“Big data comes with big responsibility”
Brussels, 16 June 2020. The aim of the Data Strategy is to create a single European data space and thus make it easier for businesses and public authorities to access high-quality data to boost growth and create value. Moreover, it should “enable the EU to become the most attractive, most secure and most dynamic data agile economy in the world”. A key element of the Data Strategy is the development of common European data spaces in strategic economic sectors and domains of public interest, such as the common European health data space.
The EDPS applauds the Commission’s commitment to ensure that European fundamental rights and values.
The EDPS underlines that one of the objectives of the Data Strategy should be to prove the viability and sustainability of an alternative data economy model – open, fair and democratic. Unlike the current predominant business model, characterized by unprecedented concentration of data in a handful of powerful players, as well as pervasive tracking, the European data space should serve as an example of transparency, effective accountability and proper balance between the interests of the individual data subjects and the shared interest of the society as a whole.
Application of the key data protection principles
The EDPS supports the Commission’s commitment to develop the Strategy in full compliance with the General Data Protection Regulation (“GDPR”). He is convinced that the GDPR provides a solid basis.
The EDPS recalls that, pursuant to Article 5 of the GDPR, the processing of personal data should always respect the principles of lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality.
These principles remain fully applicable when processing personal data for the “public good” purposes. Purpose limitation is an essential safeguard to provide individuals with the confidence that the data they provide will not be used against them in an unexpected manner.
In the context of the proposed future Data Act, the EDPS recommends to lay down requirements for producers of products, services and applications that are based on the processing of personal data.
The EDPS recalls that the adoption of the proposed ePrivacy Regulation is crucial to protect the fundamental rights to privacy and personal data protection in the digital age. Hence, the completion of the EU’s legal framework for data protection and confidentiality of communications is an important condition for the success of the Data Strategy.
The routine approach to transparency in the form of lengthy privacy notices phrased in abstract or ambivalent terms, still applied by some controllers, is contrary to the GDPR’s requirements to provide information “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. In this context, and especially in the light of technological developments the EDPS reminds that pursuant to Article 12(7) and (8) of the GDPR the information to data subjects could be provided with standardised and machine readable icons in order to offer an easily visible, intelligible and meaningful overview of the intended processing.
Personal information management systems (PIMS) are emerging as promising platforms to give data subjects more control over their personal data.
The EDPS emphasises the need of a clear distinction between the data intermediaries focussing exclusively on personal data and seeking to enhance individual agency, on the one hand, and those driven by economic incentives and aiming to support mainly Business to Business (B2B) data exchange, on the other hand.
Any use of data, collected and/or shared for a public good/public interest function (e.g. for improving transport/mobility or tackling serious cross-border threats to health), for commercial for-profit purposes (for instance insurance, marketing, etc.) should be avoided.
COMMON EUROPEAN DATA SPACES
General comments on the concept
A key element of the Data Strategy is the development of common European data spaces in strategic economic sectors and domains of public interest. The data spaces would combine large pools of data, technical tools and infrastructures necessary to use and exchange data, as well as governance mechanisms. They would be governed by a horizontal framework complemented, where appropriate, by sectoral legislation for data access and use.
European data spaces will be developed “in full compliance with data protection rules and according to the highest available cyber-security standards” and looks forward to examining the specific proposals and initiatives aimed at implementing this.
While the EDPS agrees that one-size-fits-all approach might not be appropriate, he nevertheless encourages the Commission to further clarify that the common European data spaces should be populated only with personal data which has been demonstrably obtained in compliance with data protection legislation, including in particular with the principles of lawfulness, purpose limitation and data minimisation. According to the Strategy, data spaces will be used for multiple purposes. Hence, it should be clearly defined from the onset for each data space what are the permitted purposes.
The success of the common European data spaces and the Strategy as a whole depends heavily on the ability to create a solid level of trust between the various stakeholder.
Compulsory data sharing
The EDPS takes note of the Commission’s intention to make data sharing compulsory in certain circumstances. There have been recent calls for regulated access across the EU to privately held personal data for research purposes that serve a public interest, such as improving healthcare provision and addressing the climate crisis. Such initiatives are expected to become even more prominent in the context of COVID-19 pandemic. the EDPS recommends an open and inclusive debate on this matter, which should involve all stakeholders, such as the research community, tech companies.
Today, the predominant business model of the digital economy is characterised by unprecedented concentration of data in the hands of a handful of powerful players, based outside the EU, and wide-scale pervasive tracking. The EDPS strongly believes that one of the most important objectives of the Data Strategy should be to prove the viability and sustainability of an alternative data economy model – open, fair and democratic.