Skip to content
Guidance · EDPB ·052021-on-the-data-governance-act-in-light-of EN LLM context A cited markdown file you can paste into your AI assistant (ChatGPT, Claude, a RAG or project knowledge base) to ground it in this document. Contains: this document’s text, its sections with their topics, and the full text of every law provision it applies. Everything links back to its source on overview.legal — legal information, not advice.

Statement 05/2021 on the Data Governance Act in light of the legislative developments

Summary

1 Statement 05/2021 on the Data Governance Act in light of the legislative developments Adopted on 19 May 2021 The European Data Protection Board has adopted the following statement: On 9 March 2021 the EDPS and the EDPB adopted the Joint Opinion on the Proposal for a Data Governance Act (DGA) 1 , which has also been presented at the European Parliament at the hearing of the LIBE Committee of 16 March 2021 2 . The EDPB is closely followin g the work of the co - legislators on this important…

How it connects

Full text 37 sections

Paragraphs carrying a topic or an applied provision show those connections inline Original at the source →
¶1

Statement 05/2021 on the Data Governance Act in light of the legislative developments Adopted on 19 May 2021 The European Data Protection Board has adopted the following statement: On 9 March 2021 the EDPS and the EDPB adopted the Joint Opinion on the Proposal for a Data Governance Act (DGA) 1 , which has also been presented at the European Parliament at the hearing of the LIBE Committee of 16 March 2021 2 . The EDPB is closely followin g the work of the co - legislators on this important legislative initiative, which - we recall - contains provisions concerning the processing of data, including personal data, in the context of the re - use of data held by public sector bodies, of “data sharing services” (which would also include so - called data brokers), and in the context of processing of data (including personal data concerning health) by “data altruism” organizations. The DGA will have serious impact on the rights and freedoms of individuals and civil society as a whole throughout the EU. In most cases, the processing of personal data would indeed be the core activity of the aforementioned entities 3 , and thus on the fundamental rights to privacy and to the protection of personal data, enshrine d in Article 7 and 8 of the Charter of Fundamental Rights of the European Union (the Charter), and in Article 16 of the Treaty on the Functioning of the European Union (TFEU). Those rights are a paramount expression of the values of the European Union. Wit hout robust data protection safeguards , there is a risk that the (trust in the) digital economy would not be sustainable . In other words, data re - use, sharing and availability may generate 1 EDPB - EDPS Joint Opinion 03/2021 on the Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act), available at : EDPB - EDPS Joint Opinion on the Proposal for a regulation of the European Parliament and of the Council on European data governance (Data Governance Act) | European Data Protection Supervisor ( europa.eu)

¶2

See the draft agenda of the hearing here .

¶3

If not the exclusive activity, in case for instance of providers of data sharing services under letter (b) of Article 9 (1) of the DGA, exclusively referring to personal data. 2 benefits, but also various types of risk of damages to the persons concerned and society as a whole, impacting individuals from an economic, political and social perspective 4 . To address and mitigate these risks, and to foster individuals trust, data protection principles and safeguards must be implemented from the early design of the data processing, especially when the latter concerns personal data which have not been obtained directly from the natural person/individual concerned. Moreover, the DGA must be consistent not only with the GDPR but also with other Union and n ational laws, notably the Open Data Directive 5 , thus responding to the overarching principle of rule of law, and provide legal certainty for public administrations, legal persons and individuals concerned. The explanatory memorandum of the DGA states, “the interplay with the legislation on personal data is particularly important. With the General Data Protection Regulation (GDPR) and ePrivacy Directive, the EU has put in place a solid and trusted legal framework for the protection of personal data and a sta ndard for the world. ” 6 Ensuring consistency between the DGA and the EU data protection acquis However, as highlighted in the Joint Opinion, the DGA entails several significant inconsistencies with the GDPR , notwithstanding the statement in the recital that it is “ without prejudice ” to the GDPR 7 . The EDPB notes that these inconsistencies have so far not been addressed in the ITRE Draft Report of 26 March 2021 8 . However, the EDPB welcomes that some criticalities raised in the Joint Opinion are addressed i n the Council Presidency compromise text of 30 March 2021 9 . To address these inconsistences, we urge the co - legislators to carefully consider 10 : • First, the ‘ interplay’ between the DGA and the GDPR should be clarified under Article 1 of the DGA, considerin g the GDPR as a regulation providing the ‘building blocks’ for any solid and trusted legal framework. • Second, the definitions/terminology used in the DGA need integrations and amendments so as to bring them in line with the GDPR. • Third, the DGA should clarify without any ambiguity that the processing of personal data shall always be based on an appropriate legal basis under Article 6 of the GDPR , and also on a specific derogation under Article 9 in case of processing of special categories of personal data.

¶4

As an example, in the absence of adequate data protection safeguards, the data collected could be used to build detail ed profiles of individuals and used in a way that undermines their interests (e.g. price discrimination or manipulation in the context of electoral campaigns). See at footnote 60 at page 31 of the Joint Opinion, on the risk of use of personal data for unre lated purposes.

¶5

Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re - use of public sector information, OJ L 172, 26.6.2019, p. 56.

¶6

Explanatory Memorandum, page 1.

¶7

See at Section 3.2 of the Joi nt Opinion .

¶8

Available here .

¶9

Available here .

¶10

See at S ection 3.2 of the Joint Opinion , where these critical aspects are recalled at the beginning as points further developed in the Joint Opinion . 3 • Fourth, as precondition for a clear legal framework, the provisions of the DGA should specify whether they refer to non - personal data, personal data or both , and also specify that in case of ‘mixed data sets’ the GDPR applies 11 . • Fifth , the constitutional requirement (under Article 16(2) TFEU), according to which the independent Supervisory Authorities established under the GDPR (the Data Protection Authorities) are ‘the’ designated authorities competent for the protection of personal d ata and for the facilitation of the free flow of personal data , should be mirrored in the DGA. This means that Data Protection Authorities must be the main competent authorities in the context of the DGA and inasmuch as personal data is involved, having re gard to public sector bodies, re - users, data sharing service providers, data users, data altruism organizations processing personal data, as well as for the development of guidelines on privacy enhancing technologies (PETs) or on Personal Information Manag ement Systems (PIMS) to foster responsible data innovation. As recalled in the Joint Opinion 12 , “[ A]s per their competence and tasks under the GDPR, data protection authorities have already specific expertise in the monitoring of the compliance of data processing, the auditing of specific data processing activities and data sharing, the assessment of the adequate measures to ensure a high level of security for the storage and transmission of personal data, as well as in promoting awareness among controllers and processors of their obligation related to the processing of personal data.” Of course, the effective performance of new tasks under the DGA, to be primarily assigned to independent data protection author ities, and to the European Data Protection Board, in compliance with Article 16(2) TFEU, requires the provision of appropriate human, financial, and information technology resources . The EDPB welcomes in this regard the additional wording in Article 1(3) o f the Council compromise text and the specific reference to the powers of the supervisory authorities. For the sake of clarity, and aware of the discretion enjoyed by the co - legislators, the EDPB recommends inserting in the legal text of the DGA (Article 1 ), the following wording of Article 1(3) of the Council compromise proposal (words in bold added: “ competences and ”): “ Union and national law on the protection of personal data shall apply to any personal data processed in connection with this Regulation. In particular, this Regulation shall be without prejudice to Regulation (EU) 2016/679 and Directive 2002/58/EC, including the competences and powers of supervisory authorities. In the event of conflict between the provisions of this Regulation and Union la w on the protection of personal data, the latter prevails . This Regulation does not create a legal basis for the processing of personal data .” The EDPB furthermore calls on the co - legislators to ensure that its overall recommendation in relation to the des ignated competent authorities and governance at Union level is reflected in the

¶11

Where data sets combine both personal and non - personal data , the Communication from the Commission to the European Parliament and the Council, Guidance on the Regulation on a framework for the free flow of non - personal data in the European Union , COM/2019/250 final, highlights that “ if the non - personal data part and the personal data parts are ‘inextricably linked’, the data protecti on rights and obligations stemming from the General Data Protection Regulation fully apply to the whole mixed dataset, also when personal data represent only a small part of the dataset .”

¶12

See para. 153 of the Joint Opinion. 4 development of their respective positions on the Commission proposal and thus explicitly included in the legal text of the DGA. In particular, having regard to the definitions laid down in the DGA The Joint Opinion points out that the definitions envisaged by the GDPR should apply and they should not be implicitly amended or removed by the DGA, as this would blur the definitions of both these legal frameworks, and thus create le gal uncertainty 13 . Furthermore, the new definitions introduced in the DGA, insofar as they relate to the processing of personal data, should not, as a matter of fact, contain ‘rules’ that are incompatible with the GDPR 14 . This is indeed a crucial point , to which the EDPB would urge the attention of the co - legislators. On the one hand, the DGA should contain the definitions of ‘personal data’, ‘data subject’, ‘consent’ and ‘processing’ referring to the definitions in the GDPR 15 ; on the other hand, the DGA’s de finitions of ‘metadata’, ‘data holder’, ‘data user’, ‘data sharing’, ‘data altruism’ should be amended to avoid inconsistencies and legal uncertainty, and to be in line with the ‘nature of the rights at stake’, namely the personal character of the right to the protection of personal data as right relating to each person 16 , and as inalienable right, which ‘cannot be waived’ , nor made object of property rights 17 . In this regard, the EDPB regrets the reference to the “exchange, pooling or trade of data” as added in the Council compromise text with regard to the definition of “data sharing service provider”, since as far as personal data are concerned, it suggests the idea of legitimizing their trading and is thus inconsistent with the personal character of the r ight to protection of personal data. Indeed, considering that data protection is a fundamental right guaranteed by Article 8 of the Charter, and taking into account that one of the main purposes of the GDPR is to provide data subjects with control over per sonal data relating to them, t he EDPB reiterates that personal data cannot be considered as a “tradeable commodity” . An important consequence of this is that , even if the data subject can agree to the processing of his or her personal data, he or she canno t waive his or her fundamental rights 18 . As a further consequence, the controller to whom consent has been provided by the data subject to the processing of her or his personal data is not entitled to 'exchange' or 'trade' personal data (as a so - called 'com modity') in a way that would result as not being in accordance with all applicable data protection principles and rules. As an example of a provision that might give rise to an interpretation not in line with the aforesaid ‘personal character’, Article 2(5 ) of the DGA defines the ‘ data holder ’ (including legal persons) as

¶13

See at Subsection 3.2.B. of the Joint Opinion .

¶14

See para 44 of the Joint Opinion.

¶15

See in this regard, Council compromise text of 30 March 2021.

¶16

See at para 34 of the Joint Opinion , referring to Article 8 of the Charter: “ 1 Everyone has the right to the protection of personal data concerning him or her. 2 Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law .”

¶17

In this regard , at para. 118 of the Joint Opinion: “the clear incentive to ‘monetize’ personal data also increases the importance on data protection compliance”, and footnote 54: “In this regard, the EDPB is developing guidance on the collection and use of personal data against financial remuneration.” See also footnote 61, at page 30 of the Joint Opinion.

¶18

See EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects availabl e at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines - art_6 - 1 - b - adopted_after_public_consultati on_en.pdf 5 having, among others, the right to grant access to or to share personal data under its control 19 . In this regard, the EDPB remarks that the GDPR guarantees each individual the right to the protection of personal data putting in place a system of checks and balances to protect the individual whenever her or his personal data are processed 20 . The processing of personal data must comply with principles (among which: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy) and rules, including on data subjects’ rights (for instance: the right to information, including about profiling concerning her or him; the right of access; to rectification; to e rasure; not to be subject to fully automated decision making significantly affecting her or him) which cannot be waived by the data subject. In this regard, the EDPB notes that, rather to referring to a legal person that “has the right to grant access or t o share” personal data, the definition of data holder should, if kept at all, refer to the processing of personal data and the conditions thereof in accordance with applicable data protection law 21 . As specified in the proposed wording for Article 1 DGA, in sofar as personal data are concerned, the data protection law prevails (on conflicting rules) 22 . Nevertheless, it is essential to avoid any conflicting rule or interpretation throughout the text of the regulation , also to improve the prompt readability of t he legal text. In this sense, a definition of the term ‘ permission ’ (by legal entities to the re - use of data) should be introduced to clarify without any ambiguity to what (kind of data) exactly it refers. As stated in the Joint Opinion, we consider that t he term should only refer to non - personal data, for the sake of clarity 23 . Concerns related to the sectorial chapters of the DGA The EDPB also has significant concerns regarding the ‘sectorial’ Chapters of the DGA (II, III and IV) and wishes to recall some of them hereafter : • Concerning Chapter II of the DGA, we recall that the Joint Opinion recommends including in the substantive part of the DGA the specification in recital 7 , namely that “[..] personal data fall outside scope of Directive (EU) 2019/1024 [our note: and fall under the scope of the DGA] insofar as the access regime excludes or restricts access to such data for reasons of privacy and the integrity of the individual , in particular in accord ance with data protection rules ” 24 . This means that the DGA would apply in particular to the scope carved out of the Open Data Directive pursuant to Article 1(2)(h), that is: “ documents, access to which is excluded or restricted by virtue of the access regimes on grounds of protection of personal data, and parts of documents accessible by

¶19

See p aras 29 - 31 of the Joint Opinion. See also the unclear reference to ‘ their ’ data under Article 11(6), Article 19, and 19(1)(a), also highlighted in the Joint Opinion.

¶20

See at paras 29 et seq. of the Joint Opinion .

¶21

See at para 31 of the Joint Opinion .

¶22

In the same sense, see Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services, OJ L 136, 22.5.2019, p. 1, Article 3(8): “Union law on the protection of personal data shall apply to any personal data processed in connection with contracts referred to in paragraph 1. In particular, this Directive shall be without prejudice to Regulation (EU) 2016/679 and Directive 2002/ 58/EC. In the event of conflict between the provisions of this Directive and Union law on the protection of personal data, the latter prevails.”

¶23

See at paras 47 et seq. of the Joint Opinion .

¶24

See at para 69 of the Joint Opinion . 6 virtue of those regimes which contain personal data the re - use of which has been defined by law as being incompatible with the law concerning the protection of individuals with regard to the processing of personal data or a s undermining the protection of privacy and the integrity of the individual , in particular in accordance with Union or national law regarding the protection of personal data”. Given the sensitivity of the personal data at stake, to ensure that the level o f personal data protection in the EU is not lowered, as well as for legal certainty, the Joint Opinion recommends aligning Chapter II of the Proposal with the existing rules on the protection of personal data laid down in the GDPR and with the Open Data Di rective . Alternatively, the Joint Opinion invites the co - legislators to consider excluding personal data from the scope of this Chapter 25 . In addition, due to the fact that the consent of the data subject might not be considered freely given due to the imba lance of power which is often present in the relationship between the data subject and the public authorities, the Joint Opinion expresses concerns on Article 5(6) of the DGA 26 , and, more broadly, invites the co - legislators to clearly define in the Proposal adequate models of ‘civic participation’, by which individuals may participate , in an open and collaborative manner, in the process of defining the scenarios allowing the re - use of their personal data, following a bottom - up approach to open data project s . The Joint Opinion also recommends amending the DGA to clarify that the re - use of personal data held by public sector bodies may only be allowed if it is grounded in Union or Member State law which lays down a list of clear compatible purposes for which the further processing may be lawfully authorised or constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23 of the GDPR 27 . The EDPB further recalls that the inclusion of data held by public sector bodies which are protected on grounds of statistical confidentiality in the scope of Chapter II of the DGA, according to Article 3(1)(b), risks to contradict the principle according to which personal data collected for statistical purpose shall only be used for that purpose 28 . Respect of this principle is key not to undermine trust of the person concerned when she or he provides her or his personal data for statistical purposes 29 . • With regard to Chapter III, the DGA should specify among th e conditions for providing the data sharing service (s), that the provider shall have procedures in place to ensure compliance with the Union and national law on the protection of personal data, including procedures for ensuring the exercise of data subject s’ rights . In particular, the provider shall make available to the data subject easily accessible tools allowing her or him not only to provide but also to withdraw consent; and

¶25

See at para 71 of the Joint Opinion .

¶26

Article 5(6): “Where the re - use of data cannot be granted in accordance with the obligations laid down in paragraphs 3 to 5 and there is no other legal basis for transmitting the data under Regulation (EU) 2016/679, the public sector body shall support re - users in seeking consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected by such re - use, where it is feasible without disproportionate cost for the public sector. In that task they may be assisted by the competent bodies referred to in Article 7 (1).”

¶27

See at para 77 of the Joint Opinion . See also paras. 75 and 76 of the Joint Opinion .

¶28

See recital 27 of Regulation (EC) No 223/2009 of the European Parliament and of the Council of 1 1 March 2009 on European statistics; as well as Articles 4(1) and 4(2) of the Recommendation of the Council of Europe No R (97)18 concerning the protection of personal data collected and processed for statistical purposes.

¶29

See at footnote 36 of the Joint Opinion . 7 provide tools allowing a comprehensive view of how and for which specific purp ose her or his personal data are shared 30 . Moreover, the DGA shall recall the obligation where applicable to perform a data protection impact assessment pursuant to Article 35 of the GDPR , and, in case of residual high risks to the persons concerned, to con sult the data protection authority prior to the processing in accordance with Article 36 of the GDPR 31 . • The same requirements should be specified by the DGA in relation to data altruism organizations 32 . These data protection safeguards must be integrated i n the DGA also due to the labelling - as data sharing service provider or as “data altruism organization recognized in the Union” - which would be leveraged by these legal entities to obtain the consent to the processing of her or his personal data by the da ta subject, who would assume that a high level of protection of such data is ensured. In light of the above, as noted in the Joint Opinion, the EDPB considers that the declaratory regime for the notification/registration envisaged respectively by the DGA f or data sharing service providers and data altruism organisations does not provide for a sufficiently stringent vetting procedure , considering the possible impacts for data subjects of the personal data processing that may be undertaken by such entities. T herefore, the EDPB recommends exploring alternative procedures which should notably take into account a more systematic inclusion of accountability and compliance tools for the processing of personal data as per the GDPR, in particular the adherence to a c ode of conduct or certification mechanism 33 . The EDPB regrets that, in the Council compromise text of

¶30

March 2021, it is now (expressly) provided that the registration as a recognised data altruism organisation is not a precondition for exercising data al truism activities, thus further weakening the checks and safeguards for the data subjects with regard to the crucially important data protection aspects. These safeguards are particularly important also due to the vagueness of the definition of 'data altru ism' under the DGA. Moreover, the DGA should provide a precise definition of the ‘purposes of general interest’ that would be pursued by the data altruism organizations 34 . Besides, the ‘European data altruism consent form’ for the processing of personal data by data altruism organizations should be developed in consultation with the EDPB, rather than with the (to be established) European Data Innovation Board 35 . • The Joint Opinion noted the requirement of “independence” for data sharing service providers, as well as of “independence” of data altruism organizations in the DGA. Concerning data altruism organizations , the Joint Opinion recommends clarifying the independence from the for - profit entities of the data altruism organization (e.g. legal, organizati onal, economical) 36 . Having regard to data sharing service providers , the EDPB would now like to point out to recital 22 of the DGA: “[..] Specialised data intermediaries that are independent from both data holders and data users can have 30 See at Subsection 3.4.1 and para147 of the Joint Opinion .

¶31

See at para 147 of the Joint Opinion .

¶32

See at Subsection 3.5.1 of the Joint Opinion .

¶33

See at paras 140 and 180 of the Joint Opinion .

¶34

See at paras 159 - 160 and 170 - 171 of the Joint Opinion .

¶35

See at Subsection 3.5.5 of the Joint Opinion .

¶36

See at para. 1 78 of the Joint Opinion . 8 a facilitating rol e in the emergence of new data - driven ecosystems independent from any player with a significant degree of market power . [..] ” The EDPB underlines that this type of independence of data sharing service providers is key under both the competition and data pr otection viewpoints 37 . Conclusion To conclude, the EDPB urges the co - legislators to address the important criticalities explained in the Joint Opinion, thus avoiding that the DGA creates a parallel set of rules , not consistent with the GDPR, as well as wit h other Union law, which would result in insufficient safeguards for the individuals concerned and difficulties in the practical application . This statement, recalling some of the key points of the Joint Opinion, is without prejudice to a possible future more detailed statement or opinion on the co - legislators future positions. For the European Data Protection Board The Chair (Andrea Jelinek)

¶37

See, in particular: Statement of the EDPB on the data protection impacts of economic concentration, adopted on 27 August 2018, “Increased market concentrati on in digital markets has the potential to threaten the level of data protection and freedom enjoyed by consumers of digital services”; EDPB Statement on privacy implications of mergers, adopted on 19 February 2020.

Similar Content