On 19 February 2020, the European Commission published details of its data strategy (here), the aim of which is to “create a single European data space – a genuine single market for data, open to data from across the world – where personal as well as non-personal data, including sensitive business data, are secure and businesses also have easy access to an almost infinite amount of high-quality industrial data, boosting growth and creating value, while minimising the human carbon and environmental footprint.”
The European Data Protection Supervisor (EDPS) published its opinion on the data strategy on 16 June 2020 (here). In essence, the EDPS supports the Commission’s commitment to develop the strategy in full compliance with the General Data Protection Regulation (GDPR) and European fundamental rights and values, including the right to the protection of personal data provided under Article 8 of the Charter of Fundamental Rights of the EU. However, the EDPS took the opportunity in its opinion to remind the Commission of a few specific areas of EU data protection law which it will need to consider in relation to some of the proposals set out in the strategy.
We have set out below a summary of the four pillars that make up the data strategy, together with some of the EDPS’ remarks:
- The Commission wants to create a cross-sectoral governance framework for data access and use. It is aiming to achieve this through the following actions:
a. Putting in place an enabling legislative framework for the governance of common European data spaces, including making it easier for individuals to allow the use of their data for the public good if they wish to do so.
EDPS remarks: The EDPS states that ‘public good’ is interchangeable with the notion of ‘public interest’ and can be used as a legal basis for processing personal data (including sensitive or special category data). It reminds the Commission that in order to rely on ‘public interest’, there needs to be a basis in EU or member state law.
The EDPS also states that the creation of data spaces is likely to involve processing personal data on a large scale. Where such processing is likely to result in a high risk to individuals, the EDPS reminds the Commission that controllers will need to carry out a data protection impact assessment prior to conducting such processing.
b. Adopting an implementing act on high-value data sets to make more high-quality public sector data available for re-use.
c. Exploring the need for legislative action on issues that affect relations between actors in the data-agile economy to provide incentives for horizontal data sharing across sectors through, for example, the implementation of a ‘Data Act’.
2. The Commission will invest in data, and strengthen Europe’s capabilities and infrastructures for hosting, processing and using data, in an interoperable manner. It is aiming to achieve this through the following actions:
a. Investing in a high-impact project on European data spaces and federated cloud infrastructures, specifically funding infrastructures, data-sharing tools, architectures and governance mechanisms for thriving data-sharing and artificial intelligence ecosystems.
b. Funding the establishment of EU-wide common, interoperable data spaces in strategic sectors (including, most notably, transport, health and energy) to overcome legal and technical barriers to data sharing across organisations.
c. Facilitating a memorandum of understanding with member states to foster synergies between the work on European data-sharing initiatives and member states’ own initiatives.
d. Bringing together a coherent framework around the different applicable rules for cloud services, in the form of a cloud rulebook, which will offer a compendium of existing cloud codes of conduct and certification on security, energy efficiency, quality of service, data protection and data portability.
e. Facilitating the development of common European standards and requirements for the public procurement of data processing services.
f. Setting up a cloud services marketplace to put potential users (in particular the public sector and SMEs) in the position to select cloud processing, software and platform service offerings that comply with a number of requirements in areas like data protection, security, data portability, energy efficiency and market practice.
3. The Commission wants to empower individuals, and invest in skills and SMEs. It is aiming to achieve this through the following action:
a. Exploring the possibility of enhancing the portability right for individuals under Article 20 of the GDPR, giving individuals more control over who can access and use machine-generated data (possibly as part of the Data Act).
EDPS remarks: The EDPS reminds the Commission that in order to empower individuals to be in control of their data, they need to be made aware of what has been, and what will be, done with their data and by whom. In this regard, the EDPS reminds the Commission of the transparency requirement under the GDPR and suggests that this could be achieved using standardised and machine-readable icons, so that individuals can easily view and understand the intended processing operations.
4. The Commission wants to develop common European data spaces in strategic sectors and domains of public interest including transport, health and energy.
EDPS remarks: Although the Commission has committed to creating such data spaces in full compliance with the GDPR, the EDPS suggests that the Commission should consider sector-specific legislation, particularly in the area of health and for scientific research in general. The EDPS also suggested the need for more harmonisation of data protection rules with regard to health data. The EDPS was also concerned that the data spaces should only be populated with personal data which has been demonstrably obtained in compliance with relevant data protection legislation.
In general, the EDPS was happy to see the Commission taking account of data protection issues as part of its strategy. However, it is difficult to see how an open single market of data can truly be achieved when individuals have so much control over the use of their data under EU data protection laws. Would you be happy for your data to exist in a single market where businesses have easy access to it?