Data protection regulators have called on EU law makers to place tighter controls on how personal data generated by the use of products and services can be used.
The European Commission set out plans to help consumers and businesses access data generated by the products or related services they own, rent or lease in a new EU Data Act proposed earlier this year. However, the European Data Protection Board (EDPB), together with the European data protection supervisor (EDPS), which oversees EU institutions’ compliance with data protection laws, has said the draft legislation raises data protection concerns.
In a joint opinion, the EDPB and EDPS called for the draft Data Act to be amended. They said the proposals should include “clear limitations or restrictions on the use of personal data generated by the use of a product or service by any entity other than data subjects, in particular where the data at issue are likely to allow precise conclusions to be drawn concerning their private lives or would otherwise entail high risks for the rights and freedoms of the individuals concerned”.
The EDPB and EDPS cited specific examples of data processing activities the draft Data Act should prohibit.
“In particular, the EDPS and EDPB recommend to introduce clear limitations regarding use of personal data generated by the use of a product or related services for purposes of direct marketing or advertising, employee monitoring, credit scoring or to determine eligibility to health insurance, to calculate or modify insurance premiums,” they said. “This recommendation is without prejudice to any further limitations that may be appropriate, for example to protect vulnerable persons, in particular minors, or due to the particularly sensitive nature of certain categories of data (e.g. data concerning the use of a medical device or biometric data) and the protections offered by Union legislation on data protection.”
Frankfurt-based data protection law expert Ruth Maria Bousonville of Pinsent Masons said that the insistence by the EDPB and EDPS that data protection law prevails in case of conflict with the Data Act was “obvious” and that the draft the Commission has prepared already confirms this. She said the text “would not benefit from additional detail in this respect.”
However, Bousonville said general comments the EDPB and EDPS made in their joint opinion are worth noting.
“Against common perception, they are highlighting that data protection law ‘already allows for’ the unleashing of ‘the potential of information to be extracted from data in order to gain valuable knowledge for important common values and for health, science, research and climate action’,” Bousonville said.
“Practice shows that each of such use cases turns on its own facts, which is why the Data Act cannot add legal certainty in this respect. At the same time, data protection law will prevent plain commodification of personal data even if the Data Act would allow it. So, in essence, businesses will need to be prepared for additional regulation without any clear advantage,” she said.
The Commission’s plans for a new Data Act would have major implications for manufacturers of connected devices and other data holders as they would be required to make data generated by their products and services “available to third parties upon the request of the user” and do so “under fair, reasonable and non-discriminatory terms and in a transparent manner”.
The Commission’s draft includes proposed safeguards for SMEs, including the potential unfairness that can arise in data sharing contractual provisions as a consequence of the imbalance in bargaining power between micro, small or medium-sized enterprises and larger businesses: larger businesses would be prohibited from taking advantage of their stronger negotiating power under the draft Act. In this context, the draft introduces an unfairness test. It defines in what cases data sharing-related contractual terms are unfair and is complemented by a list of clauses “that are either always unfair or presumed to be unfair”.