112 Amendments of Eva KAILI related to 2022/0047(COD)
Amendment 97 #
Proposal for a regulation
Recital 1
Recital 1
(1) In recent years, data-driven technologies have had transformative effects on all sectors of the economy. The proliferation in products connected to the Internet of Things in particular has increased the volume and potential value of data for consumers, businesses and society. High -quality and interoperable data from different domains increase competitiveness and innovation and ensure sustainable economic growth. The same dataset may potentially be used and reused for a variety of purposes and to an unlimited degree, without any loss in its quality or quantity, while respecting users’ choices and applicable legislation to protect them.
Amendment 99 #
Proposal for a regulation
Recital 2
Recital 2
(2) Barriers to data sharing prevent an optimal allocation of data to the benefit of society. These barriers include a lack of incentives for data holders to enter voluntarily into data sharing agreements, uncertainty about rights and obligations in relation to data, costs of contracting and implementing technical interfaces, the high level of fragmentation of information in data silos, poor metadata management, the absence of standards for semantic and technical interoperability, bottlenecks impeding data access, a lack of common data sharing practices and abuse of contractual imbalances with regards to data access and use.
Amendment 103 #
Proposal for a regulation
Recital 4
Recital 4
(4) In order to respond to the needs of the digital economycontribute to the digital transition of the Union, a comprehensive harmonisation at Union level is needed to ensure fairness in the allocation of value from data among all actors in the data economy as well asto avoid fragmentation resulting from national legislation, and therefore to create trust in the data sharing environment. Moreover, to foster access to and use of data. and to remove barriers to a well-functioning internal market for data, it is necessary to lay down a harmonised framework specifying who, other than the manufacturer or other data holder is entitled to access the data generated by products or related services, under which conditions and on what basis. Accordingly, Member States should not adopt or maintain additional national requirements on those matters falling within the scope of this Regulation, unless explicitly provided for in this Regulation, since this would affect the direct and uniform application of this Regulation.
Amendment 105 #
Proposal for a regulation
Recital 4
Recital 4
(4) In order to respond to the needs of the digital economy, protect consumers and to remove unjustified barriers to a well-functioning internal market for data, it is necessary to lay down a harmonised framework specifying who, other than the manufacturer or other data holder is entitled to access the data generated by products or related services, under which conditions and on what basis. Accordingly, Member States should not adopt or maintain additional national requirements on those matters falling within the scope of this Regulation, unless explicitly provided for in this Regulation, since this would affect the direct and uniform application of this Regulation.
Amendment 109 #
Proposal for a regulation
Recital 5
Recital 5
(5) This Regulation ensures that users of a product or related service in the Union including data subjects and consumers, can access, in a timely manner, the data generated by the use of that product or related service and that those users can use the data, including by sharing them with third parties and for the purposes of their choice. It imposes the obligation on the data holder to make data available to users and third parties nominated by the users in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and in a transparent manner. Private law rules are key in the overall framework of data sharing. Therefore, this Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair data access and use for users, micro, small or medium-sized enterprises within the meaning of Recommendation 2003/361/EC and for all other types of enterprises, including start- ups. This Regulation also ensures that data holders make available to public sector bodies of the Member States and to Union institutions, agencies or bodies, where there is an exceptional need, the data that are necessary for the performance of tasks carried out in the public interest. In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and data sharing mechanisms and services in the Union. This Regulation should not be interpreted as recognising or creating any legal basis for the data holder to hold, have access to or process data, or as conferring any new right on the data holder to use data generated by the use of a product or related service. Instead, it takes as its starting point the control that the data holder effectively enjoys, de facto or de jure, over data generated by products or related services.
Amendment 130 #
Proposal for a regulation
Recital 14
Recital 14
(14) Physical products that obtain, generate or collect, by means of their components or operating systems or embedded software, data concerning their performance, use or environment and that are able to communicate that data via a publicly available electronic communications service (often referred to as the Internet of Things) should be covered by this Regulation with the exception of prototypes. Electronic communications services include land- based telephone networks, television cable networks, satellite-based networks and near-field communication networks. Such products may include vehicles, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery. The data represent the digitalisation of user actions and events and should accordingly be accessible to the user, while information derived or inferred from this data, where lawfully held, should not be considered within scope of this Regulation. Such data are potentially valuable to the user and support innovation and the development of digital and other services protecting the environment, health and the circular economy, in particular though facilitating the maintenance and repair of the products in question.This Regulation applies to products placed on the marketin the Union and thus does not apply to products in development stage such as prototypes.
Amendment 158 #
Proposal for a regulation
Recital 18
Recital 18
(18) The user of a product should be understood as the legal or natural person, such as a business or, consumer or public sector body , which has purchased, rented or leased the product. Depending on the legal title under which he uses it, such a user bears the risks and enjoys the benefits of using the connected product and should enjoy also the access to the data it generates. The user should therefore be entitled to derive benefit from data generated by that product and any related service.
Amendment 169 #
Proposal for a regulation
Recital 20
Recital 20
(20) In case several persons or entities own a product or are party to a lease or rent agreement and benefit from access to a related service, reasonable efforts should be made in the design of the product or related service or the relevant interface so that all personseach user can have access to data they generate. Users of products that generate data typically require a user account to be set up. This allows for identification of the user by the manufacturer as well as a means to communicate to exercise and process data access requests. Manufacturers or designers of a product that is typically used by several persons should put in place the necessary mechanism that allow separate user accounts for individual persons, where relevant, or the possibility for several persons to use the same user account. Access should be granted to the user upon simple request mechanisms granting automatic execution, not requiring examination or clearance by the manufacturer or data holder. This means that data should only be made available when the user actually wants this. Where automated execution of the data access request is not possible, for instance, via a user account or accompanying mobile application provided with the product or service, the manufacturer should swiftly inform the user how the data may be accessed.
Amendment 181 #
Proposal for a regulation
Recital 23
Recital 23
(23) Before concluding a contract for the purchase, rent, or lease of a product or the provision of a related service, clear and sufficient information should be provided by the data holder to the user on how the data generated may be accessed. This obligation provides transparency over the data generated and enhances the easy access for the user. This obligation to provide information does not affect the obligation for the controller to provide information to the data subject pursuant to Article 12, 13 and 14 of Regulation 2016/679.
Amendment 185 #
Proposal for a regulation
Recital 24
Recital 24
(24) This Regulation imposes the obligation on data holders to make data available in certain circumstances. Insofar as personal data are processed, the data holder should be a controller under Regulation (EU) 2016/679. Where users are data subjects, data holders should be obliged to provide them access to their data and to make the data available to third parties of the user’s choice in accordance with this Regulation. However, this Regulation does not create a legal basis under Regulation (EU) 2016/679 for the data holder to provide access to personal data or make it available to a third party when requested by a user that is not a data subject and should not be understood as conferring any new right on the data holder to use data generated by the use of a product or related service. This applies in particular where the manufacturer is the data holder. In that case, the basis for the manufacturer to use non-personal data should be a contractual agreement between the manufacturer and the user. This agreement may be part of the sale, rent or lease agreement relating to the product. Any contractual term in the agreement stipulating that the data holder may use the data generated by the user of a product or related service should be fair and transparent to the user, including as regards the purpose for which the data holder intends to use the data. This Regulation should not prevent contractual conditions, whose effect is to exclude or limit the use of the data, or certain categories thereof, by the data holder. This Regulation should also not prevent sector-specific regulatory requirements under Union law, or national law compatible with Union law, which would exclude or limit the use of certain such data by the data holder on well- defined public policy grounds.
Amendment 189 #
Proposal for a regulation
Recital 25
Recital 25
(25) In sectors characterised by the concentration of a small number of manufacturers supplying end users, there are only limited options available to users with regard to sharing data with those manufacturers. In such circumstances, contractual agreements may be insufficient to achieve the objective of user empowerment. The data tends to remain under the control of the manufacturers or other data holders, making it difficult for users to obtain value from the data generated by the equipment they purchase, rent or lease. Consequently, there is limited potential for innovative smaller businesses to offer data-based solutions in a competitive manner and for a diverse data economy in Europe. This Regulation should therefore build on recent developments in specific sectors, such as the Code of Conduct on agricultural data sharing by contractual agreement. Sectoral legislation may be brought forward to address sector-specific needs and objectives. Furthermore, the data holder should not use any data generated by the use of the product or related service in order to derive insights about the economic situation of the user or its assets or production methods or the use in any other way that could undermine the commercial position of the user on the markets it is active on. This would, for instance, involve using knowledge about the overall performance of a business or a farm in contractual negotiations with the user on potential acquisition of the user’s products or agricultural produce to the user’s detriment, or for instance, using such information to feed in larger databases on certain markets in the aggregate (,e.g. databases on crop yields for the upcoming harvesting season) as such use could affect the user negatively in an indirect manner. The user should be given the necessary technical interface to manage permissions, preferably with granular permission options (such as “allow once” or “allow while using this app or service”), including the prominent option to withdraw permission.
Amendment 191 #
Proposal for a regulation
Recital 26
Recital 26
(26) In contracts between a data holder and a consumer as a user of a product or related service generating data, EU consumer law applies, Directive 2005/29/EC, which applies against unfair commercial practices, and Directive 93/13/EEC which applies to the terms of the contract to ensure that a consumer is not subject to unfair contractual terms. For unfair contractual terms unilaterally imposed on a micro, small or medium- sized enterprise as defined in Article 2 of the Annex to Recommendation 2003/361/EC63 , this Regulation provides that such unfair terms should not be binding on that enterprise. _________________ 63 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium- sized enterprises
Amendment 220 #
Proposal for a regulation
Recital 33
Recital 33
(33) In order to prevent the exploitation of users, third parties to whom data has been made available upon request of the user should only process the data for the purposes agreed with the user and share it with another third party only if, as clearly unequivocally informed to the user in timely manner, this is necessary to provide the service requested by the user.
Amendment 223 #
Proposal for a regulation
Recital 34
Recital 34
(34) In line with the data minimisation principle, the third party should only access additional information that is necessary for the provision of the service requested by the user. Having received access to data, the third party should process it exclusively for the purposes agreed with the user, without interference from the data holder. It should be as easy for the user to refuse or discontinue access by the third party to the data as it is for the user to authorise access. TData holder or the third party should not make the exercise of the rights or choices of users unduly difficult including by offering choices to users in a non-neutral manner, or coerce, deceive or manipulate the user in any way, by subverting or impairing the autonomy, decision-making or free choices of the user, including by means of a digital interface with the user. in this context,or a part thereof, including its structure, design, function or manner of operation. In this context, the data holders and third parties should not rely on so-called dark patterns in designing their digital interfaces. Dark patterns are design techniques that push or deceive consumers into decisions that have negative consequences for them. These manipulative techniques can be used to persuade users, particularly vulnerable consumers, to engage in unwanted behaviours, and to deceive users by nudging them into decisions on data disclosure transactions or to unreasonably bias the decision-making of the users of the service, in a way that subverts and impairs their autonomy, decision-making and free choice. Common and legitimate commercial practices that are in compliance with Union law should not in themselves be regarded as constituting dark patterns. TData holders and third parties should comply with their obligations under relevant Union law, in particularcluding the requirements set out in Directive 2005/29/EC, Directive 2011/83/EU, Directive 2000/31/EC and Directive 98/6/EC.
Amendment 332 #
Proposal for a regulation
Recital 72
Recital 72
(72) This Regulation aims to facilitate switching between data processing services, which encompasses all conditions and actions that are necessary for a customer to terminate a contractual agreement of a data processing service, to conclude one or multiple new contracts with different providers of data processing services, to port all its digital assets, including data, to the concerned other providers and to continue to use them in the new environment while benefitting from functional equivalence. Digital assets refer to elements in digital format for which the customer has the right of use, including data, applications, virtual machines and other manifestations of virtualisation technologies, such as containers. Functional equivalence means the maintenance of a minimum level of functionality of a service after switching, and should be deemed technically feasible whenever both the originating and the destination data processing services cover (in part or in whole) the same service type. Services can only be expected to facilitate functional equivalence for the functionalities that both the originating and destination services offer. This Regulation doesn't instate an obligation of facilitating functional equivalence for data processing services of the PaaS and/or SaaS service delivery model. Meta- data, generated by the customer’s use of a service, should also be portable pursuant to this Regulation’s provisions on switching.
Amendment 339 #
Proposal for a regulation
Recital 79
Recital 79
(79) Standardisation and semantic interoperability should play a key role to provide technical solutions to ensure interoperability. In order to facilitate the conformity with the requirements for interoperability, it is necessary to provide for a presumption of conformity for interoperability solutions that meet harmonised standards or parts thereof in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council. These standards should be developed in open, technology neutral and inclusive way line with Chapter II of the Regulation (EU) No 1025/2012. The Commission should adopt common specifications in areas where no harmonised standards exist or where they are insufficient in order to further enhance interoperability for the common European data spaces, application programming interfaces, cloud switching as well as smart contracts. Additionally, common specifications in the different sectors could remain to be adopted, in accordance with Union or national sectoral law, based on the specific needs of those sectors. Reusable data structures and models (in form of core vocabularies), ontologies, metadata application profile, reference data in the form of core vocabulary, taxonomies, code lists, authority tables, thesauri should also be part of the technical specifications for semantic interoperability. Furthermore, the Commission should be enabled to mandate the development of harmonised standards for the interoperability of data processing services in consultation with the European Data Innovation Board as outlined in the Article 30 of the Regulation (EU) No 2022/868.
Amendment 340 #
Proposal for a regulation
Recital 80
Recital 80
(80) To promote the interoperability of smart contracts in data sharing applications, it is necessary to lay down essential requirements for smart contracts for professionals who create smart contracts for others or integrate such smart contracts in applications that support the implementation of agreements for sharing data. For example, smart contracts should guarantee that conditions for data sharing are respected. In order to facilitate the conformity of such smart contracts with those essential requirements, it is necessary to provide for a presumption of conformity for smart contracts that meet harmonised standards or parts thereof in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council.
Amendment 343 #
Proposal for a regulation
Recital 80 a (new)
Recital 80 a (new)
(80 a) The number of devices connected to the Internet, both in enterprise networks and consumer households, including machines, sensors, and cameras that make up the Internet of Things (IoT), continues to grow at a steady pace. Since it is expected that by the end of the decade a number of connected devices across the Union will be extremely high, providing for digital identity of IoT devices and their secure authentication is becoming an urgent priority. International Data Corporation estimates that the number of connected IoT devices is expected to reach 41.6 billion by 2025. While an increasing number of devices is connected to the internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity. Ensuring secure digital identities for IoT devices needs to be a continuous, automated process but this needs to start at the point of manufacture and continue throughout the device lifecycle. Connected devices create a data-rich network which means improved functionality and potential revenue growth for organisations, but they also come with significant business and compliance risks. These begin to outweigh the strategic benefits unless businesses and governments prioritise securing digital identities. By extending the concept of digital identity and attestation of attributes to IoT devices, the European Digital Identity Framework can help mitigate cybersecurity risks and add value to the data exchanged by adding a new trust layer to network and information systems, communications networks, digital products, services and devices used by citizens, organisations and businesses.
Amendment 345 #
Proposal for a regulation
Recital 81 a (new)
Recital 81 a (new)
(81 a) In order to further enhance coordination in thee nforcement of this Regulation, the European Data Innovation Board should foster the mutual exchange of information amongst competent authorities as well as advise and assist the Commission in matters falling under this Regulation that fall within the competences of Article 30 of Regulation (EU) 2022/868. A subgroup for stakeholder involvement referred to in Article 29(2)(c) of that Regulation should participate in the consultation on a continual basis.
Amendment 348 #
Proposal for a regulation
Recital 82
Recital 82
(82) In order to enforce their rights under this Regulation, natural and legal persons should be entitled to seek redress for the infringements of their rights under this Regulation by lodging complaints with competent authorities. Those authorities should be obliged to cooperate to ensure the complaint is appropriately handled and resolved swiftly. In order to make use of the consumer protection cooperation network mechanism and to enable representative actions, this Regulation amends the Annexes to the Regulation (EU) 2017/2394 of the European Parliament and of the Council68 and Directive (EU) 2020/1828 of the European Parliament and of the Council69 . _________________ 68 Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 (OJ L 345, 27.12.2017, p. 1). 69 Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1).
Amendment 359 #
Proposal for a regulation
Article 1 – paragraph 1 a (new)
Article 1 – paragraph 1 a (new)
1 a. This Regulation covers personal and non-personal data, including the following types of data or in the following contexts: (a) Chapter II applies to data concerning the performance, use and environment of products and relatedservices. (b) Chapter III applies to anyprivate sector data subject to statutory data sharing obligations. (c) Chapter IV applies to any private sector data accessed and used on the basis of contractual agreements between businesses. (d) Chapter V applies to any privatesector data with a focus on non-personal data. (e) Chapter VI applies to any dataprocessed by data processing services. (f) Chapter VII applies to any non- personal data held in the Union by providers of data processing services.
Amendment 362 #
Proposal for a regulation
Article 1 – paragraph 2 – point a
Article 1 – paragraph 2 – point a
(a) manufacturers of products and suppliers of related services placed on the market in the Union and the Union based users of such products or services;
Amendment 395 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
Article 2 – paragraph 1 – point 1 a (new)
(1 a) ‘personal data’ means personal data as defined in Article 4, point(1), of Regulation (EU) 2016/679;
Amendment 398 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 b (new)
Article 2 – paragraph 1 – point 1 b (new)
(1 b) 'non-personal data' means data other than personal data;
Amendment 413 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 d (new)
Article 2 – paragraph 1 – point 1 d (new)
(1 d) ‘consent’ means consent as defined in article 4, point (11), of Regulation (EU) 2016/679;
Amendment 420 #
Proposal for a regulation
Article 2 – paragraph 1 – point 2
Article 2 – paragraph 1 – point 2
(2) ‘product’ means a tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not theo storinge and processing of data data, to display or play content, or to record and transmit content;
Amendment 432 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘user’ means a natural or legal person, including a data subject, that owns, rents or leases a product or receives a related services;
Amendment 440 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6
Article 2 – paragraph 1 – point 6
(6) ‘data holder’ means a legal or natural person who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data and through control of the technical design of the product and related services, the ability, to make available certain data; When in possession of personal data, only a controller as defined by Article 4.7 of Regulation (EU) 2016/679 can be a ‘data holder’
Amendment 443 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6 a (new)
Article 2 – paragraph 1 – point 6 a (new)
(6 a) 'data subject' means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 471 #
Proposal for a regulation
Article 2 – paragraph 1 – point 16
Article 2 – paragraph 1 – point 16
(16) ‘smart contract’ means a computer program stored in anthat runs on a blockchain. It is a collection of code and data that define its functions and state, it is not controlled by a user, instead it is deployed to the network and run as programmed. It is processed and stored on the blockchain, in a decentralised electronic ledger system wherein the outcome of the execution of the program is recorded on the electronic ledgeras well;
Amendment 477 #
Proposal for a regulation
Article 2 – paragraph 1 – point 20 a (new)
Article 2 – paragraph 1 – point 20 a (new)
(20 a) ‘metadata’ means a structured description of the contents of the data facilitating the discovery and use of this data, as well as any other data collected for the purposes of the provision of the service, including configuration parameters, security settings, logs, and other information regarding the use of the service by the final users. As for data generated by the use of connected products, the relevant metadata means the metadata that the data holder uses for its own purpose.
Amendment 478 #
Proposal for a regulation
Article 2 – paragraph 1 – point 20 a (new)
Article 2 – paragraph 1 – point 20 a (new)
(20 a) ‘common European data spaces’ mean purpose- or sector-specific or cross -sectoral interoperable frameworks of common standards and practices to share or jointly process data for, inter alia, development and provision of new products and services, scientific research or civil society initiatives.
Amendment 485 #
Proposal for a regulation
Article 2 – paragraph 1 – point 20 c (new)
Article 2 – paragraph 1 – point 20 c (new)
(20 c) 'operator within data spaces' mean legal persons, such as data holders, data users, and data intermediation service providers, that facilitate or engage in data sharing within and across the common European data spaces;
Amendment 495 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user. This should be done without endangering their functionality nor going against data security requirements from Regulation 2016/679, product regulations or technical standardisation
Amendment 496 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user. Products and related services should offer data subjects the possibility to use them anonymously and have their personal data and metadata encrypted by default.
Amendment 504 #
Proposal for a regulation
Article 3 – paragraph 1 a (new)
Article 3 – paragraph 1 a (new)
1 a. The data holder shall not be liable towards the user for any direct or indirect damages arising from, relating to and/or in connection with data made accessible.
Amendment 510 #
Proposal for a regulation
Article 3 – paragraph 2 – introductory part
Article 3 – paragraph 2 – introductory part
2. Before concluding a contract for the purchase, rent or lease of a product or a related service, consumers should be presented with granular, meaningful consent options for data processing, within the meaning of Article4 (11) of Regulation (EU) 2016/679, differentiating between data that is essential for the functioning of the product and a related and other types of data. In addition, at least the following information shall be provided to the user, in a clear and comprehentimely, prominent and comprehensible and easily accessible format:
Amendment 541 #
Proposal for a regulation
Article 3 – paragraph 2 – point e
Article 3 – paragraph 2 – point e
(e) whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder, such as its trading name, contact details and the geographical address at which it is established;
Amendment 553 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
2 a. The data holder shall not make the exercise of the rights or choices of users unduly difficult including by offering choices to the users in a neutral manner, or coerce, deceive or manipulate the user in any way, or subvert or impair the autonomy, decision-making or free choices of the user, including by means of a digital interface or a part thereof, including its structure, design, function or manner of operation
Amendment 589 #
Proposal for a regulation
Article 4 – paragraph 4
Article 4 – paragraph 4
4. The user shall not use the data obtained pursuant to a request referred to in paragraph 1 to develop a product that competes with the product or related service from which the data originate.
Amendment 636 #
Proposal for a regulation
Article 5 – paragraph 6 a (new)
Article 5 – paragraph 6 a (new)
6 a. The data holder shall not make the usability of the product or related service dependent on the user allowing it to process data not required for the functionality of the product or provision of the related service.
Amendment 650 #
Proposal for a regulation
Article 6 – paragraph 2 – point a
Article 6 – paragraph 2 – point a
(a) make the exercise of the rights or choices of users unduly difficult including by offering choices to the end-users in a non-neutral manner, or coerce, deceive or manipulate the user in any way, by subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the user or a part thereof, including its structure, design, function or manner of operation;
Amendment 651 #
Proposal for a regulation
Article 6 – paragraph 2 – point a
Article 6 – paragraph 2 – point a
(a) make the exercise of the rights or choices of users unduly difficult including by offering choices to the users in a non- neutral manner, or coerce, deceive or manipulate the user in any way, byor subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the user or a part thereof, including its structure, design, function or manner of operation;
Amendment 655 #
Proposal for a regulation
Article 6 – paragraph 2 – point b
Article 6 – paragraph 2 – point b
(b) use the data it receives for the profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679, unless it is strictly necessary to provide the service requested by the user;
Amendment 657 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
Article 6 – paragraph 2 – point c
(c) make the data available it receives available to another third party, in raw, aggregated or derived form, unless this is necessary to provide the service requested by the user; and after the user has explicitly been made aware of this in a clear, easily accessible and prominent way;
Amendment 685 #
Proposal for a regulation
Article 8 – paragraph -1 (new)
Article 8 – paragraph -1 (new)
-1 The obligations laid down in this chapter are without prejudice to Regulation (EU) 2016/679.
Amendment 723 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. The data holder mayshall apply appropriate technical and organisational protection measures, including smart contracts and encryption, to prevent unauthorised access to the data, including metadata, and to ensure compliance with Articles 5, 6, 9 and 10, as well as with the agreed contractual terms for making data available. Such technical protection measures shall not be used as a means to hinder the user’s right to effectively provide data to third parties pursuant to Article 5 or any right of a third party under Union law or national legislation implementing Union law as referred to in Article 8(1).
Amendment 734 #
Proposal for a regulation
Article 12 – paragraph 2 a (new)
Article 12 – paragraph 2 a (new)
2 a. Any contractual term in a data sharing agreement between data holders and data recipients which, to the detriment of the data subjects undermines the application of their rights to privacy and data protection, derogates from it, or varies its effect, shall not be binding on that party.
Amendment 767 #
Proposal for a regulation
Article 14 – paragraph 2 a (new)
Article 14 – paragraph 2 a (new)
2 a. This chapter shall not preclude from voluntary cooperation among public sector body or to a Union institution, agency or body and businesses based on non-exceptional needs for delivering public services, without prejudice to the provisions of GDPR.
Amendment 816 #
Proposal for a regulation
Article 17 – paragraph 1 – point c
Article 17 – paragraph 1 – point c
(c) explain the purpose of the request, the choice of data providers, the intended use of the data requested, and the duration of that use;
Amendment 820 #
Proposal for a regulation
Article 17 – paragraph 1 – point d a (new)
Article 17 – paragraph 1 – point d a (new)
(d a) specify the geographical limits that apply to the request for data;
Amendment 826 #
Proposal for a regulation
Article 17 – paragraph 1 – point e a (new)
Article 17 – paragraph 1 – point e a (new)
(e a) submit a declaration on the lawful and secure handling of the data received, detailing the technical and organisational measures it has taken to safeguard the rights and freedoms of data subjects;
Amendment 833 #
Proposal for a regulation
Article 17 – paragraph 1 – point e b (new)
Article 17 – paragraph 1 – point e b (new)
(e b) specify the third parties it intends to share the obtained data with;
Amendment 834 #
Proposal for a regulation
Article 17 – paragraph 2 – point a
Article 17 – paragraph 2 – point a
(a) be made in writing and be expressed in clear, concise and plain language understandable to the data holder;
Amendment 836 #
Proposal for a regulation
Article 17 – paragraph 2 – point a a (new)
Article 17 – paragraph 2 – point a a (new)
Amendment 844 #
Proposal for a regulation
Article 17 – paragraph 2 – point d
Article 17 – paragraph 2 – point d
(d) concern, insofar as possible, non- personal data; to the extent that personal data are requested, they shall be provided in an anonymised or aggregate form;
Amendment 858 #
Proposal for a regulation
Article 17 – paragraph 4 – subparagraph 1
Article 17 – paragraph 4 – subparagraph 1
Paragraph 3 does not preclude a public sector body or a Union institution, agency or body to exchange data obtained pursuant to this Chapter with another public sector body, Union institution, agency or body, in view of completing the tasks in Article 15 or to make the data available to a third party in cases where it has outsourced, by means of a publicly available agreement, technical inspections or other functions to this third party. The obligations on public sector bodies, Union institutions, agencies or bodies pursuant to Article 19 apply. The third party shall not use the data it receives to develop a product or a service that competes with the product or service from which the accessed data originate, or share the data with another third party.
Amendment 872 #
Proposal for a regulation
Article 18 – paragraph 1
Article 18 – paragraph 1
1. A data holder receiving a request for access to data under this Chapter shall make the data available to the requesting public sector body or a Union institution, agency or body without undue delay, taking into account provision of time and necessary technical, organisational and legal measures.
Amendment 899 #
Proposal for a regulation
Article 19 – paragraph 1 – point b a (new)
Article 19 – paragraph 1 – point b a (new)
(b a) implement the necessary measures to prevent data from the data holder to be shared with public or semi-public entities which are market competitors with the data holder, leading to unfair competition situations.
Amendment 900 #
Proposal for a regulation
Article 19 – paragraph 1 – point b a (new)
Article 19 – paragraph 1 – point b a (new)
(b a) have in place appropriate and proportionate technical and organisational measures to manage cyber risks that could affect the confidentiality, integrity, or availability of the requested data;
Amendment 903 #
Proposal for a regulation
Article 19 – paragraph 1 – point b b (new)
Article 19 – paragraph 1 – point b b (new)
(b b) disclose to the responding data holder when a cybersecurity incident has occurred that is affecting the confidentiality, integrity, or availability of the requested data that are in the possession of a public sector body or a Union institution, agency, or body as soon as possible and no later than 72 hours after having determined that the incident has occurred.
Amendment 913 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
2. Disclosure of trade secrets or, alleged trade secrets or business sensitive internal information to a public sector body or to a Union institution, agency or body shall only be required to the extent that it is strictly necessary to achieve the purpose of the request. In such a case, the public sector body or the Union institution, agency or body shall take appropriate measures to preserve the confidentiality of those trade secrets.
Amendment 990 #
Proposal for a regulation
Article 26 – title
Article 26 – title
Technical aspects of switching and interoperability
Amendment 994 #
Proposal for a regulation
Article 26 – paragraph 2
Article 26 – paragraph 2
2. For data processing services other than those covered by paragraph 1, providers of data processing services shall make open interfaces publicly available and free of charge for the purposes of portability and interoperability.
Amendment 997 #
Proposal for a regulation
Article 26 – paragraph 4
Article 26 – paragraph 4
4. Where the open interoperability specifications or European standards referred to in paragraph 3 do not exist for the service type concerned, the provider of data processing services shall, at the request of the customer, export all data generated or co-generated, including the relevant data formats and data structures, in a structured, commonly used and machine- readable format. The exporting data processing service shall ensure that the customer, after switching to a service covering the same service type offered by a different provider of data processing services, can enjoy functional equivalence in the use of the new service.
Amendment 1003 #
Proposal for a regulation
Article 27 – paragraph 1
Article 27 – paragraph 1
1. Providers of data processing services shall take all reasonable technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer orthird country governmental access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3.
Amendment 1009 #
Proposal for a regulation
Article 27 – paragraph 3 – subparagraph 2
Article 27 – paragraph 3 – subparagraph 2
The addressee of the decision may ask the opinion of the Commission, its bodies or relevant competent bodies or authorities, pursuant to this Regulation, in order to determine whether these conditions are met, notably when it considers that the decision may relate to commercially sensitive data, or may impinge on national security or defence interests of the Union or its Member States.
Amendment 1011 #
Proposal for a regulation
Article 27 – paragraph 3 – subparagraph 3
Article 27 – paragraph 3 – subparagraph 3
The European Data Innovation Board established under Regulation [xxx – DGA](EU) 2022/868 shall advise and assist the Commission in developing guidelines on the assessment of whether these conditions are met.
Amendment 1017 #
Proposal for a regulation
Article 28 – paragraph 1 – subparagraph 1 – introductory part
Article 28 – paragraph 1 – subparagraph 1 – introductory part
Operators ofwithin data spaces shall comply with, the following essential requirements applicable to the services offered by the operator, to facilitate interoperability of data, data sharing mechanisms and services:
Amendment 1019 #
Proposal for a regulation
Article 28 – paragraph 1 – subparagraph 1 – introductory part
Article 28 – paragraph 1 – subparagraph 1 – introductory part
Operators ofwithin data spaces shall comply with, the following essential requirements, applicable to the services offered by the operator, to facilitate interoperability of data, data sharing mechanisms and services:
Amendment 1021 #
Proposal for a regulation
Article 28 – paragraph 1 – subparagraph 1 – introductory part
Article 28 – paragraph 1 – subparagraph 1 – introductory part
Amendment 1022 #
Proposal for a regulation
Article 28 – paragraph 1 – subparagraph 1 – point a
Article 28 – paragraph 1 – subparagraph 1 – point a
(a) the dataset content, use restrictions, licences, data collection methodology, data quality and uncertainty shall be sufficiently described in a machine-readable format to allow the recipient to find, access and use the data;
Amendment 1026 #
Proposal for a regulation
Article 28 – paragraph 1 – subparagraph 1 – point c
Article 28 – paragraph 1 – subparagraph 1 – point c
(c) the technical means to access the data, such as application programming interfaces, and their terms of use and quality of service shall be sufficiently described to enable automatic access and transmission of data between parties, including continuously or in real-time in a machine-readable format, where that is necessary for the good functioning of the product or service and is technically feasible;
Amendment 1030 #
Proposal for a regulation
Article 28 – paragraph 1 – subparagraph 1 – point d
Article 28 – paragraph 1 – subparagraph 1 – point d
(d) the means to enable the interoperability of smart contracts for data sharing within their services and activities shall be provided.
Amendment 1033 #
Proposal for a regulation
Article 28 – paragraph 2
Article 28 – paragraph 2
2. The Commission, in consultation with the European Data Innovation Board in line with the Articles 29and 30 (f)and 30(h) of the Regulation (EU)No 2022/868 is empowered to adopt delegated acts, in accordance with Article 38 to supplement this Regulation by further specifying the essential requirements referred to in paragraph 1.
Amendment 1037 #
Proposal for a regulation
Article 28 – paragraph 3 a (new)
Article 28 – paragraph 3 a (new)
Amendment 1045 #
Proposal for a regulation
Article 28 – paragraph 6
Article 28 – paragraph 6
6. The Commission, in consultation with the European Data Innovation Board in line with the Articles 29 and 30(f)and 30(h) of the Regulation (EU) 2022/868 may adopt guidelines laying down interoperability specifications for the functioning of common European data spaces, such as architectural models and technical standards implementing legal rules and arrangements between parties that foster data sharing, such as regarding rights to access and technical translation of consent or permission.
Amendment 1046 #
Proposal for a regulation
Article 29 – title
Article 29 – title
Interoperability and portability for data processing services
Amendment 1048 #
Proposal for a regulation
Article 29 – paragraph 1 – introductory part
Article 29 – paragraph 1 – introductory part
1. Open interoperability specifications and European standards for the interoperability and portability of data processing services shall:
Amendment 1050 #
Proposal for a regulation
Article 29 – paragraph 1 – point a
Article 29 – paragraph 1 – point a
(a) be performance oriented towards achieving interoperability and portability between different data processing services that cover the same service type;
Amendment 1051 #
Proposal for a regulation
Article 29 – paragraph 1 – point b
Article 29 – paragraph 1 – point b
(b) enhance interoperability and portability of digital assets between different data processing services that cover the same service type;
Amendment 1052 #
Proposal for a regulation
Article 29 – paragraph 1 – point b
Article 29 – paragraph 1 – point b
(b) enhance portability of data and of digital assets between different data processing services that cover the same service type;
Amendment 1054 #
Proposal for a regulation
Article 29 – paragraph 1 – point c
Article 29 – paragraph 1 – point c
(c) guarantefacilitate, where technically feasible, functional equivalence between different data processing services that cover the same service type.
Amendment 1055 #
Proposal for a regulation
Article 29 – paragraph 1 – point c a (new)
Article 29 – paragraph 1 – point c a (new)
(c a) include provisions for technical advances which allow for new functions and innovation in data processing services.
Amendment 1057 #
Proposal for a regulation
Article 29 – paragraph 2 – introductory part
Article 29 – paragraph 2 – introductory part
2. Open interoperability specifications and European standards for the interoperability and portability of data processing services shall address:
Amendment 1063 #
Proposal for a regulation
Article 29 – paragraph 5
Article 29 – paragraph 5
5. For the purposes of Article 26(3) of this Regulation, the Commission in consultation with the European Data Innovation Board in line with the Articles 29 and 30(f) and 30(h) of Regulation (EU) 2022/868 shall be empowered to adopt delegated acts, in accordance with Article 38, to publish the reference of open interoperability specifications and European standards for the interoperability of data processing services in central Union standards repository for the interoperability of data processing services, where these satisfy the criteria specified in paragraph 1 and 2 of this Article.
Amendment 1065 #
Proposal for a regulation
Article 29 – paragraph 5
Article 29 – paragraph 5
5. For the purposes of Article 26(3) of this Regulation, the Commission shall be empowered to adopt delegated acts, in accordance with Article 38, to publish the reference of open interoperability specifications and European standards for the interoperability and portability of data processing services in central Union standards repository for the interoperability and portability of data processing services, where these satisfy the criteria specified in paragraph 1 and 2 of this Article.
Amendment 1071 #
Proposal for a regulation
Article 30 – paragraph 1 – point b
Article 30 – paragraph 1 – point b
(b) safe termination and interruption: ensure that a mechanism exists to terminate the continued execution of transactions: the smart contract shall include internal functions which can reset or instruct the contract to stop or interrupt the operation to avoid future (accidental) executions; in this regard, the conditions under which a smart contract could be reset or instructed to stop or interrupted, should be clearly and transparently defined. Especially, it should be assessed under which conditions non-consensual termination or interruption should be permissible.
Amendment 1074 #
Proposal for a regulation
Article 30 – paragraph 1 – point c
Article 30 – paragraph 1 – point c
(c) data archiving and continuity: foresee, if a smart contract must be terminated or deactivated, a possibility to archivhow the transactional data, the smart contract logic and code should be archived in order to keep the record of the operations performed on the data in the past (auditability); and
Amendment 1077 #
Proposal for a regulation
Article 30 – paragraph 1 – point d
Article 30 – paragraph 1 – point d
(d) access control: as smart contracts are capable of controlling large amounts of value and data, while running immutable logic based on code deployed on the blockchain, they shall be protected through rigorous access control mechanisms at the governance and smart contract layers.; and
Amendment 1078 #
Proposal for a regulation
Article 30 – paragraph 1 – point d a (new)
Article 30 – paragraph 1 – point d a (new)
(d a) recovery plans: beyond designing security access controls, smart contracts need to address the possibility of malicious exploits by “preparing for failures” and a fallback plan for responding effectively to attacks by incorporating features and components such as, but not limited to, contract upgrades, emergency stops, event monitoring to track calls to smart contract functions and changes to state variables.
Amendment 1093 #
Proposal for a regulation
Article 30 a (new)
Article 30 a (new)
Article 30 a Digital Identity of Internet of Things devices 1. Internet of Thing (IoT) data generating devices, such as machines, sensors, websites or cloud servers, can have a digital identity and electronic attestation of attributes within the meaning of the Regulation (EU) 910/2014 (European Digital Identity Framework). Digital identity of IoT devices shall allow for identification of a device, and for establishment of a relationship between a device and its owner. 2. The European Digital Identity Wallet (EDIW) within the meaning of Article 6a of the Regulation (EU) 910/2014 (European Digital Identity Framework) shall allow for issuing of electronic attestation of attributes of IoT devices that can be associated with the user of the EDIW at his/her request. 3. The Commission shall be empowered by delegated acts to adopt minimum data sets for the digital identity of certain categories of IoT devices and for their electronic attestation of attributes.
Amendment 1094 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. Each Member State shall designate one or morean independent competent authoritiesy as responsible for the application and enforcement of this Regulation. Member States may establish one or more new authorities or rely on existing and for ensuring and coordinating cooperation with other relevant authorities.
Amendment 1097 #
Proposal for a regulation
Article 31 – paragraph 2 – point a a (new)
Article 31 – paragraph 2 – point a a (new)
(a a) the independent supervisory authorities responsible for monitoring the application of Regulation (EU) 2018/1725 shall be responsible for monitoring the application of this Regulation insofar as EU institutions, agencies, or bodies process personal data.
Amendment 1100 #
Proposal for a regulation
Article 31 – paragraph 2 – point b
Article 31 – paragraph 2 – point b
(b) for specific sectoral data exchange issues related to the implementation of this Regulation, the competence of sectoral authorities shall be respected, including that of the competent authorities established under the Common European Data Spaces;
Amendment 1105 #
Proposal for a regulation
Article 31 – paragraph 3 – introductory part
Article 31 – paragraph 3 – introductory part
3. Member States shall ensure that the respective tasks and powers of the competent authorities designated pursuant to paragraph 1 of this Article are clearly defined and shall at least include:
Amendment 1106 #
Proposal for a regulation
Article 31 – paragraph 3 – point a a (new)
Article 31 – paragraph 3 – point a a (new)
(a a) coordinating the relevant cooperation with other authorities;
Amendment 1107 #
Proposal for a regulation
Article 31 – paragraph 3 – point b
Article 31 – paragraph 3 – point b
(b) handling complaints arising from alleged violations of this Regulation, and investigating, to the extent appropriate, the subject matter of the complaint and regularly and meaningfully informing the complainant of the progress and the outcome of the investigation swiftly within a reasonable period, in particular if further investigation or coordination with another competent authority is necessary;
Amendment 1110 #
Proposal for a regulation
Article 31 – paragraph 3 – point d
Article 31 – paragraph 3 – point d
(d) imposing, through administrative or juridical procedures, dissuasive financial penalties which may include periodic penalties and penalties with retroactive effect, or initiating legal proceedings for the imposition of fines;
Amendment 1111 #
Proposal for a regulation
Article 31 – paragraph 3 – point e
Article 31 – paragraph 3 – point e
(e) monitoring technological developments of relevance for the making available and use of data with a view of better enforcing this Regulation; ;
Amendment 1114 #
Proposal for a regulation
Article 31 – paragraph 3 – point f
Article 31 – paragraph 3 – point f
(f) cooperating with competent authorities of other Member States to ensure the consistent swift and effective application of this Regulation, including the exchange of all relevant information by electronic means, in a timely manner without undue delay;
Amendment 1117 #
Proposal for a regulation
Article 31 – paragraph 3 – point h
Article 31 – paragraph 3 – point h
(h) cooperating with all relevant competent authorities and the European Data the European Data Innovation Board to ensure that the obligations of Chapter VIthis Regulation are enforced consistently with other Union legislation and self-regulation applicable to providers of data processing service;ctor specific data governance rules and regulations
Amendment 1119 #
Proposal for a regulation
Article 31 – paragraph 4
Article 31 – paragraph 4
Amendment 1121 #
Proposal for a regulation
Article 31 – paragraph 6
Article 31 – paragraph 6
6. When carrying out their tasks and exercising their powers in accordance with this Regulation, the competent authorities shall be independent and remain free from any external influence, whether direct or indirect, and shall neither seek nor take instructions from any other public authority or any private party.
Amendment 1126 #
Proposal for a regulation
Article 31 a (new)
Article 31 a (new)
Article 31 a Role of the European Data Innovation Board The European Data Innovation Board should foster the mutual exchange of information amongst competent authorities as well as advise and assist the Commission in matters of this Regulation falling under the competences of the Board in line with Article 30 of Regulation (EU) 2022/868
Amendment 1127 #
Proposal for a regulation
Article 32 – paragraph 1
Article 32 – paragraph 1
1. Without prejudice to any other administrative or judicial remedy, natural and legal persons shall have the right to lodge a complaint, individually or, where relevant , collectively, with the relevant competent authority in the Member State of their habitual residence, place of work or establishment if they consider that their rights or the obligations under this Regulation have been infringed.
Amendment 1129 #
Proposal for a regulation
Article 32 – paragraph 3
Article 32 – paragraph 3
3. Competent authorities shall cooperate early in the process to handle and resolve complaints, including by effectively and in a timely manner, including by setting reasonable deadlines for adopting formal decisions, ensuring equality of the parties, ensuring the right to be heard from complainants and access to the file throughout the process, exchanging all relevant information by electronic means, without undue delay. This cooperation shall not affect the specific cooperation mechanism provided for by Chapters VI and VII of Regulation (EU) 2016/679.
Amendment 1130 #
Proposal for a regulation
Article 32 – paragraph 3
Article 32 – paragraph 3
3. Competent authorities shall cooperate to handle and resolve complaints, including by effectively and in a timely manner, including by setting reasonable deadlines for adopting formal decisions, ensuring equality of the parties, ensuring the right to be heard from complainants and access to the file throughout the process, exchanging all relevant information by electronic means, without undue delay. This cooperation shall not affect the specific cooperation mechanism provided for by Chapters VI and VII of Regulation (EU) 2016/679.
Amendment 1139 #
Proposal for a regulation
Article 33 – paragraph 2
Article 33 – paragraph 2
2. Member States shall by [date of application of the Regulation] notify the Commission , the European Data Protection Board and the European Data Innovation Boardof those rules and measures and shall notify it them without delay of any subsequent amendment affecting them. The Commission shall regularly update and maintain an easily accessible public register of those measures.
Amendment 1143 #
The Commission shall develop and recommend non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations. These non-binding contractual terms shall be openly freely available in easily usable electronic format.
Amendment 1145 #
Proposal for a regulation
Article 34 – paragraph 1 a (new)
Article 34 – paragraph 1 a (new)
Amendment 1153 #
Proposal for a regulation
Article 41 – paragraph 1 – point e a (new)
Article 41 – paragraph 1 – point e a (new)
(e a) evaluation of the impacts of this Regulation to the development of business practices and monetisation practices of the European data economy and possible needs for reviewing the Regulation.