Activities of Elena KOUNTOURA related to 2022/0047(COD)
Plenary speeches (1)
Data Act (debate)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)
Amendments (102)
Amendment 98 #
Proposal for a regulation
Recital 1
Recital 1
(1) In recent years, data-driven technologies have had transformative effects on all sectors of the economy. The proliferation in products connected to the Internet of Things in particular has increased the volume and potential value of data, as well as potential risks related to data for consumers, businesses and society. High quality and interoperable data from different domains has the potential to increase competitiveness and innovation and ensure sustainable economic growth. The same dataset may potentially be used and reused for a variety of purposes and to an unlimited degree, without any loss in its quality or quantity.
Amendment 104 #
Proposal for a regulation
Recital 4
Recital 4
(4) In order to respond to the needs of the digital economytransition and digital economy, protect consumers and to remove unjustified barriers to a well-functioning internal market for data, it is necessary to lay down a harmonised framework specifying who, other than the manufacturer or other data holder is entitled to access the data generated by products or related services, under which conditions and on what basis. Accordingly, Member States should not adopt or maintain additional national requirements on those matters falling within the scope of this Regulation, unless explicitly provided for in this Regulation, since this would affect the direct and uniform application of this Regulation.
Amendment 108 #
Proposal for a regulation
Recital 5
Recital 5
(5) This Regulation ensures that users of a product or related service in the Union, including data subjects can access, in a timely manner, the data generated by the use of that product or related service and that those users can use the data, including by sharing them with third parties and for the purposes of their choice. It imposes the obligation on the data holder to make data available to users and third parties nominated by the users in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and in a transparent manner. Private law rules are key in the overall framework of data sharing. Therefore, this Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair data access and use for micro, small or medium-sized enterprises within the meaning of Recommendation 2003/361/EC. This Regulation also ensures that data holders make available to public sector bodies of the Member States and to Union institutions, agencies or bodies, where there is an exceptional need, the data that are necessary for the performance of tasks carried out in the public interest. In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and data sharing mechanisms and services in the Union. This Regulation should not be interpreted as recognising or creating any legal basis for the data holder to hold, have access to or process data, or as conferring any new right on the data holder to use data generated by the use of a product or related service. Instead, it takes as its starting point the control that the data holduser effectively enjoys, de facto orand de jure, over data generated by products or related services.
Amendment 116 #
Proposal for a regulation
Recital 7
Recital 7
(7) The fundamental right to the protection of personal data is safeguarded in particular under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. Directive 2002/58/EC additionally protects private life and the confidentiality of communications, including providing conditions to any personal and non- personal data storing in and access from terminal equipment. These instruments provide the basis for sustainable and responsible data processing, including where datasets include a mix of personal and non-personal data. This Regulation complements and is without prejudice to Union law on data protection and privacy, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC. No provision of this Regulation should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications. This Regulation should not be read as creating a new legal basis for the processing of personal data for any of the regulated activities, or as amending the information requirements laid down in Regulation (EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data should prevail.
Amendment 119 #
Proposal for a regulation
Recital 8
Recital 8
(8) The principles of data minimisation and privacy and data protection by design and by default are essential whenas processing involvescan lead to significant risks to the fundamental rights of individuals. Taking into account the state of the art, all parties to data sharing, including where within scope of this Regulation, should implement technical and organisational measures to protect these rights. Such measures include not only pseudonymisation and encryption, but also the use of increasingly available technology that permits algorithms to be brought to the data and allow valuable insights to be derived without the transmission between parties or unnecessary copying of the raw or structured data themselveseffectively protect and facilitate the exercise of data subjects' rights. Such measures include not only deletion and anonymisation where possible, and aggregation and pseudonymisation where the aforementioned are not possible to fulfil the purposes of the processing, as well as and encryption.
Amendment 129 #
Proposal for a regulation
Recital 14
Recital 14
(14) Physical products that obtain, generate or collect, by means of their components or operating system, data concerning their performance, use or environment and that are able to communicate that data via a publicly available electronic communications service (often referred to as the Internet of Things) should be covered by this Regulation. Electronic communications services include land- based telephone networks, television cable networks, satellite-based networks and near-field communication networks. Such products may include vehicles, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery. The data represent the digitalisation of user actions and events and should accordingly be accessible to the user, while information derived or inferred from this data, where lawfully held, should not be considered within scope of this Regulation, with the exception of prototypes or unless that data are lawfully processed using the product’s own computing capacity. Such data are potentially valuable to the user and support innovation and the development of digital and other services protecting the environment, health and the circular economy, in particular though facilitating the maintenance and repair of the products in question. This Regulation applies to products placed on the market in the Union and thus does not apply to products in development stage such as prototypes.
Amendment 147 #
Proposal for a regulation
Recital 17
Recital 17
(17) Data generated by the use of a product or related service include data recorded intentionally by the user. Such data include also data generated as a by- product of the user’s action, such as diagnostics data, and without any action by the user, such as when the product is in ‘standby mode’, and data recorded during periods when the product is switched off. Such data should include data in the form and format in which they are generated by the product, but not pertain to data resulting from any software process that calculates derivative data from such data as such software process may be subject to intellectual property rightsincluding data processed using the product’s own computing capacity.
Amendment 155 #
Proposal for a regulation
Recital 18
Recital 18
(18) The user of a product should be understood as the legal or natural person, such as a business or consumer, as well as a public sector body which has purchased, rented or leased the product or receives a related service, or a natural person that uses a product or receives a related service, without necessarily having subscribed to this service. Depending on the legal title under which he uses it, such a user bears the risks and enjoys the benefits of using the connected product and should enjoy also the access to the data it generates. The user should therefore be entitled to derive benefit from data generated by that product and any related service. In the context of multiple users, each user may contribute in a different manner to the data generation and can have an interest in several forms of use.
Amendment 165 #
Proposal for a regulation
Recital 20
Recital 20
(20) In case several persons or entities own or use a product or are party to a lease or rent agreement and benefit from access to a related service, reasonable efforts should be made in the design of the product or related service or the relevant interface so that all persons using the product can have access to data they generate. Users of pProducts that generate data typicaldo not necessarily require a user account to be set up. Thisose that do should allows for identification of the user by the manufacturer as well as a means to communicate to exercise and process data access requests. Manufacturers or designers of a product that is typically used by several persons should put in place the necessary mechanism that allow separate user accounts for individual persons, where relevant, or the possibility for several persons to use the same user account. Account solutions should allow a user to delete their account and the data related to it, in particular taking into account situations when the ownership or the usage of the product changes. Access should be granted to the user upon simple request mechanisms granting automatic execution, not requiring examination or clearance by the manufacturer or data holder. This means that data should only be made available when the user actually wants this. Where automated execution of the data access request is not possible, for instance, via a user account or accompanying mobile application provided with the product or service, the manufacturer shouldor the data holder should duly justify why and immediately inform the user how the data may be accessed swiftly and no later than in one day.
Amendment 195 #
Proposal for a regulation
Recital 27
Recital 27
(27) The data holder may require appropriate user identification or authentication to verify the user’s entitlement to access the data. In the case of personal data processed by a processor on behalf of the controller, the data holder should ensure that the access request is received and handled by the processor.
Amendment 199 #
Proposal for a regulation
Recital 28
Recital 28
(28) The user should be free to use the data for any lawful purpose. This includes providing the data the user has received, in full compliance with this Regulation and any other Union and national related legislation. This includes exercising the right of the user under this Regulation to a third partyshare data with a third party of the user’s choice offering an aftermarket service that may be in competition with a service provided by the data holder, or to instruct the data holder to do so. TIn order to comply with the user’s request, the data holder should ensure that the data made available to the third party is as accurate, complete, reliable, relevant and up-to-date as the data the data holder itself may be able or entitled to access from the use of the product or related service. Any trade secrets or intellectual property rights should be respected in handling the data. It is important to preserve incentives to invest in products with functionalities based on the use of data from sensors built into that product. The aim of this Regulation should accordingly be understood as to foster the development of new, innovative products or related services, stimulate innovation on aftermarkets, but also stimulate the development of entirely novel services making use of the data, including based on data from a variety of products or related services. At the same time, it aims to avoid undermining the investment incentives for the type of product from which the data are obtained, for instance, by the use of data to develop a competing product.
Amendment 206 #
Proposal for a regulation
Recital 28 a (new)
Recital 28 a (new)
(28 a) As regards the protection of trade secrets, this Regulation should be interpreted in a manner to preserve the protection awarded to trade secrets under Directive (EU) 2016/943. For this reason, data holders can require the user or third parties of the user’s choice to preserve the secrecy of data considered as trade secrets, including through technical means. Also, the data holders can require that the confidentiality of a disclosure must be ensured by the user and any third party of the user's choice. Data holders, however, cannot refuse a data access request under this Regulation on the basis of certain data considered as trade secrets, as this would undo the intended effects of this Regulation. The aim of this Regulation should accordingly be understood as to foster the development of new, innovative products or related services, stimulate innovation on aftermarkets, but also stimulate the development of entirely novel services making use of the data, including based on data from a variety of products or related services. At the same time, it aims to avoid undermining the investment incentives for the type of product from which the data are obtained, for instance, by the use of data to develop a competing product. This Regulation provides for no prohibition to develop a related service as this would have a chilling effect on innovation.
Amendment 213 #
Proposal for a regulation
Recital 30 a (new)
Recital 30 a (new)
(30 a) The data holder shall ensure that it is not unduly difficult for the users to exercise their rights and make their choices by not offering choices to the users in a non-neutral manner, or coercing, deceiving or manipulating the user in any way, or subverting or impairing the autonomy, decision-making or free choices of the user, including by means of a digital interface or a part thereof, including its structure, design, function or manner of operation.
Amendment 216 #
Proposal for a regulation
Recital 31
Recital 31
(31) Data generated by the use of a product or related service should only be made available to a third party at the request of the user. This Regulation accordingly complements the right provided under Article 20 of Regulation (EU) 2016/679. That Article provides for a right of data subjects to receive personal data concerning them in a structured, commonly used and machine-readable format, and to port those data to other controllers, where those data are processed on the basis of Article 6(1), point (a), or Article 9(2), point (a), or of a contract pursuant to Article 6(1), point (b). Data subjects also have the right to have the personal data transmitted directly from one controller to another, but only where technically feasible. Article 20 specifies that it pertains to data provided by the data subject but does not specify whether this necessitates active behaviour on the side of the data subject or whether it also applies to situations where a product or related service by its design observes the behaviour of a data subject or other information in relation to a data subject in a passive manner. The right under this Regulation complements the right to receive and port personal data under Article 20 of Regulation (EU) 2016/679 in several ways. It grants users the right to access and make available to a third party to any data generated by the use of a product or related service, irrespective of its nature as personal data, of the distinction between actively provided or passively observed data, and irrespective of the legal basis of processing. Unlike the technical obligations provided for in Article 20 of Regulation (EU) 2016/679, this Regulation mandates and ensures the technical feasibility of third party access for all types of data coming within its scope, whether personal or non-personal. This Regulation also allows direct data sharing from users to third parties. This Regulation precludes the data holder or the third party from directly or indirectly charging consumers or data subjects a fee, compensation or costs for sharing data or for accessing it. This Regulation does not directly or indirectly incentivise the commercialisation or trade of personal data. It also allows the data holder to set reasonable compensation to be met by third parties, but not by the user, for any cost incurred in providing direct access to the data generated by the user’s product. If a data holder and third party are unable to agree terms for such direct access, the data subject should be in no way prevented from exercising the rights contained in this Regulation or Regulation (EU) 2016/679, including the right to data portability, by seeking remedies in accordance with bothat Regulation. It is to be understood in this context that, in accordance with Regulation (EU) 2016/679, a contractual agreement does not allow for the processing of special categories of personal data by the data holder or the third party.
Amendment 255 #
Proposal for a regulation
Recital 43
Recital 43
(43) In justified cases, including the need to safeguard consumer participation and competition or to promote innovation in certain markets, Union law or national legislation implementing Union law may impose regulated compenThis Regulation does not directly or indirectly incentivise the commercialisation for making available specific data typestrade of personal data.
Amendment 272 #
(51) Where one party is in a stronger bargaining position, there is a risk that that party could leverage such position to the detriment of the other contracting party when negotiating access to data and make access to data commercially less viable and sometimes economically prohibitive. Such contractual imbalances particularly harm users and micro, small and medium-sized enterprises without a meaningful ability to negotiate the conditions for access to data, who may have no other choice than to accept ‘take- it-or-leave-it’ contractual terms. Therefore, unfair contract terms regulating the access to and use of data or the liability and remedies for the breach or the termination of data related obligations should not be binding on micro, small or medium-sized enterprises when they have been unilaterally imposed on them.
Amendment 280 #
Proposal for a regulation
Recital 56
Recital 56
(56) In situations of exceptional need, it may be necessary for public sector bodies or Union institutions, agencies or bodies in the performance of their statutory duties in the public interest to use data held by an enterprise as a data holder to respond to public emergencies or in other exceptional cases. Research-performing organisations and research-funding organisations could also be organised as public sector bodies or bodies governed by public law. The principles of purpose limitation, and transparency, accountability and non- discrimination, as well as other principles of data protection law should also apply to business-to-government data sharing. To limit the burden on businesses, micro and small enterprises should be exempted from the obligation to provide public sector bodies and Union institutions, agencies or bodies data in situations of exceptional need.
Amendment 297 #
Proposal for a regulation
Recital 58
Recital 58
(58) An exceptional need may also arise when a public sector body can demonstrate that the data are necessary either to prevent a public emergency, or to assist recovery from a public emergency, in circumstances that are reasonably proximate to the public emergency in question. Where the exceptional need is not justified by the need to respond to, prevent or assist recovery from a public emergency, the public sector body or the Union institution, agency or body should demonstrate that the lack of timely access to and the use of the data requested prevents it from effectively fulfilling a specific task in the public interest that has been explicitly provided in law. Such exceptional needlegitimate general interest that has been explicitly provided in law. Such specific task should aim at addressing a key challenge in order to improve the efficient provision of public services and policy making, in particular on healthcare, climate change, mobility, official statistics, as well as scientific research. It covers inter alia affordable housing, local transport or city planning (including sustainable tourism development), improving infrastructural services (such as energy, waste and water management), or producing reliable and up to date statistics. Those requirements on behalf of general interest are in line with the Data Governance Acta and should be in line with the principles of purpose limitation, and transparency, time limitation, accountability and non- discrimination, as well as other principles of data protection law. Such exceptional need to share data with public entities may also occur in other situations, for example in relation to the timely compilation of official statistics when data is not otherwise available or when the burden on statistical respondents will be considerably reduced. At the same time, the public sector body or the Union institution, agency or body should, outside the case of responding to, preventing or assisting recovery from a public emergency, demonstrate that no alternative means for obtaining the data requested exists and that the data cannot be obtained in a timely manner through the laying down of the necessary data provision obligations in new legislation.
Amendment 305 #
Proposal for a regulation
Recital 61
Recital 61
(61) A proportionate, limited and predictable framework at Union level is necessary for the making available of data by data holders, in cases of exceptional needs, to public sector bodies and to Union institution, agencies or bodies both to ensure legal certainty and to minimise the administrative burdens placed on businesses. To this end, data requests by public sector bodies and by Union institution, agencies and bodies to data holders should be transparent and proportionate in terms of their scope of content and their granularity. The purpose of the request and the intended use of the data requested should be specific and clearly explained, while allowing appropriate flexibility for the requesting entity to perform its tasks in the public interest. The principle of purpose limitation and other principles of data protection law should also apply to situations where the public sector body or EU institution, agency or body shares the data received under this Chapter with third parties to whom they have outsourced any function. The request should also respect the legitimate interests of the businesses to whom the request is made. The burden on data holders should be minimised by obliging requesting entities to respect the once-only principle, which prevents the same data from being requested more than once by more than one public sector body or Union institution, agency or body where those data are needed to respond to a public emergency. To ensure transparency, data requests made by public sector bodies and by Union institutions, agencies or bodies should be made public without undue delay by the entity requesting the data and online public availability of all requests justified by a public emergency should be ensured.
Amendment 321 #
Proposal for a regulation
Recital 66
Recital 66
(66) When reusing data provided by data holders, public sector bodies and Union institutions, agencies or bodies should respect both existing applicable legislation and contractual obligations to which the data holder is subject. Public sector bodies should coordinate their data requests and make every effort to guarantee that businesses are only required to provide the same data once. Where the disclosure of trade secrets of the data holder to public sector bodies or to Union institutions, agencies or bodies is strictly necessary to fulfil the purpose for which the data has been requested, confidentiality of such disclosure should be ensured to the data holder.
Amendment 338 #
Proposal for a regulation
Recital 79
Recital 79
(79) Standardisation and semantic interoperability should play a key role to provide technical solutions to ensure interoperability within the common European data spaces. This Regulation lays down certain essential requirements for interoperability. Data holders, and other operators within the data spaces facilitating or engaging in data sharing within the common European data spaces, should comply with these requirements. In order to facilitate the conformity with the requirements for interoperability, it is necessary to provide for a presumption of conformity for interoperability solutions that meet harmonised standards or parts thereof in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council. The Commission should adopt common specifications in areas where no harmonised standards exist or where they are insufficient in order to further enhance interoperability for the common European data spaces, application programming interfaces, cloud switching as well as smart contracts. Additionally, common specifications in the different sectors could remain to be adopted, in accordance with Union or national sectoral law, based on the specific needs of those sectors. Reusable data structures and models (in form of core vocabularies), ontologies, metadata application profile, reference data in the form of core vocabulary, taxonomies, code lists, authority tables, thesauri should also be part of the technical specifications for semantic interoperability. Furthermore, the Commission in consultation with the European Data Innovation Board should be enabled to mandate the development of harmonised standards for the interoperability of data processing services.
Amendment 344 #
Proposal for a regulation
Recital 81
Recital 81
(81) In order to ensure the efficient implementation of this Regulation, Member States should designate one or more competent authorities with sufficient resources. If a Member State designates more than one competent authority, it should also designate a coordinating competent authority. Competent authorities should cooperate with each other effectively and in a timely manner, in line with the principles of good administration and mutual assistance to ensure the effective implementation and enforcement of this Regulation. The authorities responsible for the supervision of compliance with data protection and competent authorities designated under sectoral legislation should have the responsibility for application of this Regulation in their areas of competence. Competent authorities shall cooperate upon request of the authorities within the European Data Protection Board and the European Data Innovation Board.
Amendment 346 #
Proposal for a regulation
Recital 81 a (new)
Recital 81 a (new)
(81 a) In order to further enhance coordination in the enforcement of this Regulation, the European Data Protection Board and the European Data Innovation Board should foster the mutual exchange of information amongst competent authorities as well as advise and assist the Commission in matters falling under this Regulation that fall within their respective competences.
Amendment 355 #
Proposal for a regulation
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Regulation lays down harmonised rules on making data lawfully obtained, collected, or generated by the use of a product or data lawfully obtained, collected, or generated during the provision of a related service available to the data subjects and users of that product or service, on the making data available by data holders upon request by a user or data subject to data recipients, and on the making data available by data holders to public sector bodies or Union institutions, agencies or bodies, where there is an exceptional need, for the performance of a task carried out in the public interest and contractual terms between users and data holder, and users and data recipients:
Amendment 358 #
Proposal for a regulation
Article 1 – paragraph 1 a (new)
Article 1 – paragraph 1 a (new)
1 a. This Regulation covers personal and non-personal data, including the following types of data or in the following contexts: (a) Chapter II applies to data concerning the performance, use and environment of products and related services. (b) Chapter III applies to any private sector data subject to statutory data sharing obligations. (c) Chapter IV applies to any private sector data accessed and used on the basis of contractual agreements between businesses. (d) Chapter V applies to any private sector data with a focus on non-personal data. (e) Chapter VI applies to any data processed by data processing services. (f) Chapter VII applies to any non- personal data held in the Union by providers of data processing services.
Amendment 363 #
Proposal for a regulation
Article 1 – paragraph 2 – point a
Article 1 – paragraph 2 – point a
(a) manufacturers of products and suppliers of related services placed on the market in the Union, irrespective of their place of establishment, and the users of such products or servicesrelated services in the Union;
Amendment 367 #
Proposal for a regulation
Article 1 – paragraph 2 – point b
Article 1 – paragraph 2 – point b
(b) data holders, irrespective of their place of establishment, that make data available to data recipients in the Union;
Amendment 373 #
Proposal for a regulation
Article 1 – paragraph 2 – point e
Article 1 – paragraph 2 – point e
(e) providers of data processing services, irrespective of their place of establishment, offering such services to customers in the Union.
Amendment 377 #
Proposal for a regulation
Article 1 – paragraph 3
Article 1 – paragraph 3
3. Union law and national law on the protection of personal data, privacy and confidentiality of communications and integrity of terminal equipment shall apply to personal data including mixed data sets where personal and non-personal data are inextricably linked, processed in connection with the rights and obligations laid down in this Regulation. This Regulation shall not affect the applicability of Union law on the protection of is without prejudice to specific provisions in other Union legal acts regarding access to or re-use of certain categories of data, or requirements related to processing of personal or non-personal data, in particular Regulations (EU) 2016/679, (EU) 2018/1725, and Directive 2002/58/EC, including the powers and competences of supervisory authorities. Insofar as data subjects are concerned the rights laid down in Chapter II of this Regulation are concerned, and where users are the data subjects of personal data subject to the rights and obligations under that Chapter, theshall complement and particularise the right of data portability under Article 20 of Regulation (EU) 2016/679 and shall not adversely affect data protection rights of others. In the event of conflict between the provisions of this Regulation and Union law or national law on the protection of personal data adopted in accordance with Union law, the relevant Union law on the protection of personal data shall prevail. Insofar the processing of personal data, that is made available to a data recipient pursuant to Article 5 of this Regulation, is restricted in Article 6 of this Regulation, these provisions shall take precedence over Article 6 of Regulation (EU) 2016/679. This Regulation does not create a legal basis for the processing of personal data and no provisions of this Regulation shall complement the right ofould be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data portabilit the right to privacy uander Article 20 of Regulation (EU) 2016/679 confidentiality of communications.
Amendment 381 #
Proposal for a regulation
Article 1 – paragraph 3 a (new)
Article 1 – paragraph 3 a (new)
3 a. This Regulation complements and does not affect the applicability of Union law aiming to promote the interests of consumers and to ensure a high level of consumer protection, to protect their health, safety and economic interests, including Directive 2005/29/EC of the European Parliament and of the Council, Directive 2011/83/EU of the European Parliament and of the Council and Directive 93/13/EEC of the European Parliament and of the Council. No provision in this Regulation should be applied or interpreted in such a way as to diminish or limit a high level of consumer protection.
Amendment 383 #
Proposal for a regulation
Article 1 – paragraph 4
Article 1 – paragraph 4
4. This Regulation does not apply to, nor pre-empt, voluntary arrangements for the exchange of data between private and public entities. This Regulation shall not affect Union and national legal acts providing for the sharing, access and use of data for the purpose of the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal or administrative penalties, including Regulation (EU) 2021/784 of the European Parliament and of the Council72 and the [e-evidence proposals [COM(2018) 225 and 226] once adopted, and international cooperation in that area. This Regulation shall not affect the collection, sharing, access to and use of data under Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing and Regulation (EU) 2015/847 of the European Parliament and of the Council on information accompanying the transfer of funds. This Regulation shall not affect the competences of the Member States regarding activities concerning public security, defence, national security, customs and tax administration and shall be implemented with due consideration to the fundamental rights, the health and safety of citizens in accordance with Union law. _________________ 72 Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79).
Amendment 396 #
(1 a) ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 400 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 b (new)
Article 2 – paragraph 1 – point 1 b (new)
(1 b) ‘non-personal data’ means data other than personal data;
Amendment 411 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 c (new)
Article 2 – paragraph 1 – point 1 c (new)
(1 c) ‘data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 412 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 d (new)
Article 2 – paragraph 1 – point 1 d (new)
(1 d) ‘consent’ means consent as defined in Article 4, point (11), of Regulation (EU) 2016/679;
Amendment 414 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 e (new)
Article 2 – paragraph 1 – point 1 e (new)
(1 e) ‘anonymised data’ means personal data irreversibly altered in such a way that a data subject can no longer be identified directly or indirectly, either by the data controller, data holder alone or in collaboration with any other party;
Amendment 415 #
Proposal for a regulation
Article 2 – paragraph 1 – point 2
Article 2 – paragraph 1 – point 2
(2) ‘product’ means a tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly availablen electronic communications service and whose primary function is noteither the storing and processing of datar transmission of data nor is it primarily designed to display or play content, or to record and transmit content;
Amendment 431 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘user’ means a natural or legal person, including a data subject or public sector bodies, that owns, rents or leases a product or receives a related services;
Amendment 436 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6
Article 2 – paragraph 1 – point 6
(6) ‘data holder’ means a legal or natural person that is not the user, who has access to data communicated to it, or accessed by it, including derived or inferred data during the provision of a related service, and who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personalto make available certain data or can enable access to the data and through control of the technical design of the product and related services, the ability, to make available certainr means of access, in the case of non-personal data;
Amendment 445 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) ‘data recipient’ means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a product or a related service, to whom the data holder makes data available, including a third party following an explicit request by the user or the data subject to the data holder or in accordance with a legal obligation under Union law or national legislation implementing Union law, and including a third party to whom the data is directly made available by the user or the data subject;
Amendment 456 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘public emergency’ means an exceptional situation such as public health emergencies, emergencies resulting from environmental degradation and major natural disasters, including those exacerbated by climate change, as well as human-induced major disasters, such as major cybersecurity incidents, negatively affecting the population of the Union, a Member State or part of it, with a risk of serious and lasting repercussions on living conditions or economic and financial stability, or the substantial degradation of economic assets in the Union or the relevant Member State(s); and which is determined according to the respective procedures under Union or national law.
Amendment 460 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10 a (new)
Article 2 – paragraph 1 – point 10 a (new)
(10 a) ‘official statistics’ means statistics within the meaning of ‘European statistics’ under Regulation(EC) No 223/2009’.
Amendment 468 #
Proposal for a regulation
Article 2 – paragraph 1 – point 15 a (new)
Article 2 – paragraph 1 – point 15 a (new)
(15 a) 'operators within data spaces' mean legal persons that facilitate or engage in data sharing within and across the common European data spaces;
Amendment 481 #
Proposal for a regulation
Article 2 – paragraph 1 – point 20 a (new)
Article 2 – paragraph 1 – point 20 a (new)
(20 a) ‘trade secret’ means information which meets all the requirements of Article 2, point (1), of Directive (EU) 2016/943.
Amendment 484 #
(20 b) ‘Data intermediation service’ means a service as defined in Article 2(11) of Regulation (EU) 2022/868;
Amendment 486 #
Proposal for a regulation
Article 2 – paragraph 1 – point 20 c (new)
Article 2 – paragraph 1 – point 20 c (new)
(20 c) ‘Data altruism’ means the voluntary sharing of data as defined in Article 2(16)of Regulation (EU) 2022/868;
Amendment 489 #
Proposal for a regulation
Article 3 – title
Article 3 – title
Obligation to make data generated by the use of products or related services accessible to the user
Amendment 491 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data obtained, collected, or generated by their use are, by default, and free of charge, easily, securely and, where relevant and appropriate, directly accessible to the userdirectly accessible to the user in a structured, commonly used and machine-readable format. In the case that user is a data subject, products shall offer possibilities to directly exercise the data subjects’ rights. The user shall have the right to obtain a copy of the data generated by their use of the product and related services, from the data holder without hindrance and they shall be able to process the data outside the data holder’s control.
Amendment 501 #
Proposal for a regulation
Article 3 – paragraph 1 a (new)
Article 3 – paragraph 1 a (new)
1 a. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data subjects, irrespective of their legal title over the product, are offered the possibility to use the products covered by this Regulation anonymously or in the least privacy-intrusive way possible, such as by anonymising the data.
Amendment 506 #
Proposal for a regulation
Article 3 – paragraph 1 b (new)
Article 3 – paragraph 1 b (new)
1 b. Where users can reasonably expect it due to the nature of the product, products shall be designed and manufactured, and related services shall be provided, in such a manner that a basic set of functionalities is maintained when the product or related service is used offline.
Amendment 508 #
Proposal for a regulation
Article 3 – paragraph 1 c (new)
Article 3 – paragraph 1 c (new)
1 c. The data holder shall not use data shared for the profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679.
Amendment 509 #
Proposal for a regulation
Article 3 – paragraph 2 – introductory part
Article 3 – paragraph 2 – introductory part
2. Before concluding a contract for the purchase, rent or lease of a product or a related service, at least the following information shall be provided to the user, in ausers should be presented with granular, meaningful consent options for data processing, within the meaning of Article 4(11) of Regulation (EU) 2016/679, differentiating between data that is essential for the functioning of the product and a related service and other types of data. In addition, the data holder shall at least provide the following information to the user, in a timely and prominent manner, and in an easily accessible, clear and comprehensible format:
Amendment 515 #
Proposal for a regulation
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) the nature an, the format and the estimated volume of the data likely to be generated by the use of the product or related service;
Amendment 524 #
(c) how the user may access and request a copy of those data;
Amendment 531 #
Proposal for a regulation
Article 3 – paragraph 2 – point c a (new)
Article 3 – paragraph 2 – point c a (new)
(c a) how the data holder will provide in a publicly available and consistent manner information on the data structures, data formats, vocabularies, classification schemes, taxonomies and code lists;
Amendment 535 #
Proposal for a regulation
Article 3 – paragraph 2 – point d
Article 3 – paragraph 2 – point d
(d) whether the manufacturer supplying the product or the service provider providing the related servicedata holder intends to use the data itself or allow a third party to use the data and, if so, which third party and the purposes for which those data will be used by the manufacturer, a different data holder or a third party;
Amendment 549 #
Proposal for a regulation
Article 3 – paragraph 2 – point g a (new)
Article 3 – paragraph 2 – point g a (new)
(g a) the foreseen duration of the agreement, as well as the modalities to terminate the agreement prematurely;
Amendment 560 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Where data cannot be directly accessed by the user from the product, the data holder shall make available to the user the data generated by its use of a product or related service swiftly, without undue delay, free of charge and, where applicable and in any case within a day, free of charge, easily, securely, in a structured, commonly used and machine-readable format, including access to derived or inferred data, and including the relevant metadata and, where applicable, of the same quality as is available to the data holder, continuously and in real-time. This shall be done on the basis of a simple request through electronic means w. Where this is not technically feasible, the data holder shall provide a functionally equivalent alternative.
Amendment 569 #
Proposal for a regulation
Article 4 – paragraph 2 a (new)
Article 4 – paragraph 2 a (new)
2 a. The data holder shall ensure that it is not unduly difficult for the users to exercise their rights and make their choices by not offering choices to the users in a non-neutral manner, or coercing, deceiving or manipulating the user in any way, or subverting or impairing the autonomy, decision-making or free choices of the user, including by means of a digital interface or a part thereof, including its structure, design, function or manner of operation.
Amendment 580 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
3. Trade secrets shall only be disclosed provided that all specific necessary measures are taken to preserve the confidentiality of trade secrets in particular with respect to third parties. The data holder and the user can agree measures to preserve the confidentiality of the shared data, in particular in relation to third parties. The data holder shall identify the data which are protected as trade secrets.
Amendment 591 #
Proposal for a regulation
Article 4 – paragraph 5
Article 4 – paragraph 5
5. Where the user is not athe data subject whose personal data is requested, any personal data generated by the use of a product or related service shall only be made available by the data holder to the user where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 are fulfilled. This Regulation does not create a legal basis for the processing of personal data, nor does it affect any of the rights and obligations set out in Regulations (EU) 2016/679 or Directive 2002/58/EC.
Amendment 603 #
Proposal for a regulation
Article 5 – title
Article 5 – title
Right of the user to share data with third parties
Amendment 609 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. Upon explicit request by a user or a data subject, or by a party acting on behalf of a user, the data holder shall make available the data generated by the use of a product or related service to a third party, without undue delay, free of charge to the user or the data subject, of the same quality as is available to the data holder, easily, securely, in an interoperable, structured, commonly used and machine- readable format, and, where applicable, continuously and in real-time.
Amendment 627 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
3. The user or third party shall not be required to provide any information beyond what is strictly necessary to verify the quality as user or as third party pursuant to paragraph 1. The data holder shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and the maintenance of the data infrastructure.
Amendment 631 #
Proposal for a regulation
Article 5 – paragraph 5
Article 5 – paragraph 5
5. The data holder shall not use any non-personal data generated by the use of the product or related service to derive insights about the economic situation, assets and production methods of or use by the third party that could undermine the commercial position of the third party on the markets in which the third party is active, unless the third party has consented to such use and has the technical possibility to withdraw that consent at any time. The data holder shall not use any data generated by the use of the product or related service to monitor the interactions between users and third parties except for objectively justified security considerations.
Amendment 634 #
Proposal for a regulation
Article 5 – paragraph 6
Article 5 – paragraph 6
6. Where the user is not athe data subject whose personal data is requested, any personal data generated by the use of a product or related service shall only be made available where there is a valid legal basis under Article 6(1) of Regulation (EU) 2016/679 and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 are fulfillednd Article 5(3) of Directive 2002/58/EC are fulfilled. This Regulation does not create a legal basis for the processing of personal data, nor does it affect any of the rights and obligations set out in Regulations (EU) 2016/679 or Directive 2002/58/EC.
Amendment 637 #
Proposal for a regulation
Article 5 – paragraph 6 a (new)
Article 5 – paragraph 6 a (new)
6 a. The data holder shall not make the usability of the product or related service dependent on the user allowing it to process data not required for the functionality of the product or provision of the related service.
Amendment 638 #
Proposal for a regulation
Article 5 – paragraph 6 b (new)
Article 5 – paragraph 6 b (new)
6 b. The data holder shall not incentivise, directly or indirectly, the commercialisation and trade of personal data.
Amendment 646 #
Proposal for a regulation
Article 6 – paragraph 1
Article 6 – paragraph 1
1. A third party shall process the data made available to it pursuant to Article 5 only for the purposesspecific purposes mentioned in paragraph 3 and under the conditions agreed with the user, and where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under points (a) or (b) of Article 6(1) of Regulation (EU) 2016/679, and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled and subject to the rights of the data subject insofar as personal data are concerned, and shall immediately delete the data when they are no longer necessary for the agreed purposexplicitly requested purpose in line with paragraph 3 of this Article.
Amendment 649 #
Proposal for a regulation
Article 6 – paragraph 2 – point a
Article 6 – paragraph 2 – point a
(a) coerce, deceive or manipulate the user in any way, bymake the exercise of the rights or choices of users unduly difficult including by offering choices to the users in a non- neutral manner, or coerce, deceive or manipulate in any way the user or the data subject where the user is not a data subject, or subverting or impairing the autonomy, decision-making or free choices of the user or the data subject, including by means of a digital interface with the useror a part thereof, including its structure, design, function or manner of operation;
Amendment 653 #
Proposal for a regulation
Article 6 – paragraph 2 – point b
Article 6 – paragraph 2 – point b
(b) use the data it receives for the profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679, unless it is necessary to provide the service requested by the user;
Amendment 656 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
Article 6 – paragraph 2 – point c
(c) make the data available it receives to another third party, in raw, aggregated or derived form, unless this is necessary to provide the service requested by the user, and the user has explicitly been made aware of this in a clear, easily accessible and prominent way and, in the case of personal data, the rights and obligations of Regulation (EU) 2016/679 are respected;
Amendment 668 #
Proposal for a regulation
Article 6 – paragraph 2 – point f a (new)
Article 6 – paragraph 2 – point f a (new)
(f a) make the usability of the product or related service dependent on the user allowing it to process data not required for the purposes or services explicitly requested by the user.
Amendment 671 #
Proposal for a regulation
Article 6 – paragraph 2 – point f b (new)
Article 6 – paragraph 2 – point f b (new)
(f b) incentivise, directly or indirectly, the commercialisation and trade of personal data.
Amendment 673 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
Article 6 – paragraph 2 a (new)
Amendment 698 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Any compensation agreed between a data holder and a data recipient for making data available shall be reasonablein business-to- business relations shall be fair and reasonable and shall not disproportionally exceed the costs directly related to making the data available..
Amendment 701 #
Proposal for a regulation
Article 9 – paragraph 1 a (new)
Article 9 – paragraph 1 a (new)
1 a. This Regulation precludes the data holder or the third party from directly or indirectly charging consumers or data subjects a fee, compensation or costs for sharing data or for accessing it. Third parties are precluded from charging any potential cost of accessing the data to the user.
Amendment 760 #
Proposal for a regulation
Article 14 – paragraph 1
Article 14 – paragraph 1
1. Upon request, a data holder shall make data, which could include relevant metadata, available to a public sector body or to a Union institution, agency or body demonstrating an exceptional need to use the data requestedor a legitimate public interest to use the data requested in order to carry out their statutory duties in the public interest.
Amendment 770 #
Amendment 773 #
Proposal for a regulation
Article 15 – paragraph 1 – point a
Article 15 – paragraph 1 – point a
(a) where the data requested is necessary to respond tothat has been explicitly provided by law, including real-time data, is limited in time and scope and is necessary to prevent, respond or recover from a public emergency;
Amendment 778 #
Proposal for a regulation
Article 15 – paragraph 1 – point b
Article 15 – paragraph 1 – point b
Amendment 786 #
Proposal for a regulation
Article 15 – paragraph 1 – point c – introductory part
Article 15 – paragraph 1 – point c – introductory part
(c) where the lack of available data prevents the public sector body or Union institution, agency or body from fulfilling a specific task in the public interest, for efficient provision of public services and policy making, in particular on healthcare, climate change, mobility, official statistics, as well as scientific research. It covers inter alia affordable housing, local transport or city planning, including sustainable tourism development, improving infrastructural services, such as energy, waste and water management, or producing reliable and up to date statistics, that has been explicitly provided by law; and
Amendment 792 #
Proposal for a regulation
Article 15 – paragraph 1 – point c – point 1
Article 15 – paragraph 1 – point c – point 1
(1) the public sector body or Union institution, agency or body has been unable to obtain such data by alternative means, including by purchasing the data on the market at market ratreasonable prices or by relying on existing obligations to make data available, and the adoption of new legislative measures cannot ensure the timely availability of the data; or
Amendment 811 #
Proposal for a regulation
Article 17 – paragraph 1 – point a
Article 17 – paragraph 1 – point a
(a) specify what data are required, including relevant metadata;
Amendment 823 #
Proposal for a regulation
Article 17 – paragraph 1 – point e
Article 17 – paragraph 1 – point e
(e) specify the deadline by which the data are to be made available orand the deadline within which the data holder may request the public sector body, Union institution, agency or body to modify or withdraw the request.
Amendment 843 #
Proposal for a regulation
Article 17 – paragraph 2 – point d
Article 17 – paragraph 2 – point d
(d) concern, insofar as possible, non- personal dataIn case of requests made pursuant to Article 15, point (a) concern, insofar as possible, non-personal data and in case personal data are requested, the request should justify the need for including personal data and set out the technical and organisational measures that will be taken to protect the data, including in particular the obligation to aggregate and anonymise the requested data set;
Amendment 850 #
Proposal for a regulation
Article 17 – paragraph 2 – point d a (new)
Article 17 – paragraph 2 – point d a (new)
(d a) indicate, insofar as possible, user- friendly data-sharing mechanisms that respect ethical guidelines on transparency, non discrimination, security and privacy;
Amendment 856 #
Proposal for a regulation
Article 17 – paragraph 4 – subparagraph 1
Article 17 – paragraph 4 – subparagraph 1
Paragraph 3 does not preclude a public sector body or a Union institution, agency or body to exchange data obtained pursuant to this Chapter with another public sector body, Union institution, agency or body, in view of completing the tasks in Article 15 or to make the data available to a third party in cases where it has outsourced, by means of a publicly available agreement, technical inspections or other functions to this third party. The obligations on public sector bodies, Union institutions, agencies or bodies pursuant to Article 19 apply. The principle of purpose limitation and other principles of data protection law should also apply to situations where the public sector body or EU institution, agency or body shares the data received under this Chapter with third parties to whom they have outsourced any function.
Amendment 865 #
Proposal for a regulation
Article 17 – paragraph 4 a (new)
Article 17 – paragraph 4 a (new)
Amendment 869 #
Proposal for a regulation
Article 17 – paragraph 4 b (new)
Article 17 – paragraph 4 b (new)
4 b. The competent authorities designated by each Member State according to Article 31 of this Regulation shall inform the public sector body or Union institution, agency or body if the data holder already provided the requested data in response to previously submitted request for the same purpose by another public sector body or Union institution, agency or body. In this context, public administration authorities should coordinate their requests for data and pursue best efforts to ensure that businesses are obliged to supply the same data only once.
Amendment 886 #
Proposal for a regulation
Article 18 – paragraph 5
Article 18 – paragraph 5
5. Where the dataset requested includes personal data, the data holder shall have the responsibility to aggregate and properly anonymise the data set. Where compliance with the request to make data available to a public sector body or a Union institution, agency or body requires the disclosure of personal data, the data holder shall take reasonable efforts to pseudonymise the data, insofar as the request can be fulfilled with pseudonymised data.
Amendment 906 #
Proposal for a regulation
Article 19 – paragraph 1 – point c
Article 19 – paragraph 1 – point c
(c) destroy the data as soon as they are no longer necessary for the stated purpose and inform the European Public Data Commons body data holder that the data have been destroyed.
Amendment 912 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
2. Disclosure of trade secrets or alleged trade secrets to a public sector body or to a Union institution, agency or body shall only be required to the extent that it is strictly necessary to achieve the purpose of the request. In such a case, the public sector body or the Union institution, agency or body shall take appropriate measures to preserve the confidentiality of those trade secrets. The data holder shall identify the data which are protected as trade secrets.
Amendment 916 #
Proposal for a regulation
Article 19 a (new)
Article 19 a (new)
Amendment 924 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
2. Where the data holder claims compensation for making data available in compliance with a request made pursuant to Article 15, points (b) or (c), such compensation shall not exceed the technical and organisational costs incurred to comply with the request including, where necessary, the costs of anonymisation and of technical adaptation, plus a reasonable margin. Upon request of the public sector body or the Union institution, agency or body requesting the data, the data holder shall provide information on the basis for the calculation of the costs and the reasonable margin.
Amendment 951 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
3. Where a public sector body intends to request data from a data holder established in another Member State, it shall first notify the competent authority of that Member State as referred to in Article 31, of that intention. This requirement shall also apply to requests by Union institutions, agencies and bodies. The request shall be evaluated inline by the competent authority of the Member State where the data holder is established.
Amendment 1103 #
Proposal for a regulation
Article 31 – paragraph 2 – point c
Article 31 – paragraph 2 – point c
(c) the national competent authority responsible for the application and enforcement of Chapter VI of this Regulation shall have experience, sufficient technical and human resources and expertise in the field of data and electronic communications services.
Amendment 1112 #
Proposal for a regulation
Article 31 – paragraph 3 – point e
Article 31 – paragraph 3 – point e
(e) monitoring technological developments of relevance for the making available and use of data with a view of better enforcing this Regulation;
Amendment 1116 #
Proposal for a regulation
Article 31 – paragraph 3 – point h
Article 31 – paragraph 3 – point h
(h) cooperating with all relevant competent authorities and the European Data Protection Board and the European Data Innovation Board to ensure that the obligations of Chapter VIunder this Regulation are enforced consistently with other Union legislation and self-regulation applicable to providers of data processing service;
Amendment 1118 #
Proposal for a regulation
Article 31 – paragraph 3 – point i a (new)
Article 31 – paragraph 3 – point i a (new)
(i a) ensuring data sharing is free of charge for consumers; ordering data holders, third parties or data recipients to provide redress, including compensation for damages, to consumers in case of harm; imposing a temporary or definitive limitation including a ban on processing or mandate data sharing to comply with this Regulation;
Amendment 1125 #
Proposal for a regulation
Article 31 a (new)
Article 31 a (new)
Article 31 a The role of the European Data Protection Board and the European Data Innovation Board The European Data Protection Board and the European Data Innovation Board in cooperation with the European Public Data Commons body shall foster the mutual exchange of information amongst competent authorities as well as advise and assist the Commission in matters falling under this Regulation that fall within their respective competences.
Amendment 1138 #
Proposal for a regulation
Article 33 – paragraph 2
Article 33 – paragraph 2
2. Member States shall by [date of application of the Regulation] notify the Commission, the European Data Protection Board and the European Data Innovation Board of those rules and measures and shall notify ithem without delay of any subsequent amendment affecting them. The Commission shall regularly update and maintain an easily accessible public register of those measures.