Activities of Catherine STIHLER related to 2017/0228(COD)
Plenary speeches (1)
Free flow of non-personal data in the European Union (debate)
Amendments (25)
Amendment 41 #
Proposal for a regulation
Recital 1
Recital 1
(1) The digitisation of the economy is accelerating. Information and Communications Technology (ICT) is no longer a specific sector but the foundation of all modern innovative economic systems and societies. Electronic data is at the centre of those systems and can generate great value when analysed or combined with services and products. At the same time, cybersecurity represents one of the major threats to our societies. Securing network and information systems in the European Union is essential for the further development of the online economy, as well as for ensuring that there is trust in the digital economy as a whole. Consequently, this Regulation and the ENISA Regulation [2017/0225(COD)] need to be fully consistent with one another.
Amendment 46 #
Proposal for a regulation
Recital 3
Recital 3
(3) The freedom of establishment and the freedom to provide services under the Treaty on the Functioning of the European Union apply to data storage or other processing services. However, the provision of those services is hampered or sometimes prevented by certain national or federal requirements to locate data in a specific territory.
Amendment 53 #
Proposal for a regulation
Recital 4
Recital 4
(4) Such obstacles to the free movement of data storage or other processing services and to the right of establishment of data storage or other processing providers originate from requirements in the national or federal laws of Member States to locate data in a specific geographical area or territory for the purpose of storage or other processing. Other rules or administrative practices have an equivalent effect by imposing specific requirements which make it more difficult to store or otherwise process data outside a specific geographical area or territory within the Union, such as requirements to use technological facilities that are certified or approved within a specific Member State. Legal uncertainty as to the extent of legitimate and illegitimate data localisation requirements further limits the choices available to market players and to the public sector regarding the location of data storage or other processing.
Amendment 59 #
Proposal for a regulation
Recital 7
Recital 7
(7) In order to create a framework for the free movement of non-personal data in the Union and the foundation for developing the data economy and enhancing the competitiveness of European industry in compliance with European data protection rules, it is necessary to lay down a clear, comprehensive and predictable legal framework for storage or other processing of data other than personal data in the internal market. A principle-based approach providing for cooperation among Member States as well as self-regulation should ensure that the framework is flexible so that it can take into account the evolving needs of users, providers and national authorities in the Union. In order to avoid the risk of overlaps with existing mechanisms and hence to avoid higher burdens both for Member States and businesses, detailed technical rules should not be established.
Amendment 65 #
Proposal for a regulation
Recital 9
Recital 9
(9) The legal framework on the protection of natural persons with regard to the processing of personal data, in particular Regulation (EU) 2016/67930, and Directive (EU) 2016/68031 and Directive 2002/58/EC32s well as the legal framework on the respect for private life and the protection of personal data in electronic communications, in particular Directive 2002/58/EC32 to be repealed by new regulation 2017/003 (COD)32a should not be affected by this Regulation. _________________ 30 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1). 31 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89). 32 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37). 32aRegulation of the European Parliament and the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC.
Amendment 68 #
Proposal for a regulation
Recital 9 a (new)
Recital 9 a (new)
(9a) This Regulation should not apply to the storage or other processing of electronic data in the case of any intermixture of non-personal data and personal data, or in the case of any combination of non-personal data that could lead to personal data or to identify a person.
Amendment 78 #
Proposal for a regulation
Recital 10 a (new)
Recital 10 a (new)
(10a) Whereas data that is neither personal nor non-personal does not exist by definition, new technological advancements in big data analytics have opened up for the possibility to turn anonymised non-personal data into personal data by comparing and aggregating large quantities of non- personal data. In this case, the line between personal data and non-personal data is not fixed but rather depends upon technological developments and new uses of technologies. In these instances, where non-personal data has become personalised, the data should be treated as such and the provisions laid down in Regulation (EU) 2016/679 should apply accordingly.
Amendment 82 #
Proposal for a regulation
Recital 10 b (new)
Recital 10 b (new)
(10b) The growing availability of Internet of Things (IoT) and the development of machine learning and Artificial Intelligence (AI) goes hand in hand with the proliferation of devices that collect non-personal data. These new technologies are already used in farm productivity, translation, manufacturing robots and navigation systems among others. However, data collected within certain industries could contain both personal and non-personal data and should be treated under the Regulation (EU) 2016/679 and this regulation respectively.
Amendment 83 #
Proposal for a regulation
Recital 10 c (new)
Recital 10 c (new)
(10c) The Commission should provide clear and easily accessible guidelines on the legal treatment of mixed data sets in order for especially SMEs to handle the interaction between this Regulation and Regulation (EU) 2016/679.
Amendment 88 #
Proposal for a regulation
Recital 12
Recital 12
(12) Data localisation requirements represent a clear barrier to the free provision of data storage or other processing services across the Union and to the internal market. As such, they should be banned unless they are justified based on the grounds of public security, as defined by Union law, in particular Article 52 of the Treaty on the Functioning of the European Union, and satisfy the principle of proportionality enshrined in Article 5 of the Treaty on European Union. Regardless of this data storage or other processing of authorities and political bodies of national or federal governments and parliaments should be always considered to be justified for grounds of public security. In order to give effect to the principle of free flow of non-personal data across borders, to ensure the swift removal of existing data localisation requirements and to enable for operational reasons storage or other processing of data in multiple locations across the EU, and since this Regulation provides for measures to ensure data availability for regulatory control purposes, Member States should not be able to invoke justifications other than public security.
Amendment 93 #
Proposal for a regulation
Recital 12 a (new)
Recital 12 a (new)
(12a) The concept of ‘public security’, is understood within the meaning of Article 52 of the TFEU and as interpreted by the European Court of Justice. The concept of ‘public security’ covers both the internal and external security of a Member State. Public security presupposes the existence of a genuine and sufficiently serious threat affecting one of the fundamental interests of society, such as a threat to the functioning of institutions and essential public services and the survival of the population, as well as by risk of a serious disturbance to foreign relations or the peaceful coexistence of nations, or a risk of military interest.
Amendment 102 #
Proposal for a regulation
Recital 14
Recital 14
(14) Moreover, in order to eliminate potential existing barriers, during a transitional period of 12 months, Member States should carry out a review of existing national or federal data localisation requirements and notify to the Commission, together with a justification, any data localisation requirement that they consider being in compliance with this Regulation. These notifications should enable the Commission to assess the compliance of any remaining data localisation requirements.
Amendment 124 #
Proposal for a regulation
Recital 26
Recital 26
(26) Security requirements set at national or federal level should be necessary and proportionate to the risks posed to the security of data storage or other processing in the area in scope of the national law in which these requirements are set.
Amendment 128 #
Proposal for a regulation
Recital 28
Recital 28
(28) The Commission should periodically review this Regulation, in particular with a view to determining the need for modifications in the light of technological or market developments, especially with regards to the development of artificial intelligence, machine learning, Internet of Things, big data analysis among others.
Amendment 141 #
Proposal for a regulation
Article 2 – paragraph 1 a (new)
Article 2 – paragraph 1 a (new)
1a. This Regulation shall not apply to the storage or other processing of electronic data in the case of any intermixture of non-personal data and personal data, or in the case of any combination of non-personal data that can lead to personal data or to identify a person.
Amendment 142 #
Proposal for a regulation
Article 2 – paragraph 1 a (new)
Article 2 – paragraph 1 a (new)
1a. In the case of mixed data sets, this Regulation shall apply to the non- personal data part of the set. Where personal and non-personal data are inextricably linked, this Regulation shall apply without prejudice to Regulation (EU) 2016/679.
Amendment 150 #
Proposal for a regulation
Article 3 – paragraph 1 – point 1 a (new)
Article 3 – paragraph 1 – point 1 a (new)
1a. ‘mixed data set’ means a data set composed of both personal and non- personal data.
Amendment 178 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
2. Where a competent authority has exhausted all applicable means to obtain access to the datadoes not receive access to the data after having contacted the provider of the data storage or processing service, it may request the assistance of a competent authority in another Member State in accordance with the procedure laid down in Article 7, and the requested competent authority shall provide assistance in accordance with the procedure laid down in Article 7, unless it would be contrary to the public order of the requested Member State.
Amendment 203 #
Proposal for a regulation
Article 6 – paragraph 1 a (new)
Article 6 – paragraph 1 a (new)
1a. The Commission shall ensure that the codes of conduct are developed in close cooperation with all relevant stakeholders, including associations of small and medium-sized enterprises and start-ups, users and providers of cloud services.
Amendment 212 #
Proposal for a regulation
Article 6 – paragraph 3
Article 6 – paragraph 3
3. The Commission shall reviewsubmit a report to the European Parliament and to the Council on the development and effective implementation of such codes of conduct and the effective provision of information by providers no later than two years after the start of application of this Regulation. The report shall be accompanied, if appropriate, by legislative proposals.
Amendment 216 #
Proposal for a regulation
Article 7 – paragraph 4 – subparagraph 1 (new)
Article 7 – paragraph 4 – subparagraph 1 (new)
Amendment 218 #
Proposal for a regulation
Article 9 – paragraph 1
Article 9 – paragraph 1
1. No later than [53 years after the date mentioned in Article 10(2)], the Commission shall carry out a review of this Regulation and present a report on the main findings to the European Parliament, the Council and the European Economic and Social Committee. The Commission shall review the implementation of this Regulation in particular in respect of:
Amendment 223 #
Proposal for a regulation
Article 9 – paragraph 1 – point a (new)
Article 9 – paragraph 1 – point a (new)
(a) The application of this Regulation to mixed data sets especially taking into account the development of new technologies such as Internet of Things, artificial intelligence, big data analysis and the process of deanonymising data.
Amendment 226 #
Proposal for a regulation
Article 9 – paragraph 1 – point b (new)
Article 9 – paragraph 1 – point b (new)
(b) The use of the public security exception by Member States as defined in Article 4(1).
Amendment 229 #
Proposal for a regulation
Article 9 – paragraph 2 a (new)
Article 9 – paragraph 2 a (new)
2a. By 6 months after the date of publication of this Regulation the Commission shall provide guidelines on the legal treatment of mixed data sets and the interaction between this Regulation and Regulation (EU) 2016/679.