In November 2020, the European Commission (“EC”) put forward a proposal for a regulation on data governance (“Act” or “Proposal”). As part of the process, the EC asked the EDPB (European Data Protection Body) and the EDPS (European Data Protection Supervisor) for their comments on the Proposal. On 9 March, the EU data protection bodies reverted with their comments.
The draft Proposal and the comments from the EDPB and EDPS are exemplary for understanding how business and data-driven agendas risk colliding with data protection policies. As such, they are worth studying to better understand the friction between different policy areas.
Introduction to the Proposal
The Proposal followed the communication “A European Strategy for Data” (the “Strategy”) that was published in February 2020. The Strategy aims at “creating a single market for data that will ensure that Europe’s global competitiveness and data sovereignty” and that “[c]ommon European data spaces will ensure that more data becomes available for use in the economy and society, while keeping companies and individuals who generate the data in control”. Furthermore, the Strategy underlined that “citizens will trust and embrace data-driven innovation only if they are confident that any personal data sharing in the EU will be subject to full compliance with the EU’s strict data protection rules”.
Fast forward one and a half years and the Proposal is born. The Proposal “aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU”. The Proposal includes provisions on making public sector data available for re-use and on remunerated sharing of data among businesses, which allows the use of personal data through so-called ‘personal data-sharing intermediaries’. Further, the Proposal allows the use of personal data on ‘altruistic’ grounds.
To summarize, the European lawmakers understand that data holds value. Now they wish to implement mechanisms that allow organisations to unleash this value while respecting data protection. The Strategy also makes references to AI and Big Data, highlighting the importance of having data available for more sophisticated forecasting techniques and thus better decisions. So, the Proposal gives leverage to these industries, where the US, China and other economies outside the EU are at the forefront.
The Proposal has a broad application, applying to non-personal data and personal data alike, with significant impact on both private and public organisations and, not to forget, citizens.
The Proposal is to be supplemented by a Data Act, which is to be put forward in 2021. The work on this act is, however, not public yet.
The EDPB and EDPS comments
As noted initially, the EDPB and the EDPS are the core personal data protection bodies within the EU. The EDPB is essentially a representation of the national data protection authorities. The EDPS is employed by the European Commission. The scope of their comments is thus also limited to the regulation of personal data that the Act entails.
Firstly, the data protection bodies acknowledge that the digital economy is important. Secondly, they acknowledge that data-sharing mechanisms may support this legitimate objective. They do, however, also stress the need for protection of personal data.
As part of the preparatory works for the Proposal, the Commission has also completed an impact assessment. The assessment justifies the need for regulation.
The EDPB and EDPS are clearly not impressed. The bodies state that “the Proposal, also having regard to the Impact Assessment accompanying it, does not duly take into account the need to ensure and guarantee the level of protection of personal data provided under EU law. The EDPB and the EDPS consider that this policy trend toward a data-driven economy framework without a sufficient consideration of personal data protection aspects raises serious concerns from a fundamental rights viewpoint”.
Furthermore, the EDPB and EDPS underline that the EU data protection framework is considered “an enabler, rather than an obstacle, to the development of a data economy that corresponds the Union values and principles”.
With these remarks, the bodies go into more detail on the Proposal and its supposed compliance with EU privacy regulations. While the Proposal stresses that the GDPR is respected, the EDPB and EDPS find many instances where alignment is lacking. For instance, the newly introduced roles blur the legal interplay between the GDPR, the Open Data Directive and the Act.
What can privacy professionals and businesses learn from the legislative process?
Within any organisation, the collection and use of personal data play some role. For organisations with data-driven agendas, or with business activities relying on the commercial use of data, they play an even greater role. It is a well-known struggle for the privacy professional to align existing and compulsory privacy standards and policies with new business initiatives within AI, big data and machine learning.
Often, organisations will have adopted policies mirroring data protection principles and applying them to the organisation. The privacy professional ensures the application of data protection policies within the organisation. Further, the privacy professional often also bears the responsibility of reviewing and aligning other policies impacted by data protection requirements.
In that respect, the legislative process is comparable to that of an internal, business-driven policy enabling or promoting data re-use and sharing. As such, any privacy professional could benefit from reading the joint statement by the EDPB and EDPS. It gives insight into some of the pitfalls that she/he may face when presented with a corresponding business initiative.
Having read the Proposal and the joint statement by the EDPB and EDPS, some reflections are:
- Always consider your stakeholders when drafting new policies or procedures. Remember to engage and consult with them when relevant. If your policy has touch points to other business areas or requires the effort of other stakeholders, alignment is critical.
- References to other existing policies when drafting yours are fine and display knowledge of the existence of other governed areas. However, if your policy does not supersede or otherwise take priority over them, you also need to align the contents.
- Introducing defined terms and roles should also respect already existing terms and roles. At the least, the new terms should explain how they relate to the existing ones. ‘In situ’, ‘data user’, ‘re-use’, ‘data altruism’ and ‘permission’ are examples of the many terms the Proposal uses where clarification in relation to existing defined terms seems needed; without it, they risk creating confusion and legal uncertainty.
The question from the headline – is GDPR a show-stopper or an enabler? – is also worth a reflection or two even if privacy professionals have had to answer this again and again since May 2018.
Taking the Act and the Proposal into consideration, if you choose to build your data-driven business on mechanisms that do not materially consider the protection of individuals’ rights and freedoms, then you may easily find the GDPR to be an unpleasant nuisance. However, my point, shared by so many fellow privacy professionals, including the EDPB and EDPS, is that if you choose to make use of the mechanisms provided under the GDPR, e.g., Data Protection Impact Assessments and Privacy-by-Design, then it will be easier to create sustainable, data-driven business agendas.