Activities of Andrzej HALICKI related to 2020/0340(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act)
Amendments (27)
Amendment 162 #
Proposal for a regulation
Recital 3
Recital 3
(3) It is necessary to improve the conditions for data sharing in the internal market, by creating a harmonised framework for data exchanges. Sector- specific legislation can develop, adapt and propose new and complementary elements, depending on the specificities of the sector, such as the envisaged legislation on the European health data space25 and on access to vehicle data. Moreover, certain sectors of the economy are already regulated by sector-specific Union law that include rules relating to cross-border or Union wide sharing or access to data26 . T but it should respect the rules and principles defined in applicable Union law. For this reason, this Regulation is therefore without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council (27 ), and in particular the implementation of this Regulation shall not p26a, Directive 2002/58/EC of the European Parliament and the Council27a and Directive (EU) 2016/680 of the European Parliament and of the Council28a. Moreovent cross border transfers of data in accordance with Chapter V of Regulation (EU) 2016/679 from taking place, Directive (EU) 2016/680 of the European Parliament and of the Council (28 ),r, certain sectors of the economy are already regulated by sector-specific Union law that include rules relating to cross-border or Union wide sharing or access to data26 . This Regulation is therefore without prejudice to Directive (EU) 2016/943 of the European Parliament and of the Council (29 ), Regulation (EU) 2018/1807 of the European Parliament and of the Council (30 ), Regulation (EC) No 223/2009 of the European Parliament and of the Council (31 ), Directive 2000/31/EC of the European Parliament and of the Council (32 ), Directive 2001/29/EC of the European Parliament and of the Council (33 ), Directive (EU) 2019/790 of the European Parliament and of the Council (34 ), Directive 2004/48/EC of the European Parliament and of the Council (35 ), Directive (EU) 2019/1024 of the European Parliament and of the Council (36 ), as well as Regulation 2018/858/EU of the European Parliament and of the Council (37 ), Directive 2010/40/EU of the European Parliament and of the Council (38 ) and Delegated Regulations adopted on its basis, and any other sector-specific Union legislation that organises the access to and re-use of data. This Regulation should be without prejudice to the access and use of data for the purpose of international cooperation in the context of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. A horizontal regime for the re-use of certain categories of protected data held by public sector bodies, the provision of data sharing services and of services based on data altruism in the Union should be established. Specific characteristics of different sectors may require the design of sectoral data-based systems, while building on the requirements of this Regulation. Where a sector-specific Union legal act requires public sector bodies, providers of data sharing services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act should also apply. _________________ 25 See: Annexes to the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Commission Work Programme 2021 (COM(2020) 690 final). 26For example, Directive 2011/24/EU in the context of the European Health Data Space, and relevant transport legislation such as Directive 2010/40/EU, Regulation 2019/1239 and Regulation (EU) 2020/1056, in the context of the European Mobility Data Space. 276aRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (OJ L 119, 4.5.2016, p.1) 287aDirective 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201,31.7.2002, p. 37). 28a Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. (OJ L 119, 4.5.2016, p.89) 29Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. (OJ L 157, 15.6.2016, p.1) 30 Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union. (OJ L 303, 28.11.2018, p. 59) 31Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities. (OJ L 87, 31.03.2009, p. 164) 32Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000, on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce). (OJ L 178, 17.07.2000, p. 1) 33Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society. (OJ L 167, 22.6.2001, p. 10) 34 Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC. (OJ L 130, 17.5.2019, p. 92) 35Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights. (OJ L 157, 30.4.2004). 36Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information. (OJ L 172, 26.6.2019, p. 56). 37 Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018). 38 Directive 2010/40/EU of the European Parliament and of the Council of 7 July 2010 on the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of transport. (OJ L 207, 6.8.2010, p. 1)
Amendment 168 #
Proposal for a regulation
Recital 4
Recital 4
(4) Action at Union level is necessary in order to foster trust in data sharing, address the barriers to a well- functioning data-driven economy and to create a Union-wide governance framework for data access and use, in particular regarding the re-use of certain types of data held by the public sector, the provision of services by data sharing providers to business users and to data subjects, as well as the collection and processing of data made available for altruistic purposes by natural and legal persons.
Amendment 170 #
Proposal for a regulation
Recital 5
Recital 5
(5) The idea that data that has been generated at the expense of public budgets should benefit society has been part of Union policy for a long time. Directive (EU) 2019/1024 as well as sector-specific legislation ensure that the public sector makes more of the data it produces or holds easily available for use and re-use. However, certain categories of data (commercially confidential data, data subject to statistical confidentiality, data protected by intellectual property rights of third parties, including trade secrets and personal data not accessible on the basis of specific national or Union legislation, such asin public databases is often not made available despite this being possible in accordance with the applicable Union law, notably Regulation (EU) 2016/679 and, Directive (EU) 201602/680) in public databases is often not made available and Directive (EU) 2002/58, not even for research or innovativeon activities. Due to the sensitivity of this data, certain technical and legal procedural requirements must be met before they are made available, not at last in order to ensure the respect of rights others have over such data. Such requirements are usually time- and knowledge-intensive to fulfil. This has led to the underutilisation of such data. While some Member States are setting up structures, processes and sometimes legislate to facilitate this type of re-use, this is not the case across the Union.
Amendment 174 #
Proposal for a regulation
Recital 6
Recital 6
(6) There are techniques enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression and, randomisation. A or other state- of-the-art privacy preserving methods. The application of these privacy-enhancing technologiiques, together with other comprehensive data protection approachesafeguards should ensure the safe re-use of personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place andand subject to supervisedion by the public sector body. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39 ). In general, insofar as personal data are concerned, this Regulation should not be read as creating a new legal basis for processing of such data. The processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 and 9 of Regulation (EU) 2016/679. _________________ 39Commission Regulation (EU) 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Amendment 178 #
Proposal for a regulation
Recital 11
Recital 11
(11) Conditions for re-use of protected data that apply to public sector bodies competent under national law to allow re- use, and which should be without prejudice to rights or obligations concerning access to such data provided in Union or national law, should be laid down. Those conditions should be non-discriminatory, proportionate and objectively justified, while not restricting competition. In particular, public sector bodies allowing re- use should have in place the technical means necessary to ensure the protection of rights and interests of third parties. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of others in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate effortburden for the public sector. Depending on the case at hand, before its transmission, personal data should be fully anonymised, so as to definitively not allow the identification of the data subjects, or data containing commercially confidential information modified in such a way that no confidential information is disclosed. Where the provision of anonymised or modified data would not respond to the needs of the re-user, on- premise or remote re-use of the data within a secure processing environment could be permitted. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of others. In particular, personal data should only be transmitted for re-use to a third party where a legal basis allows such transmission. In the event of any data breach resulting in the re-identification of the individuals concerned the re-users should report the breach to the competent supervisory authority in accordance with Regulation (EU) 2016/679 and inform the public sector body. The public sector body could make the use of such secure processing environment conditional on the signature by the re-user of a confidentiality agreement that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place. The public sector bodies, where relevant, should facilitate the re-use of data on the basis of consent of data subjects or permissions of legal persons onn the re-use of data pertaining to them or permissions of data holders to allow the re-use of data pertaining to themtheir non-personal data through adequate technical means. In this respect, the public sector body should support potential re-users in seeking such consent or permission by establishing technical mechanisms that permit transmitting requests for consent or permission from re-users, where practically feasible. No contact information should be given that allows re-users to contact data subjects or companies directly. data holders directly. When transmitting the request for consent or permission, the public sector body should ensure that the data subject or data holder, as appropriate, is informed of the possibility to refuse such request.
Amendment 189 #
Proposal for a regulation
Recital 21
Recital 21
(21) In order to incentivise the re-use of these categories of data, Member States should establish a single information point to act as the primary interface for re-users that seek to re-use such data held by the public sector bodies. It should have a cross-sector remit, and should complement, if necessary, arrangements at the sectoral level. In addition, Member States should designate, establish or facilitate the establishment of competent bodies to support the activities of public sector bodies allowing re-use of certain categories of protected data. Their tasks may include granting access to data, where mandated in sectoral Union or Member States legislation. Those competent bodies should provide support to public sector bodies with state-of-the-art techniques, including secure data processing environments, which allow data analysis in a manner that preserves the privacy of the information. Such support structure could support the data holders with management of the consent, including consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data processing should be performed under the responsibility of the public sector body responsible for the register containing the data, who remains a data controller in the sense of Regulation (EU) 2016/679 insofar as personal data are concerned. Member States may have in place one or several competent bodies, which could act in different sectors while fully respecting the powers of supervisory authorities under Regulation (EU) 2016/679.
Amendment 192 #
Proposal for a regulation
Recital 23
Recital 23
(23) A specific category of data intermediaries includes providers of data sharing services that offer their services to data subjects in the sense of Regulation (EU) 2016/679. Such providers focus exclusively on personal data and seek to enhance individual agency and the individuals’ control over the data pertainrelating to them. They would assist individuals in exercising their rights under Regulation (EU) 2016/679, in particular managing their consent to data processing, the right of access to their own data, the right to the rectification of inaccurate personal data, the right of erasure or right ‘to be forgotten’, the right to restrict processing and the data portability right, which allows data subjects to move their personal data from one controller to the other. In this context, it is important that their business model ensures that there are no misaligned incentives that encourage individuals to make more data available for processing than what is in the individuals’ own interest. This could include advising individuals on uses of their data they could allow and making due diligence checks on data users before allowing them to contact data subjects, in order to avoid fraudulent practices. In certain situations, it could be desirable to collate actual data within a personal data storage space, or ‘personal data space’ so that processing can happen within that space without personal data being transmitted to third parties in order to maximise the protection of personal data and privacy.
Amendment 198 #
Proposal for a regulation
Recital 28
Recital 28
(28) This Regulation should be without prejudice to the obligation of providers of data sharing services to comply with Regulation (EU) 2016/679 and the responsibility of supervisory authorities to ensure compliance with that Regulation. Where the data sharing service providers are data controllers or processors in the sense of Regulation (EU) 2016/679 they are bound by the rules of that Regulation. This Regulation should not affect the protection of personal data under Regulation (EU) 2016/679. This Regulation should be also without prejudice to the application of competition law.
Amendment 211 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
Article 1 – paragraph 2 a (new)
(2 a) This Regulation is without prejudice to Union and national law as regards the processing of personal data, in particular Regulation (EU) 2016/679 of the European Parliament and the Council(52a) and Directive 2002/58/EC of the European Commission and the Council (53a) and the corresponding provisions in national law. This Regulation does not create a legal basis for the processing of personal data. In the case of conflict between the provisions of this Regulation and Union law on the protection of personal data the latter shall prevail. _________________ 52aRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (OJ L 119, 4.5.2016, p.1) 53aDirective 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
Amendment 218 #
Proposal for a regulation
Article 2 – paragraph 1 – point 2 a (new)
Article 2 – paragraph 1 – point 2 a (new)
(2 a) ‘personal data’ means data as defined in point (1) ofArticle 4 of Regulation (EU) 2016/679;
Amendment 229 #
Proposal for a regulation
Article 2 – paragraph 1 – point 4 a (new)
Article 2 – paragraph 1 – point 4 a (new)
(4 a) ‘data subject’ means a natural person as referred in point (1) of Article 4 of Regulation (EU) 2016/679;
Amendment 233 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6 a (new)
Article 2 – paragraph 1 – point 6 a (new)
(6 a) ‘consent’ means agreement to data processing as defined in point (1) of Article 4 of Regulation (EU) 2016/679;
Amendment 238 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7 a (new)
Article 2 – paragraph 1 – point 7 a (new)
(7 a) ‘processing’ means any operation or set of operations as defined in point (2) of Article 4 of Regulation (EU)2016/679;
Amendment 240 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘data altruism’ means the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non-personal data without seekvoluntary sharing of data by data holders or the consent to data sharing by data subjects without seeking or receiving a reward, for purposes of general interest, such as scientific research purposes, policy making or improving public services;
Amendment 242 #
Proposal for a regulation
Article 2 – paragraph 1 – point 14
Article 2 – paragraph 1 – point 14
(14) ‘secure processing environment’ means the physical or virtual environment and organisational means to provide the opportunity to re-use data in a manner that ensures compliance with applicable legislation, in particular the preservation of data subject rights under Regulation (EU) 2016/679, and that allows for the operator of the secure processing environment to determine and supervise all data processing actions, including to display, storage, download, export of the data and calculation of derivative data through computational algorithms.
Amendment 250 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
(3) Public sector bodies shall comply with the obligations under Union law for preserving the protection of data. To this end, public sector bodies may impose an obligation to re-use only pre-processed data where such pre-processing aims tothat has been anonymizesed or pseudonymised in the case of personal data , or delete commercially confidential information, including trade secrets.
Amendment 257 #
Proposal for a regulation
Article 5 – paragraph 5 a (new)
Article 5 – paragraph 5 a (new)
(5 a) The re-identification of any data subjects by re-users shall be prohibited. The re-users shall be obliged to assess on an on-going basis the risk of re- identification and to report any data breach resulting in the re-identification of the individuals concerned to the competent supervisory authority in accordance with Regulation (EU) 2016/679 and the public sector body.
Amendment 266 #
Proposal for a regulation
Article 5 – paragraph 6
Article 5 – paragraph 6
(6) Where the re-use of data cannot be granted in accordance with the obligations laid down in paragraphs 3 to 5 and there is no other legal basis for transmitting the data under Regulation (EU) 2016/679, the public sector body shall support re-users in seeking consent of the data subjects and/or permission from the legal entitiedata holders whose rights and interests may be affected by such re- use, where it is feasible without disproportionate cost for the public sector. In that task they may be assisted by the competent bodies referred to in Article 7 (1).
Amendment 290 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
(2) This ChapterRegulation shall be without prejudice to the application of other Union and national law to providers of data sharing services, including powers of supervisory authorities to ensure compliance with applicable law, in particular as regard the protection of personal data and competition law.
Amendment 318 #
Proposal for a regulation
Article 11 – paragraph 1 – point 11
Article 11 – paragraph 1 – point 11
(11) where a provider provides tools for obtaining consent from data subjects or permissions to process data made available by legal personsdata holders , it shall specify the jurisdiction or jurisdictions in which the data use is intended to take place and provide data subjects with tools to withdraw consent.
Amendment 320 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
(1) Each Member State shall designate in its territory one or more authorities competent to carry out the tasks related to the notification framework and shall communicate to the Commission the identitynames of those designated authorities by [date of application of this Regulation]. It shall also communicate to the Commission any subsequent modification.
Amendment 324 #
Proposal for a regulation
Article 12 – paragraph 3 a (new)
Article 12 – paragraph 3 a (new)
(3 a) The competent authorities shall undertake their tasks in cooperation with the data protection authority, where such tasks are related to processing of personal data, and with relevant sectoral bodies of the same Member State.
Amendment 326 #
Proposal for a regulation
Article 13 – paragraph 2
Article 13 – paragraph 2
(2) The competent authority shall have the power to request from providers of data sharing services all the information that is necessary to verify compliance with the requirements laid down in Articles 10 and 11this Chapter. Any request for information shall be proportionate to the performance of the task and shall be reasoned.
Amendment 328 #
Proposal for a regulation
Article 13 – paragraph 3
Article 13 – paragraph 3
(3) Where the competent authority finds that a provider of data sharing services does not comply with one or more of the requirements laid down in Article 10 or 11this Chapter, it shall notify that provider of those findings and give it the opportunity to state its views, within a reasonable time limit.
Amendment 363 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
(2) Each Member State shall inform the Commission of the identityname of the designated authorities.
Amendment 364 #
Proposal for a regulation
Article 20 – paragraph 3
Article 20 – paragraph 3
(3) The competent authorityies shall undertake itstheir tasks in cooperation with the data protection authority, where such tasks are related to processing of personal data, and with relevant sectoral bodies of the same Member State. For any question requiring an assessment of compliance with Regulation (EU) 2016/679, the competent authority shall first seek an opinion or decision by the competent supervisory authority established pursuant to that Regulation and comply with that opinion or decision.
Amendment 366 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
(1) In order to facilitate the collection of data based on data altruism, the Commission may adopt implementing acts developing a European data altruism consent form, following consultation of the European Data Protection Board. The form shall allow the collection of consent across Member States in a uniform format. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 29 (2).