Activities of Damian BOESELAGER related to 2020/0340(COD)
Plenary speeches (1)
Data Governance Act (debate)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act)
Amendments (168)
Amendment 114 #
Proposal for a regulation
Recital 2
Recital 2
(2) Over the last few years, digital technologies have transformed the economy and society, affecting all sectors of activity and daily life. Data is at the centre of this transformation: data-driven innovation will bring enormous benefits for citizens, for example through improved personalised medicine, new mobility, and its contribution to the European Green Deal23 . In its Data Strategy24 , the Commission described the vision of a common European data space, a Single Market for data in which data could be used irrespective of its physical location of storage in the Union in compliance with applicable law. It also called for the free and safe flow of data with third countries, subject to exceptions and restrictions for fundamental rights, public security, public order and other legitimate public policy objectives of the European Union, in line withand promote the European aquis at international obligationslevel. In order to turn that vision into reality, it proposes to establish domain- specific common European data spaces, as the concrete arrangements in which data sharing and data pooling can happen. As foreseen in that strategy, such common European data spaces can cover areas such as health, mobility, manufacturing, financial services, energy, or agriculture or thematic areas, such as the European green deal or European data spaces for public administration or skills. _________________ 23Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions on the European Green Deal. Brussels, 11.12.2019. (COM(2019) 640 final) 24 COM (2020) 66 final.
Amendment 132 #
Proposal for a regulation
Recital 4
Recital 4
(4) Action at Union level is necessary in order to address the barriers to a well- functioning and competitive data-driven economy and to create a Union-wide governance framework for data access and use, in particular regarding the re-use of certain types of data held by the public sector, the provision of services by data sharing providers to business users and to data subjects, as well as the collection and processing of data made available for altruistic purposes by natural and legal persons.
Amendment 134 #
Proposal for a regulation
Recital 5
Recital 5
(5) The idea that data that has been generated at the expense of public budgets should benefit society has been part of Union policy for a long time. Directive (EU) 2019/1024 as well as sector-specific legislation ensure that the public sector makes more of the data it produces easily available for use and re-use. However, certain categories of data (commercially confidential data, data subject to statistical confidentiality, data protected by intellectual property rights of third parties, including trade secrets and personal data not accessible on the basis of specific national or Union legislation, such as Regulation (EU) 2016/679 and Directive (EU) 2016/680) in public databases is often not made available, not even for research or innovative activities. Due to the sensitivity of this data, certain technical and legal procedural requirements must be met before they are made available, in order to ensure the respect of rights others have over such data. Such requirements are usually time- and knowledge-intensive to fulfil. This has led to the underutilisation of such data. While some Member States are setting up structures, processes and sometimes legislate to facilitate this type of re-use, this is not the case across the Union, therefore this act complements the existing framework on open data by providing legal certainty for mechanisms which encourage the secure and legal use of more data.
Amendment 142 #
Proposal for a regulation
Recital 6
Recital 6
(6) There are techniques enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression and randomisation. Application of these privacy-enhancing technologies, together with comprehensive data protection approaches should ensure the safe re-use of personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place and supervised by the public sector. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39 ). In general, insofar as personal data are concerned, the processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 of Regulation (EU) 2016/679. _________________ 39Commission Regulation (EU) 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Amendment 144 #
Proposal for a regulation
Recital 8
Recital 8
Amendment 145 #
Proposal for a regulation
Recital 9
Recital 9
(9) Public sector bodies should comply with competition law when establishing the principles for re-use of data they hold, avoiding as far as possible the conclusion of agreements, which might have as their objective or effect the creation of exclusive rights for the re-use of certain data. Such agreement should be only possible when justified and necessary for the provision of a service of general interestpublic interest, in particular in the areas of scientific research. This may be also the case when exclusive use of the data is the only way to maximise the societal benefits of the data in question, for example where there is only one entity (which has specialised in the processing of a specific dataset) capable of delivering the service or the product which allows the public sector body to provide an advanced digital service in the general interest. Such arrangements should, however, be concluded in compliance with public procurement rules and be subject to regular review based on a market analysis in order to ascertain whether such exclusivity continues to be necessary. In addition, such arrangements should comply with the relevant State aid rules, as appropriate, and should be concluded for a limited period, which should not exceed three yearsix months. In order to ensure transparency, such exclusive agreements should be published online, regardless of a possible publication of an award of a public procurement contract.
Amendment 148 #
Proposal for a regulation
Recital 10
Recital 10
(10) Prohibited exclusive agreements and other practices or arrangements between data holders and data re-users which do not expressly grant exclusive rights but which can reasonably be expected to restrict the availability of data for re-use that have been concluded or have been already in place before the entry into force of this Regulation should not be renewed after the expiration of their term. In the case of indefinite or longer-term agreements, they should be terminated within threone years from the date of entry into force of this Regulation.
Amendment 150 #
Proposal for a regulation
Recital 11
Recital 11
(11) Conditionlarity on the mechanisms for re- use of protected data that apply to public sector bodies competent under national law to allow re- use, and which should be without prejudice to rights or obligations concerning access to such data, should be laid down. Thosis needed. Such mechanisms, including possible conditions should be non-discriminatory, proportionate and objectively justified, while not restricting competitionenhancing competition as much as possible, with a specific focus on promoting access to such data for Small and Medium-sized Enterprises and Start- Ups. In particular, public sector bodies allowing re- use should have in place the technical means necessary to ensure the protection of rights and interests of third parties. Conditions attached to tThe re- use of data should not be limited tobeyond what is necessary to preserve the rights and interests of others in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best servaccommodate the interests of the re-user without leading to a disproportionate effort for the public sector. Depending on the case at hand, bBefore its transmission, personal data should be fully and effectively anonymised, so as to definitively not allow the identification of the data subjects, or. Similarly, data containing commercially confidential information should be modified in such a way that no confidential information is disclosed. Where provision of anonymised or modified data would not respond to the needs of the re-user, on- premise or remote re-use of the data within a secure processing environment could be permitted. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of others. In particular, personal data should only be transmitted for re-use to a third party where a legal basis allows such transmission. The public sector body could make the use of such secure processing environment conditional on the signature by the re-user of a confidentiality agreement that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place. The public sector bodies, where relevant, should facilitate the re-use of data on the basis of consent of data subjects or permissions of legal persons on the re-use of data pertaining to them through adequate technical means. In this respect, the public sector body should support potential re-users in seeking such consent by establishing technical mechanisms that permit transmitting requests for consent from re-users, where practically feasible. Special emphasis for support should be put to ensure that SMEs and other small actors can compete fairly. No contact information should be given that allows re- users to contact data subjects or companies directly.
Amendment 155 #
Proposal for a regulation
Recital 12
Recital 12
(12) The intellectual property rights of third parties should not be affected by this Regulation. This Regulation should neither affect the existence or ownership of intellectual property rights of public sector bodies, nor should it limit the exercise of these rights in any way beyond the boundaries set by this Regulation. The obligations imposed in accordance with this Regulation should apply only insofar as they are compatible with international agreements on the protection of intellectual property rights, in particular the Berne Convention for the Protection of Literary and Artistic Works (Berne Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement) and the WIPO Copyright Treaty (WCT). Public sector bodies should, however, exercise their copyright in a way that facilitates re-use and encourages a transparent and cooperative approach to data, including by using a Creative Commons approach to licensing to data that is not already open data.
Amendment 156 #
Proposal for a regulation
Recital 13
Recital 13
(13) Data subject to intellectual property rights as well as trade secrets should only be transmitted to a third party where such transmission is lawful by virtue of Union or national law or with the agreement of the rightholder. Where public sector bodies or beneficiaries of data provided by the public sector bodies are holders of the right provided for in Article 7(1) of Directive 96/9/EC of the European Parliament and of the Council (41 ) they should not exercise that right in order to prevent the re-use of data or to restrict re-use beyond the limits set by this Regulation. _________________ 41Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (OJ L 77, 27.3.1996, p. 20).
Amendment 160 #
Proposal for a regulation
Recital 14
Recital 14
(14) Companies and data subjects should be able to trust that the re-use of certain categories of protected data, which are held by the public sector, will take place in a manner that respects their rights and interests. Additional safeguards should thus be put in place for situations in which the re-use of such public sector data is taking place on the basis of a processing of the data outside the public sector. Such an additional safeguard could be found in the requirement that public sector bodies should take fully into accountcomply with the rights and interests of natural and legal persons (in particular the protection of personal data, commercially sensitive data and the protection of intellectual property rights) in caseall cases and especially when such data is transferred to third countries.
Amendment 165 #
Proposal for a regulation
Recital 16
Recital 16
(16) In cases where there is no implementing act adopted by the Commission in relation to a third country declaring that it provides a level of protection, in particular as regards the protection of commercially sensitive data and the protection of intellectual property rights, which is essentially equivalent to that provided by Union or national law, the public sector body should only transmit protected data to a re-user, ifblige the re- user undertakes obligations in the interest of the protection of the data. The re-user that intends to transfer the data to such third country should commit toto not to transfer non-personal data protected on grounds set out in Article 3 to a third country unless the re-user complyies with the obligations laid out in this Regulation even, including after the data has been transferred to the third country. To ensure the proper enforcement of such obligations, the re-user should also accept the jurisdiction of the Member State of the public sector body that allowed the re-use for the judicial settlement of disputes. In this regard, the public sector bodies or the competent bodies shall provide guidance and legal and administrative support to re-users, especially small actors, such as SMEs and start-ups, for the purpose of supporting them in complying with these obligations.
Amendment 169 #
Proposal for a regulation
Recital 17
Recital 17
(17) Some third countries adopt laws, regulations and other legal acts which aim at directly transferring or providing access to non-personal data in the Union under the control of natural and legal persons under the jurisdiction of the Member States. Judgments of courts or tribunals or decisions of administrative authorities in third countries requiring such transfer or access to non-personal data should be enforceable when based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. In some cases, situations may arise where the obligation to transfer or provide access to non-personal data arising from a third country law conflicts with a competing obligation to protect such data under Union or national law, in particular as regards the protection of commercially sensitive data and the protection of intellectual property rights, and including its contractual undertakings regarding confidentiality in accordance with such law. In the absence of international agreements regulating such matters, transfer or access should only be allowed under certain conditions, in particular that the third-country system requires the reasons and proportionality of the decision to be set out, that the court order or the decision is specific in character, and the reasoned objection of the addressee is subject to a review by a competent court in the third country, which is empowered to take duly into account the relevant legal interests of the provider of such data.
Amendment 171 #
Proposal for a regulation
Recital 18
Recital 18
(18) In order to prevent unlawful access to non-personal data, public sector bodies, natural or legal persons to which the right to re-use data was granted, data sharing providers and entities entered in the register of recognauthorised data altruism organisations should take all reasonable measures to prevent access to the systems where non-personal data is stored, including encryption of data or corporate policiesby providing an operational security plan upon registration and deployment of encryption of data.
Amendment 181 #
Proposal for a regulation
Recital 19
Recital 19
(19) In order to build trust in re-use mechanisms, it may be necessary to attach stricter conditions for certain types of non- personal data that have been identified as highly sensitive, as regards the transfer to third countries, if such transfer could jeopardise public policy objectives, in line with international commitments. For example, in the health domain, certain datasets held by actors in the public health system, such as public hospitals, could be identified as highly sensitive health data. In order to ensure harmonised practices across the Union, such types of highly sensitive non-personal public data should be defined by Union law, for example in the context of the European Health Data Space or other sectoral legislation. The conditions attached to the transfer of such data to third countries should be laid down in delegatedthe respective acts. Conditions should be proportionate, non-discriminatory and, not restrict competition and should be necessary to protect legitimate public policy objectives identified, such as the protection of public health, public order, safety, the environment, public morals, consumer protection, privacy and personal data protection. The conditions should correspond to the risks identified in relation to the sensitivity of such data, including in terms of the risk of the re- identification of individuals. These conditions could include terms applicable for the transfer or technical arrangements, such as the requirement of using a secure processing environment, limitations as regards the re-use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or who can access the data in the third country. In exceptional cases they could also include restrictions on transfer of the data to third countries to protect the public interest.
Amendment 183 #
Proposal for a regulation
Recital 20
Recital 20
(20) Public sector bodies should be able to charge fees for the re-use of data to cover the costs of providing for such data re-use, but should also be able to decide to make the data available at lower or no cost, for example for certain categories of re- uses such as non-commercial re-use, or re- use by small and medium-sized enterprises, so as to incentivise such re-use in order to stimulate research and innovation and support companies that are an important source of innovation and typically find it more difficult to collect relevant data themselves, in line with State aid rules. Such fees should be reasonableproportionate to the cost incurred, transparent, published online and, non- discriminatory and not constrain competition.
Amendment 191 #
Proposal for a regulation
Recital 22
Recital 22
(22) Providers of data sharing services (data intermediaries) are expected to play a key role in the data economy, as a tool to facilitate the aggregation and exchange of substantial amounts of relevant data. Data intermediaries offering services that connect the different actors have the potential to contribute to the efficient pooling of data as well as to the facilitation of bilateral data sharing. Specialised data intermediaries that are independent from both data holders and data users can have a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power. This Regulation should only cover providers of data sharing services that have as a main objective the establishment of a business, a legal and potentially also technical relation between data holders, including data subjects, on the one hand, and potential users on the other hand, and assist both parties in a transaction of data assets between the two. It should only cover services aiming at intermediating between an indefinite number of data holders and data users, excluding data sharing services that are meant to be used by a closed group of data holders and users. Providers of cloud services should be excluded, as well as service providers that obtain data from data holders, aggregate, enrich or transform the data and licence the use of the resulting data to data users, without establishing a direct relationship between data holders and data users, for example advertisement or data brokers, data consultancies, providers of data products resulting from value added to the data by the service provider. At the same time, data sharing service providers should be allowed to make adaptations to the data exchanged, to the extent that this improves the usability of the data by the data user, where the data user desires this, such as to convert it into specific formats. In addition, services that focus on the intermediation of content, in particular on copyright-protected content, should not be covered by this Regulation. Data exchange platforms that are exclusively used by one data holder in order to enable the use of data they hold as well as platforms developed in the context of objects and devices connected to the Internet-of-Things that have as their main objective to ensure functionalities of the connected object or device and allow value added services, should not be covered by this Regulation. ‘Consolidated tape providers’ in the sense of Article 4 (1) point 53 of Directive 2014/65/EU of the European Parliament and of the Council42 as well as ‘account information service providers’ in the sense of Article 4 point 19 of Directive (EU) 2015/2366 of the European Parliament and of the Council43 should not be considered as data sharing service providers for the purposes of this Regulation. Entities which restrict their activities to facilitating use of data made available on the basis of data altruism and that operate on a not- for-profit basis should not be covered by Chapter III of this Regulation, as this activity serves objectives of general interest by increasing the volume of data available for such purposes. _________________ 42Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU, OJ L 173/349. 43Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/ECfacilitate bi- or multilateral data sharing. To ensure fair, non- discriminatory and transparent access for all actors to the data economy there is a need to support the role of neutral and trusted data intermediaries, whose pricing and terms of service do not depend on whether or not a potential data holder or data user is using other services provided by the same enterprise, including, cloud storage, analytics, Artificial Intelligence or other data-based applications. Data intermediaries that are independent from both data holders and data users can have a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power, while allowing for non- discriminatory access to the data economy for actors of all sizes, especially small actors with limited financial, legal or administrative means. These ecosystems can address the threat of market concentration and imbalances of market power between individual actors and data- driven platform providers, which are a threat to the competitiveness of the European data economy. In particular, market concentration in data markets risks to be perpetuated into markets for machine-learning-based applications. This Regulation covers the provision of data sharing services that have as an objective the establishment of a business, a legal and potentially also technical relation between an indefinite number of data holders, on the one hand, and potential users on the other hand, and assist the parties in transactions in which a access to or a transfer of data takes place between them, including any payment or other compensation from data users to data holders in exchange for access to or transfer of data. Where actors offer multiple data-related services, only the activities which directly concern the provision of such data sharing services should be covered by this Regulation. Services, which are aimed at a closed group of data holders or data users, for the purpose of exchanging data in the context of a contractually-defined collaboration or joint undertaking should not be covered by this obligation. Such services may include supply or customer relationships with the main objective of ensuring functionalities of connected objects or devices, including for the provision of products or services connected to the Internet-of-Things. Auxiliary technical, legal, financial or administrative support services which enable data holders or data users to prepare data exchanges, for example by providing legal advice, technical conversion or financial services in the context of an exchange, without providing the data sharing service itself, shall not be covered by the Regulation. At the same time, data sharing service providers should be allowed to make adaptations to the data exchanged, to the extent that this improves the usability of the data by the data user, where the data user desires this, such as to convert it into specific formats.
Amendment 203 #
Proposal for a regulation
Recital 24
Recital 24
(24) Data cooperatives seek to strengthen the position of individuals in making informed choices before consenting to data use, influencing the pricing terms and conditions of data user organisations attached to data use or potentially solving disputes between members of a group on how data can be used when such data pertain to several data subjects within that group. In this context it is important to acknowledge that the rights under Regulation (EU) 2016/679 can only be exercised by each individual and cannot be conferred or delegated to a data cooperative. Data cooperatives could also provide a useful means for one-person companies, micro, small and medium-sized enterprises that in terms of knowledge of data sharing, are often comparable to individuals.
Amendment 206 #
Proposal for a regulation
Recital 25
Recital 25
(25) In order to increase trust in such data sharing services, in particular related to the use of data and the compliance with the conditions imposed by data holders, it is necessary to create a Union-level regulatory framework, which would set out highly harmonised requirements related to the trustworthy, open and non-discriminatory provision of such data sharing services. This will contribute to ensuring that data holders and data users have better control over the access to and use of their data, in accordance with Union law. Both in situations where data sharing occurs in a business-to-business context and where it occurs in a business-to- consumer context, data sharing providers should offer a novel, ‘European’ way of data governance, by providing a separation in the data economy between data provision, intermediation and use. Providers of data sharing services may also make available specific technical infrastructure for the interconnection of data holders and data users.
Amendment 207 #
Proposal for a regulation
Recital 26
Recital 26
(26) A key element to bring trust and more control for data holder and data users in data sharing services is the neutrality of data sharing service providers as regards the data exchanged between data holders and data users. It is therefore necessary that data sharing service providers act only as intermediaries in the transactions, and do not use the data exchanged for any other purpose. This will also require structural separation between the data sharing service and any other services provided, so as to avoid issues of conflict of interest. This means that the data sharing service should be provided through a legal entity that is separate from the other activities of that data sharing provider. Where an actor provides other data-related services, in addition to data sharing services, the pricing and terms of services for the data sharing service should not be dependent on whether and to what degree a data holder or data user uses other data- related services from the same actor. Data sharing providers that intermediate the exchange of data between individuals as data holders and legal persons should, in addition, bear fiduciary duty towards the individuals, to ensure that they act in the best interest of the data holders.
Amendment 216 #
Proposal for a regulation
Recital 27
Recital 27
(27) In order to ensure the compliance of the providers of data sharing services with the conditions set out in this Regulation, such providers should have a place of establishment in the Union. Alternatively, where a provider of data sharing services not established in the Union offers services within the Union, it should designate a representative. Designation of a representative is necessary, given that such providers of data sharing services handle personal data as well as commercially confidential data, which necessitates the close monitoring of the compliance of such service providers with the conditions laid out in this Regulation. In order to determine whether such a provider of data sharing services is offering services within the Union, it should be ascertained whether it is apparent that the provider of data sharing services is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the website or of an email address and of other contact details of the provider of data sharing services, or the use of a language generally used in the third country where the provider of data sharing services is established, should be considered insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that other language, or the mentioning of users who are in the Union, may make it apparent that the provider of data sharing services is planning to offer services within the Union. The representative should act on behalf of the provider of data sharing services and it should be possible for competent authorities to contact the representative. The representative should be designated by a written mandate of the provider of data sharing services to act on the latter's behalf with regard to the latter's obligations under this Regulation.
Amendment 223 #
Proposal for a regulation
Recital 29
Recital 29
(29) Providers of data sharing services should also take effective measures to ensure compliance with competition law. Data sharing may generate various types of efficiencies but may also lead to restrictions of competition, in particular where it includes the sharing of competitively sensitive information. This applies in particular in situations where data sharing enables businesses to become aware of market strategies of their actual or potential competitors. Competitively sensitive information typically includes information on future prices, production costs, quantities, turnovers, sales or capacities.
Amendment 228 #
Proposal for a regulation
Recital 31
Recital 31
(31) In order to support effective cross- border provision of services, the data sharing provider should be requested to send a notification only to the designated competent authority from the Member State where its main establishment is located or where its legal representative is located. Such a notification should not entail more than a mere declaration of the intention to provide such services and. Such a notification should be completed only by the information set out in this Regulation.
Amendment 230 #
Proposal for a regulation
Recital 35
Recital 35
Amendment 234 #
(36) Legal entities that seek to support purposes of generalpublic interest by making available relevant data based on data altruismvoluntary data sharing in the public interest at scale and meet certain requirements, should be able required to register as ‘Data Altruism Organisations recognauthorised in the Union’. This could lead to the establishment of data repositories. As registrauthorisation in a Member State would be valid across the Union, and this should facilitate cross-border data use within the Union and the emergence of data pools covering several Member States. Data subjects in this respect would consent to specific purposes of data processing, but could also consent to data processing in certain areas of research or parts of research projects as it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Legal persons could give permission to the processing of their non-personal data for a range of purposes not defined at the moment of giving the permission. The voluntary compliance of such registerThe compliance of such authorised entities with a set of requirements should bring trust that the data made available on altruistic purposvoluntary data sharing in the public interest is serving a generalpublic interest purpose. Such trust should result in particular from a place of establishment within the Union, as well as from the requirement that registered entities have a not-for-profit character, from transparency requirements and from specific safeguards in place to protect rights and interests of data subjects and companies. The protection of the rights and interests of data subjects should notably include representative actions for the protection of the collective interests of consumers referred to as data subjects according to Directive 2020/1828. Further safeguards should include making it possible to process relevant data within a secure processing environment operated by the registered entity, oversight mechanisms such as ethics councils or boards to ensure that the data controller maintains high standards of scientific ethics, effective technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under Regulation (EU) 2016/679 as well as means for data subjects to stay informed about the use of data they made available.
Amendment 239 #
Proposal for a regulation
Recital 37
Recital 37
(37) This Regulation is without prejudice to the establishment, organisation and functioning of entities that seek to engage in data altruismvoluntary data sharing in the public interest pursuant to national law. It builds on national law requirements to operate lawfully in a Member State as a not-for-profit organisation. Entities which meet the requirements in this Regulation should be able to use the title of ‘Data Altruism Organisations recognauthorised in the Union’.
Amendment 242 #
Proposal for a regulation
Recital 38
Recital 38
(38) Data Altruism Organisations recognauthorised in the Union should be able to collect relevant data directly from natural and legal persons or to process data collected by others. Typically, data altruismvoluntary data sharing in the public interest would rely on consent of data subjects in the sense of Article 6(1)(a) and 9(2)(a) and in compliance with requirements for lawful consent in accordance with Article 7 of Regulation (EU) 2016/679. In accordance with Regulation (EU) 2016/679, scientific research purposes can be supported by consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research or only to certain areas of research or parts of research projects. Article 5(1)(b) of Regulation (EU) 2016/679 specifies that further processing for scientific or historical research purposes or statistical purposes should, in accordance with Article 89(1) of Regulation (EU) 2016/679, not be considered to be incompatible with the initial purposes. For non-personal data the usage limitations should be found in the permission given by the data holder.
Amendment 245 #
Proposal for a regulation
Recital 39
Recital 39
(39) To bring additional legal certainty to granting and withdrawing of consent, in particular in the context of scientific research and statistical use of data made available on an altruistic basisthe basis of voluntary data sharing in the public interest, a European data altruism consent form should be developed and used in the context of altruisticvoluntary data sharing in the public interest. Such a form should contribute to additional transparency for data subjects that their data will be accessed and used in accordance with their consent and also in full compliance with the data protection rules. It cshould also be used to streamline data altruism performed by companies and provide a mechanism allowing such companies to withdraw their permission to use the datafacilitate the granting and withdrawing of consent. In order to take into account the specificities of individual sectors, including from a data protection perspective, there should be a possibility for sectoral adjustments of the European data altruism consent form.
Amendment 248 #
Proposal for a regulation
Recital 40
Recital 40
(40) In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group. The Board should consist of representatives of the Member States, the Commission and representatives of relevant data spaces and specific sectors (such as health, agriculture, transport and statistics), as well as representatives of academia, research and standard setting organisations. The European Data Protection Board should be invited to appoint a representative to the European Data Innovation Board. The Board shall establish a Data Innovation Advisory Council (the “Advisory Council”). The Advisory Council shall be proportionally composed of a number between 15 to 30 representatives from industry including SMEs, research, civils society, standardisation organisations and other relevant stakeholders or third parties appointed by the Board. The Advisory Council shall nominate a representative to attend meetings of the Board and to participate in its work.
Amendment 258 #
Proposal for a regulation
Recital 41
Recital 41
(41) The Board should support the Commission in coordinating national practices and policies on the topics covered by this Regulation, and in supporting cross- sector data use by adhering to the European Interoperability Framework (EIF) principles and through the utilisation of standards and specifications (such as the Core Vocabularies44 and the CEF Building Blocks45 ), without prejudice toand take into account standardisation work taking place in specific sectors or domains. Work on technical standardisation may include the identification of priorities for the development of standards and establishing and maintaining a set of technical and legal standards for transmitting data between two processing environments that allows data spaces to be organised without making recourse to an intermediary, in particular in clarifying and distinguishing which standards and practices are cross-sectoral and which are sectoral. The Board should assist and advise the EU institutions and the emerging data spaces, including on financial assistance through European programmes such as the Digital Europe Programme. The Board should cooperate with sectoral bodies, networks or expert groups, or other cross-sectoral organisations dealing with re-use of data. Regarding data altruismvoluntary data sharing in the public interest, the Board should assist the Commission in the development of the data altruism consent form, in consultation with the European Data Protection Board. _________________ 44 https://joinup.ec.europa.eu/collection/sema ntic-interoperability-community- semic/core-vocabularies 45 https://joinup.ec.europa.eu/collection/conn ecting-europe-facility-cef
Amendment 266 #
Proposal for a regulation
Recital 42
Recital 42
Amendment 278 #
Proposal for a regulation
Article 1 – paragraph 1 – point c
Article 1 – paragraph 1 – point c
(c) a framework for voluntary registrauthorisation of entities which collect and process data made available for altruistic purposes.the purposes of voluntary data sharing in the public interest;
Amendment 279 #
Proposal for a regulation
Article 1 – paragraph 1 – point c a (new)
Article 1 – paragraph 1 – point c a (new)
(c a) a framework for the establishment of a European Data Innovation Board.
Amendment 286 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
Article 1 – paragraph 2 a (new)
(2 a) Union law on the protection of personal data shall apply to any personal data processed in connection with this Regulation. In particular, this Regulation shall be without prejudice to Regulation (EU) 2016/679 and Directive 2002/58/EC. In the event of conflict between the provisions of this Regulation and Union law on the protection of personal data, the latter prevails. This Regulation does not create a legal basis for the processing of personal data.
Amendment 295 #
Proposal for a regulation
Article 2 – paragraph 1 – point 2
Article 2 – paragraph 1 – point 2
(2) ‘re-use’ means the use by natural persons or legal personentities of data held by public sector bodies, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced, except for the exchange of data between public sector bodies purely in pursuit of their public tasks;
Amendment 302 #
Proposal for a regulation
Article 2 – paragraph 1 – point 4
Article 2 – paragraph 1 – point 4
(4) ‘'metadata’' means data collected on any activity of a natural or legal person for the purposes of the provision of a data sharing service, including the date , time and geolocation data, duration of activity, connecbasic information about data, including the description of data and information about data properties, locations, to other natural or legal persons established by the person who uses the serviceime, context or purpose of data collection;
Amendment 305 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘data holder’ means a legal entity, natural person or, data subject, public body or international organisation, who, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal or non- personal data under its control;
Amendment 308 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6
Article 2 – paragraph 1 – point 6
(6) ‘data user’ means a natural or legal personperson, legal entity or public body who has lawful access to certain personal or non-personal data and is authorised to use that data for commercial or non-commercial purposes; in accordance with applicable Union or national law a data processor can also have the role of data user.
Amendment 314 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) ‘data sharing’ means the provision by a data holder of data to a data user f service’ means a service, which intermediates between an indefinite number of potential data holders and potential data users by making available technical, legal, or othe purpose of joint or individual use of the shared data, based on voluntary agreements, directly or through an intermediaryr means to enable or facilitate the exchange, pooling or licensing of data between data holders and data users;
Amendment 317 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7 a (new)
Article 2 – paragraph 1 – point 7 a (new)
(7 a) ‘data intermediary’ means an undertaking, or related commercial entity, which provides data sharing services to intermediate between an indefinite number of potential data holders and potential data users by making available technical, legal, or other means to enable or facilitate the exchange, pooling or licensing of data between data holders and data users;
Amendment 319 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7 b (new)
Article 2 – paragraph 1 – point 7 b (new)
(7 b) 'data cooperative' means an organisation or service, which: (a) supports members, who are data subjects, to exercise the rights provided in Regulation (EU) 2016/679, by offering services including, but not limited to, collectively negotiating terms and conditions for data processing, in making informed choices before consenting to data processing, and allowing for mechanisms to exchange views on data processing purposes and conditions that would represent their interest, or; (b) enables small and medium-sized enterprises, not-for-profit or academic institutions to collectively negotiate terms for sharing non-personal data.
Amendment 322 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
Amendment 340 #
Proposal for a regulation
Article 3 – paragraph 1 – introductory part
Article 3 – paragraph 1 – introductory part
(1) This Chapter applies, without prejudice to the legal regime of open data set by the Directive on open data and the re-use of public sector information (Directive (EU) 2019/1024), to other categories of data held by public sector bodies and public undertakings to data held by public sector bodies which are protected on grounds of:
Amendment 342 #
Proposal for a regulation
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
Amendment 343 #
Proposal for a regulation
Article 3 – paragraph 2 – point c
Article 3 – paragraph 2 – point c
(c) data held by cultural establishments and educational establishments when protected by fundamental rights provisions or third party intellectual property rights;
Amendment 347 #
Proposal for a regulation
Article 3 – paragraph 3
Article 3 – paragraph 3
(3) The provisions of this Chapter do not create any obligation on public sector bodies to allow re-use of data beyond the Open Data Directive nor do they release public sector bodies from their confidentiality obligations, but sets a framework for such reuse when data is made available. This Chapter is without prejudice to Union and national law or international agreements to which the Union or Member States are parties on the protection of categories of data provided in paragraph 1. This Chapter is without prejudice to Union and national law on access to documents and to obligations of public sector bodies under Union and national law to allow the re-use of data.
Amendment 349 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
(2) By way of derogation from paragraph 1, an exclusive right to re-use data referred to in that paragraph may be granted for a limited duration and to the extent necessary for the provision of a service or a product in the general interestpublic interest that would have otherwise not be possible without such derogation.
Amendment 351 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
(3) Such exclusive right shall be granted in the context of a relevant service or concession contract in compliance with applicable Union and national public procurement and concession award rules, or, in the case of a contract of a value for which neither Union nor national public procurement and concession award rules are applicable, in compliance with the principles of transparency, equal treatment and non- discrimination on grounds of nationality.
Amendment 352 #
Amendment 355 #
Proposal for a regulation
Article 4 – paragraph 5
Article 4 – paragraph 5
(5) The period of exclusivity of the right to re-use data shall not exceed three yearssix months, and shall be subject to approval by the competent authority referred to in Article 7(1). Where a contract is concluded, the duration of the contract awarded shall be as aligned with the period of exclusivity.
Amendment 358 #
Proposal for a regulation
Article 4 – paragraph 6
Article 4 – paragraph 6
(6) The decision to award of an exclusive right pursuant to paragraphs (2) to (5), including the reasons why it is necessary to grant such a right, shall be transparent and be made publicly available online, regardless of a possible publication of an award of a public procurement and concessions contract.
Amendment 360 #
Proposal for a regulation
Article 4 – paragraph 7 a (new)
Article 4 – paragraph 7 a (new)
(7 a) Where an exclusive right to re-use data does not meet the conditions set out in paragraphs 2, 3 and 4, the exclusive right shall be void.
Amendment 363 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
(2) Conditions for re-use shall be non- discriminatory, proportionate and objectively justified with regard to categories of data and purposes of re-use and the nature of the data for which re-use is allowed. These conditions shall not be constructed in a way to pose restrictions to participate for SMEs, start-ups or civil society actors or otherwise be used to restrict competition.
Amendment 369 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
(3) Public sector bodies may impose an obligation to re-use only pre-processhall only grant access to re-used data, where such pre-processing aims toany personal data is effectively anonymizesed or pseudonymise personal data or deleted and commercially confidential information, including trade secrets is effectively removed from the data unless the scope of processing is inextricably linked to the personal or confidential character of the data.
Amendment 373 #
Proposal for a regulation
Article 5 – paragraph 4 – introductory part
Article 5 – paragraph 4 – introductory part
(4) Public sector bodies may also impose obligaconditions
Amendment 376 #
Proposal for a regulation
Article 5 – paragraph 4 – point a
Article 5 – paragraph 4 – point a
(a) to access and re-use the data within a remote secure processing environment provided and controlled by the public sector ;
Amendment 382 #
Proposal for a regulation
Article 5 – paragraph 5
Article 5 – paragraph 5
(5) The public sector bodies shall impose conditions that preserve the integrity of the functioning of the technical systems of the secure processing environment used. The public sector body shall be able to verifyreserve the right to verify the process, the means and any results of processing of data undertaken by the re- user to preserve the integrity of the protection of the data and reserve the right to prohibit the use of results that contain information jeopardising the rights and interests of third parties. The public sector body shall make the use of such secure processing environment conditional on the signature by the re-user of a confidentiality agreement that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place.
Amendment 391 #
Proposal for a regulation
Article 5 – paragraph 6
Article 5 – paragraph 6
(6) Where the re-use of data cannot be granted in accordance with the obligations laid down in paragraphs 3 to 5 and there is no other legal basis for transmitting the data under Regulation (EU) 2016/679, the public sector body shall support re-users in seekingeek consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected by such re-use, where it is feasible without disproportionate cost for the public sector. In that task they may be assisted by the competent bodies referred to in Article 7 (1).
Amendment 393 #
Proposal for a regulation
Article 5 – paragraph 7
Article 5 – paragraph 7
(7) Re-use of data shall only be allowed in compliance with intellectual property rights. The right of the maker of a database as provided for in Article 7(1) of Directive 96/9/EC shall not be exercised by public sector bodies or those who benefit from the data available for reuse in order to prevent the re-use of data or to restrict re-use beyond the limits set by this Regulation.
Amendment 394 #
Proposal for a regulation
Article 5 – paragraph 8
Article 5 – paragraph 8
(8) When data requested is considered confidential, in accordance with Union or national law on commercial confidentiality, the public sector bodies shall ensure that the confidential information is not disclosed as a result of the re-use.
Amendment 397 #
Proposal for a regulation
Article 5 – paragraph 9 – introductory part
Article 5 – paragraph 9 – introductory part
(9) The Commission may adopt implementing acts declaring that the legal, supervisory and enforcement arrangements of a third country, without prejudice to the adequacy requirements defined in Article 45 of Regulation (EU) 2016/679:
Amendment 405 #
Proposal for a regulation
Article 5 – paragraph 10 – introductory part
Article 5 – paragraph 10 – introductory part
(10) Public sector bodies shall only transmit confidential data or data protected by intellectual property rights to a re-user which intends to transfer the datablige the re-user not to transfer non-personal data protected on grounds set out in Article 3 to a third country other than a country designated in accordance with paragraph 9 ifunless the re-user undertakes:
Amendment 406 #
Proposal for a regulation
Article 5 – paragraph 10 a (new)
Article 5 – paragraph 10 a (new)
(10 a) Public sector bodies or the competent bodies referred to in Article 7(1) shall provide guidance and legal and administrative support to re-users, where relevant, for the purpose of supporting them in complying with the obligations referred to in paragraph 10(a).
Amendment 413 #
Proposal for a regulation
Article 5 – paragraph 11
Article 5 – paragraph 11
(11) Where sSpecific Union acts adopted in accordance with a legislative procedure establish thatmay deem certain non-personal data categories held by public sector bodies shall be deemed to be highly sensitive for the purposes of this Article, twhere their transfer to third countries may put at risk Union policy objectives, such as safety and public health, or may lead to the risk of re- identification of anonymised data. The Commission shall be empowered to adopt delegated acts in accordance with Article 28 supplementing this Regulation by laying down special conditions applicable for transfers to third-countries. Those conditions for the transfer to third-countries shall be based on the nature of data categories identified in the Union act and on the grounds for deeming them highly sensitive, non-discriminatory and limited to what is necessary to achieve the public policy objectives identified in the Union law act, such as safety and public health, as well as risks of re-identification of anonymized data for data subjects, in accordance with the Union’s international obligations. They conditions may include terms applicable for the transfer or technical arrangements in this regard, limitations as regards the re- use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or, in exceptional cases, restrictions as regards transfers to third-countries.
Amendment 416 #
Proposal for a regulation
Article 5 – paragraph 13
Article 5 – paragraph 13
(13) Where the re-user intends to transfer non-personal data to a third country, it shall inform the public sector body shall inform the data holder about theof such intent. The public sector body shall inform the data holder and, where relevant, legal entity to which the data relates about the intention to transfer ofthe data to that third country.
Amendment 421 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
(2) Any fees shall be non- discriminatory, proportionate andto the cost of providing data for re-use, objectively justified and shall not restrict competition.
Amendment 427 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
(4) Where they apply fees, public sector bodies shall take measures to incentivise the re-use of the categories of data referred to in Article 3 (1) for non- commercial purposes and by small and medium-sized enterprises in line with State aid rules. This may include allowing re- use at lower or no cost.
Amendment 431 #
Proposal for a regulation
Article 6 – paragraph 5
Article 6 – paragraph 5
(5) Fees shall be derived from the costs related to the processing of requests for re- use of the categories of data referred to in Article 3 (1). TheAny fees shall be limited to the necessary costs incurred for the reproduction, provision and dissemination of data, costs for anonymisation or other forms or preparation of personal and confidential data as provided in Article 5(3), costs for the maintenance of the secure processing environment, as well as any costs in relation to supporting re- users in seeking consent of from data subjects and permission from data holders whose rights and interests may be affected by such re-use. The criteria and methodology for calculating fees shall be published in advance.
Amendment 439 #
Proposal for a regulation
Article 7 – paragraph 2 – point b
Article 7 – paragraph 2 – point b
(b) providing technical support in the application of tested techniques ensuring data processing in a manner that effectively preserves privacy of the information contained in the data for which re-use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data;
Amendment 442 #
Proposal for a regulation
Article 7 – paragraph 2 – point c
Article 7 – paragraph 2 – point c
(c) assisting the public sector bodies, where relevant, to support re-users in obtaining consent for permission by re-users for re-use for altruistic and other purposere-use from data subjects or permission from data holders in line with their specific decisions of data holders, including on the jurisdiction or jurisdictions in which the data processing is intended to take place;
Amendment 457 #
Proposal for a regulation
Article 9 – paragraph 1 – introductory part
Article 9 – paragraph 1 – introductory part
(1) The provision of the following data sharing services shall be subject to a notification procedureis Chapter applies to the provision of data sharing services. These services include, but are not limited to:
Amendment 458 #
Proposal for a regulation
Article 9 – paragraph 1 – point a
Article 9 – paragraph 1 – point a
(a) intermediation services between data holders which are legal persons and potential data users, including making available the technical or other means to enable such services; those services may include bilateral or multilateral exchanges of data or the creation of platformsoperation of specific infrastructure, platforms or databases and enabling data sharing through bilateral or multilateral exchanges, characterized by, among others: (i) the technical means to effectuate data access or transfer or; (ii) the provision of a register or dcatabases enabling the exchalogue of data available for sharinge or joint exploitation of data, as well as the establishment of a specific infrastructure for the interconnect; (iii) the facilitation of payment or other forms of compensation by data users in exchange for the provision of data holders andby data usholders;
Amendment 461 #
Proposal for a regulation
Article 9 – paragraph 1 – point c
Article 9 – paragraph 1 – point c
(c) services of data cooperatives, that is to say services supporting data subjects or one-person companies or micro, small and medium-sized enterprises, who are members of the cooperative or who confer the power to the cooperative to negotiate terms and conditions for data processing before they consent, in making informed choices before consenting to data processing, and allowing for mechanisms to exchange views on data processing purposes and conditions that would best represent the interests of data subjects or legal persons.
Amendment 465 #
Proposal for a regulation
Article 9 – paragraph 1 a (new)
Article 9 – paragraph 1 a (new)
(1 a) This chapter does not apply to the following activities:
Amendment 466 #
Proposal for a regulation
Article 9 – paragraph 1 b (new)
Article 9 – paragraph 1 b (new)
(1 b) (a) services, which are aimed at a closed group of data holders or data users, including those operated between two companies or a limited group of legal entities for the purpose of exchanging data in the context of a contractually- defined collaboration or joint undertaking;
Amendment 467 #
Proposal for a regulation
Article 9 – paragraph 1 c (new)
Article 9 – paragraph 1 c (new)
(1 c) (b) value-added data services, which aggregate data, transform or combine data with other data, or analyse it for the purpose of adding substantial value to it and make available the use of the resulting data to data users, unless they have a direct relationship with data holders for the purpose of data sharing services or reshare the unprocessed data received from the data holder;
Amendment 468 #
Proposal for a regulation
Article 9 – paragraph 1 d (new)
Article 9 – paragraph 1 d (new)
(1 d) (c) auxiliary technical, legal, financial or administrative support services offered to either data holder or data users for the purpose of preparing an exchange of data;
Amendment 469 #
Proposal for a regulation
Article 9 – paragraph 1 e (new)
Article 9 – paragraph 1 e (new)
(1 e) (d) not-for-profit online encyclopedias, not-for-profit educational and scientific repositories, and open source software-developing and-sharing platforms;
Amendment 470 #
Proposal for a regulation
Article 9 – paragraph 1 f (new)
Article 9 – paragraph 1 f (new)
(1 f) (e) ‘Consolidated tape providers’ in the sense of Article 4 (1) point 53 of Directive 2014/65/EU of the European Parliament and of the Council;
Amendment 471 #
Proposal for a regulation
Article 9 – paragraph 1 g (new)
Article 9 – paragraph 1 g (new)
(1 g) (f) ‘account information service providers’ in the sense of Article 4 point 19 of Directive (EU) 2015/2366 of the European Parliament and of the Council;
Amendment 472 #
Proposal for a regulation
Article 9 – paragraph 1 h (new)
Article 9 – paragraph 1 h (new)
(1 h) (g) providers of data sharing services, which have been available to the public in the Union for less than 12 months and which have either a consolidated annual turnover at the group level below EUR 10 million, calculated in accordance with Commission Recommendation 2003/361/EC, or, where no consolidated annual turnover can be established less, than one hundred users, who are legal entities, or less than one thousand users who are natural persons.
Amendment 474 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
(1) Any provider of dData sharing services who intends to provide the services referred to in Article 9 (1) shall submit a notification to the competent authority referred to in Article 12.
Amendment 476 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
(3) A provider of data sharing services that is not established in the Union, but offers the services referred to in Article 9 (1) within the Union, shall appoint a legal representativeoperate its services through a legal entity established in one of the Member States in which those services are offered. The provider shall be deemed to be under the jurisdiction of the Member State in which the legal representativeentity is established.
Amendment 478 #
Proposal for a regulation
Article 10 – paragraph 6 – point b
Article 10 – paragraph 6 – point b
(b) the provider’s legal status, formownership structure, form, relevant subsidiaries or related entities, and registration number, where the provider is registered in trade or in another similar public register;
Amendment 479 #
Proposal for a regulation
Article 10 – paragraph 6 – point c
Article 10 – paragraph 6 – point c
(c) the address of the provider’s main establishment in the Union, if any, and, where applicable, any secondary branch in another Member State or that of the legal representativeentity designated pursuant to paragraph 3;
Amendment 480 #
Proposal for a regulation
Article 10 – paragraph 6 – point d
Article 10 – paragraph 6 – point d
(d) a website where information on the provider and the activities can be found, where applicableincluding as a minimum the information as referred to in letters a, b, c and f of this paragraph;
Amendment 482 #
Proposal for a regulation
Article 10 – paragraph 6 – point g
Article 10 – paragraph 6 – point g
(g) the estimated date for starting the activity, or the date the activity has started;
Amendment 485 #
Proposal for a regulation
Article 10 – paragraph 6 a (new)
Article 10 – paragraph 6 a (new)
(6 a) The competent authority shall ensure that the notification procedure does not impose undue hurdles for small and medium-sized enterprises and organisations and ensures non- discrimination and competition.
Amendment 496 #
Proposal for a regulation
Article 10 – paragraph 10
Article 10 – paragraph 10
Amendment 498 #
(10 a) Providers shall submit any changes of the information provided pursuant to paragraph 6 to the competent authority within 14 calendar days from the day on which the change takes place;
Amendment 500 #
Proposal for a regulation
Article 11 – paragraph 1 – point 1
Article 11 – paragraph 1 – point 1
(1) the provider may not use the data for which it provides services for other purposes than to put them at the disposal of data users and; data sharing services shall be placed in a separate legal entity;
Amendment 501 #
Proposal for a regulation
Article 11 – paragraph 1 – point 1 a (new)
Article 11 – paragraph 1 – point 1 a (new)
(1 a) the provider may not make the commercial terms, including pricing, for the provision of data sharing services to a data holder or data user dependent upon whether or to what degree the data holder or data user uses other services from the same provider or a related enterprise;
Amendment 504 #
Proposal for a regulation
Article 11 – paragraph 1 – point 2
Article 11 – paragraph 1 – point 2
(2) the metadata collected from the provision of the data sharing service may be used only for the developimprovement of that service;
Amendment 505 #
Proposal for a regulation
Article 11 – paragraph 1 – point 3
Article 11 – paragraph 1 – point 3
(3) the provider shall ensure that the procedure for access to its service is fair, transparent and non-discriminatory for both data holders and data users, including as regards to terms of service and prices;
Amendment 507 #
Proposal for a regulation
Article 11 – paragraph 1 – point 3 a (new)
Article 11 – paragraph 1 – point 3 a (new)
(3 a) the provider shall avoid lock-in effects and ensure interoperability with other data sharing services, in particular by providing openly accessible application programming interfaces and using open data formats, where technically feasible; (i) Within 12 months of the entry into force of this law, the Commission shall issue guidance on interoperability standards; (ii) The Commission shall consult Member States and relevant stakeholders for the purpose of issuing such guidance.
Amendment 518 #
Proposal for a regulation
Article 11 – paragraph 1 – point 7
Article 11 – paragraph 1 – point 7
(7) the provider shall put in place adequate technical, legal and organisational measures in order to prevent transfer or access to non-personal data that is unlawful under Union law;
Amendment 524 #
Proposal for a regulation
Article 11 – paragraph 1 – point 8
Article 11 – paragraph 1 – point 8
(8) the provider shall take measures to ensure a high level of security for the storage and transmission of non-personal data;
Amendment 525 #
Proposal for a regulation
Article 11 – paragraph 1 – point 10
Article 11 – paragraph 1 – point 10
(10) the providers offering services to data subjects shall act in the data subjects’ best interest when facilitating the exercise of their rights, in particular by advising data subjects on potential data uses and standard terms and conditions attached to such uses;
Amendment 527 #
(11) where a provider provides tools for obtaining consent from data subjects or permissions to process data made available by legal persons, it shall specify the jurisdiction or jurisdictions in which the data use is intended to take place and provide to the data subject tools for tracking the use of that data and consent withdrawal.
Amendment 546 #
Proposal for a regulation
Article 13 – paragraph 4 – point b
Article 13 – paragraph 4 – point b
(b) to requirimpose immediate cessation or postponement of the provision of the data sharing service.
Amendment 549 #
Amendment 555 #
Proposal for a regulation
Chapter IV – title
Chapter IV – title
IV data altruismvoluntary data sharing in the public interest
Amendment 556 #
Proposal for a regulation
Article 15 – title
Article 15 – title
Register of recognauthorised data altruism organisations
Amendment 557 #
Proposal for a regulation
Article 15 – paragraph -1 (new)
Article 15 – paragraph -1 (new)
(-1) The collection of data based on voluntary data sharing in the public interest, as referred to in Article 6(1)(e) of Regulation (EU) 2016/679 is subject to general authorisation by a competent authority, referred to in Article 20. Such authorisation shall be valid in all Member States of the European Union.
Amendment 560 #
Proposal for a regulation
Article 15 – paragraph 1
Article 15 – paragraph 1
(1) Each competent authority designated pursuant to Article 20 shall keep a public register of recognauthorised data altruism organisations.
Amendment 563 #
Proposal for a regulation
Article 15 – paragraph 2
Article 15 – paragraph 2
(2) The Commission shall maintain a public Union register of recognauthorised data altruism organisations.
Amendment 566 #
Proposal for a regulation
Article 15 – paragraph 3
Article 15 – paragraph 3
(3) AnOnly entity registered in the register in accordance with Article 16 may refer to itselfies authorised in accordance with Article 16 may collect data made available by natural or legal persons on the basis of voluntary data sharing in the public interest, as referred to in paragraph -1, perform the activities linked to the data processing in public interest and refer to themselves as a ‘data altruism organisation recognauthorised in the Union’ in itstheir written and spoken communication.
Amendment 567 #
Proposal for a regulation
Article 16 – title
Article 16 – title
General requirements for registrauthorisation
Amendment 568 #
Proposal for a regulation
Article 16 – paragraph 1 – introductory part
Article 16 – paragraph 1 – introductory part
1. In order to qualify for registration, the data altruism organisation shall:
Amendment 569 #
Proposal for a regulation
Article 16 – paragraph 1 – introductory part
Article 16 – paragraph 1 – introductory part
In order to qualify for registrauthorisation, the data altruism organisation shall:
Amendment 570 #
Proposal for a regulation
Article 16 – paragraph 1 – point a
Article 16 – paragraph 1 – point a
(a) be a legal entity constituted to meet objectives of generalpublic interest and recognised as such according to the applicable law;
Amendment 573 #
Proposal for a regulation
Article 16 – paragraph 1 – point b
Article 16 – paragraph 1 – point b
(b) operate on a not-for-profit basis and be independent from any entity that operates on a for-profit basis; in case the entity undertakes other activities on a not- for-profit basis, it shall ensure the legal and functional separation of such activities from the activities related to the collection of data based on voluntary data sharing in the public interest. The entity may not use the data collected based on voluntary data sharing in the public interest for other activities;
Amendment 575 #
Proposal for a regulation
Article 16 – paragraph 1 – point c
Article 16 – paragraph 1 – point c
(c) perform the activities related to data altruism take placevoluntary data sharing in the public interest through a legally independent structure, separate from other activities it has undertaken, including for-profit activities.
Amendment 578 #
Proposal for a regulation
Article 16 – paragraph 1 – point c a (new)
Article 16 – paragraph 1 – point c a (new)
(c a) provide to the competent authority an operational data security plan;
Amendment 581 #
Proposal for a regulation
Article 16 – paragraph 1 a (new)
Article 16 – paragraph 1 a (new)
In case personal data is processed in the context of voluntary data sharing in the public interest, such processing shall be compliant with the requirements laid down in Regulation (EU) 2016/679, including the provisions on transfers of personal data to third countries or international organisations
Amendment 583 #
Proposal for a regulation
Article 17 – paragraph 1
Article 17 – paragraph 1
(1) Any entity which meets the requirements of Article 16 may request to be entered in the register of recognauthorised data altruism organisations referred to in Article 15 (1).
Amendment 584 #
Proposal for a regulation
Article 17 – paragraph 2
Article 17 – paragraph 2
(2) For the purposes of this Regulation, an entity engaged in activities based on data altruismvoluntary data sharing in the public interest with establishments in more than one Member State, shall register in the Member State in which it has its main establishment.
Amendment 587 #
Proposal for a regulation
Article 17 – paragraph 3
Article 17 – paragraph 3
(3) An entity that is not established in the Union, but meets the requirements in Article 16, shall appoint a legal representative in one of the Member States where it intends to collect data based on data altruismvoluntary data sharing in the public interest. For the purpose of compliance with this Regulation, that entity shall be deemed to be under the jurisdiction of the Member State where the legal representative is located.
Amendment 589 #
Proposal for a regulation
Article 17 – paragraph 4 – point f
Article 17 – paragraph 4 – point f
(f) a public website where information on the entity and the activities can be found including as a minimum the information as referred to in letters a, b, d, e and h of this paragraph;
Amendment 591 #
Proposal for a regulation
Article 17 – paragraph 4 – point h
Article 17 – paragraph 4 – point h
(h) the purposes of generalpublic interest it intends to promote when collecting data;
Amendment 593 #
Proposal for a regulation
Article 17 – paragraph 5
Article 17 – paragraph 5
(5) Where the entity has submitted all necessary information pursuant to paragraph 4 and the competent authority considers that the entity complies with the requirements of Article 16, it shall register the entity in the register of recognauthorised data altruism organisations within twelve weeks from the date of application. The registration shall be valid in all Member States. Any registration shall be communicated to the Commission, for inclusion in the Union register of recognauthorised data altruism organisations.
Amendment 595 #
Proposal for a regulation
Article 17 – paragraph 6
Article 17 – paragraph 6
(6) The information referred to in paragraph 4, points (a), (b), (f), (g), and (h) shall be published in the national register of recognauthorised data altruism organisations.
Amendment 598 #
Proposal for a regulation
Article 17 – paragraph 7
Article 17 – paragraph 7
(7) Any entity entered in the register of recognauthorised data altruism organisations shall submit any changes of the information provided pursuant to paragraph 4 to the competent authority within 14 calendar days from the day on which the change takes place.
Amendment 600 #
Proposal for a regulation
Article 18 – paragraph 1 – introductory part
Article 18 – paragraph 1 – introductory part
(1) Any entity entered in the national register of recognauthorised data altruism organisations shall keep full and accurate public records concerning:
Amendment 601 #
Proposal for a regulation
Article 18 – paragraph 2 – introductory part
Article 18 – paragraph 2 – introductory part
(2) Any entity entered in the register of recognauthorised data altruism organisations shall draw up and transmit to the competent national authority an annual activity report which shall contain at least the following:
Amendment 602 #
Proposal for a regulation
Article 18 – paragraph 2 – point b
Article 18 – paragraph 2 – point b
(b) a description of the way in which the generalpublic interest purposes for which data was collected have been promoted during the given financial year;
Amendment 604 #
Proposal for a regulation
Article 18 – paragraph 2 – point c
Article 18 – paragraph 2 – point c
(c) a list of all natural and legal persons that were allowed to use data it holds, includingtheir contact details, a summary description of the generalpublic interest purposes pursued by such data use and the description of the technical means used for it, including a description of the techniques used to preserve privacy and data protection;
Amendment 608 #
Proposal for a regulation
Article 19 – paragraph 1 – introductory part
Article 19 – paragraph 1 – introductory part
(1) Any entity entered in the register of recognauthorised data altruism organisations shall inform data holders, prior to any processing of their data :
Amendment 611 #
Proposal for a regulation
Article 19 – paragraph 1 – point a
Article 19 – paragraph 1 – point a
(a) about the purposes of generalpublic interest for which it permits the processing of their data by a data user in an easy-to- understand manner;
Amendment 617 #
Proposal for a regulation
Article 19 – paragraph 1 – point b
Article 19 – paragraph 1 – point b
(b) about any processing outside the Union and the location of such processing.
Amendment 618 #
Proposal for a regulation
Article 19 – paragraph 1 – point b a (new)
Article 19 – paragraph 1 – point b a (new)
(b a) the effective means and tools for withdrawal of consent according to Article 7 of GDPR.
Amendment 622 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
(2) The entity shall also ensure that the data is not be used for other purposes than those of generalpublic interest for which it permits the processing.
Amendment 623 #
Proposal for a regulation
Article 19 – paragraph 2 a (new)
Article 19 – paragraph 2 a (new)
(2 a) The entity shall take measures to ensure a high level of security for the storage and processing of data that it has collected based on voluntary data sharing in the public interest or is responsible for in the exercise of its activities.
Amendment 624 #
Proposal for a regulation
Article 19 – paragraph 3
Article 19 – paragraph 3
(3) Where an entity entered in the register of recognauthorised data altruism organisations provides tools for obtaining consent from data subjects or permissions to process data made available by legal persons, it shall specify the jurisdiction or jurisdictions in which the data use is intended to take place and provide tools for withdrawal of the consent.
Amendment 630 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
(1) Each Member State shall designate one or more competent authorities responsible for the register of recognauthorised data altruism organisations and for the monitoring of compliance with the requirements of this Chapter. The designated competent authoritiesy shall meet the requirements of Article 23.
Amendment 631 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
(2) Each Member State shall inform the Commission of the identity of the designated authoritiesy.
Amendment 635 #
Proposal for a regulation
Article 21 – paragraph 1
Article 21 – paragraph 1
(1) The competent authority shall monitor and supervise compliance of entities entered in the register of recognauthorised data altruism organisations with the conditions laid down in this Chapter.
Amendment 636 #
Proposal for a regulation
Article 21 – paragraph 2
Article 21 – paragraph 2
(2) The competent authority shall have the power to request information from entities included in the register of recognauthorised data altruism organisations that is necessary to verify compliance with the provisions of this Chapter. Any request for information shall be proportionate to the performance of the task and shall be reasonedand all natural or legal persons that were given the possibility to process data held by data altruism organisations, that is necessary to verify compliance with the provisions of this Chapter.
Amendment 638 #
Proposal for a regulation
Article 21 – paragraph 5 – point a
Article 21 – paragraph 5 – point a
(a) lose its right to collect data made available by natural or legal persons on the basis of data altruism, perform the activities linked to the realisation of the data altruism purpose and refer to itself as a ‘data altruism organisation recognauthorised in the Union’ in any written and spoken communication and are obliged to delete the data collected;
Amendment 639 #
Proposal for a regulation
Article 21 – paragraph 5 – point b
Article 21 – paragraph 5 – point b
(b) be removed from the national and Union registers of recognauthorised data altruism organisations.
Amendment 641 #
Proposal for a regulation
Article 21 – paragraph 5 a (new)
Article 21 – paragraph 5 a (new)
(5 a) In this regard, the competent authorities shall be able, where appropriate: (a) to impose dissuasive financial penalties which may include periodic penalties with retroactive effect; (b) to impose immediate cessation or postponement of the provision of the data sharing service.
Amendment 643 #
Proposal for a regulation
Article 21 – paragraph 6
Article 21 – paragraph 6
(6) If an entity included in the register of recognauthorised data altruism organisations has its main establishment or legal representative in a Member State but is active in other Member States, the competent authority of the Member State of the main establishment or where the legal representative is located and the competent authorities of those other Member States shall cooperate and assist each other as necessary. Such assistance and cooperation may cover information exchanges between the competent authorities concerned and requests to take the supervisory measures referred to in this Article.
Amendment 644 #
Proposal for a regulation
Article 22 – title
Article 22 – title
European data altruism consent formtools
Amendment 645 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
(1) In order to facilitate the collection of data based on data altruismvoluntary data sharing in the public interest, the Commission mayshall adopt implementingdelegated acts developing a European data altruism consent form. Thetools, including a standardised form and requirements for online consent tools. The standardised form shall allow the collection of consent across Member States in a uniform format. Those implementingdelegated acts shall be adopted in accordance with the advisory procedure referred to in Article 29 (2)8.
Amendment 650 #
Proposal for a regulation
Article 22 – paragraph 2
Article 22 – paragraph 2
(2) The European data altruism consent formtools shall use a modular approach allowing customisation for specific sectors and for different purposes.
Amendment 652 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
(3) Where personal data are provided, the European data altruism consent formtools shall ensure that data subjects are able to give consent to and withdraw consent from a specific data processing operation in compliance with the requirements of Regulation (EU) 2016/679. Agreement to non personal data processing shall be facilitated in a similar manner.
Amendment 655 #
Proposal for a regulation
Article 22 – paragraph 4 a (new)
Article 22 – paragraph 4 a (new)
(4 a) The online consent tools shall include a minimal list of checks and balances allowing consent to be given and withdrawn in an easy to understand, timely and modular manner and a set of standardised visual indicators.
Amendment 658 #
Proposal for a regulation
Article 23 – paragraph 1
Article 23 – paragraph 1
(1) The competent authorities designated pursuant to Article 12 and Article 20 shall be legally distinct from, and functionally independent of any provider of data sharing services or entity included in the register of recognauthorised data altruism organisations.
Amendment 659 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
(2) Competent authorities shall exercise their tasks in an impartial, transparent, consistent, reliable and timely manner and safeguard fair competition and non-discriminatory access for individuals and small actors at all times.
Amendment 662 #
Proposal for a regulation
Article 24 – paragraph 1
Article 24 – paragraph 1
(1) Natural and legal persons shall have the right to lodge a complaint, individually or by the representatives of one or more natural persons, with the relevant national competent authority against a provider of data sharing services or an entity entered in the register of recognauthorised data altruism organisations.
Amendment 663 #
Proposal for a regulation
Article 24 – paragraph 2
Article 24 – paragraph 2
(2) The authority with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken, take immediate measures to prevent further infringements and shall inform the complainant of the right to an effective judicial remedy provided for in Article 25.
Amendment 664 #
Proposal for a regulation
Article 25 – paragraph 1 – point -a (new)
Article 25 – paragraph 1 – point -a (new)
(-a) a breach of obligations stemming from the current Regulation, including but not limited to the purposes of data processing, consent mechanisms and exercise of voluntary data sharing for public interest activities by organisations that are not listed in the national data altruism registry.
Amendment 665 #
Proposal for a regulation
Article 25 – paragraph 1 – point b
Article 25 – paragraph 1 – point b
(b) decisions of the competent authorities referred to in Articles 13, 17 and 21 taken in the management, control and enforcement of the notification regime for providers of data sharing services and the monitoring of entities entered into the register of recognauthorised data altruism organisations.
Amendment 666 #
Proposal for a regulation
Article 25 – paragraph 2
Article 25 – paragraph 2
(2) Proceedings pursuant to this Article shall be brought before the courts of the Member State in which the authority against which the judicial remedy is sought is located individually or by the representatives of one or more natural persons.
Amendment 672 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
(1) The Commission shall establish a European Data Innovation Board (“the Board”) in the form of an Expert Group, consisting of the representatives of competent authorities of all the Member States, the European Data Protection Board, the Commission, relevant data spaces and other representatives of competent authorities in specific sectors , as well as standardisation organisations.
Amendment 676 #
Proposal for a regulation
Article 26 – paragraph 2
Article 26 – paragraph 2
(2) Stakeholders and relevant third parties may be invitedThe Board shall establish a Data Innovation Advisory Council (the “Advisory Council”). The Advisory Council shall be proportionally composed of a number between 15 to 30 representatives from industry including SMEs, research, civils society, standardisation organisations and other relevant stakeholders or third parties appointed by the Board. The Advisory Council shall nominate a representative to attend meetings of the Board and to participate in its work.
Amendment 685 #
Proposal for a regulation
Article 26 – paragraph 4 a (new)
Article 26 – paragraph 4 a (new)
Amendment 696 #
Proposal for a regulation
Article 27 – paragraph 1 – point c
Article 27 – paragraph 1 – point c
(c) to advise the Commission on the prioritisation of cross-sector standards to be used and developed for data use and cross-sector data sharing, cross-sectoral comparison and exchange of best practices with regards to sectoral requirements for security, access procedures, while taking into account sector-specific standardisations activities, in particular in clarifying and distinguishing which standards and practices are cross-sectoral and which are sectoral;
Amendment 698 #
Proposal for a regulation
Article 27 – paragraph 1 – point d
Article 27 – paragraph 1 – point d
(d) to assist the Commission in enhancing the interoperability of data as well as data sharing services between different sectors and domains, building on existing European, international or national standards and to assist and advice the EU institutions and the emerging data spaces, including on financial assistance through European programmes such as the Digital Europe Programme;
Amendment 710 #
Proposal for a regulation
Article 27 – paragraph 1 – point e
Article 27 – paragraph 1 – point e
(e) to facilitate the cooperation between national competent authorities under this Regulation through capacity- building and the exchange of information, in particular by establishing methods for the efficient exchange of information relating to the notification procedure for data sharing service providers and the registration and monitoring of recognauthorised data altruism organisations.
Amendment 719 #
Proposal for a regulation
Article 30 – paragraph 1
Article 30 – paragraph 1
(1) The public sector body, the natural or legal person to which the right to re-use data was granted under Chapter 2, the data sharing provider or the entity entered in the register of recognauthorised data altruism organisations, as the case may be, shall take all reasonable technical, legal and organisational measures in order to prevent transfer or access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the law of the relevant Member State, unless the transfer or access are in line with paragraph 2 or 3.
Amendment 722 #
Proposal for a regulation
Article 30 – paragraph 2
Article 30 – paragraph 2
(2) Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a public sector body, a natural or legal person to which the right to re-use data was granted under Chapter 2, a data sharing provider or entity entered in the register of recognauthorised data altruism organisations to transfer from or give access to non- personal data subject to this Regulation in the Union may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or any such agreement between the requesting third country and a Member State concluded before [the entry into force of this Regulation].
Amendment 724 #
Proposal for a regulation
Article 30 – paragraph 3 – introductory part
Article 30 – paragraph 3 – introductory part
(3) Where a public sector body, a natural or legal person to which the right to re-use data was granted under Chapter 2, a data sharing provider or entity entered in the register of recognauthorised data altruism organisations is the addressee of a decision of a court or of an administrative authority of a third country to transfer from or give access to non-personal data held in the Union and compliance with such a decision would risk putting the addressee in conflict with Union law or with the law of the relevant Member State, transfer to or access to such data by that third-country authority shall take place only:
Amendment 728 #
Proposal for a regulation
Article 30 – paragraph 4
Article 30 – paragraph 4
(4) If the conditions in paragraph 2, or 3 are met, the public sector body, the natural or legal person to which the right to re-use data was granted under Chapter 2, the data sharing provider or the entity entered in the register of recognauthorised data altruism organisations, as the case may be, shall, provide the minimum amount of data permissible in response to a request, based on a reasonable interpretation of the request.
Amendment 730 #
Proposal for a regulation
Article 30 – paragraph 5
Article 30 – paragraph 5
(5) The public sector body, the natural or legal person to which the right to re-use data was granted under Chapter 2, the data sharing services provider and the entity providing data altruismvoluntary data sharing in the public interest shall inform the data holder about the existence of a request of an administrative authority in a third-country to access its data, except in cases where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.
Amendment 733 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
Amendment 736 #
Proposal for a regulation
Article 32 – paragraph 1
Article 32 – paragraph 1
By [fourthree years after the data of application of this Regulation], the Commission shall carry out an evaluation of this Regulation, and submit a report on its main findings to the European Parliament and to the Council as well as to the European Economic and Social Committee. Member States shall provide the Commission with the information necessary for the preparation of that report.
Amendment 738 #
Proposal for a regulation
Article 34 – paragraph 1
Article 34 – paragraph 1
Entities providing the data sharing services provided in Article 9(1) on the date of entry into force of this Regulation shall comply with the obligations set out in Chapter III by [date - 2 year6 months after the start date of the application of the Regulation] at the latest.