National privacy authorities are calling on Europe’s member states and parliament to amend the Data Act. According to the authorities, the bill risks violations of the GDPR.
All European privacy authorities are part of the EDPB. The organization disagrees with the Data Act, a bill recently presented by the European Commission. Hence, the EDPB urged Europe’s member states and parliament to amend the Data Act. According to the EDPB, the bill conflicts with the AVG.
What does the Data Act entail?
The European Commission wants organizations to share more data with customers and governments. The Data Act is designed to achieve this goal.
If you’re currently selling a product and tracking user behaviour, some of the data is your property. Think of the steps taken to log into a software program, or the way a customer holds a toothbrush.
Hardly anyone can force you to share the data. Personal data is an exception, as this is the property of persons. A criminal investigation also makes a difference, because European and Dutch laws stipulate that data must be provided in some cases.
Beyond that, you’re in control. If a customer switches to a competitor and the competitor asks you for customer data, you’re free to refuse the request. That’s what the European Commission hopes to change. The Data Act can oblige organizations to share customer data with competitors. In the case of a health crisis or natural disaster, governments may demand access as well.
Update | The Data Act has been greenlit. It’s no longer a bill, but official regulation. The rules were confirmed on 23 June 2022. Companies have 15 months to prepare. The new rules take effect in September 2023.
Why is that a problem?
The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) are concerned about the bill. As mentioned earlier, the EDPB consists of all national privacy authorities. The EDPS is responsible for supervising the European Commission. The Data Act underlines why such supervision is important. The Commission’s proposal does not take the AVG into account.
The Data Act describes why and when organizations should share their data, but fails to mention that personal data may not be shared. In addition, the regulators believe that the Data Act may give governments too much access to personal data from companies. The Data Act requires organizations to share data with governments in ‘exceptional circumstances’. It’s not exactly clear when this obligation is supposed to take effect. Moreover, the Data Act does specifiy what data is involved.
The Data Act will shortly be discussed by all member states and the European Parliament. Only their agreement can make the proposal law. The EDPB and EDPS called upon all Member States and the European Parliament to amend the proposal. The call is expected to be heard.