Activities of Marisa MATIAS related to 2020/0340(COD)
Plenary speeches (1)
Data Governance Act (debate)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act)
Amendments (79)
Amendment 111 #
Proposal for a regulation
Recital 1 a (new)
Recital 1 a (new)
(1 a) Both Article 6(2) of the Treaty on European Union and Article 51 of the EU Charter of Fundamental Rights require the Union to respect fundamental rights, observe the principles and promote the application thereof.
Amendment 125 #
Proposal for a regulation
Recital 3
Recital 3
(3) It is necessary to improve the conditions for data sharing in the internal market, by creating a harmonised framework for data exchanges and developing relocation of data in the Union. Sector- specific legislation can develop, adapt and propose new and complementary elements, depending on the specificities of the sector, such as the envisaged legislation on the European health data space25 and on access to vehicle data. Moreover, certain sectors of the economy are already regulated by sector- specific Union law that include rules relating to cross-border or Union wide sharing or access to data26 . This Regulation is therefore without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council (27 ), and in particular the implementation of this Regulation shall not prevent cross border transfers of data in accordance with Chapter V of Regulation (EU) 2016/679 from taking place, Directive (EU) 2016/680 of the European Parliament and of the Council (28 ), Directive (EU) 2016/943 of the European Parliament and of the Council (29 ), Regulation (EU) 2018/1807 of the European Parliament and of the Council (30 ), Regulation (EC) No 223/2009 of the European Parliament and of the Council (31 ), Directive 2000/31/EC of the European Parliament and of the Council (32 ), Directive 2001/29/EC of the European Parliament and of the Council (33 ), Directive (EU) 2019/790 of the European Parliament and of the Council (34 ), Directive 2004/48/EC of the European Parliament and of the Council (35 ), Directive (EU) 2019/1024 of the European Parliament and of the Council (36 ), as well as Regulation 2018/858/EU of the European Parliament and of the Council (37 ), Directive 2010/40/EU of the European Parliament and of the Council (38 ) and Delegated Regulations adopted on its basis, and any other sector-specific Union legislation that organises the access to and re-use of data. This Regulation should be without prejudice to the access and use of data for the purpose of international cooperation in the context of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. A horizontal regime for the re-use of certain categories of protected data held by public sector bodies, the provision of data sharing services and of services based on data altruism in the Union should be established. Specific characteristics of different sectors may require the design of sectoral data-based systems, while building on the requirements of this Regulation. Where a sector-specific Union legal act requires public sector bodies, providers of data sharing services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act should also apply. _________________ 25 See: Annexes to the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Commission Work Programme 2021 (COM(2020) 690 final). 26For example, Directive 2011/24/EU in the context of the European Health Data Space, and relevant transport legislation such as Directive 2010/40/EU, Regulation 2019/1239 and Regulation (EU) 2020/1056, in the context of the European Mobility Data Space. 27Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (OJ L 119, 4.5.2016, p.1) 28 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. (OJ L 119, 4.5.2016, p.89) 29Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. (OJ L 157, 15.6.2016, p.1) 30 Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union. (OJ L 303, 28.11.2018, p. 59) 31Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities. (OJ L 87, 31.03.2009, p. 164) 32Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000, on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce). (OJ L 178, 17.07.2000, p. 1) 33Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society. (OJ L 167, 22.6.2001, p. 10) 34 Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC. (OJ L 130, 17.5.2019, p. 92) 35Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights. (OJ L 157, 30.4.2004). 36Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information. (OJ L 172, 26.6.2019, p. 56). 37 Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018). 38 Directive 2010/40/EU of the European Parliament and of the Council of 7 July 2010 on the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of transport. (OJ L 207, 6.8.2010, p. 1)
Amendment 135 #
Proposal for a regulation
Recital 5
Recital 5
(5) The idea that data that has been generated at the expense of public budgets should benefit society has been part of Union policy for a long time. Directive (EU) 2019/1024 as well as sector-specific legislation ensure that the public sector makes more of the data it produces easily available for use and re-use. However, certain categories of data (commercially confidential data, data subject to statistical confidentiality, data protected by intellectual property rights of third parties, including trade secrets and personal data not accessible on the basis of specific national or Union legislation, such as Regulation (EU) 2016/679 and Directive (EU) 2016/680) in public databases is often not made available, not even for research or innovative activitiactivities on behalf of general public interest. Due to the sensitivity of this data, certain technical and legal procedural requirements must be met before they are made available, in order to ensure the respect of rights others have over such data. Such requirements are usually time- and knowledge-intensive to fulfil. This has led to the underutilisation of such data. While some Member States are setting up structures, processes and sometimes legislate to facilitate this type of re-use, this is not the case across the Union.
Amendment 140 #
Proposal for a regulation
Recital 6
Recital 6
(6) There are techniques yet to be fully trustable, enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression and randomisation. Application of these privacy-enhancing technologies, together with comprehensive data protection approaches should ensure the safe re-use of personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place within the internal market and supervised by the public sector. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39 ). In general, insofar as personal data are concerned, the processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 of Regulation (EU) 2016/679. _________________ 39Commission Regulation (EU) 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Amendment 152 #
Proposal for a regulation
Recital 11
Recital 11
(11) Conditions for re-use of protected data that apply to public sector bodies competent under national law to allow re- use, and which should be without prejudice to rights or obligations concerning access to such data, should be laid down. Those conditions should be non-discriminatory, proportionate and objectively justified, while not restricting competition. In particular, public sector bodies allowing re- use should have in place the technical means necessary to ensure the protection of rights and interests of third parties. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of others in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate effort for the public sector. Depending on the case at hand, before its transmission, personal data should be fully anonymised, so as to definitively not allow the identification of the data subjects, or data containing commercially confidential information modified in such a way that no confidential information is disclosed. Where provision of anonymised or modified data would not respond to the needs of the re-user, on- premise or remote re-use of the data within a secure processing environment could be permitted. Data analyses in such secure processing environments should be supervised by the public sector body of a Member State, so as to protect the rights and interests of others. In particular, personal data should only be transmitted for re-use to a third party where a legal basis allows such transmission. The public sector body could make the use of such secure processing environment conditional on the signature by the re-user of a confidentiality agreement that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place. The public sector bodies, where relevant, should facilitate the re-use of data on the basis of consent of data subjects or permissions of legal persons on the re-use of data pertaining to them through adequate technical means. In this respect, the public sector body should support potential re-users in seeking such consent by establishing technical mechanisms that permit transmitting requests for consent from re-users, where practically feasible. No contact or any sufficient information should be given that allows re-users to trace back, de-anonymise and contact data subjects or companies directly.
Amendment 158 #
Proposal for a regulation
Recital 14
Recital 14
(14) Companies and data subjects should be able to trust that the re-use of certain categories of protected data, which are held by the public sector, will take place in a manner that respects their rights and interests. Additional safeguards should thus be put in place for situations in which the re-use of such public sector data is taking place on the basis of a processing of the data outside the public sector. Such an additional safeguard could be found in the requirement that public sector bodies should take fully into account the rights and interests of natural and legal persons (in particular the protection of personal data, commercially sensitive data and the protection of intellectual property rights) in case such data is transferred to third countries.
Amendment 161 #
Proposal for a regulation
Recital 15
Recital 15
(15) Furthermore, it is important to protect commercially sensitive data of non- personal nature, notably trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to IP theft or industrial espionage. In order to ensure the protection of fundamental rights or interests of data holders, non-personal data which is to be protected from unlawful or unauthorised access under Union or national law, and which is held by public sector bodies, should be transferred only to third-countries where appropriate safeguards for the use of data are provided. Such appropriate safeguards should be considered to exist when in that third-country there are equivalent measures in place which ensure that non- personal data benefits from a level of protection similar to that applicable by means of Union or national law in particular as regards the protection of trade secrets and the protection of intellectual property rights. To that end, the Commission may adopt implementing acts that declare that a third country provides a level of protection that is essentially equivalent to those provided by Union or national law. The assessment of the level of protection afforded in such third-country should, in particular, take into consideration the relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law concerning the access to and protection of non-personal data, any access by the public authorities of that third country to the data transferred, the existence and effective functioning of one or more independent supervisory authorities in the third country with responsibility for ensuring and enforcing compliance with the legal regime ensuring access to such data, or the third countries’ international commitments regarding the protection of data the third country concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems. The existence of effective legal remedies for data holders, public sector bodies or data sharing providers in the third country concerned is of particular importance in the context of the transfer of non-personal data to that third country. Such safeguards should therefore include the availability of enforceable rights and of effective legal remed and personal data, even anonymised, should not be transferred to third-countries.
Amendment 163 #
Proposal for a regulation
Recital 16
Recital 16
Amendment 168 #
Proposal for a regulation
Recital 17
Recital 17
Amendment 176 #
Proposal for a regulation
Recital 19
Recital 19
(19) In order to build trust in re-use mechanisms, it may be necessary to attach stricter conditions for certain types of non- personal data that have been identified as highly sensitive, as regards the transfer to third countries, if such transfer could jeopardise public policy objectives, in line with international commitments. For example, in the health domain, certain datasets held by actors in the public health system, such as public hospitals, could be identified as highly sensitive health data. In order to ensure harmonised practices across the Union, such types of highly sensitive non-personal public data should be defined by Union law before allowing data transfer, for example in the context of the European Health Data Space or other sectoral legislation. The conditions attached to the transfer of such data to third countries should be laid down in delegated acts. Conditions should be proportionate, non-discriminatory and necessary to protect legitimate public policy objectives identified, such as the protection of public health, public order, safety, the environment, public morals, consumer protection, privacy and personal data protection. The conditions should correspond to the risks identified in relation to the sensitivity of such data, including in terms of the risk of the re- identification of individuals. These conditions could include terms applicable for the transfer or technical arrangements, such as the requirement of using a secure processing environment, limitations as regards the re-use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or who can access the data in the third country. In exceptional cases they could also include restrictions oInsurance companies or any other service provider should not be allowed to use data from e-health applications for the purpose of discriminating in the setting of prices, as this would run counter to the fundamental right of access to health.1a The transfer of such data to third countries should be strictly forbidden. _________________ 1aEuropean Parliament resolution of 25 March 2021 on a European stransfer of the data to third countries to protect the public interest.tegy for data https://www.europarl.europa.eu/doceo/doc ument/TA-9-2021-0098_EN.html
Amendment 182 #
Proposal for a regulation
Recital 20
Recital 20
(20) Public sector bodies should be able to charge fees for the re-use of data but should also be able to decide to make the data available at lower or no cost, for example for certain categories of re-uses such as non-commercial re-use for research, or re-use by small and medium- sized enterprises, so as to incentivise such re-use in order to stimulate research and innovation and support companiesgeneral objectives of the Union in the framework of the Green Deal, the twin transition or other legal commitments for the Union’s strategic autonomy that are an important source of innovation and typically find it more difficult to collect relevant data themselves, in line with State aid rules. Such fees are intended to cover the costs incurred by public sector bodies in collecting, storing and sharing of data and should be reasonable, transparent, published online and non- discriminatory.
Amendment 190 #
Proposal for a regulation
Recital 21
Recital 21
(21) In order to incentivise the re-use of these categories of data, Member States should establish a single information point to act as the primary interface for re-users that seek to re-use such data held by the public sector bodies. It should have a cross-sector remit, and should complement, if necessary, arrangements at the sectoral level. In addition, Member States should designate, establish or facilitate the establishment of competent bodies to support the activities of public sector bodies allowing re-use of certain categories of protected data. Their tasks may include granting access to data, where mandated in sectoral Union or Member States legislation. Those competent bodies should provide support to public sector bodies with state-of-the-art techniques, including secure data processing environments in the Union, which allow data analysis in a manner that preserves the privacy of the information. Such support structure could support the data holders with management of the consent, including consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data processing should be performed under the responsibility of the public sector body responsible for the register containing the data, who remains a data controller in the sense of Regulation (EU) 2016/679 insofar as personal data are concerned. Member States may have in place one or several competent bodies, which could act in different sectors.
Amendment 195 #
Proposal for a regulation
Recital 22
Recital 22
(22) Providers of data sharing services (data intermediaries) are expected to play a key role in the data economy, as a tool to facilitate the aggregation and exchange of substantial amounts of relevant data. Data intermediaries offering services that connect the different actors have the potential to contribute to the efficient pooling of data as well as to the facilitation of bilateral data sharing. Specialised data intermediaries that are independent from both data holders and data users can have a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power. This Regulation should only cover providers of data sharing services that have as a main objective the establishment of a business, a legal and potentially also technical relation between data holders, including data subjects, on the one hand, and potential users on the other hand, and assist both parties in a transaction of data assets between the two. It should only cover services aiming at intermediating between an indefinite number of data holders and data users, excluding data sharing services that are meant to be used by a closed group of data holders and users. Providers of cloud services should be exincluded, as well as service providers that obtain data from data holders, aggregate, enrich or transform the data and licence the use of the resulting data to data users, without establishing a direct relationship between data holders and data users, for example advertisement or data brokers, data consultancies, providers of data products resulting from value added to the data by the service provider. At the same time, data sharing service providers should be allowed to make adaptations to the data exchanged, to the extent that this improves the usability of the data by the data user, where the data user desires this, such as to convert it into specific formats. In addition, services that focus on the intermediation of content, in particular on copyright-protected content, should not be covered by this Regulation. Data exchange platforms that are exclusively used by one data holder in order to enable the use of data they hold as well as platforms developed in the context of objects and devices connected to the Internet-of-Things that have as their main objective to ensure functionalities of the connected object or device and allow value added services, should not be covered by this Regulation. ‘Consolidated tape providers’ in the sense of Article 4 (1) point 53 of Directive 2014/65/EU of the European Parliament and of the Council42 as well as ‘account information service providers’ in the sense of Article 4 point 19 of Directive (EU) 2015/2366 of the European Parliament and of the Council43 should not be considered as data sharing service providers for the purposes of this Regulation. Entities which restrict their activities to facilitating use of data made available on the basis of data altruism and that operate on a not-for-profit basis should not be covered by Chapter III of this Regulation, as this activity serves objectives of general interest by increasing the volume of data available for such purposes. _________________ 42Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU, OJ L 173/349. 43Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
Amendment 197 #
Proposal for a regulation
Recital 23
Recital 23
(23) A specific category of data intermediaries includes providers of data sharing services that offer their services to data subjects in the sense of Regulation (EU) 2016/679. Such providers focus exclusively on personal data and seek to enhance individual agency and the individuals’ control over the data pertaining to them. They would assist individuals in exercising their rights under Regulation (EU) 2016/679, in particular managing their consent to data processing, the right of access to their own data, the right to the rectification of inaccurate personal data, the right of erasure or right ‘to be forgotten’, the right to withdraw their consent, the right to restrict processing and the data portability right, which allows data subjects to move their personal data from one controller to the other. In this context, it is important that their business model ensures that there are no misaligned incentives that encourage individuals to make more data available for processing than what is in the individuals’ own interest. This could include advising individuals on uses of their data they could allow and making due diligence checks on data users before allowing them to contact data subjects, in order to avoid fraudulent practices. In certain situations, it could be desirable to collate actual data within a personal data storage space, or ‘personal data space’ so that processing can happen within that space without personal data being transmitted to third parties in order to maximise the protection of personal data and privacy.
Amendment 236 #
Proposal for a regulation
Recital 36
Recital 36
(36) Legal entities that seek to support purposes of general interest by making available relevant data based on data altruism at scale and meet certain requirements, should be able to register as ‘Data Altruism Organisations recognised in the Union’. This could lead to the establishment of data repositories. As registration in a Member State would be valid across the Union, and this should facilitate cross-border data use within the Union and the emergence of data pools covering several Member States. Data subjects in this respect would consent to specific purposes of data processing, but could also consent to data processing in certain areas of research or parts of research projects as it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Legal persons could give permission to the processing of their non-personal data for a range of purposes not defined at the moment of giving the permission. The voluntary compliance of such registered entities with a set of requirements should bring trust that the data made available on altruistic purposes is serving a general interest purpose. Such trust should result in particular from a place of establishment within the Union, as well as from the requirement that registered entities have a not-for-profit character, from transparency requirements and from specific safeguards in place to protect rights and interests of data subjects and companies. Further safeguards should include making it possible to process relevant data within a secure processing environment within the Union and operated by the registered entity, oversight mechanisms such as ethics councils or boards to ensure that the data controller maintains high standards of scientific ethics, effective technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under Regulation (EU) 2016/679 as well as means for data subjects to stay informed about the use of data they made available.
Amendment 241 #
Proposal for a regulation
Recital 37 a (new)
Recital 37 a (new)
(37 a) This Regulation is without prejudice to the establishment, organisation and functioning of entities other than Public Sector bodies that engage in the sharing of data and content on the basis of open licenses, thereby contributing to the creation of commons resources available to all. This includes open collaborative knowledge sharing platforms, open access scientific and academic repositories, open source software development platforms and Open Access content aggregation platforms. Organisations building such open Access commons knowledge repositories play an important role in the online infrastructure. Nothing in this Regulation should therefore be interpreted to limit the ability of non-profit organisations to make data and content available to the public under open licenses.
Amendment 243 #
Proposal for a regulation
Recital 38
Recital 38
(38) Data Altruism Organisations recognised in the Union should be able to collect relevant data directly from natural and legal persons established in the Union or to process data collected by others. Typically, data altruism would rely on consent of data subjects in the sense of Article 6(1)(a) and 9(2)(a) and in compliance with requirements for lawful consent in accordance with Article 7 of Regulation (EU) 2016/679. In accordance with Regulation (EU) 2016/679, scientific research purposes can be supported by consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research or only to certain areas of research or parts of research projects. Article 5(1)(b) of Regulation (EU) 2016/679 specifies that further processing for scientific or historical research purposes or statistical purposes should, in accordance with Article 89(1) of Regulation (EU) 2016/679, not be considered to be incompatible with the initial purposes.
Amendment 254 #
Proposal for a regulation
Recital 40
Recital 40
(40) In order to successfully implement the data governance framework, a European Data Innovation Board shcould be established, in the form of an expert group. The Board should consist of representatives of the Member States, the Commission, European social partners, and representatives of relevant data spaces and specific sectors (such as health, agriculture, transport and statistics), including civil society organisations. The European Data Protection Board should be invited to appoint a representative to the European Data Innovation Board.
Amendment 261 #
Proposal for a regulation
Recital 41
Recital 41
(41) The Board should support the Commission in coordinating national practices and policies on the topics covered by this Regulation, and in supporting cross- sector data use by adhering to the European Interoperability Framework (EIF) principles and through the utilisation of open standards and specifications (such as the Core Vocabularies44 and the CEF Building Blocks45 ), without prejudice to standardisation work taking place in specific sectors or domains. Work on technical standardisation may include the identification of priorities for the development of standards and establishing and maintaining a set of technical and legal standards for transmitting data between two processing environments that allows data spaces to be organised without making recourse to an intermediary. The Board should cooperate with sectoral bodies, networks or expert groups, or other cross- sectoral organisations dealing with re-use of data. Regarding data altruism, the Board should assist the Commission in theEuropean Data Protection Board (EDPB) should development of the data altruism consent form, in consultation with the European Data ProtectionCommission and the Board. _________________ 44 https://joinup.ec.europa.eu/collection/sema ntic-interoperability-community- semic/core-vocabularies 45 https://joinup.ec.europa.eu/collection/conn ecting-europe-facility-cef
Amendment 269 #
Proposal for a regulation
Recital 43
Recital 43
(43) In order to take account of the specific nature of certain categories of data, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to lay down special conditions applicable forprinciple of strategic autonomy of the Union, the transfers to third-countries of certain non- personal data categories deemed to be highly sensitive in specific Union acts adopted though a legislative procedureand personal data is forbidden. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
Amendment 270 #
Proposal for a regulation
Recital 44
Recital 44
(44) This Regulation should not affect the application of the rules on competition, and in particular Articles 101 and 102 of the Treaty on the Functioning of the European Union. TUnless for general interest, the measures provided for in this Regulation should not be used to restrict competition and GDPR in a manner contrary to the Treaty on the Functioning of the European Union. This concerns in particular the rules on the exchange of competitively sensitive information between actual or potential competitors through data sharing services.
Amendment 272 #
Proposal for a regulation
Recital 45 a (new)
Recital 45 a (new)
(45 a) The European Data Protection Supervisor and the European Data Protection Board have expressed serious concerns in their Joint opinion from 10th March 2021, underlying that the proposal “does not duly take into account the need to ensure and guarantee the level of protection of personal data provided under EU law” and “raises serious concerns from a fundamental rights viewpoint”. Following this opinion, the institutions committed to reinforce disposition in the Regulation to protect GDPR enforcement.
Amendment 274 #
Proposal for a regulation
Recital 46
Recital 46
(46) This Regulation respects the fundamental rights and observes the principles recognised in particular by the CharterEuropean Charter of Fundamental Rights, including the right to privacy, the protection of personal data, the freedom to conduct a business, the right to property and the integration of persons with disabilities,
Amendment 275 #
Proposal for a regulation
Recital 46 a (new)
Recital 46 a (new)
(46 a) In the event of any doubt over the interpretation of the provisions of this Regulation or any contradiction or conflict relating to personal data protection, the provisions of the General Data Protection Regulation shall take precedence.
Amendment 280 #
Proposal for a regulation
Article 1 – paragraph 2
Article 1 – paragraph 2
(2) This Regulation is without prejudice to specific provisions in other Union legal acts regarding access to or re- use of certain categories of data, or requirements related to processing of personal or non-personal data. Where a sector-specific Union legal act requires public sector bodies, providers of data sharing services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act shall also apply. The Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) applies to any form of further use of data. In this respect, sensitive personal data shall not be re-used for security reasons.
Amendment 288 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
Article 1 – paragraph 2 a (new)
(2 a) The re-use of employee data shall be prohibited. To this end, it must be ensured that public service data do not contain employee data, such as in the area of mobility. The full respect of Article 88 of GDPR must be upheld.
Amendment 289 #
Proposal for a regulation
Article 1 a (new)
Article 1 a (new)
Article 1 a This Regulation leaves intact and in no way affects the level of protection of individuals with regard to the processing of personal data under the provisions of Union and national law. The Regulation does not alter any obligations and rights set out in the data protection legislation.
Amendment 294 #
Proposal for a regulation
Article 2 – paragraph 1 – point 2
Article 2 – paragraph 1 – point 2
(2) ‘re-use’ means the use by natural or legal persons of data held by public sector bodies established in the Union, for commercial or non-commercial purposes other than the initial purpose within the public task for which the data were produced, except for the exchange of data between public sector bodies purely in pursuit of their public tasks;
Amendment 303 #
Proposal for a regulation
Article 2 – paragraph 1 – point 4
Article 2 – paragraph 1 – point 4
(4) ‘metadata’ means non personal or anonymised data collected on any activity of a natural or legal person for the purposes of the provision of a data sharing service, including the date , time and geolocation data, duration of activity, connections to other natural or legal persons established by the person who uses the service;
Amendment 306 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘data holder’ means a legal person or data subject who, in accordance with applicable Union or national law, has the right to grant access to or to share certain personal or non-personal data under its control;
Amendment 312 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) ‘data sharing’ means the provision by a data holder of data to a data user for the purpose of joint or individual use of the shared data, based on voluntary agreements, directly or through an intermediary;. Insofar as personal data are concerned, their processing must always be based on an adequate legal basis under Article 6 of the GDPR.
Amendment 320 #
Proposal for a regulation
Article 2 – paragraph 1 – point 8
Article 2 – paragraph 1 – point 8
(8) ‘access’ means processing by a data user of data established in the Union that has been provided by a data holder, in accordance with specific technical, legal, or organisational requirements, without necessarily implying the transmission or downloading of such data;
Amendment 324 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘data altruism’ means the consent by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non- personal data without seeking a reward, for purposes of general interest, such as the Green Deal and Paris Agreement, via scientific research purposes or improving public services and services of general interest ;
Amendment 328 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10 a (new)
Article 2 – paragraph 1 – point 10 a (new)
(10 a) ‘Consent’ means, as provided by the GDPR, consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. A data subject has the right to withdraw consent at any time. The processing of personal data shall be lawful only if and to the extent that at least one of the legal basis under Article 6(1) of the GDPR applies.
Amendment 330 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10 b (new)
Article 2 – paragraph 1 – point 10 b (new)
(10 b) ‘General interest’ means the best interest of the community as a whole in the pursuit of common good and core objectives and values of the Union, supported and limited by citizens' rights and guarantees enshrined in the Treaties and other European or international legislation such as the Green Deal or Paris Agreement;
Amendment 335 #
Proposal for a regulation
Article 2 – paragraph 1 – point 14
Article 2 – paragraph 1 – point 14
(14) ‘secure processing environment’ means the physical or virtual environment and organisational means to provide the opportunity to re-use data in a manner that allows for the operator of the secure processing environment to determine and supervise all data processing actions within the Union, including to display, storage, download, export of the data and calculation of derivative data through computational algorithms as well as protection against cyber-attacks.
Amendment 341 #
Proposal for a regulation
Article 3 – paragraph 1 – point d
Article 3 – paragraph 1 – point d
Amendment 345 #
Proposal for a regulation
Article 3 – paragraph 2 – point e a (new)
Article 3 – paragraph 2 – point e a (new)
(e a) (f) data processed in the context of employment.
Amendment 346 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
(2 a) personal data
Amendment 365 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
(2) Conditions for re-use shall be lawful, transparent, non- discriminatory, proportionate and objectively justified with regard to categories of data and purposes of re-use and the nature of the data for which re-use is allowed. These conditions shall not be used to restrict competition.
Amendment 367 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
(3) Public sector bodies mayshall impose an obligation to re-use only pre-processed data where such pnon-personal data and that data containing trade secrets are- processing aims to anonymize or pseudonymise personal data or delete commercially confidential information, including trade secretsed accordingly. It must be ensured that companies do not have direct access to protected data and that, as a consequence, anonymisation or pseudonymisation cannot be carried out by them.
Amendment 372 #
Proposal for a regulation
Article 5 – paragraph 4 – introductory part
Article 5 – paragraph 4 – introductory part
(4) Public sector bodies mayshall impose obligations in all circumstances to both
Amendment 375 #
Proposal for a regulation
Article 5 – paragraph 4 – point a
Article 5 – paragraph 4 – point a
(a) to access and re-use the data within a secure processing environment provided and controlled by the public sector within the Union ;
Amendment 380 #
Proposal for a regulation
Article 5 – paragraph 4 – point b
Article 5 – paragraph 4 – point b
(b) to access and re-use the data within the physical premises in which the secure processing environment is located, if remote access cannot be allowed without jeopardising the rights and interests of third partiesn accordance with high security standards to be established and continuously monitored.
Amendment 381 #
Proposal for a regulation
Article 5 – paragraph 4 – point b a (new)
Article 5 – paragraph 4 – point b a (new)
(b a) (c) to consult DPAs and/or the European Data Protection Board (EDPB) to guarantee anonymisation or pseudonymise personal data.
Amendment 383 #
Proposal for a regulation
Article 5 – paragraph 5
Article 5 – paragraph 5
(5) The public sector bodies shall impose conditions that preserve the integrity of the functioning of the technical systems of the secure processing environment used. The public sector body shall be able to verify any results of processing of data undertaken by the re- user and reserve the right to prohibit the use of results that contain information jeopardising the rights and interests of third parties. To this end, the public sector bodies shall be equipped with the necessary human and financial resources for monitoring and law enforcement.
Amendment 396 #
Proposal for a regulation
Article 5 – paragraph 9
Article 5 – paragraph 9
Amendment 403 #
Proposal for a regulation
Article 5 – paragraph 10
Article 5 – paragraph 10
Amendment 408 #
Proposal for a regulation
Article 5 – paragraph 11
Article 5 – paragraph 11
Amendment 414 #
Proposal for a regulation
Article 5 – paragraph 12
Article 5 – paragraph 12
Amendment 415 #
Proposal for a regulation
Article 5 – paragraph 13
Article 5 – paragraph 13
Amendment 418 #
Proposal for a regulation
Article 6 – paragraph 1
Article 6 – paragraph 1
(1) Public sector bodies which allow re-use of the categories of data referred to in Article 3 (1) may charge fees for allowing the re-use of such data, to the exception of personal data that belongs solely to data subjects.
Amendment 420 #
Proposal for a regulation
Article 6 – paragraph 2
Article 6 – paragraph 2
(2) Any fees shall be non- discriminatory, proportionate and objectively justified and shall not restrict competitionat least cover the costs of monitoring and enforcement. They shall not create incentives to sell or lower the protection of sensitive data.
Amendment 423 #
Proposal for a regulation
Article 6 – paragraph 3
Article 6 – paragraph 3
(3) Public sector bodies shall ensure that any fees can be paid online through widely available cross-border payment services, without discrimination based on the place of establishment of the payment service provider within the internal market, the place of issue of the payment instrument or the location of the payment account within the Union.
Amendment 426 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
(4) Where they apply fees, public sector bodies shall take measures to incentivise the re-use of the categories of data referred to in Article 3 (1) for non- commercial purposes and by small and medium-sized enterprises in line with State aid rules. In that regard, public sector bodies are encourage to make the data available at a discounted fee or free of charge for all actors, in particular cooperatives.
Amendment 435 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
(1) Member States shall designate one or more competent bodies, which may be sectoraldata protection authorities, to support the public sector bodies which grant access to the re-use of the categories of data referred to in Article 3 (1) in the exercise of that task.
Amendment 441 #
Proposal for a regulation
Article 7 – paragraph 2 – point c
Article 7 – paragraph 2 – point c
(c) assisting the public sector bodies, where relevant, in obtaining consent or permission by re-users for re-use for altruistic and other purposes in line with specific decisions of data holdersGDPR rules on consent, including on the jurisdiction or jurisdictions in which the data processing is intended to take place;
Amendment 444 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
(4) The competent body or bodies shall have adequate human resources as well as legal and technical capacities and expertise to be able to comply with relevant Union or national law concerning the access regimes for the categories of data referred to in Article 3 (1), so that data protection, privacy and confidentiality are fully respected. The competences and resources of the competent body or bodies shall prohibit unjustifiable outsourcing.
Amendment 473 #
Proposal for a regulation
Article 9 – paragraph 2 a (new)
Article 9 – paragraph 2 a (new)
(2 a) A mandatory certification system shall be provided for data intermediaries in order to limit the risks associated with the central role of data intermediaries and thus increase trust in these organisations and their activities.
Amendment 511 #
Proposal for a regulation
Article 11 – paragraph 1 – point 5
Article 11 – paragraph 1 – point 5
(5) the provider must ensure and shall have procedures in place to prevent fraudulent or abusive practices in relation to access to data from parties seeking access through their services and is liable for damages resulting from security breaches;
Amendment 532 #
Proposal for a regulation
Article 12 – paragraph 1
Article 12 – paragraph 1
(1) Each Member State shall designate in its territory one or more authorities competent, including its data protection authority, to carry out the tasks related to the notification framework and shall communicate to the Commission the identity of those designated authorities by [date of application of this Regulation]. It shall also communicate to the Commission any subsequent modification.
Amendment 537 #
Proposal for a regulation
Article 13 – paragraph 2
Article 13 – paragraph 2
(2) The competent authority shall have the power to request from providers of data sharing services all the information that is necessary to verify compliance with the requirements laid down in Articles 10 and 11. Any request for information shall be proportionate to the performance of the task and shall be reasoned. In case a data sharing service does not submit a notification, he is submitted to Article 31.
Amendment 551 #
Proposal for a regulation
Article 14 – paragraph 1
Article 14 – paragraph 1
This Chapter shall not apply to not-for- profit entities whose activities consist only in seeking to collect data for objectives of general interest, made available by natural or legal persons on the basis of data altruismorganisations that collect data which is released under non- exclusive free licenses for the benefit of any users and hence should explicitly be recognised as compatible with general interest.
Amendment 572 #
Proposal for a regulation
Article 16 – paragraph 1 – point a a (new)
Article 16 – paragraph 1 – point a a (new)
(a a) fit definition of data altruism under article 2-10
Amendment 582 #
Proposal for a regulation
Article 17 – paragraph 1
Article 17 – paragraph 1
(1) Any entity which meets the requirements of Article 2 (10) and 16 may request to be entered in the register of recognised data altruism organisations referred to in Article 15 (1).
Amendment 585 #
Proposal for a regulation
Article 17 – paragraph 3
Article 17 – paragraph 3
Amendment 606 #
Proposal for a regulation
Article 19 – paragraph 1 – introductory part
Article 19 – paragraph 1 – introductory part
(1) A mandatory authorisation framework for data altruistic organisations shall be provided to ensure a higher level of trust. Any entity entered in the register of recognised data altruism organisations shall inform data holders:
Amendment 613 #
Proposal for a regulation
Article 19 – paragraph 1 – point b
Article 19 – paragraph 1 – point b
Amendment 619 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
(2) The entity shall also ensure that the data is not be used for other purposes than those of general interest for which it permits the processing. Safeguards shall be provided to ensure that misleading marketing practices are not used to solicit donations of data. Possibilities for sanctions shall be provided for when acting against public interests, according to national laws.
Amendment 629 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
(1) Each Member State shall designate one or more competentits data protection authorities responsible for the register of recognised data altruism organisations and for the monitoring of compliance with the requirements of this Chapter. The designated competent authorities shall meet the requirements of Article 23.
Amendment 634 #
Proposal for a regulation
Article 21 – paragraph 1
Article 21 – paragraph 1
(1) The competentdata protection authorityies shall monitor and supervise compliance of entities entered in the register of recognised data altruism organisations with the conditions laid down in this Chapter.
Amendment 646 #
Proposal for a regulation
Article 22 – paragraph 1
Article 22 – paragraph 1
(1) In order to facilitate the collection of data based on data altruism, the Commission may adopt implementing actsEuropean Data Protection Board (EDPB) may developing a European data altruism consent form. The Commission may be consulted. The form shall allow the collection of consent across Member States in a uniform format. Those implementing acts shall be adopted in accordance with the advisory procedure referred to in Article 29 (2).
Amendment 671 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
(1) The Commission shall establish a European Data Innovation Board (“the Board”) in the form of an Expert Group, consisting of the representatives of competent authorities of all the Member States, the European Data Protection Board, the Commission, relevant data spaceEuropean social partners, civil society organisations and other representatives of competent authorities in specific sectors.
Amendment 674 #
Proposal for a regulation
Article 26 – paragraph 1 a (new)
Article 26 – paragraph 1 a (new)
(1 a) The composition shall guarantee a fair distribution of the different third parties between public actors including the Commission, private actors as well as civil society and social partners;
Amendment 680 #
Proposal for a regulation
Article 26 – paragraph 2
Article 26 – paragraph 2
(2) Stakeholders and relevant third parties may be invited to attend meetings of the Board and to participate in its work provided a public report of their communication to the Board.
Amendment 716 #
Proposal for a regulation
Article 28 – paragraph 6
Article 28 – paragraph 6
(6) A delegated act adopted pursuant to Article 5 (11) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of three months of notification of that act to the European Parliament and to the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by three months at the initiative of the European Parliament or of the Council.
Amendment 718 #
Proposal for a regulation
Article 30 – paragraph 1
Article 30 – paragraph 1
(1) The public sector body, the natural or legal person to which the right to re-use data was granted under Chapter 2, the data sharing provider or the entity entered in the register of recognised data altruism organisations, as the case may be, shall take all reasonable technical, legal and organisational measures in order to preventforbid transfer or access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the law of the relevant Member State, unless the transfer or access are in line with paragraph 2 or 3.
Amendment 727 #
Proposal for a regulation
Article 30 – paragraph 4
Article 30 – paragraph 4
(4) If the conditions in paragraph 2, or 3 are met, the public sector body, the natural or legal person to which the right to re-use data was granted under Chapter 2, the data sharing provider or the entity entered in the register of recognised data altruism organisations, as the case may be, shall, provide the minimum amount of non-personal data permissible in response to a request, based on a reasonable interpretation of the request.
Amendment 735 #
Proposal for a regulation
Article 32 – paragraph 1
Article 32 – paragraph 1
By [fourtwo years after the data of application of this Regulation], the Commission shall carry out an evaluation of this Regulation, and submit a report on its main findings to the European Parliament and to the Council as well as to the European Economic and Social Committee, DPAs and the European Data Protection Board (EDPB). Member States shall provide the Commission with the information necessary for the preparation of that report.