Activities of Kateřina KONEČNÁ related to 2022/0047(COD)
Shadow opinions (1)
OPINION on the proposal for a regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)
Amendments (96)
Amendment 88 #
Proposal for a regulation
Recital 1
Recital 1
(1) In recent years, data-driven technologies have had transformative effects on all sectors of the economy. The proliferation in products connected to the Internet of Things in particular has increased the risks, volume and potential value of data for consumers, businesses and society. High quality and interoperable data from different domains has potential to increase competitiveness and innovation and ensure sustainable economic growth. The same dataset may potentially be used and reused for a variety of purposes and to an unlimited degree, without any loss in its quality or quantity, while respecting users’ choices and applicable legislation to protect them.
Amendment 91 #
Proposal for a regulation
Recital 2
Recital 2
(2) Barriers to data sharing prevent an optimal allocation of data to the benefit of society. These barriers include a lack of incentives for data holders to enter voluntarily into data sharing agreements, uncertainty about rights and obligations in relation to data, costs of contracting and implementing technical interfaces, the high level of fragmentation of information in data silos, poor metadata management, the absence of standards for semantic and technical interoperability, bottlenecks impeding data access, a lack of common data sharing practices and abuse of contractual imbalances with regards to data access and use.
Amendment 94 #
Proposal for a regulation
Recital 4
Recital 4
(4) In order to respond to the needs of the digital economy, protect consumers and to remove unjustified barriers to a well-functioning internal market for data, it is necessary to lay down a harmonised framework specifying who, other than the manufacturer or other data holder is entitled to access the data generated by products or related services, under which conditions and on what basis. Accordingly, Member States should not adopt or maintain additional national requirements on those matters falling within the scope of this Regulation, unless explicitly provided for in this Regulation, since this would affect the direct and uniform application of this Regulation.
Amendment 98 #
Proposal for a regulation
Recital 5
Recital 5
(5) This Regulation ensures that users of a product or related service in the Union including data subjects and consumers, can access, in a timely manner, the data generated by the use of that product or related service and that those users can use the data, including by sharing them with third parties and for the purposes of their choice. It imposes the obligation on the data holder to make data available to users and third parties nominated by the users in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and in a transparent manner. Private law rules are key in the overall framework of data sharing. Therefore, this Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair data access and use for micro, small or medium-sized enterprises within the meaning of Recommendation 2003/361/EC. This Regulation also ensures that data holders make available to public sector bodies of the Member States and to Union institutions, agencies or bodies, where there is an exceptional need, the data that are necessary for the performance of tasks carried out in the public interest. In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and data sharing mechanisms and services in the Union. This Regulation should not be interpreted as recognising or creating any legal basis for the data holder to hold, have access to or process data, or as conferring any new right on the data holder to use data generated by the use of a product or related service. Instead, it takes as its starting point the control that the data user shoulder effectively enjoys, de facto orand de jure, over data generated by products or related services.
Amendment 100 #
Proposal for a regulation
Recital 7
Recital 7
(7) The fundamental right to the protection of personal data is safeguarded in particular under Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. Directive 2002/58/EC additionally protects private life and the confidentiality of communications, including providing conditions to any personal and non- personal data storing in and access from terminal equipment. These instruments provide the basis for sustainable and responsible data processing, including where datasets include a mix of personal and non-personal data. This Regulation complements and is without prejudice to Union law on data protection and privacy, in particular Regulation (EU) 2016/679 and Directive 2002/58/EC. No provision of this Regulation should be applied or interpreted in such a way as to diminish or limit the right to the protection of personal data or the right to privacy and confidentiality of communications. This Regulation should not be read as creating anew legal basis for the processing of personal data for any of the regulated activities, or as amending the information requirements laid down in Regulation(EU) 2016/679. In the event of a conflict between this Regulation and Union law on the protection of personal data or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data should prevail, except where explicitly foreseen otherwise under the body of this Regulation.
Amendment 103 #
Proposal for a regulation
Recital 8
Recital 8
(8) The principles of data minimisation and data protection by design and by default are essential when processing involves significant risks to the fundamental rights of individuals. Taking into account the state of the art, all parties to data sharing, including where within scope of this Regulation, should implement technical and organisational measures to protect these rights. Such measures include not only pseudanonymisation and encryption, but also the use of increasingly available technology that permits algorithms to be brought to the data and allow valuable insights to be derived without the transmission between parties or unnecessary copying of the raw or structured data themselves.
Amendment 104 #
Proposal for a regulation
Recital 8 a (new)
Recital 8 a (new)
(8a) Anonymisation of data is a technique applied to personal data to irreversibly prevent the identification or re-identification of the data subject. Anonymity is achieved where information that used to relate to an identified or identifiable natural person is highly improbable to be reattributed to said natural person in practice. To determine the probability of re-identification, the knowledge directly or indirectly available to the data controller, a risk prognosis based on the state of the art of data processing and the foreseeable technical developments during the period of data storage as well as the likely time and effort of re-identification must be taken into account. The knowledge and capabilities of third parties are only to be taken into account insofar as their involvement is reasonably likely. Data is anonymous if the probability of attribution to a data subject is sufficiently low in view of the ratio of benefit to the effort of re-identification according to general life experience or the state of the art and in view of the respective threat to the rights and freedoms of the data subject. Anonymisation and de- anonymisation constitute processing of personal data as defined in Article 4 (2) of Regulation (EU)2016/679. The principle of data minimisation requires that personal data must be anonymised where the purpose or purposes for which they are processed can be fulfilled without the use of personal data.
Amendment 123 #
Proposal for a regulation
Recital 23
Recital 23
(23) Before concluding a contract for the purchase, use, rent, or lease of a product or the provision of a related service, clear and sufficient information should be provided to the user on how the data generated may be accessed. This obligation provides transparency over the data generated and enhances the easy access for the user. This obligation to provide information does not affect the obligation for the controller to provide information to the data subject pursuant to Article 12, 13 and 14 of Regulation 2016/679.
Amendment 129 #
Proposal for a regulation
Recital 25
Recital 25
(25) In sectors characterised by the concentration of a small number of manufacturers supplying end users, there are only limited options available to users with regard to sharing data with those manufacturers. In such circumstances, contractual agreements may be insufficient to achieve the objective of user empowerment. The data tends to remain under the control of the manufacturers, making it difficult for users to obtain value from the data generated by the equipment they purchase, use, rent or lease. Consequently, there is limited potential for innovative smaller businesses to offer data- based solutions in a competitive manner and for a diverse data economy in Europe. This Regulation should therefore build on recent developments in specific sectors, such as the Code of Conduct on agricultural data sharing by contractual agreement. Sectoral legislation may be brought forward to address sector-specific needs and objectives. Furthermore, the data holder should not use any data generated by the use of the product or related service in order to derive insights about the economic situation of the user or its assets or production methods or the use in any other way that could undermine the commercial position of the user on the markets it is active on. This would, for instance, involve using knowledge about the overall performance of a business or a farm in contractual negotiations with the user on potential acquisition of the user’s products or agricultural produce to the user’s detriment, or for instance, using such information to feed in larger databases on certain markets in the aggregate (,e.g. databases on crop yields for the upcoming harvesting season) as such use could affect the user negatively in an indirect manner. The user should in all circumstances be given the necessary technical interface to manage permissions, preferably with granular permission options (such as “allow once” or “allow while using this app or service”), including the option to withdraw permission, including the option to withdraw permissions, which should be given at equal prominence level to accepting all.
Amendment 131 #
Proposal for a regulation
Recital 26
Recital 26
(26) In contracts between a data holder and a consumer as a user of a product or related service generating data, EU consumer law applies, including Directive 2005/29/EC, which applies against unfair commercial practices, and Directive 93/13/EEC applies to the terms of the contract to ensure that a consumer is not subject to unfair contractual terms. For unfair contractual terms unilaterally imposed on a micro, small or medium- sized enterprise as defined in Article 2 of the Annex to Recommendation 2003/361/EC63 , this Regulation provides that such unfair terms should not be binding on that enterprise. _________________ 63 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium- sized enterprises
Amendment 137 #
Proposal for a regulation
Recital 31
Recital 31
(31) Data generated by the use of a product or related service should only be made available to a third party at the request of the user. This Regulation accordingly complements the right provided under Article 20 of Regulation (EU) 2016/679. That Article provides for a right of data subjects to receive personal data concerning them in a structured, commonly used and machine-readable format, and to port those data to other controllers, where those data are processed on the basis of Article 6(1), point (a), or Article 9(2), point (a), or of a contract pursuant to Article 6(1), point (b). Data subjects also have the right to have the personal data transmitted directly from one controller to another, but only where technically feasible. Article 20 specifies that it pertains to data provided by the data subject but does not specify whether this necessitates active behaviour on the side of the data subject or whether it also applies to situations where a product or related service by its design observes the behaviour of a data subject or other information in relation to a data subject in a passive manner. The right under this Regulation complements the right to receive and port personal data under Article 20 of Regulation (EU) 2016/679 in several ways. It grants users the right to access and make available to a third party to any data generated by the use of a product or related service, irrespective of its nature as personal data, of the distinction between actively provided or passively observed data, and irrespective of the legal basis of processing. Unlike the technical obligations provided for in Article 20 of Regulation (EU) 2016/679, this Regulation mandates and ensures the technical feasibility of third party access for all types of data coming within its scope, whether personal or non-personal. It also allows the data holder to set reasonable compensation to be met by third parties, but not by the user, for any cost incurred in providing direct access to the data generated by the user’s product. If a data holder and third party are unable to agree terms for such direct access, theThis Regulation also allows direct data sharing from users to third parties. This Regulation precludes the data holder or the third party from directly or indirectly charging consumers or data subjects a fee, compensation or costs for sharing data or for accessing it. This Regulation does not directly or indirectly incentivise the commercialisation or trade of personal data. In any case, the consumer and data subject should be in no way prevented from exercising the rights contained in this Regulation or Regulation (EU) 2016/679, including the right to data portability, by seeking remedies in accordance with bothat Regulations. It is to be understood in this context that, in accordance with Regulation (EU) 2016/679, a contractual agreement does not allow for the processing of special categories of personal data by the data holder or the third party.
Amendment 141 #
Proposal for a regulation
Recital 33
Recital 33
(33) In order to prevent the exploitation of users, third parties to whom data has been made available upon request of the user should only process the data for the purposes agreed withexplicitly requested by the user and share it with another third party only if this is necessary to provide the service requested by the user.
Amendment 144 #
Proposal for a regulation
Recital 34
Recital 34
(34) In line with the data minimisation principle, the third party should only access additional information that is necessary for the provision of the service requested by the user. Having received access to data, the third party should process it exclusively for the purposes agreed with the user, without interference from the data holder. It should be as easy for the user to refuse or discontinue access by the third party to the data as it is for the user to authorise access. The data holder or the third party should not make the exercise of the right or choices of users unduly difficult including by offering choices to users in a non- neutral manner, or coerce, deceive or manipulate the user in any way, by or subverting or impairing the autonomy, decision-making or free choices of the user, including by means of a digital interface with the user. in this context,or a part thereof, including its structure, design, function or manner of operation. In this context, data holders and third parties should not rely on so-called dark patterns in designing their digital interfaces. Dark patterns are design techniques that push or deceive consumers into decisions that have negative consequences for them. These manipulative techniques can be used to persuade users, particularly vulnerable consumers, to engage in unwanted behaviours, and to deceive users by nudging them into decisions on data disclosure transactions or to unreasonably bias the decision-making of the users of the service, in a way that subverts and impairs their autonomy, decision-making and free choice. Common and lLegitimate commercial practices that are in compliance with Union law should not in themselves be regarded as constituting dark patterns. TData holders and third parties should comply with their obligations under relevant Union law, in particularcluding the requirements set out in Directive 2005/29/EC, Directive 2011/83/EU, Directive 2000/31/EC and Directive 98/6/EC.
Amendment 148 #
Proposal for a regulation
Recital 37
Recital 37
Amendment 153 #
Proposal for a regulation
Recital 42
Recital 42
(42) In order to incentivise the continued investment in generating valuable data, including investments in relevant technical tools, this Regulation contains the principle that the data holder may request reasonable compensation when legally obliged to make data available to the data recipient. These provisions should not be understood as paying for the data itself, but in the case of micro, small or medium-sized enterprises, for the costs incurred and investment required for making the data availableThis Regulation precludes the data holder or the third party from directly or indirectly charging consumers or data subjects a fee, compensation or costs for sharing data or for accessing it.
Amendment 157 #
Proposal for a regulation
Recital 43
Recital 43
(43) In justified cases, including the need to safeguard consumer participation and competition or to promote innovation in certain markets, Union law or national legislation implementing Union law may impose regulated compenThis Regulation does not directly or indirectly incentivise the commercialisation for making available specific data typestrade of personal data.
Amendment 160 #
Proposal for a regulation
Recital 44
Recital 44
(44) To protect micro, or small or medium-sized enterprises from excessive economic burdens which would make it commercially too difficult for them to develop and run innovative business models, the compensation for making data available to be paid by them should not exceed the direct cost of making the data available and be non-discriminatory.
Amendment 161 #
Proposal for a regulation
Recital 47
Recital 47
(47) Transparency is an important principle to ensure that the compensation requested by the data holder is reasonable, or, in case the data recipient is a micro, or small or medium-sized enterprise, that the compensation does not exceed the costs directly related to making the data available to the data recipient and is attributable to the individual request. In order to put the data recipient in the position to assess and verify that the compensation complies with the requirements under this Regulation, the data holder should provide to the data recipient the information for the calculation of the compensation with a sufficient degree of detail.
Amendment 164 #
Proposal for a regulation
Recital 51
Recital 51
(51) Where one party is in a stronger bargaining position, there is a risk that that party could leverage such position to the detriment of the other contracting party when negotiating access to data and make access to data commercially less viable and sometimes economically prohibitive. Such contractual imbalances particularly harm micro, small and medium-sized enterprises without a meaningful ability to negotiate the conditions for access to data, who may have no other choice than to accept ‘take- it-or-leave-it’ contractual terms. Therefore, unfair contract terms regulating the access to and use of data or the liability and remedies for the breach or the termination of data related obligations should not be binding on consumers, micro, or small or medium- sized enterprises when they have been unilaterally imposed on them.
Amendment 201 #
Proposal for a regulation
Recital 81
Recital 81
(81) In order to ensure the efficient implementation of this Regulation, Member States should designate one or more competent authorities. If a Member State designates more than one competent authority, it should also designate a coordinating competent authority. Competent authorities should cooperate with each other effectively and in a timely manner, in line with the principles of good administration and mutual assistance to ensure the effective implementation and enforcement of this Regulation. . The authorities responsible for the supervision of compliance with data protection and competent authorities designated under sectoral legislation should have the responsibility for application of this Regulation in their areas of competence.
Amendment 203 #
Proposal for a regulation
Recital 82
Recital 82
(82) In order to enforce their rights under this Regulation, natural and legal persons should be entitled to seek redress for the infringements of their rights under this Regulation by lodging complaints with competent authorities. Those authorities should be obliged to cooperate to ensure the complaint is appropriately handled and resolved. In order to make use of the consumer protection cooperation network mechanism and to enable representative actions, this Regulation amends the Annexes to the Regulation (EU) 2017/2394 of the European Parliament and of the Council68 and Directive (EU) 2020/1828 of the European Parliament and of the Council69 . Authorities competent to enforce this Regulation shall cooperate with the Consumer Protection Cooperation network in relation to consumer protection matters, but not on data processing matters. Any referral to the Consumer Protection Cooperation network should not result in a lack of efficient or swift enforcement of the Data Act. _________________ 68 Regulation (EU) 2017/2394 of the European Parliament and of the Council of 12 December 2017 on cooperation between national authorities responsible for the enforcement of consumer protection laws and repealing Regulation (EC) No 2006/2004 (OJ L 345, 27.12.2017, p. 1). 69 Directive (EU) 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC (OJ L 409, 4.12.2020, p. 1).
Amendment 205 #
Proposal for a regulation
Recital 83
Recital 83
(83) Member States competent authorities should ensure that infringements of the obligations laid down in this Regulation are sanctioned by penaltiesdissuasive and effective penalties, including imposing a temporary or definitive limitation including a ban on processing. When doing so, they should take into account the nature, gravity, recurrence and duration of the infringement in view of the public interest at stake, the scope and kind of activities carried out, as well as the economic capacity of the infringer. They should take into account whether the infringer systematically or recurrently fails to comply with its obligations stemming from this Regulation. Those penalties must also allow for the deprivation of the profits obtained through infringements of this Regulation. In order to help enterprises to draft and negotiate contracts, the Commission should develop and recommend non-mandatory model contractual terms for business-to-business data sharing contracts, where necessary taking into account the conditions in specific sectors and the existing practices with voluntary data sharing mechanisms. These model contractual terms should be primarily a practical tool to help in particular smaller enterprises to conclude a contract. When used widely and integrally, these model contractual terms should also have the beneficial effect of influencing the design of contracts about access to and use of data and therefore lead more broadly towards fairer contractual relations when accessing and sharing data.
Amendment 212 #
Proposal for a regulation
Article 2 – paragraph -1 (new)
Article 2 – paragraph -1 (new)
-1 1. For the purposes of this Regulation, the definitions of Regulation (EU) 2016/679 apply to terms used in both regulations.
Amendment 213 #
Proposal for a regulation
Article 2 – paragraph 1 – introductory part
Article 2 – paragraph 1 – introductory part
Amendment 219 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
Article 2 – paragraph 1 – point 1 a (new)
(1a) ‘anonymised data’ means personal data irreversibly altered in such a way that a data subject can no longer be identified directly or indirectly, either by the data controller, data holder alone or in collaboration with any other party;
Amendment 233 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘user’ means a natural or legal person that owns, rents or, leases a product or receives a services, and the data subject as referred to in Article 4(1) of Regulation (EU)2016/679;
Amendment 234 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘user’ means a natural or legal person that owns, rents or lea, leases a product, receives a services or a consumer or data subject that uses a product or receives a services;
Amendment 239 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5 a (new)
Article 2 – paragraph 1 – point 5 a (new)
(5a) ‘consumer’ means any natural person who is acting for purposes which are outside their trade, business, craft or profession;
Amendment 245 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6
Article 2 – paragraph 1 – point 6
(6) ‘data holder’ means a legal or natural person who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data and through control of the technical design of the product and related services, the ability, to make available certainincluding public sector bodies and international organisations, or a natural person who is not a data subject with respect to the specific data in question, which, in accordance with this Regulation, applicable Union law has the right to grant access to or to share certain personal or non-personal data;
Amendment 246 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) ‘data recipient’ means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a product or related service, to whom the data holder makes data available, including a third party following an explicit request by the user to the data holder or to a third party to whom the data is directly made available by the user, or in accordance with a legal obligation under Union law or national legislation implementing Union law;
Amendment 249 #
Proposal for a regulation
Article 2 – paragraph 1 – point 8 a (new)
Article 2 – paragraph 1 – point 8 a (new)
(8a) ‘added value service’ means any service provided to the consumer or data subject that can be enabled or improved by access and use of data generated by the use of the product or related service, including personalised services which mean services that, based on the processing of data of the consumer or data subject, offer individualised services to the consumer or data subject such as diet plans, route planning, fitness training, electricity consumption optimisation. They do not include purposes of direct marketing or advertising, credit scoring or determining eligibility to insurances, to calculate or modify insurance premiums or the services of a data broker, even if the data broker shares data with others that provide personalised services;
Amendment 274 #
Proposal for a regulation
Article 2 – paragraph 1 – point 20 a (new)
Article 2 – paragraph 1 – point 20 a (new)
(20a) ‘Data intermediation service’ means a service as defined in Article 2(11) of Regulation (EU) 2022/868;
Amendment 276 #
Proposal for a regulation
Article 2 – paragraph 1 – point 20 b (new)
Article 2 – paragraph 1 – point 20 b (new)
(20b) ‘Data altruism’ means the voluntary sharing of data as defined in Article 2(16)of Regulation (EU) 2022/868;
Amendment 281 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user directly accessible to the user. The user shall be able to process the data outside the data holder’s control.
Amendment 285 #
Proposal for a regulation
Article 3 – paragraph 1 a (new)
Article 3 – paragraph 1 a (new)
1 a. Consumers shall have the right to obtain a copy of the data generated by their use of the product and related services, from the data holder without hindrance, in a structured, commonly used and machine-readable format, free of charge.
Amendment 287 #
Proposal for a regulation
Article 3 – paragraph 1 b (new)
Article 3 – paragraph 1 b (new)
1b. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data subjects, irrespective of their legal title over the product, are offered the possibility to use the products covered by this Regulation anonymously or in the least privacy-intrusive way possible, such as by anonymising the data.
Amendment 291 #
Proposal for a regulation
Article 3 – paragraph 1 c (new)
Article 3 – paragraph 1 c (new)
1c. The data holder shall not use data shared for the profiling of natural persons within the meaning of Article4(4) of Regulation (EU) 2016/679, unless it is strictly necessary to provide the specific service explicitly requested by the user.
Amendment 292 #
Proposal for a regulation
Article 3 – paragraph 2 – introductory part
Article 3 – paragraph 2 – introductory part
2. Before concluding a contract for the purchase, rent or lease of a product or a related service, consumers should be presented with granular, meaningful consent options for data processing, within the meaning of Article 4(11) of Regulation (EU)2016/679, differentiating between data that is essential for the functioning of the product and a related service and other types of data. In addition, at least the following information shall be provided to the user, in a timely and prominent manner, in an easily accessible, clear and comprehensible format:
Amendment 300 #
Proposal for a regulation
Article 3 – paragraph 2 – point c
Article 3 – paragraph 2 – point c
(c) how the user may access those data; and request a copy of those data free of charge;
Amendment 305 #
Proposal for a regulation
Article 3 – paragraph 2 – point e
Article 3 – paragraph 2 – point e
(e) whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder, such as its trading name, contact details and the geographical address at which it is established;
Amendment 308 #
Proposal for a regulation
Article 3 – paragraph 2 – point g
Article 3 – paragraph 2 – point g
(g) how the user may request that the data are shared with a third-party free of charge;
Amendment 309 #
Proposal for a regulation
Article 3 – paragraph 2 – point h
Article 3 – paragraph 2 – point h
(h) the user’s right to lodge a complaint alleging a violation of the provisions of this Chapter with the competent authority referred to in Article 31, including a list of competent authorities per Member State.
Amendment 312 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
2a. The data holder shall not make the exercise of the rights or choices of users unduly difficult including by offering choices to the users in a non-neutral manner, or coerce, deceive or manipulate the user in any way, or subvert or impair the autonomy, decision-making or free choices of the user, including by means of a digital interface or a part thereof, including its structure, design, function or manner of operation.
Amendment 314 #
Proposal for a regulation
Article 3 a (new)
Article 3 a (new)
Amendment 326 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. Upon request by a user, or by a party acting on behalf of a user, the data holder shall make available the data generated by the use of a product or related service to a third party, without undue delay, free of charge to the user, in an interoperable, structured, commonly used and machine-readable format, of the same quality as is available to the data holder and, where applicable, continuously and in real-time.
Amendment 335 #
Proposal for a regulation
Article 5 – paragraph 6 a (new)
Article 5 – paragraph 6 a (new)
6a. The data holder shall not make the usability of the product or related service dependent on the user allowing it to process data not required for the functionality of the product or provision of the related service.
Amendment 336 #
Proposal for a regulation
Article 5 – paragraph 6 b (new)
Article 5 – paragraph 6 b (new)
6b. The data holder shall not incentivise, directly or indirectly, the commercialisation and trade of personal data.
Amendment 337 #
Proposal for a regulation
Article 6 – paragraph 1
Article 6 – paragraph 1
1. A third party shall process the data made available to it pursuant to Article 5 only for the purposesspecific purposes mentioned in paragraph 2a and under the conditions agreed with the user, and subject to the rights of the data subject insofar as personal data are concerned, and shall delete the data when they are no longer necessary for the agreed purposexplicitly requested purpose in line with paragraph 2a of this Article.
Amendment 341 #
Proposal for a regulation
Article 6 – paragraph 2 – point a
Article 6 – paragraph 2 – point a
(a) make the exercise of the rights or choices of users unduly difficult including by offering choices to the users in a non- neutral manner, or coerce, deceive or manipulate the user in any way, byor subverting or impairing the autonomy, decision-making or choices of the user, including by means of a digital interface with the useror a part thereof, including its structure, design, function or manner of operation;
Amendment 344 #
Proposal for a regulation
Article 6 – paragraph 2 – point c
Article 6 – paragraph 2 – point c
(c) make the data available it receives to another third party, in raw, aggregated or derived form, unless this is necessary to provide the service requested by the user, , and the user has explicitly been made aware of this in a clear, easily accessible and prominent way and, in the case of personal data, the rights and obligations of Regulation(EU) 2016/679 are respected;
Amendment 348 #
Proposal for a regulation
Article 6 – paragraph 2 – point f a (new)
Article 6 – paragraph 2 – point f a (new)
(fa) make the usability of the product or related service dependent on the user allowing it to process data not required for the purposes or services explicitly requested by the user.
Amendment 350 #
Proposal for a regulation
Article 6 – paragraph 2 – point f b (new)
Article 6 – paragraph 2 – point f b (new)
(fb) incentivise, directly or indirectly, the commercialisation and trade of personal data.
Amendment 351 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
Article 6 – paragraph 2 a (new)
2a. A third party should only use personal data for one of the following specific purposes: (a) the provision of aftermarket services, such as the maintenance and repair of the product or related service or the provision of an aftermarket service that may be in competition with a product or related service provided by the data holder; (b) the provision of an added value service explicitly requested by the consumer or data subject; (c) specific data intermediation services recognised in the Union or specific services provided by data altruism organisations recognised in the Union under the conditions and requirements of Chapters III and IV of Regulation (EU) 2022/868; (d) purposes of non-profit organisations in the public interest; (e) research and innovation in the public interest.
Amendment 356 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
Amendment 367 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. Any compensation agreed between a data holder and a data recipientThis Regulation precludes the data holder or the third party from directly or indirectly charging consumers or data subjects a fee, compensation or costs for maksharing data available shall be reasonableor for accessing it. Third parties are precluded from charging any potential cost of accessing the data to the user.
Amendment 374 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
2. Where the data recipient is a micro, or small or medium enterprise, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, any compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request. Article 8(3) shall apply accordingly.
Amendment 376 #
Proposal for a regulation
Article 9 – paragraph 4
Article 9 – paragraph 4
4. The data holder shall provide the data recipient with information setting out the basis for the calculation of the compensation in sufficient detail so that the data recipient can verify that the requirements of paragraph 1 and, where applicable, paragraph 2 are met.
Amendment 384 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. The data holder may apply appropriate technical protection measures, including smart contracts, to prevent unauthorised access to the data and to ensure compliance with Articles 5, 6, 9 and 10, as well as with the agreed contractual terms for making data available. Such technical protection measures shall not be used as a means to hinder the user’s right to access data, obtain a copy or effectively provide data to third parties pursuant to Article 5 or any right of a third party under Union law or national legislation implementing Union law as referred to in Article 8(1).
Amendment 388 #
Proposal for a regulation
Article 11 – paragraph 2 – introductory part
Article 11 – paragraph 2 – introductory part
2. A data recipient that has, for the purposes of obtaining data, provided inaccurate or false information to the data holder, deployed deceptive or coercive means or abused evident gaps in the technical infrastructure of the data holder designed to protect the datalegally-protected trade secrets, has used the data made available for unauthorised purposes or has disclosed those data to another party without the data holduser’'s authorisationconsent, shall without undue delay, unless the data holder or the user instruct otherwise:
Amendment 389 #
Proposal for a regulation
Article 11 – paragraph 3 – point b
Article 11 – paragraph 3 – point b
(b) it would be disproportionate in light of the interests of the data holduser.
Amendment 398 #
Proposal for a regulation
Article 14 – title
Article 14 – title
14 Obligation to make data available based on exceptional needpublic interest use of data
Amendment 402 #
Proposal for a regulation
Article 14 – paragraph 1
Article 14 – paragraph 1
1. Upon request, a data holder shall make data available to a public sector body or to a Union institution, agency or body demonstrating an exceptional need to use the data requested in the public interest.
Amendment 405 #
Proposal for a regulation
Article 15 – title
Article 15 – title
15 Exceptional need toPublic interest use of data
Amendment 410 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
Article 15 – paragraph 1 – introductory part
An exceptional needobjective of public interest to use data within the meaning of this Chapter shall be deemed to exist in any of the following circumstances:
Amendment 411 #
Proposal for a regulation
Article 15 – paragraph 1 – point a
Article 15 – paragraph 1 – point a
(a) where the data requested is limited in time and scope and necessary to prevent, respond to or to assist in the recovery from a public emergency;
Amendment 413 #
Proposal for a regulation
Article 15 – paragraph 1 – point b
Article 15 – paragraph 1 – point b
Amendment 417 #
Proposal for a regulation
Article 15 – paragraph 1 – point c – introductory part
Article 15 – paragraph 1 – point c – introductory part
(c) where the lack of available data prevents the public sector body or Union institution, agency or body from fulfilling a specific task data is necessary to achieve an objective of public interest and the public sector body or Union institution, agency or body has been unable to obtain such data by alternative means, including by purchasing the public interest that has been explicitly provided by law; anddata on the market at market rates or by relying on existing obligations to make data available.
Amendment 418 #
Proposal for a regulation
Article 15 – paragraph 1 – point c – point 1
Article 15 – paragraph 1 – point c – point 1
Amendment 422 #
Proposal for a regulation
Article 15 – paragraph 1 – point c – point 2
Article 15 – paragraph 1 – point c – point 2
Amendment 427 #
Proposal for a regulation
Article 16 – paragraph -1 (new)
Article 16 – paragraph -1 (new)
-1. This Chapter shall not apply to types of data for which more specific sectoral rules have been laid down in Union law.
Amendment 430 #
Proposal for a regulation
Article 17 – paragraph 1 – point b
Article 17 – paragraph 1 – point b
(b) demonstrate the exceptional needobjective of public interest for which the data are requested;
Amendment 438 #
Proposal for a regulation
Article 17 – paragraph 2 – point b
Article 17 – paragraph 2 – point b
(b) be proportionate to the exceptional needidentified objective of public interest, in terms of the granularity and volume of the data requested and frequency of access of the data requested;
Amendment 447 #
Proposal for a regulation
Article 18 – paragraph 2 – introductory part
Article 18 – paragraph 2 – introductory part
2. Without prejudice to specific needs regarding the availability of data defined in sectoral legislation, the data holder may decline or seek the modification of the request within 5 working days following the receipt of a request for the data necessary to respond to a public emergency and within 15 working days in other cases of exceptional need, on either of the following grounds:
Amendment 453 #
Proposal for a regulation
Article 19 – paragraph 1 – point c
Article 19 – paragraph 1 – point c
(c) destroy the data as soon as they are no longer necessary for the stated purpose and inform the data holderEuropean Public Data Commons body that the data have been destroyed.
Amendment 455 #
Proposal for a regulation
Article 19 a (new)
Article 19 a (new)
Amendment 456 #
Proposal for a regulation
Article 20 – title
Article 20 – title
Compensation in cases of exceptional need
Amendment 458 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
2. Where the data holder claims compensation for making data available in compliance with a request made pursuant to Article 15, points (b) or (c), such compensation shall not exceed the technical and organisational costs incurred to comply with the request including, where necessary, the costs of anonymisation and of technical adaptation, plus a reasonable margin. Upon request of the public sector body or the Union institution, agency or body requesting the data, the data holder shall provide information on the basis for the calculation of the costs and the reasonable margin.
Amendment 462 #
Proposal for a regulation
Article 21 – title
Article 21 – title
21 Contribution ofAccess by research organisations orand statistical bodies in the context of exceptional needs
Amendment 463 #
Proposal for a regulation
Article 21 – paragraph -1 (new)
Article 21 – paragraph -1 (new)
-1. Upon request from: (a) a not-for-profit research organisation; (b) an individual and other entity acting on a not-for-profit basis or in the context of a public-interest mission recognised in Union or Member State law; (c) a small-to-medium enterprises undertaking research in the public interest; (d) a national statistical institute or Eurostat for the compilation of official statistics; or (e) another public sector body or to a Union institution, agency or body demonstrating a need to use the data requested in the public interest, the European Public Data Commons body shall make data contained in its repository available to the requesting entity in a secure processing environment, provided that the requirements contained in Article 17(1) and (2) are met. To this end, the European Public Data Commons body shall: (a) maintain a public information system to make publicly available and easily searchable the conditions under which the data is made available to third parties; (b) Maintain a management system to record and process data access requests from third parties, providing at least information on the name of the applicant, the purpose of access, the data of issuance, the duration of the data permit, and a description of the data request; Subparagraph 1 shall not apply to organisations upon which commercial undertakings have a decisive influence.
Amendment 465 #
Proposal for a regulation
Article 21 – paragraph 4 a (new)
Article 21 – paragraph 4 a (new)
4a. Where a public sector body intends to request data under Article 15 (b)of this Chapter from a data holder established in another Member State the request shall be evaluated in line with the requirements established in article 18(a) by the competent authority of the Member State where the public sector body is established. Where the requesting public sector body is a Union institution, agency or body the request shall be evaluated by the competent authority of the Member State where the data holder is established.
Amendment 650 #
Proposal for a regulation
Article 31 – paragraph 1
Article 31 – paragraph 1
1. Each Member State shall designate one or more competent authoritiesy as responsible for the application and enforcement of this Regulation. Member States may establish one or more new authorities or rely on existing authorities.
Amendment 652 #
Proposal for a regulation
Article 31 – paragraph 2 – point c
Article 31 – paragraph 2 – point c
(c) the national competent authority responsible for the application and enforcement of Chapter VI of this Regulation shall have experience in the field of, sufficient technical and human resources and expertise in the field of consumer protection, data and electronic communications services.
Amendment 654 #
Proposal for a regulation
Article 31 – paragraph 3 – point d
Article 31 – paragraph 3 – point d
(d) imposing, through administrative or judicial procedures, dissuasive financial penalties which may include periodic penalties and penalties with retroactive effect, or initiating legal proceedings for the imposition of fines;
Amendment 655 #
Proposal for a regulation
Article 31 – paragraph 3 – point i a (new)
Article 31 – paragraph 3 – point i a (new)
(i a) ensuring data sharing is free of charge for consumers;
Amendment 656 #
Proposal for a regulation
Article 31 – paragraph 3 – point i b (new)
Article 31 – paragraph 3 – point i b (new)
(i b) ordering data holders, third parties or data recipients to provide redress, including compensation for damages, to consumers in case of harm;
Amendment 657 #
Proposal for a regulation
Article 31 – paragraph 3 – point i c (new)
Article 31 – paragraph 3 – point i c (new)
(i c) imposing a temporary or definitive limitation including a ban on processing or mandate data sharing to comply with this Regulation;
Amendment 658 #
Proposal for a regulation
Article 31 – paragraph 7
Article 31 – paragraph 7
7. Member States shall ensure that the designated competent authorities are provided with the necessary technical and human resources to adequately carry out their tasks in accordance with this Regulation.
Amendment 663 #
Proposal for a regulation
Article 32 – paragraph 3
Article 32 – paragraph 3
3. Competent authorities shall cooperate to handle and resolve complaints, including by setting reasonable deadlines for adopting formal decisions, ensuring equality of the parties, ensuring the right to be heard from complainants and access to the file throughout the process, exchanging all relevant information by electronic means, without undue delay. This cooperation shall not affect the specific cooperation mechanism provided for by Chapters VI and VII of Regulation (EU) 2016/679.
Amendment 664 #
Proposal for a regulation
Article 32 a (new)
Article 32 a (new)
Article 32 a Collective Representation Without prejudice to Directive (EU) 2020/1828 or to any other type of representation under national law, recipients of intermediary services shall at least have the right to mandate a body, organisation or association to exercise the rights conferred by this Regulation on their behalf, provided the body, organisation or association meets all of the following conditions: (a) it operates on a not-for-profit basis; (b) it has been properly constituted in accordance with the law of a Member State; (c) its statutory objectives include a legitimate interest in ensuring that this Regulation is complied with.
Amendment 670 #
Proposal for a regulation
Article 33 – paragraph 1
Article 33 – paragraph 1
1. Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive, including administrative fines against enterprises of a minimum of 20 000 000 EUR or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Amendment 673 #
Proposal for a regulation
Article 34 a (new)
Article 34 a (new)
Article 34 a Procedural aspects regarding cross- border enforcement of this Regulation 1. Before [one year after the entry into force of this Regulation], the Commission shall adopt a Delegated Act with the view to harmonise procedural aspects of cross- border enforcement to ensure effective and swift redress for consumers and enforcement of this Regulation. These should at least include the following elements: a) Right to lodge a complaint; b) Jurisdiction; c) Definition of "handling a complaint”; d) Deadlines for different stages of the procedure; e) Right to be heard, access to the file and equality of the parties; f) Temporal and material scope of investigations; g) Dispute settlement between authorities in cross-border cases; h) Cooperation with other enforcement networks or regulators at national and EU level, including the European Data Protection Board; i) Any other element identified that ensures effective and swift redress for consumers and enforcement. 2. The Commission shall evaluate whether this Delegated Act should be amended every two years after its adoption.
Amendment 674 #
Proposal for a regulation
Article 41 – paragraph 1 – point a
Article 41 – paragraph 1 – point a
(a) other categories or types of data to be restricted or made accessible;
Amendment 675 #
Proposal for a regulation
Article 41 – paragraph 1 – point a a (new)
Article 41 – paragraph 1 – point a a (new)
(a a) whether additional protections are needed for users;
Amendment 676 #
Proposal for a regulation
Article 41 – paragraph 1 – point b
Article 41 – paragraph 1 – point b
(b) whether the exclusion of certain categories of enterprises as beneficiaries under Article 5from the scope of business to consumer data sharing obligations under Article 7 undermines consumer protection;
Amendment 678 #
Proposal for a regulation
Article 41 – paragraph 1 – point e a (new)
Article 41 – paragraph 1 – point e a (new)
(e a) the efficiency and swiftness of enforcement;
Amendment 679 #
Proposal for a regulation
Article 41 – paragraph 1 – point e b (new)
Article 41 – paragraph 1 – point e b (new)
(e b) whether amendments to this Regulation would be advisable.