The implementation of the General Data Protection Regulation (GDPR) was not easy for many companies and website operators. With the planned Data Act, with which the EU Commission intends to leverage the dormant potential in data, additional requirements are likely to come up and, on top of that, there will be problems with the delimitation of the two laws. This became clear on Monday at a conference of the Professional Association of Data Protection Officers in Germany (BvD), the Association of German Chambers of Industry and Commerce (DIHK) and the Foundation for Data Protection in Berlin.
Interaction with GDPR does not work
Hamburg’s data protection officer, Thomas Fuchs, spoke of an impending “paradigm shift”. He thinks it’s great that the Data Act is trying to regulate a new world with foresight. However, the interaction with the GDPR does not work: both regulations stand side by side like altarpieces “tell different stories”.
For example, the consent model from the GDPR for the “mass data sharing” outlined with the Data Act does not make sense, said Fuchs and asked: “Do we want cookie banners for autonomous driving?” In addition, the information requirements, the right to complain and the sanctions are not congruent. “Sectoral authorities” would also be involved in supervision, and there would be no coordination mechanism. For the inspector one thing is certain: “It won’t be fun.”
Christian Dürschmied, a lawyer at Eversheds Sutherland, identified a high degree of imponderability in the gray area between the Data Act and the GDPR. The applicability of the two regulations and, above all, the associated roles of data processors and data subjects are often “not very clearly delimitable”, he pointed out. According to the draft under discussion, for example, in the case of “joint responsibility” it must be specified in a transparent form in an agreement “who fulfills which obligations to comply with this regulation”. Such vague formulas were “astonished” by observers.
Information obligations as a “particular challenge”
In general, according to Dürschmied, the “optimal use of data” is the focus of the Data Act, not the protection of personal information. The provisions of the GDPR should remain “unaffected”, including the principles of data minimization and privacy by design, for example via pseudonymization and anonymization. On the other hand, a personal reference can be made via the outlined access to data from the Internet of Things via user accounts. At the latest when measuring values are linked, one “inevitably comes into contact with data protection law” and has to balance both areas.
As an example, the lawyer cited the question of whether companies should rely on consent or a legitimate interest in data use. At the latest when third parties access, there should be simple options for refusal. Design tricks such as “dark patterns” should not be used. On the other hand, the Data Act allows profiling if such a combination is “absolutely necessary” in order to provide the service desired by the user: “It confuses companies when it comes to tracking.”
Affected rights such as information obligations are also a “particular challenge”, reported Dürschmied. Here many already reached their limits with the GDPR, now additional requirements are threatened. Processors wanted the most comprehensive approach possible. With the right to data access and the account comes an additional right to information, which “demands something” from the companies again. And that in a legal framework “in which much is unclear”. With regard to processors and the planned “data portability 2.0”, the puzzle “can no longer be put together perfectly”.
facilitate data exchange
Should the Commission largely get its draft through, the lawyer advised companies to try to transfer the new specifications into their existing data protection management system. New compliance processes need to be introduced and existing ones updated. Those responsible would have to “pick up everyone” and make the specifications universally understandable. Previously, the European data protection commissioner had also been unhappy about the project.
The core concern of the initiative from Brussels is to advance the exchange of data between companies and with the public sector, to introduce new data access rights for networked products and to make international data transfer more secure. Every user should have access to all information that he has contributed to the creation of. Providers of networked products and associated services such as virtual language assistants would have to make the corresponding data available to the user in an easily accessible form in real time free of charge.
Klemens Gutmann from the communications and IT service provider Regiocom complained that the commission wanted to create a huge hat that would provide universal protection against the sun, rain and lightning. In this way, very different areas of application would be lumped together. The IT industry or engine manufacturers, for example, have completely different requirements when it comes to handling data. For example, compulsory disclosure could be useful for contract workshops or disaster relief workers, but not for a start-up that evaluates large amounts of data from sensors in large buildings or the Internet of Things.
Hat still too big
Mike Gahn from the software developer Ownsoft also had a hard time with the impending obligation to release data: “I don’t know what could be done without affecting personal rights.” Even in the business customer environment, there is ultimately a relationship with the end user who could make relevant claims. Small companies would be disproportionately burdened by this. Customers are already demanding an export function. So far, however, databases have not been interoperable. To do this, every industry would have to define standards, which he cannot imagine.
The hat is still too big, confirmed Vera Demary from the Institute of German Economics: 72 percent of German companies are not yet able to manage data efficiently. In view of the gas, energy and climate crisis, it is becoming increasingly important to use and share measured values. However, this is already necessary in principle today, but the biggest stumbling block is the lack of knowledge about the existing legal framework. A duty could even discourage many companies from launching data-based services and products if network effects are lost or if competitors from China request data. It would therefore make more sense to limit the Data Act to aspects such as easy switching between cloud providers.
Benjamin Brake from the Federal Ministry for Digital and Transport also warned of a bureaucratic burden on the economy and a “perfect storm” together with other EU digital laws. It is true that more and better data are available. However, the conditions under which companies would have to make data available to the state remain open.
Anna Ludin from the Commission’s Directorate-General for Communications Networks, Content and Technologies referred to “extraordinary situations” such as emergencies, pandemics and climate catastrophes. Overall, there is a certain continuity, especially in the approach of not establishing any new exclusivity rights for data. She hoped that a compromise would soon be reached in the Council of Ministers and that the EU Parliament would tighten its negotiating mandate at the beginning of 2023.
(mho)
