The EDPB and EDPS adopted a joint opinion on the proposal for a Data Governance Act. The Act aims to foster the availability of data by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU.

The EDPB and the EDPS consider the legitimate objective of the Regulation to improve the conditions for data sharing in the internal market. At the same time, the protection of personal data is an essential and integral part of trust in the digital economy. In particular, the Act intends to promote the availability of public sector data for reuse, sharing of data among businesses and allowing personal data to be used with the help of a ‘personal data-sharing intermediary’. The Act also seeks to enable the use of data for altruistic purposes.

With this joint opinion, the EDPB and the EDPS invite the co-legislators to ensure that the future Act is fully in line with the EU personal data protection legislation, thus fostering trust in the digital economy and upholding the level of protection provided by EU law under the supervision of the EU Member States’ supervisory authorities.

The EDPB and EDPS consider that the EU legislator should ensure that the wording of the Act clearly and unambiguously state that this act will not affect the level of protection of individuals’ personal data, nor will any rights and obligations set out in the data protection legislation be altered.

The reuse of personal data in the public sector

Concerning the reuse of personal data held by public sector bodies, the EDPB and EDPS recommend aligning the Act with the existing rules on the protection of personal data laid down in the GDPR and with the Open Data Directive (Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information ).

The reuse of personal data held by public sector bodies may only be allowed if it is grounded in EU or Member State law. Such laws should include a list of clear compatible purposes for which further processing may be lawfully authorised or constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23 of the GDPR.

The service’s provider informs

On data sharing service providers, the joint opinion highlights the need to ensure prior information and controls for individuals, taking into account the principles of data protection by design and by default, transparency and purpose limitation.  Furthermore, the modalities upon which such service providers would effectively assist individuals in exercising their rights as data subjects should be clarified.

What is a data altruistic approach?

As for data altruism, the EDPB and the EDPS recommend that the Act should better define the purposes of general interest of such “data altruism”. Data altruism should be organised in such a way that it allows individuals to easily give, but also, withdraw their consent.

In light of the possible risks for data subjects when their personal data might be processed by data sharing service providers or data altruism organisations, the EDPB and EDPS consider that the declaratory registration regimes for these entities, as laid down in the Act, do not provide for a sufficiently stringent vetting procedure applicable to such services. Therefore, the EDPB and EDPS recommend exploring alternative procedures that foresee a more systematic inclusion of accountability tools, in particular the adherence to a code of conduct or certification mechanism.

The joint opinion also includes recommendations on the designation of the supervisory authorities as main competent authorities for the control of the compliance with the Act provisions, in consultation with other relevant sectorial authorities.

SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI POLONIA – UODO