragraph 2 – point c
Article 18 – paragraph 2 – point c
(c) a list of all natural and legal persons that were allowed to use data it holds, including a summarycomprehensive description of the general interest purposes pursued by such data use and the description of the technical means used for it, including a description of the techniques used to preserve privacy and data protection;
Amendment 347 #
Proposal for a regulation
Article 19 – paragraph 1 – point a
Article 19 – paragraph 1 – point a
(a) about the purposes of general interest (and in case of personal data – about the purpose of the processing which shall be specified, explicit and legitimate) for which it permits the processing of their data by a data user in an easy-to- understand manner;
Amendment 354 #
Proposal for a regulation
Article 19 – paragraph 2 a (new)
Article 19 – paragraph 2 a (new)
(2 a) The entity shall also ensure that consent from data subjects or permissions to process data made available by legal persons can be easily withdrawn.
Amendment 358 #
Proposal for a regulation
Article 19 – paragraph 2 b (new)
Article 19 – paragraph 2 b (new)
(2 b) The entity shall take measures to ensure a high level of security for the storage and processing of data that it has collected based on data altruism.
Amendment 367 #
Proposal for a regulation
Article 22 – paragraph 4
Article 22 – paragraph 4
(4) The form shall be available in all the official languages of the EU in a manner that can be printed on paper and read by humans as well as in an electronic, machine-readable form.
Amendment 372 #
Proposal for a regulation
Article 27 – paragraph 1 – point b
Article 27 – paragraph 1 – point b
(b) to advise and assist the Commission in developing a consistent practice of the competent authorities in the application of requirements applicable to data sharing providers; and entities performing activities related to data altruism
Amendment 373 #
Proposal for a regulation
Article 27 – paragraph 1 – point e a (new)
Article 27 – paragraph 1 – point e a (new)
(e a) to facilitate cooperation between Member States in relation to the rules on penalties laid down by the Member States pursuant to Article 31 and to issue recommendations as regards the harmonisation of those penalties across the Union
Amendment 374 #
Proposal for a regulation
Article 28
Article 28
Amendment 378 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
Amendment 381 #
Proposal for a regulation
Article 35 – paragraph 2
Article 35 – paragraph 2
It shall apply from [124 months after its entry into force].