BETA

Activities of Cornelia ERNST related to 2022/0047(COD)

Shadow opinions (1)

2023/02/02
Committee: LIBE
Dossiers: 2022/0047(COD)
Documents: PDF(375 KB) DOC(243 KB)
Authors: [{'name': 'Sergey LAGODINSKY', 'mepid': 197460}]

Amendments (63)

Proposal for a regulation
Recital 1

(1) In recent years, data-driven technologies have had transformative effects on all sectors of the economy. The proliferation in products connected to the Internet of Things in particular has increased the volume and potential value of data for consumers, businesses and society. High quality and interoperable data from different domains increase competitiveness and innovation and ensure sustainable economic growth. The same dataset may potentially be used and reused for a variety of purposes and to an unlimited degree, without any loss in its quality or quantity.deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 2

(2) Barriers to data sharing prevent an optimal allocation of data to the benefit of society. These barriers include a lack of incentives for data holders to enter voluntarily into data sharing agreements, uncertainty about rights and obligations in relation to data, costs of contracting and implementing technical interfaces, the high level of fragmentation of information in data silos, poor metadata management, the absence of standards for semantic and technical interoperability, bottlenecks impeding data access, a lack of common data sharing practices and abuse of contractual imbalances with regards to data access and use.deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 3

(3) In sectors characterised by the presence of micro~~, small and medium- sized~~ and small enterprises, there is often a lack of digital capacities and skills to collect, analyse and use data~~, and access is frequently restricted where one actor holds it in the system or due to a lack of interoperability between data, between data services or across borders~~.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 4

(4) I~~n order to respond to the needs of the digital economy and to remove barriers to a well-functioning internal market for data, i~~t is necessary to lay down a harmonised framework specifying who, other than the manufacturer or other data holder is entitled to access the data generated by products or related services, under which conditions and on what basis. Accordingly, Member States should not adopt or maintain additional national requirements on those matters falling within the scope of this Regulation, unless explicitly provided for in this Regulation, since this would affect the direct and uniform application of this Regulation.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 5

(5) This Regulation ensures that users of a product or related service in the Union can access, in a timely manner, the data generated by the use of that product or related service and that those users can use the data, including by sharing them with third parties of their choice. It imposes the obligation on the data holder to make data available to users and third parties nominated by the users in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and in a transparent manner. ~~Private law rules are key in the overall framework of data sharing.~~ Therefore, this Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair data access and use for micro, small or medium-sized enterprises within the meaning of Recommendation 2003/361/EC. This Regulation also ensures that data holders make available to public sector bodies of the Member States and to Union institutions, agencies or bodies, where there is an exceptional need, the data that are necessary for the performance of tasks carried out in the public interest. In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and data sharing mechanisms and services in the Union. This Regulation should not be interpreted as recognising or creating any legal basis for the data holder to hold, have access to or process data, or as conferring any new right on the data holder to use data generated by the use of a product or related service. ~~Instead, it takes as its starting point the control that the data holder effectively enjoys, de facto or de jure, over data generated by products or related services.~~

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 6

(6) Data generation is the result of the actions of at least two actors, the designer or manufacturer of a product and the user of that product. It gives rise to questions of the protection of privacy and fairness in the digital economy, because the data recorded by such products or related services are an important input for aftermarket, ancillary and other services. In order to realise the important economic benefits of data as a non-rival good for the economy and society, a general approach to assigning access and usage rights on data is preferable to awarding exclusive rights of access and use.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 8

(8) The principles of data minimisation and data protection by design and by default are essential wfor then processing involves significant risks to the fundamental rights of individuals. Taking into account the state of the art, all parties to data sharing, including where within scope of this Regulation, should implement technical and organisational measures to protect these rights. Such measures include not only pseudonymisation and encryption, but also the use of increasingly available technology that permits algorithms to be brought to the data and allow valuable insights to be derived without the transmission between parties or unnecessary copying of the raw or structured data themselvestection of privacy. All parties to data sharing, should implement technical and organisational measures to protect these rights. Such measures include, among others, pseudonymisation and anonymisation.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 8 a (new)

(8 a) The goal of anonymisation is to sever the link between personal data and the data subject and to prevent re- identification. Anonymised data is formerly personal data that has been processed in such a way as to remove its reference to a natural person. Anonymity is achieved where information that used to relate to an identified or identifiable natural person is highly improbable to be reattributed to said natural person in practice. In order to determine the probability of re-identification, the knowledge directly or indirectly available to the controller, a risk prognosis based on the state of the art of data processing and the foreseeable technical developments during the period of data storage as well as the likely time and effort of re-identification must be taken into account. The knowledge and capabilities of third parties are only to be taken into account insofar as their involvement is reasonably likely. Data is anonymous if the probability of attribution to a data subject is sufficiently low in view of the ratio of benefit to the effort of re-identification according to general life experience or the state of the art and in view of the respective threat to the rights and freedoms of the data subject. Anonymisation and de- anonymisation constitute processing of personal data as defined in Article 4 (2) of Regulation (EU) 2016/679. The principle of data minimisation requires that personal data must be anonymised where the purpose or purposes for which they are processed can be fulfilled without the use of personal data.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 10

(10) This Regulation is without prejudice to Union legal acts providing for the sharing of, the access to and the use of data for the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, or for customs and taxation purposes, irrespective of the legal basis under the Treaty on the Functioning of the European Union on which basis they were adopted. Such acts include Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online, ~~the [e-evidence proposals [COM(2018) 225 and 226] once adopted]~~, the [Proposal for] a Regulation of the European Parliament and of the Council on a Single Market For Digital Services (Digital Services Act) and amending Directive 2000/31/EC, as well as international cooperation in this context in particular on the basis of the Council of Europe 2001 Convention on Cybercrime (“Budapest Convention”). This Regulation is without prejudice to the competences of the Member States regarding activities concerning public security, defence and national security, in ~~accordance with Union law, and activities from customs on risk management and in general, verification of compliance with the Customs Code by economic operators~~so far as these activities fall outside the scope of Union law.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 13

(13) This Regulation is without prejudice to the competences of the Member States regarding activities concerning public security, defence and national security in ~~accordance with Union law, and activities from customs on risk management and in general, verification of compliance with the Customs Code by economic operators~~so far as these activities fall outside the scope of Union.

2022/11/17
Committee: LIBE

(14) Physical products that obtain, generate or collect, by means of their components, data concerning their performance, use or environment and that are able to communicate that data via a publicly available electronic communications service (often referred to as the Internet of Things) should be covered by this Regulation. Electronic communications services include land- based telephone networks, television cable networks, satellite-based networks and near-field communication networks. Such products may include vehicles, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery. The data represent the digitalisation of user actions and events and should accordingly be accessible to the user, while information derived or inferred from this data, where lawfully held, should not be considered within scope of this Regulation. Such data are potentially valuable to the user and support innovation and the development of digital and other services protecting the environment, health and the circular economy, in particular though facilitating the maintenance and repair of the products in question.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 18

(18) The user of a product should be understood as the legal or natural person, such as a business or consumer, which has purchased, rented or leased the product. Depending on the legal title under which he or she uses it, such a user bears the risks and enjoys the benefits of using the connected product and should enjoy also the access to the data it generates. The user should therefore be entitled to derive benefit from data generated by that product and any related service. A product or service may have been purchased, rented or leased by a business, and provided or otherwise made available to one or more employees. Where such provision of a product or service results in the data concerned to be personal data, such data are subject to applicable Union law, in particular on the protection of personal data, of privacy, and the protection of employees.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 18 a (new)

(18 a) Where the right to access data is exercised by a legal person, the notion of ‘right’ is understood to describe the claim to the obligation of the data holder to provide access to data to a recipient as laid down in this Regulation, subject to all conditions and limits of Union law on the protection of personal data.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 28

(28) The user should be free to use the data for any lawful purpose. This includes providing the data the user has received exercising the right under this Regulation to a third party offering an aftermarket service that may be in competition with a service provided by the data holder, or to instruct the data holder to do so. The data holder should ensure that the data made available to the third party is as accurate, complete, reliable, relevant and up-to-date as the data the data holder itself may be able or entitled to access from the use of the product or related service. Any trade secrets or intellectual property rights should be respected in handling the data. It is important to preserve incentives to invest in products with functionalities based on the use of data from sensors built into that product. The aim of this Regulation should accordingly be understood as to foster the development of new, innovative products or related services, stimulate innovation on aftermarkets, but also stimulate the development of entirely novel services making use of the data, including based on data from a variety of products or related services. At the same time, it aims to avoid undermining the investment incentives for the type of product from which the data are obtained, for instance, by the use of data to develop a competing product.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 30

(30) The use of a product or related service may, in particular when the user is a natural person, generate data that relates to an identified or identifiable natural person (the data subject). Processing of such data is subject to the rules established under Regulation (EU) 2016/679, including where personal and non-personal data in a data set are inextricably linked64 . The data subject may be the user or another natural person. Personal data may only be requested by a controller or a data subject. A user who is the data subject is under certain circumstances entitled under Regulation (EU) 2016/679 to access personal data concerning them, and such rights are unaffected by this Regulation. Under this Regulation, the user who is a natural person is further entitled to access all data generated by the product, personal and non-personal. Where the user is not the data subject but an enterprise, including a sole trader, and not in cases of shared household use of the product, the user will be a controller within the meaning of Regulation (EU) 2016/679. Accordingly, such a user as controller intending to request personal data generated by the use of a product or related service is required to have a legal basis for processing the data under Article 6(1) of Regulation (EU) 2016/679, such as the consent of the data subject or legitimate interest. This user should ensure that the data subject is appropriately informed of the specified, explicit and legitimate purposes for processing those data, and how the data subject may effectively exercise their rights. Where the data holder and the user are joint controllers within the meaning of Article 26 of Regulation (EU) 2016/679, they are required to determine, in a transparent manner by means of an arrangement between them, their respective responsibilities for compliance with that Regulation. It should be understood that such a user, once data has been made available, may in turn become a data holder, if they meet the criteria under this Regulation and thus become subject to the obligations to make data available under this Regulation.Where the user is a Union institution, agency or body, Regulation (EU) 2018/1725 should apply. _________________ 64 OJ L 303, 28.11.2018, p. 59–68.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 32

(32) Access to any data stored in and accessed from terminal equipment is subject to Directive 2002/58/EC and requires the consent of the subscriber or user within the meaning of that Directive unless it is strictly necessary for the provision of an information society service explicitly requested by the user or subscriber (or for the sole purpose of the transmission of a communication). Directive 2002/58/EC (‘ePrivacy Directive’) ~~(and the proposed ePrivacy Regulation)~~ protect the integrity of the user's terminal equipment as regards the use of processing and storage capabilities and the collection of information. Internet of Things equipment is considered terminal equipment if it is directly or indirectly connected to a public communications network.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 35

(35) The third party should also refrain from using the data to profile individuals ~~unless these processing activities are strictly necessary to provide the service requested by the user.~~ The requirement to delete data when no longer required for the purpose agreed with the user complements the right to erasure of the data subject pursuant to Article 17 of Regulation 2016/679. Where the third party is a provider of a data intermediation service within the meaning of [Data Governance Act], the safeguards for the data subject provided for by that Regulation apply. ~~The third party may use the data to develop a new and innovative product or related service but not to develop a competing product.~~

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 36

(36) ~~Start-ups, small and medium-sized~~Micro and small enterprises and companies from traditional sectors with less-developed digital capabilities struggle to obtain access to relevant data. This Regulation aims to facilitate access to data for these entities, while ensuring that the corresponding obligations are scoped as proportionately as possible to avoid overreach. At the same time, a small number of very large companies have emerged with considerable economic power in the digital economy through the accumulation and aggregation of vast volumes of data and the technological infrastructure for monetising them. These companies include undertakings that provide core platform services controlling whole platform ecosystems in the digital economy and whom existing or new market operators are unable to challenge or contest. The [Regulation on contestable and fair markets in the digital sector (Digital Markets Act)] aims to redress these inefficiencies and imbalances by allowing the Commission to designate a provider as a “gatekeeper”, and imposes a number of obligations on such designated gatekeepers, including a prohibition to combine certain data without consent, and an obligation to ensure effective rights to data portability under Article 20 of Regulation (EU) 2016/679. Consistent with the [Regulation on contestable and fair markets in the digital sector (Digital Markets Act)], and given the unrivalled ability of these companies to acquire data, it would not be necessary to achieve the objective of this Regulation, and would thus be disproportionate in relation to data holders made subject to such obligations, to include such gatekeeper undertakings as beneficiaries of the data access right. This means that an undertaking providing core platform services that has been designated as a gatekeeper cannot request or be granted access to users’ data generated by the use of a product or related service or by a virtual assistant based on the provisions of Chapter II of this Regulation. An undertaking providing core platform services designated as a gatekeeper pursuant to Digital Markets Act should be understood to include all legal entities of a group of companies where one legal entity provides a core platform service. Furthermore, third parties to whom data are made available at the request of the user may not make the data available to a designated gatekeeper. For instance, the third party may not sub-contract the service provision to a gatekeeper. However, this does not prevent third parties from using data processing services offered by a designated gatekeeper. This exclusion of designated gatekeepers from the scope of the access right under this Regulation does not prevent these companies from obtaining data through other lawful means.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 56

(56) In situations of exceptional need, it may be necessary for public sector bodies or Union institutions, agencies or bodies to use data held by an enterprise to respond to public emergencies or in other exceptional cases. Research-performing organisations and research-funding organisations could also be organised as public sector bodies or bodies governed by public law. To limit the burden on businesses, micro and small enterprises should be exempted from the obligation to provide public sector bodies and Union institutions, agencies or bodies data in situations of exceptional need.deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 57

(57) In case of public emergencies, such as public health emergencies, emergencies resulting from environmental degradation and major natural disasters including those aggravated by climate change, as well as human-induced major disasters, such as major cybersecurity incidents, the public interest resulting from the use of the data will outweigh the interests of the data holders to dispose freely of the data they hold. In such a case, data holders should be placed under an obligation to make the data available to public sector bodies or to Union institutions, agencies or bodies upon their request. The existence of a public emergency is determined according to the respective procedures in the Member States or of relevant international organisations.deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 58

(58) An exceptional need may also arise when a public sector body can demonstrate that the data are necessary either to prevent a public emergency, or to assist recovery from a public emergency, in circumstances that are reasonably proximate to the public emergency in question. Where the exceptional need is not justified by the need to respond to, prevent or assist recovery from a public emergency, the public sector body or the Union institution, agency or body should demonstrate that the lack of timely access to and the use of the data requested prevents it from effectively fulfilling a specific task in the public interest that has been explicitly provided in law. Such exceptional need may also occur in other situations, for example in relation to the timely compilation of official statistics when data is not otherwise available or when the burden on statistical respondents will be considerably reduced. At the same time, the public sector body or the Union institution, agency or body should, outside the case of responding to, preventing or assisting recovery from a public emergency, demonstrate that no alternative means for obtaining the data requested exists and that the data cannot be obtained in a timely manner through the laying down of the necessary data provision obligations in new legislation.deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 61

(61) A proportionate, limited and predictable framework at Union level is necessary for the making available of data by data holders, in cases of exceptional needs, to public sector bodies and to Union institution, agencies or bodies both to ensure legal certainty and to minimise the administrative burdens placed on businesses. To this end, data requests by public sector bodies and by Union institution, agencies and bodies to data holders should be transparent and proportionate in terms of their scope of content and their granularity. The purpose of the request and the intended use of the data requested should be specific and clearly explained, while allowing appropriate flexibility for the requesting entity to perform its tasks in the public interest. The request should also respect the legitimate interests of the businesses to whom the request is made. The burden on data holders should be minimised by obliging requesting entities to respect the once-only principle, which prevents the same data from being requested more than once by more than one public sector body or Union institution, agency or body where those data are needed to respond to a public emergency. To ensure transparency, data requests made by public sector bodies and by Union institutions, agencies or bodies should be made public without undue delay by the entity requesting the data and online public availability of all requests justified by a public emergency should be ensured.deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 62

(62) The objective of the obligation to provide the data is to ensure that public sector bodies and Union institutions, agencies or bodies have the necessary knowledge to respond to, prevent or recover from public emergencies or to maintain the capacity to fulfil specific tasks explicitly provided by law. The data obtained by those entities may be commercially sensitive. Therefore, Directive (EU) 2019/1024 of the European Parliament and of the Council65 should not apply to data made available under this Regulation and should not be considered as open data available for reuse by third parties. This however should not affect the applicability of Directive (EU) 2019/1024 to the reuse of official statistics for the production of which data obtained pursuant to this Regulation was used, provided the reuse does not include the underlying data. In addition, it should not affect the possibility of sharing the data for conducting research or for the compilation of official statistics, provided the conditions laid down in this Regulation are met. Public sector bodies should also be allowed to exchange data obtained pursuant to this Regulation with other public sector bodies to address the exceptional needs for which the data has been requested. _________________ 65 Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re- use of public sector information (OJ L 172, 26.6.2019, p. 56).deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 63

(63) Data holders should have the possibility to either ask for a modification of the request made by a public sector body or Union institution, agency and body or its cancellation in a period of 5 or 15 working days depending on the nature of the exceptional need invoked in the request. In case of requests motivated by a public emergency, justified reason not to make the data available should exist if it can be shown that the request is similar or identical to a previously submitted request for the same purpose by another public sector body or by another Union institution, agency or body. A data holder rejecting the request or seeking its modification should communicate the underlying justification for refusing the request to the public sector body or to the Union institution, agency or body requesting the data. In case the sui generis database rights under Directive 96/6/EC of the European Parliament and of the Council66 apply in relation to the requested datasets, data holders should exercise their rights in a way that does not prevent the public sector body and Union institutions, agencies or bodies from obtaining the data, or from sharing it, in accordance with this Regulation. _________________ 66 Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (OJ L 77, 27.3.1996, p. 20).deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 64

(64) Where it is strictly necessary to include personal data in the data made available to a public sector body or to a Union institution, agency or body the applicable rules on personal data protection should be complied with and the making available of the data and their subsequent use should and be accompanied by safeguards for the rights and interests of individuals concerned by those data. The body requesting the data should demonstrate the strict necessity and the specific and limited purposes for processing. The data holder should take reasonable efforts to anonymise the data or, where such anonymisation proves impossible, the data holder should apply technological means such as pseudonymisation and aggregation, prior to making the data available.deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 65

(65) Data made available to public sector bodies and to Union institutions, agencies and bodies on the basis of exceptional need should only be used for the purpose for which they were requested, unless the data holder that made the data available has expressly agreed for the data to be used for other purposes. The data should be destroyed once it is no longer necessary for the purpose stated in the request, unless agreed otherwise, and the data holder should be informed thereof.deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 67

(67) When the safeguarding of a significant public good is at stake, such as is the case of responding to public emergencies, the public sector body or the Union institution, agency or body should not be expected to compensate enterprises for the data obtained. Public emergencies are rare events and not all such emergencies require the use of data held by enterprises. The business activities of the data holders are therefore not likely to be negatively affected as a consequence of the public sector bodies or Union institutions, agencies or bodies having recourse to this Regulation. However, as cases of an exceptional need other than responding to a public emergency might be more frequent, including cases of prevention of or recovery from a public emergency, data holders should in such cases be entitled to a reasonable compensation which should not exceed the technical and organisational costs incurred in complying with the request and the reasonable margin required for making the data available to the public sector body or to the Union institution, agency or body. The compensation should not be understood as constituting payment for the data itself and as being compulsory.deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 80

(80) ~~To promote the interoperability of smart contracts in data sharing applications, i~~It is necessary to lay down essential requirements for smart contracts for professionals who create smart contracts for others or integrate such smart contracts in applications that support the implementation of agreements for sharing data. In order to facilitate the conformity of such smart contracts with those essential requirements, it is necessary to provide for a presumption of conformity for smart contracts that meet harmonised standards or parts thereof in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council.

2022/11/17
Committee: LIBE

Proposal for a regulation
Recital 83

(83) Member States competent authorities should ensure that infringements of the obligations laid down in this Regulation are sanctioned by penalties. When doing so, they should take into account the nature, gravity, recurrence and duration of the infringement in view of the public interest at stake, the scope and kind of activities carried out, as well as the economic capacity of the infringer. They should take into account whether the infringer systematically or recurrently fails to comply with its obligations stemming from this Regulation. In order to help enterprises to draft and negotiate contracts, the Commission should develop and recommend non-mandatory model contractual terms for business-to-business data sharing contracts, where necessary taking into account the conditions in specific sectors and the existing practices with voluntary data sharing mechanisms. These model contractual terms should be primarily a practical tool to help in particular smaller enterprises to conclude a contract. When used widely and integrally, these model contractual terms should also have the beneficial effect of influencing the design of contracts about access to and use of data and therefore lead more broadly towards fairer contractual relations when accessing and sharing data. Insofar as these model contractual terms concern the processing of personal data, the Commission should adopt those terms in the form of a delegated act, in consultation with the EDPB.

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 1

1. This Regulation lays down harmonised rules on making data lawfully obtained, collected, or generated by the use of a product or data lawfully obtained, collected, or generated during the provision of a related servic~~e availabl~~e to the user of that product, orn providers of related services, on the making data available by data holders to data recipients, and on the making data available by data holders to public sector bodies or Union institutions, agencies or bodies, where there is an exceptional need, for the performance of a task carried out in the public interest:upon request by a user or data subject to data recipients , and on contractual terms between users and data holder, and users and data recipients.

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 2 – point a

(a) manufacturers of products and ~~suppli~~providers of related services placed on the market in the Union and the users o~~f such products or services~~r in the case of personal data, the data subject, with regard to the the information generated by the use of such products or related services relates to;

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 2 – point d

(d) public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need to that data for the performance of a task carried out in the public interest and the data holders that provide those data in response to such request;deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 3

3. Union law on the protection of personal data, privacy and confidentiality of communications and integrity of terminal equipment shall apply to personal data processed in connection with the rights and obligations laid down in this Regulation. Th~~is Regulation shall not affect the applicability of~~e obtaining, collection, or generation of personal data through the use of a product or related service requires a legal basis pursuant to data protection law. This Regulation does not create a legal basis for the processing of personal data, nor does it affect any of the rights and obligations set out in Regulations (EU) 2016/679 or (EU) 2018/1725 or Directives 2002/58/EC or (EU) 2016/680. The legitimate interest, as laid down in Article 6 paragraph 1 point f of Regulation (EU) 2016/679, of the manufacturer of a product or the provider of a related service shall not constitute a legal basis for this. This Regulation is without prejudice to Union law on the protection of personal data and privacy, in particular Regulation (EU) 2016/679 ~~and Directive 2002/58/EC, including the powers and competences of supervisory authorities~~, Regulation (EU) 2018/1725, Directive 2002/58/EC, and Directive (EU) 2016(680), including the powers and competences of supervisory authorities. In the event of a conflict between this Regulation and Union law on the protection of personal data or privacy or national law adopted in accordance with such Union law, the relevant Union or national law on the protection of personal data or privacy shall prevail. Insofar as the rights laid down in Chapter II of this Regulation are concerned, and where users are the data subjects of personal data subject to the rights and obligations under that Chapter, the provisions of this Regulation shall complement and particularise the right of data portability under Article 20 of Regulation (EU) 2016/679, and shall not adversely affect data protection rights of others. Insofar as the processing of personal data, which is made available to a data recipient pursuant to Article 5 of this Regulation, is restricted in accordance with Article 6 of this Regulation, the provisions contained in here shall take precedence over Article 6 of Regulation (EU) 2016/679.

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 1 – paragraph 4

4. This Regulation shall not affect Union ~~and national~~ legal acts providing for the sharing, access and use of data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including Regulation (EU) 2021/784 of the European Parliament and of the Council72 ~~and the [e-evidence proposals [COM(2018) 225 and 226] once adopted, and international cooperation in that area~~. This Regulation shall not affect the collection, sharing, access to and use of data under Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing and Regulation (EU) 2015/847 of the European Parliament and of the Council on information accompanying the transfer of funds. This Regulation shall not affect the competences of the Member States regarding activities concerning public security, defence, national security, customs and tax administration and the health and safety of citizens in accordance with Union law. _________________ 72 Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79).

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 2 – paragraph 1 – introductory part

1. For the purposes of this Regulation, the definitions of Regulation (EU) 2016/679 apply. 2. Without prejudice to paragraph 1, the following definitions apply:

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 2 – paragraph 1 – point 1

(1) ‘data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording that may not be considered personal data within the meaning of Article 4 (1) Regulation (EU) 2016/679; as well as personal data within the meaning of Article 4 (1) Regulation (EU) 2016/679;

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)

(1 a) ’anonymised data’ means personal data that has been processed in such a way that the data subject can no longer be identified; taking into account all the means reasonably likely to be used, directly or indirectly, by the controller or by any other person to identifiy a natural person; in determining whether means are reasonably likely to be used to identify a natural person, account must be taken of all objective factors, in particular the cost of identification and the time required for it, the technology available at the time of the processing and the technological development; personal data can in particular be anonymised by deletion, generalisation, suppression or randomisation of data;

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 2 – paragraph 1 – point 5

(5) ‘user’ means a natural or legal person that owns, rents or leases a product or receives arelated services;, and, where the product or related service involves the processing of personal data, the data subject

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 2 – paragraph 1 – point 6

(6) ‘data holder’ means a legal or natural person that is not the user, who has access to data communicated to it, or accessed by it, including derived or inferred data during the provision of a related service, and who has the right or obligation, in accordance with ~~this Regulation,~~ applicable Union law or national legislation implementing Union law, or in the case of non-personal data ~~and through control of the technical design of the product and related services, the ability, to~~the contractually agreed right to process and make available certain data;

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 2 – paragraph 1 – point 10

(10) ‘public emergency’ means an exceptional situation negatively affecting the population of the Union, a Member State or part of it, with a risk of serious and lasting repercussions on living conditions or economic stability, or the substantial degradation of economic assets in the Union or the relevant Member State(s);deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 2 – paragraph 1 – point 12

(12) ‘data processing service’ means a digital service other than an online content service as defined in Article 2(5) of Regulation (EU) 2017/1128, provided to a customer, which enables on-demand administration and broad remote access to ~~a scalable and elastic pool of shareable computing resources of a centralised, distributed or highly distributed nature;~~computing resources

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 2 – paragraph 1 – point 16

~~(16) ‘smart contract’ means a computer program stored in an electronic ledger system wherein the outcome of the execution of the program is recorded on the electronic ledger;~~deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 2 – paragraph 1 – point 17

~~(17) ‘electronic ledger’ means an electronic ledger within the meaning of Article 3, point (53), of Regulation (EU) No 910/2014;~~deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 4 – paragraph 5

5. Where the user is not a data subject, any personal data generated by the use of a product or related service shall only be made available by the data holder to the user where there is a valid legal basis under Article 6~~(1)~~ of Regulation (EU) 2016/679 and, where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled.

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 5 – paragraph 6

6. Where the user is not a data subject, any personal data generated by the use of a product or related service shall only be made available where there is a valid legal basis under points (a) or (b) of Article 6(1) of Regulation (EU) 2016/679 and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled.

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 6 – paragraph 1

1. A third party shall process ~~the~~personal data made available to it pursuant to Article 5 only for the purposes and under the conditions agreed with the user, and where all conditions and rules provided by data protection legislation are complied with, notably where there is a valid legal basis under points (a) or (b) of Article 6(1) of Regulation (EU) 2016/679, and where relevant, the conditions of Article 9 of Regulation (EU) 2016/679 and Article 5(3) of Directive 2002/58/EC are fulfilled and subject to the rights of the data subject insofar as personal data are concerned~~, and~~. The third party shall delete the data when they are no longer necessary for the agreed purpose.

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 6 – paragraph 2 – point b

(b) use the data it receives for the profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679~~, unless it is necessary to provide the service requested by the user;~~

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 14

Obligation to make data available based 1. Upon request, a data holder shall make data available to a public sector body or to a Union institution, agency or body demonstrating an exceptional need to use the data requested. 2. This Chapter shall not apply to small and micro enterprises as defined in Article 2 of the Annex to Recommendation 2003/361/EC.Article 14 deleted on exceptional need

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 15

An exceptional need to use data within the meaning of this Chapter shall be deemed to exist in any of the following circumstances: (a) where the data requested is necessary to respond to a public emergency; (b) where the data request is limited in time and scope and necessary to prevent a public emergency or to assist the recovery from a public emergency; (c) where the lack of available data prevents the public sector body or Union institution, agency or body from fulfilling a specific task in the public interest that has been explicitly provided by law; and (1) the public sector body or Union institution, agency or body has been unable to obtain such data by alternative means, including by purchasing the data on the market at market rates or by relying on existing obligations to make data available, and the adoption of new legislative measures cannot ensure the timely availability of the data; or (2) obtaining the data in line with the procedure laid down in this Chapter would substantively reduce the administrative burden for data holders or other enterprises.rticle 15 deleted Exceptional need to use data

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 16

Relationship with other obligations to bodies and Union institutions, agencies 1. This Chapter shall not affect obligations laid down in Union or national law for the purposes of reporting, complying with information requests or demonstrating or verifying compliance with legal obligations. 2. The rights from this Chapter shall not be exercised by public sector bodies and Union institutions, agencies and bodies in order to carry out activities for the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal penalties, or for customs or taxation administration. This Chapter does not affect the applicable Union and national law on the prevention, investigation, detection or prosecution of criminal or administrative offences or the execution of criminal or administrative penalties, or for customs or taxation administration.Article 16 deleted make data available to public sector and bodies

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 17

Requests for data to be made available 1. Where requesting data pursuant to Article 14(1), a public sector body or a Union institution, agency or body shall: (a) specify what data are required; (b) demonstrate the exceptional need for which the data are requested; (c) explain the purpose of the request, the intended use of the data requested, and the duration of that use; (d) state the legal basis for requesting the data; (e) specify the deadline by which the data are to be made available or within which the data holder may request the public sector body, Union institution, agency or body to modify or withdraw the request. 2. A request for data made pursuant to paragraph 1 of this Article shall: (a) be expressed in clear, concise and plain language understandable to the data holder; (b) be proportionate to the exceptional need, in terms of the granularity and volume of the data requested and frequency of access of the data requested; (c) respect the legitimate aims of the data holder, taking into account the protection of trade secrets and the cost and effort required to make the data available; (d) concern, insofar as possible, non- personal data; (e) inform the data holder of the penalties that shall be imposed pursuant to Article 33 by a competent authority referred to in Article 31 in the event of non-compliance with the request; (f) be made publicly available online without undue delay. 3. A public sector body or a Union institution, agency or body shall not make data obtained pursuant to this Chapter available for reuse within the meaning of Directive (EU) 2019/1024. Directive (EU) 2019/1024 shall not apply to the data held by public sector bodies obtained pursuant to this Chapter. 4. Paragraph 3 does not preclude a public sector body or a Union institution, agency or body to exchange data obtained pursuant to this Chapter with another public sector body, Union institution, agency or body, in view of completing the tasks in Article 15 or to make the data available to a third party in cases where it has outsourced, by means of a publicly available agreement, technical inspections or other functions to this third party. The obligations on public sector bodies, Union institutions, agencies or bodies pursuant to Article 19 apply. Where a public sector body or a Union institution, agency or body transmits or makes data available under this paragraph, it shall notify the data holder from whom the data was received.Article 17 deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 18

Compliance with requests for data 1. A data holder receiving a request for access to data under this Chapter shall make the data available to the requesting public sector body or a Union institution, agency or body without undue delay. 2. Without prejudice to specific needs regarding the availability of data defined in sectoral legislation, the data holder may decline or seek the modification of the request within 5 working days following the receipt of a request for the data necessary to respond to a public emergency and within 15 working days in other cases of exceptional need, on either of the following grounds: (a) the data is unavailable; (b) the request does not meet the conditions laid down in Article 17(1) and (2). 3. In case of a request for data necessary to respond to a public emergency, the data holder may also decline or seek modification of the request if the data holder already provided the requested data in response to previously submitted request for the same purpose by another public sector body or Union institution agency or body and the data holder has not been notified of the destruction of the data pursuant to Article 19(1), point (c). 4. If the data holder decides to decline the request or to seek its modification in accordance with paragraph 3, it shall indicate the identity of the public sector body or Union institution agency or body that previously submitted a request for the same purpose. 5. Where compliance with the request to make data available to a public sector body or a Union institution, agency or body requires the disclosure of personal data, the data holder shall take reasonable efforts to pseudonymise the data, insofar as the request can be fulfilled with pseudonymised data. 6. Where the public sector body or the Union institution, agency or body wishes to challenge a data holder’s refusal to provide the data requested, or to seek modification of the request, or where the data holder wishes to challenge the request, the matter shall be brought to the competent authority referred to in Article 31.Article 18 deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 19

Obligations of public sector bodies and Union institutions, agencies and bodies 1. A public sector body or a Union institution, agency or body having received data pursuant to a request made under Article 14 shall: (a) not use the data in a manner incompatible with the purpose for which they were requested; (b) implement, insofar as the processing of personal data is necessary, technical and organisational measures that safeguard the rights and freedoms of data subjects; (c) destroy the data as soon as they are no longer necessary for the stated purpose and inform the data holder that the data have been destroyed. 2. Disclosure of trade secrets or alleged trade secrets to a public sector body or to a Union institution, agency or body shall only be required to the extent that it is strictly necessary to achieve the purpose of the request. In such a case, the public sector body or the Union institution, agency or body shall take appropriate measures to preserve the confidentiality of those trade secrets.Article 19 deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 20

Compensation in cases of exceptional 1. Data made available to respond to a public emergency pursuant to Article 15, point (a), shall be provided free of charge. 2. Where the data holder claims compensation for making data available in compliance with a request made pursuant to Article 15, points (b) or (c), such compensation shall not exceed the technical and organisational costs incurred to comply with the request including, where necessary, the costs of anonymisation and of technical adaptation, plus a reasonable margin. Upon request of the public sector body or the Union institution, agency or body requesting the data, the data holder shall provide information on the basis for the calculation of the costs and the reasonable margin.Article 20 deleted need

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 21

Contribution of research organisations or statistical bodies in the context of 1. A public sector body or a Union institution, agency or body shall be entitled to share data received under this Chapter with individuals or organisations in view of carrying out scientific research or analytics compatible with the purpose for which the data was requested, or to national statistical institutes and Eurostat for the compilation of official statistics. 2. Individuals or organisations receiving the data pursuant to paragraph 1 shall act on a not-for-profit basis or in the context of a public-interest mission recognised in Union or Member State law. They shall not include organisations upon which commercial undertakings have a decisive influence or which could result in preferential access to the results of the research. 3. Individuals or organisations receiving the data pursuant to paragraph 1 shall comply with the provisions of Article 17(3) and Article 19. 4. Where a public sector body or a Union institution, agency or body transmits or makes data available under paragraph 1, it shall notify the data holder from whom the data was received.Article 21 deleted exceptional needs

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 22

Mutual assistance and cross-border 1. Public sector bodies and Union institutions, agencies and bodies shall cooperate and assist one another, to implement this Chapter in a consistent manner. 2. Any data exchanged in the context of assistance requested and provided pursuant to paragraph 1 shall not be used in a manner incompatible with the purpose for which they were requested. 3. Where a public sector body intends to request data from a data holder established in another Member State, it shall first notify the competent authority of that Member State as referred to in Article 31, of that intention. This requirement shall also apply to requests by Union institutions, agencies and bodies. 4. After having been notified in accordance with paragraph 3, the relevant competent authority shall advise the requesting public sector body of the need, if any, to cooperate with public sector bodies of the Member State in which the data holder is established, with the aim of reducing the administrative burden on the data holder in complying with the request. The requesting public sector body shall take the advice of the relevant competent authority into account.Article 22 deleted cooperation

2022/11/17
Committee: LIBE

Proposal for a regulation
Chapter VIII a (new)

VIII a ANONYMISATION Articel 30a Essential requirements regarding anonymisation 1. The data holder shall take reasonable efforts to anonymise personal data prior to making the data available, where the purpose or purposes for which they are processed can be fulfilled without the use of personal data. 2. The data holder making available anonymised data shall take appropriate steps to inform the public about the categories of anonymised data that are made available, the methods of anonymisation used in pre-processing and their transmission. The information must be provided in such a manner as to preclude the possibility to identify a natural person based on that information. 3.Processing anonymised data, such as the combination, consolidation and comparison of anonymised data with other information, with the intention to de-anonymise data subjects from anonymised datasets should be prohibited.This should not prejudice the possibility to conduct research into anonymisation techniques, in particular for the purpose of ensuring information security, improving existing anonymisation techniques and contributing to the overall robustness of anonymisation, undertaken in accordance with Regulation (EU) 2016/679.Infringements of this provision shall be subject to fines in accordance with Article 83(4) of Regulation (EU) 2016/679. 4. The European Data Protection Board, established under Article 68 of Regulation (EU) 2016/679, shall issue guidelines, recommendations and best practices for the purpose of further specifying the criteria and requirements for the anonymisation of personal data.

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 31 – paragraph 1 a (new)

1 a. The independent supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall be responsible for monitoring the application of this Regulation insofar as the protection of personal data is concerned. Chapters VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis. The European Data Protection Supervisor shall be responsible for monitoring the application of this Regulation insofar as it concerns the Union institutions, bodies, offices and agencies. Where relevant, Article 62 of Regulation 2018/1725 shall apply mutatis mutandis. The tasks and powers of the supervisory authorities shall be exercised with regard to the processing of personal data.

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 31 – paragraph 2 – point a

(a) the independent supervisory authorities responsible for monitoring the application of Regulation (EU) 2016/679 shall be responsible for monitoring the application of this Regulation insofar as the protection of personal data is concerned. Chapters VI and VII of Regulation (EU) 2016/679 shall apply mutatis mutandis. The tasks and powers of the supervisory authorities shall be exercised with regard to the processing of personal data;deleted

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 31 – paragraph 2 – point b

~~(b) for specific sectoral data exchange issues related to the implementation of this Regulation, the competence of sectoral authorities shall be respec~~deleted;

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 31 – paragraph 2 – point c

(c) the national competent authority responsible for the application and enforcement of Chapter VI of this Regulation shall have experitise and competence in the field of data and electronic communications services.

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 33 – paragraph 3

3. For infringements of the obligations laid down in Chapter II~~, III~~ and VIII of this Regulation, the supervisory authorities referred to in Article 51 of the Regulation (EU) 2016/679 may within their scope of competence impose administrative fines in line with Article 83 of Regulation (EU) 2016/679 and up to the amount referred to in Article 83(5) of that Regulation.

2022/11/17
Committee: LIBE

Proposal for a regulation
Article 34 – paragraph 1

The Commission shall develop and recommend non-binding model contractual terms on data access and use to assist parties in drafting and negotiating contracts with balanced contractual rights and obligations. The Commission shall consult the European Data Protection Board when developing such model contractual terms. Where such terms involve the processing of personal data, the Commission shall in consultation with the European Data Protection Board adopt a delegated act in accordance with Article 39 (2).

2022/11/17
Committee: LIBE