53 Amendments of Paul TANG related to 2022/0047(COD)
Amendment 210 #
Proposal for a regulation
Article 1 – paragraph 3
Article 1 – paragraph 3
3. Union law on the protection of personal data, privacy and confidentiality of communications and integrity of terminal equipment shall apply to personal data processed in connection with the rights and obligations laid down in this Regulation. This Regulation shall not affect the applicability of Union law on the protection of personal data, in particular Regulation (EU) 2016/679, Regulation (EU) 2018/1725 and Directive 2002/58/EC, including the powers and competences of supervisory authorities. Insofar as the rights laid down in Chapter II of this Regulation are concerned, and where users are the data subjects of personal data subject to the rights and obligations under that Chapter, the provisions of this Regulation shall complement the right of data portability under Article 20 of Regulation (EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data shall prevail. However, insofar as the processing of personal data made available to a data recipient pursuant to Article 5 of this Regulation is restricted in line with Article 6 of this Regulation, these provisions should be understood as taking precedence over Article 6 of Regulation (EU) 2016/679. This Regulation does not create a legal basis for the processing of personal data and no provision of this Regulation should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications.
Amendment 225 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
Article 2 – paragraph 1 – point 1 a (new)
(1 a) ‘personal data’ means personal data as defined in Article 4, point(1), of Regulation (EU) 2016/679;
Amendment 227 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 b (new)
Article 2 – paragraph 1 – point 1 b (new)
(1 b) 'non-personal data' means data other than personal data;
Amendment 229 #
(1 c) ‘consent’ means consent as defined in Article 4, point (11), of Regulation (EU) 2016/679;
Amendment 232 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 d (new)
Article 2 – paragraph 1 – point 1 d (new)
(1 d) 'data subject' means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 235 #
Proposal for a regulation
Article 2 – paragraph 1 – point 2
Article 2 – paragraph 1 – point 2
(2) ‘product’ means a tangible, movable item, including where incorporated in an immovable item, item that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data nor is it primarily designed to display or play content, or to record and transmit content;
Amendment 240 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘user’ means a natural or legal person that owns, rents or leases a product or receives a servicesrelated service, and the data subject;
Amendment 245 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) ‘data recipient’ means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a product or related service, to whom the data holder makes data available, including a third party following an explicit request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation implementing Union law, and including a third party to whom the data is directly made available by the user;
Amendment 246 #
Proposal for a regulation
Article 2 – paragraph 1 – point 8 a (new)
Article 2 – paragraph 1 – point 8 a (new)
(8 a) ‘added value service’ means any service provided to the user that can be enabled or improved by access and use of data generated by the use of the product or related service, including personalised services which mean services that, based on the processing of data of the user, offer individualised services to the user such as diet plans, route planning, fitness training, electricity consumption optimisation. They do not include purposes of direct marketing or advertising, credit scoring or determining eligibility to insurances, to calculate or modify insurance premiums or the services of a data broker, even if the data broker shares data with others that provide personalised services;
Amendment 248 #
Proposal for a regulation
Article 2 – paragraph 1 – point 9
Article 2 – paragraph 1 – point 9
(9) ‘public sector body’ means national, regional or local authorities of the Member States and bodies governed by public law of the Member States, or associations formed by one or more such authorities or one or more such bodies who have the ability to securely and reliably process the data requested from data holders;
Amendment 260 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user in a structured, commonly used and machine-readable format, free of charge. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data subjects, irrespective of their legal title over the product, are offered the possibility to use the products covered by this Regulation anonymously or in the least privacy-intrusive way possible, such as by anonymising the data. Where users can reasonably expect it due to the nature of the product, products shall be designed and manufactured, and related services shall be provided, in such a manner that a basic set of functionalities is maintained when the product or related service is used offline.
Amendment 265 #
Proposal for a regulation
Article 3 – paragraph 1 a (new)
Article 3 – paragraph 1 a (new)
1 a. The data holder shall not make the usability of the product or related service dependent on the user allowing it to process data not required for the functionality of the product or provision of the related service.
Amendment 268 #
Proposal for a regulation
Article 3 – paragraph 1 b (new)
Article 3 – paragraph 1 b (new)
1 b. The data holder shall not incentivise, directly or indirectly, the commercialisation and trade of personal data.
Amendment 269 #
Proposal for a regulation
Article 3 – paragraph 2 – introductory part
Article 3 – paragraph 2 – introductory part
2. Before concluding a contract for the purchase, rent or lease of a product or a related service, users should be presented with granular, meaningful consent options for data processing, within the meaning of Article 4(11) of Regulation (EU) 2016/679, differentiating between data that is essential for the functioning of the product and a related service and other types of data. In addition, at least the following information shall be provided to the user, in a timely and prominent manner, in an easily accessible, clear and comprehensible format:
Amendment 273 #
Proposal for a regulation
Article 3 – paragraph 2 – point c
Article 3 – paragraph 2 – point c
(c) how the user may access and request a copy of those data;
Amendment 277 #
Proposal for a regulation
Article 3 – paragraph 2 – point d
Article 3 – paragraph 2 – point d
(d) whether the manufacturer supplying the product or the service provider providing the related service intends to use the data itself or allow a third party to use the data and, if so, the identity of the third party and the purposes for which those data will be used;
Amendment 278 #
Proposal for a regulation
Article 3 – paragraph 2 – point e
Article 3 – paragraph 2 – point e
(e) whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder, such as its trading name, contact details and the geographical address at which it is established;
Amendment 283 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Where data cannot be directly accessed by the user from the product, the data holder shall make available to the user the data generated by its use of a product or related service without undue delay, free of charge and, where applicable, continuously and in real-time in a structured, commonly used and machine-readable format. This shall be done on the basis of a simple request through electronic means where technically feasible.
Amendment 290 #
Proposal for a regulation
Article 4 – paragraph 5
Article 4 – paragraph 5
5. Where the user is not a data subject, any personal data generated by the use of a product or related service shall only be made available by the data holder to the user where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 679 and Article 5(3) of Directive 2002/58/EC are fulfilled.
Amendment 293 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. Upon explicit request by a user, or by a party acting on behalf of a user, the data holder shall make available the data generated by the use of a product or related service to a third party, without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicable, continuously and in real-time. and only for the purposes of:
Amendment 294 #
Proposal for a regulation
Article 5 – paragraph 1 – point a (new)
Article 5 – paragraph 1 – point a (new)
(a) the provision of aftermarket services, such as the maintenance and repair of the product or related service, including aftermarket services in competition with a product or related service provided by the data holder;
Amendment 295 #
Proposal for a regulation
Article 5 – paragraph 1 – point b (new)
Article 5 – paragraph 1 – point b (new)
(b) the provision of an added value service explicitly requested by the user;
Amendment 296 #
Proposal for a regulation
Article 5 – paragraph 1 – point c (new)
Article 5 – paragraph 1 – point c (new)
(c) specific data intermediation services recognised in the Union or specific services provided by data altruism organisations recognised in the Union under the conditions and requirements of Chapters III and IV of Regulation (EU) 2022/868;
Amendment 297 #
Proposal for a regulation
Article 5 – paragraph 1 – point d (new)
Article 5 – paragraph 1 – point d (new)
(d) research and innovation predominantly in the public interest;
Amendment 298 #
Proposal for a regulation
Article 5 – paragraph 1 – point e (new)
Article 5 – paragraph 1 – point e (new)
(e) purposes of non-profit organisations predominantly in the public interest.
Amendment 304 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
3. The user or third party shall not be required to provide any information beyond what is strictly necessary to verify the quality as user or as third party pursuant to paragraph 1. The data holder shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and the maintenance of the data infrastructure.
Amendment 307 #
Proposal for a regulation
Article 5 – paragraph 6
Article 5 – paragraph 6
6. Where the user is not a data subject, any personal data generated by the use of a product or related service shall only be made available by the data holder to the third party where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive2002/58/EC are fulfilled.
Amendment 313 #
Proposal for a regulation
Article 6 – paragraph 1
Article 6 – paragraph 1
1. A third party shall process thepersonal data made available to it pursuant to Article 5 only for the purposes and under the conditions agreed with the user, and specific purposes mentioned in article 5, paragraph 1 and under the conditions agreed with the user, and where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under Article 6 of Regulation (EU) 2016/679 and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled and subject to the rights of the data subject insofar as personal data are concerned, and shall delete the data when they are no longer necessary for the agreed purposeexplicitly requested purpose in line with paragraph 1 of article 5.
Amendment 318 #
Proposal for a regulation
Article 6 – paragraph 2 – point a
Article 6 – paragraph 2 – point a
(a) make the exercise of the rights or choices of users unduly difficult including by offering choices to the users in a non- neutral manner, or coerce, deceive or manipulate the user in any way, byor subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the useror a part thereof, including its structure, design, function or manner of operation;
Amendment 322 #
Proposal for a regulation
Article 6 – paragraph 2 – point b
Article 6 – paragraph 2 – point b
(b) use the data it receives for the profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679, unless it is strictly necessary to provide the servicepecific service explicitly requested by the user;
Amendment 325 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
Article 6 – paragraph 2 – point c
(c) make the data available it receives to another third party, in raw, aggregated or derived form, unless this is necessary to provide the service requested by the user, and the user has explicitly been made aware of this in a clear, easily accessible and prominent way and, in the case of personal data, the rights and obligations of Regulation (EU) 2016/679 are respected;
Amendment 329 #
Proposal for a regulation
Article 6 – paragraph 2 – point f a (new)
Article 6 – paragraph 2 – point f a (new)
Amendment 330 #
Proposal for a regulation
Article 6 – paragraph 2 – point f b (new)
Article 6 – paragraph 2 – point f b (new)
(f b) incentivise, directly or indirectly, the commercialisation and trade of personal data.
Amendment 333 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. The obligations of this Chapter related to business to business data sharing shall not apply to data generated by the use of products manufactured or related services provided by enterprises that qualify as micro or small enterprises, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro or small enterprise.
Amendment 335 #
Proposal for a regulation
Article 7 a (new)
Article 7 a (new)
Article 7 a Unfair contractual terms imposed on users Any contractual term by data holders, third parties or data recipients which, to the detriment of the user, excludes the application of this Chapter, derogates from it, or varies its effect, shall not be binding on that party.
Amendment 337 #
Proposal for a regulation
Article 8 – paragraph 4
Article 8 – paragraph 4
4. A data holder shall not make data available to a data recipient on an exclusive basis unless explicitly requested by the user under Chapter II.
Amendment 340 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Any compensation agreed between a data holder and a data recipient for making data available shall be reasonable and shall not exceed the costs directly related to making the data available. The data holder or the third party may not directly or indirectly charge users a fee or any compensation of costs for sharing or accessing data.
Amendment 342 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
Amendment 345 #
Proposal for a regulation
Article 9 – paragraph 4
Article 9 – paragraph 4
4. The data holder shall provide the data recipient with information setting out the basis for the calculation of the compensation in sufficient detail so that the data recipient can verify that the requirements of paragraph 1 and, where applicable, paragraph 2 are met.
Amendment 347 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. Data holders and data recipients shall have access to dispute settlement bodies, certified in accordance with paragraph 2 of this Article, to settle disputes in relation to the determination of fair, reasonable and non-discriminatory terms for and the transparent manner of making data available in accordance with Articles 8 and 9. This is without prejudice to the data subjects’ rights to seek redress before a supervisory authority, and to the controller’s data protection obligations.
Amendment 349 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. The data holder may apply appropriate technical protection measures, including smart contracts, to prevent unauthorised access to the data and to ensure compliance with Articles 5, 6, 9 and 10, as well as with the agreed contractual terms for making data available. Such technical protection measures shall not be used as a means to hinder the user’s right to access data, obtain a copy or effectively provide data to third parties pursuant to Article 5 or any right of a third party under Union law or national legislation implementing Union law as referred to in Article 8(1). Where personal data is concerned, these technical measures shall be consistent with the obligation of the data controller to implement appropriate technical and organisational measures so as to ensure a level of security appropriate to the risk of the personal data processing pursuant to data protection legislation.
Amendment 352 #
Proposal for a regulation
Article 11 – paragraph 2 – introductory part
Article 11 – paragraph 2 – introductory part
2. A data recipient that has, for the purposes of obtaining data, provided inaccurate or false information to the data holder, deployed deceptive or coercive means or abused evident gaps in the technical infrastructure of the data holder designed to protect the data, has used the data made available for unauthorised purposes or has disclosed those data to another party without the data holder’s authorisation or in the case of personal data, an appropriate legal basis, shall without undue delay, unless the data holder or the user instruct otherwise:
Amendment 356 #
Proposal for a regulation
Article 11 – paragraph 3 – introductory part
Article 11 – paragraph 3 – introductory part
3. Paragraph 2, point (b), shall not apply in either of the following cases where non-personal data are concerned:
Amendment 359 #
2 a. Any contractual term in a data sharing agreement between data holders and data recipients which, to the detriment of the data subjects, undermines the application of their rights to privacy and data protection, derogates from it, or varies its effect, shall not be binding on that party.
Amendment 365 #
Proposal for a regulation
Article 14 – paragraph 2
Article 14 – paragraph 2
Amendment 371 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
Article 15 – paragraph 1 – introductory part
An exceptional need to use data within the meaning of this Chapter shall be deemed to exist in any of the following circumstances:
Amendment 464 #
Proposal for a regulation
Article 31 – paragraph 1 a (new)
Article 31 – paragraph 1 a (new)
1 a. The independent supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall be responsible for monitoring the application of this Regulation insofar as the protection of personal data is concerned. Chapters VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis. The European Data Protection Supervisor shall be responsible for monitoring the application of this Regulation insofar as it concerns the Union institutions, bodies, offices and agencies. Where relevant, Article 62 of Regulation 2018/1725 shall apply mutatis mutandis. The tasks and powers of the supervisory authorities shall be exercised with regard to the processing of personal data.
Amendment 468 #
Proposal for a regulation
Article 31 – paragraph 2 – point a
Article 31 – paragraph 2 – point a
Amendment 473 #
Proposal for a regulation
Article 31 – paragraph 2 – point c
Article 31 – paragraph 2 – point c
(c) the national competent authority responsible for the application and enforcement of Chapter VI of this Regulation shall have experience, , sufficient technical and human resources and expertise in the field of data and electronic communications services.
Amendment 479 #
Proposal for a regulation
Article 31 – paragraph 3 – point i a (new)
Article 31 – paragraph 3 – point i a (new)
(i a) ensuring data sharing is free of charge for users.
Amendment 480 #
Proposal for a regulation
Article 31 – paragraph 4
Article 31 – paragraph 4
4. Where a Member State designates more than one competent authority, tThe competent authorities shall, in the exercise of the tasks and powers assigned to them under paragraph 3 of this Article, cooperate with each other, including, as appropriate, with the supervisory authority responsible for monitoring the application of Regulation (EU) 2016/679, to ensure the consistent application of this Regulation. In such cases, relevant Member States shall designate a coordinating competent authority.
Amendment 482 #
Proposal for a regulation
Article 31 – paragraph 5
Article 31 – paragraph 5
5. Member States shall communicate the name of the designated competent authorities and their respective tasks and powers and, where applicable, the name of the coordinating competent authority to the Commission. The Commission shall maintain a public register of those authorities.
Amendment 488 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
The Commission shall develop and recommend non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations. The Commission shall consult the European Data Protection Board when developing such model contractual terms, as far as personal data are concerned.