Activities of Dragoş TUDORACHE related to 2020/0340(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act)
Amendments (21)
Amendment 172 #
Proposal for a regulation
Recital 6
Recital 6
(6) There are techniques enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression and randomisation. Member States should provide support to public sector bodies to optimise data collection and data generation so as to make optimal use of such techniques, thus making as much data possible available for sharing. Application of these privacy-enhancing technologies, together with comprehensive data protection approaches should ensure the safe re-use of personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place and supervised by the public sector. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39 ). In general, insofar as personal data are concerned, the processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 of Regulation (EU) 2016/679. _________________ 39Commission Regulation (EU) 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Amendment 183 #
Proposal for a regulation
Recital 18
Recital 18
(18) In order to prevent unlawful access to non-personal data, public sector bodies, natural or legal persons to which the right to re-use data was granted, data sharing providers and entities entered in the register of recognised data altruism organisations should take all reasonable measures to preventensure a high level of cybersecurity that is minimally proportional to the sensitivity of the data they process and to prevent unauthorised access to the systems where non-personal data is stored, including encryption of data or corporate policies.
Amendment 187 #
Proposal for a regulation
Recital 21
Recital 21
(21) In order to incentivise the re-use of these categories of data, Member States should establish a single information point to act as the primary interface for re-users that seek to re-use such data held by the public sector bodies. IThe single information point should seek to present relevant information on data held by public sector bodies in two additional wide-circulation European languages, in order to stimulate cross-border data re- use within the EU. The Commission should collect and make public and easily accessible information about all Member States’ single information points. The single information point should have a cross-sector remit, and should complement, if necessary, arrangements at the sectoral level. In addition, Member States should designate, establish or facilitate the establishment of competent bodies to support the activities of public sector bodies allowing re-use of certain categories of protected data. Their tasks may include granting access to data, where mandated in sectoral Union or Member States legislation. Those competent bodies should provide support to public sector bodies with state-of-the-art techniques, including secure data processing environments, which allow data analysis in a manner that preserves the privacy of the information. Such support structure could support the data holders with management of the consent, including consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data processing should be performed under the responsibility of the public sector body responsible for the register containing the data, who remains a data controller in the sense of Regulation (EU) 2016/679 insofar as personal data are concerned. Member States may have in place one or several competent bodies, which could act in different sectors.
Amendment 199 #
Proposal for a regulation
Recital 35
Recital 35
(35) There is a strong potential in the use of data made available voluntarily by data subjects based on their consent or, where it concerns non-personal data, made available by legal persons, for purposes of general interest. Such purposes would include healthcare, combating climate change, improving mobility, improving education, facilitating the establishment of official statistics or improving the provision of public services. Support to scientific research, including for example technological development and demonstration, fundamental research, applied research and privately funded research, should also be considered as well purposes of general interest. This Regulation aims at contributing to the emergence of pools of interoperable data made available on the basis of data altruism that have a sufficient size in order to enable data analytics and machine learning, including across borders in the Union.
Amendment 202 #
Proposal for a regulation
Recital 36
Recital 36
(36) Legal entities that seek to support purposes of general interest by making available relevant data based on data altruism at scale and meet certain requirements, should be able to register as ‘Data Altruism Organisations recognised in the Union’. This could lead to the establishment of data repositories. As registration in a Member State would be valid across the Union, and this should facilitate cross-border data use within the Union and the emergence of data pools covering several Member States. Data subjects in this respect would consent to specific purposes of data processing, but could also consent to data processing in certain areas of research or parts of research projects as it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. This should be done without prejudice to and in accordance with Regulation (EU) 2016/679. Legal persons could give permission to the processing of their non- personal data for a range of purposes not defined at the moment of giving the permission. The voluntary compliance of such registered entities with a set of requirements should bring trust that the data made available on altruistic purposes is serving a general interest purpose. Such trust should result in particular from a place of establishment within the Union, as well as from the requirement that registered entities have a not-for-profit character, from transparency requirements and from specific safeguards in place to protect rights and interests of data subjects and companies. Further safeguards should include making it possible to process relevant data within a secure processing environment operated by the registered entity, oversight mechanisms such as ethics councils or boards to ensure that the data controller maintains high standards of scientific ethics, effective technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under Regulation (EU) 2016/679 as well as means for data subjects to stay informed about the use of data they made available.
Amendment 206 #
Proposal for a regulation
Recital 40
Recital 40
(40) In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group. The Board should consist of representatives of the Member States, the Commission and representatives of relevant data spaces and specific sectors (such as health, agriculture, transport and statistics). The European Data Protection Board should be invited to appoint a representative to the European Data Innovation Board. , the EU-level coordination board of supervisory authorities for artificial intelligence1a ,and the cybersecurity Cooperation Group 2a should be invited to appoint a representative to the European Data Innovation Board. _________________ 1a“European Artificial Intelligence Board” in the Proposal for a regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) and amending certain union legislative acts 2aAs established in Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union
Amendment 259 #
Proposal for a regulation
Article 5 – paragraph 5 a (new)
Article 5 – paragraph 5 a (new)
(5 a) Public sector bodies shall ensure the re-use of data is in full compliance with Regulation (EU) 2016/679.
Amendment 261 #
Proposal for a regulation
Article 5 – paragraph 5 b (new)
Article 5 – paragraph 5 b (new)
(5 b) Public sector bodies shall ensure that data protection impact assessments required by Regulation (EU) 2016/679 for sharing anonymised data are duly conducted;
Amendment 267 #
Proposal for a regulation
Article 5 – paragraph 6 a (new)
Article 5 – paragraph 6 a (new)
(6 a) Where public sector bodies make available personal data for re-use pursuant to this Article, they shall do so in full compliance with Regulation(EU) 2016/679.
Amendment 274 #
Proposal for a regulation
Article 5 – paragraph 13
Article 5 – paragraph 13
(13) Where the re-user intends to transfer non-personal data to a third country, the public sector body shall inform the data holder about the intention to transfer ofthat data to that third country.
Amendment 279 #
Proposal for a regulation
Article 7 – paragraph 2 – point c a (new)
Article 7 – paragraph 2 – point c a (new)
(c a) assisting public sector bodies, where relevant, with formatting data for ensuring a higher level of interoperability with other data available for re-use, according to EU interoperability standards and without prejudice to the data itself or to Union law;
Amendment 280 #
Proposal for a regulation
Article 8 – paragraph 2
Article 8 – paragraph 2
(2) The single information point shall receive requests for the re-use of the categories of data referred to in Article 3 (1) and shall transmit them to the competent public sector bodies, or the competent bodies referred to in Article 7 (1), where relevant. The single information point shall make available by electronic means a register of available data resources containing relevant information describing the nature of available data. To stimulate cross-border data re-use within the EU, Member States shall ensure that the information on available data resources is presented in two additional wide- circulation EU languages.
Amendment 281 #
Proposal for a regulation
Article 8 – paragraph 2 a (new)
Article 8 – paragraph 2 a (new)
(2 a) The Commission shall collect and make public and easily accessible information about all Member States’ single information points.
Amendment 287 #
Proposal for a regulation
Article 9 – paragraph 1 – point b
Article 9 – paragraph 1 – point b
(b) intermediation services between data subjects that seek to make their personal data available and potential data users, including making available the technical or other means to enable such services, in the exercise of the rights provided in Regulation (EU) 2016/679; the data sharing services shall not themselves process personal data;
Amendment 297 #
Proposal for a regulation
Article 10 – paragraph 6 – point f
Article 10 – paragraph 6 – point f
(f) a description of the service or services the provider intends to provide and a declaration of compliance with Regulation (EU) 2016/679 when the data sharing service involves personal data;
Amendment 314 #
Proposal for a regulation
Article 11 – paragraph 1 – point 9 a (new)
Article 11 – paragraph 1 – point 9 a (new)
(9 a) the provider shall have procedures in place to ensure compliance with the Union and national rules on the protection of personal data;
Amendment 321 #
Proposal for a regulation
Article 12 – paragraph 3
Article 12 – paragraph 3
(3) The designated competent authorities, the data protection authorities, the national supervisory authorities for artificial intelligence, the national competition authorities, the national authorities in charge of cybersecurity, and other relevant sectorial authorities shall exchange the information which is necessary for the exercise of their tasks in relation to data sharing providers. Particular attention shall be dedicated to ensuring compliance with the provisions of Regulation (EU) 2016/679 and with Union law.
Amendment 340 #
Proposal for a regulation
Article 16 – paragraph 1 – point c a (new)
Article 16 – paragraph 1 – point c a (new)
(c a) have procedures in place that ensure compliance with the Union and national rules on the protection of personal data.
Amendment 355 #
Proposal for a regulation
Article 19 – paragraph 2 a (new)
Article 19 – paragraph 2 a (new)
(2 a) The entity shall also ensure that data processing is conducted according to the provisions of Regulation (EU) 2016/679.
Amendment 362 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
(1) Each Member State shall designate one or more competent authorities responsible for the publicly-available register of recognised data altruism organisations and for the monitoring of compliance with the requirements of this Chapter. The designated competent authorities shall meet the requirements of Article 23.
Amendment 369 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
(1) The Commission shall establish a European Data Innovation Board (“the Board”) in the form of an Expert Group, consisting of the representatives of competent authorities of all the Member States, the European Data Protection Board, the EU-level coordination board of supervisory authorities for artificial intelligence, the cybersecurity Cooperation Group, the Commission, and relevant data spaces and other representatives of competent authorities in specific sectors.