The EU’s Data Act: Joint Opinion of the EDPS and EDBP
At the 64th plenary meeting, the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) published a Joint Opinion on the proposed Data Act.
The Data Act aims to establish harmonised rules on the access to, and use of, data generated from a broad range of products and services, including connected objects (‘Internet of Things’), medical or health devices and virtual assistants. The Data Act also aims to enhance data subjects’ right to data portability under Art. 20 of the General Data Protection Regulation.
The EDPS and EDPB welcome the efforts made to ensure that the Data Act does not affect the current data protection framework. As regards enforcement, they support in the opinion the designation of data protection supervisory authorities as competent authorities responsible for monitoring the application of the Data Act insofar as the protection of personal data is concerned. The EDPS and EDPB ask the co-legislators to designate national data protection authorities as coordinating competent authorities under the Data Act.
At the same time, since the Data Act would also apply to highly sensitive personal data, the EDPS and EDPB urge the co-legislators to ensure that data subjects’ rights are duly protected. It is important that the access, use and sharing of personal data by entities other than data subjects should occur in full compliance with all data protection principles and rules. The possibility to use devices anonymously or in the least privacy intrusive way possible is equally important according to the EDPS and EDPB.
Therefore, the Joint Opinion advise the co-legislators to provide limitations or restrictions on the use of data generated by the use of a product or service by any entity other than data subjects. These limitations should relate in particular to the use of the relevant data for purposes of direct marketing or advertising; employee monitoring; calculating, modifying insurance premiums; credit scoring.