Activities of Stéphanie YON-COURTIN related to 2023/0205(COD)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on a framework for Financial Data Access and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010, (EU) No 1095/2010 and (EU) 2022/2554
Amendments (23)
Amendment 170
Proposal for a regulation
Recital 10
(10) The sharing of the access of customer data in the scope of this Regulation should be based on the explicit permission of the customer. The client’s permission to give access to his or her data should be obtained through an explicit consent, which should not be based solely on a “tick-the-box” approach or the use of generalising phrases. In seeking the explicit permission of the customer to use his or her data, the data users should specify what use they intend to make of the customer’s data, should the customer provide permission. The legal obligation on data holders to share customer data should be triggered once the customer has explicitly requested their data to be shared with a data user. This request can be submitted bye data user should be able to demonstrate how the best interest of the customer will be served and preserved. In accordance with Regulation (EU) [XXXX/XXXX] of the European Parliament and of the Council (Data Act), an undertaking providing core platform services that has been designated as a gatekeeper under Regulation (EU) 2022/1925 cannot be eligible as data user acting on behalf of the customer under this Regulation. The limitation on granting access to gatekeepers would not exclude them from the market and prevent them from offering their services, as voluntary agreements between them and the data holders remain unaffected. Where the processing of personal data is involved, a data user should have a valid lawful basis for processing under Regulation (EU) 2016/679. The customer’s data can be processed only for the agreed purposes in the context of the service provided. Under this Regulation, these purposes should be strictly limited to the provision of a financial product, a financial service or a financial information service. The processing of personal data must respect the principles of personal data protection, including lawfulness, fairness and transparency, purpose limitation and data minimisation.
A customer has the right to withdraw the permission given to a data user at any time and free of charge. For example, when data processing is necessary for the performance of a contract, a customer should be able to withdraw permissions according to the contractual obligations to which the data subject is party. Similarly, when personal data processing is based on consent, a data subject should be able to withdraw his or her consent at any time, as provided for in Regulation (EU) 2016/679. It should not be possible for the data user to transfer customer data to a third-party actor without this explicit permission, or even to another entity within the same group.
Amendment 215
Proposal for a regulation
Recital 33
(33) In order to enable effective supervision and to eliminate the possibility of evading or circumventing supervision, financial information service providers must be either legally incorporated in the Union or in case they are incorporaonly be provided by legal persons that have a registered office in a Member State in which they intend in a third country appoint a legal represento carry out or do carry out substantive in the Union.business activities An effective supervision by the competent authorities is necessary for the enforcement of requirements under this Regulation to ensure integrity and stability of the financial system and to protect consumers. The requirement of legal incorporation of financial information service providers in the Union or the appointment of a legal representative in the Union does not amount to data localisation since this Regulation does not entail any further requirement on data processing including storage to be undertaken in Union.
Amendment 219
Proposal for a regulation
Recital 34
(34) A financial information service provider should be authorised in the jurisdiction of the Member State where its main establishment is located, that is, where the financial information service provider intends to carry out substantive business activities and where it has its head office or registered office within which the principal functions and operational control are exercised. In respect of financial information service providers that do not have an establishment in the Union but require access to data in the Union and therefore fall within the scope of this Regulation, the Member State where those financial information service providers have appointed their legal representative should have jurisdiction, considering the function of legal representatives under this Regulation.
Amendment 318
Proposal for a regulation
Article 3 – paragraph 1 – point 6 a (new)
(6 a) “financial information services” means the online services of collecting, consolidating, storing and processing customer data in order to provide a financial service to customers;
Amendment 321
Proposal for a regulation
Article 3 – paragraph 1 – point 6 b (new)
(6 b) "financial service" means any service of a banking, credit, insurance, personal pension, investment or payment nature;
Amendment 339
Proposal for a regulation
Article 3 – paragraph 1 – point 29
Amendment 348
Proposal for a regulation
Article 5 – paragraph 1
1. The data holder shall, upon explicit request from a customer submitted by electronic means, make available to a data user the customer data listed in Article 2(1) for the purposes for which the customer has granted permission to the data user. Any request from a customer shall state explicitly the specific service for the purpose of which the customer consents to the use of his data by the data user. The customer data shall be made available to the data user without undue delay, continuously and in real-time.
Amendment 355
Proposal for a regulation
Article 5 – paragraph 1 a (new)
1 a. Any undertaking designated as a gatekeeper, pursuant to Article 3 of Regulation (EU) 2022/1925, shall not be an eligible data user under this Regulation.
Amendment 364
Proposal for a regulation
Article 5 a (new)
Article 5a
Customer permission
1. Any permission granted by a customer shall be given for a period of time not exceeding 6 months.
2. Any permission granted by a customer shall not be renewed tacitly.
3. A customer may withdraw the permission it has granted to a data user at any time and free of charge. When processing is necessary for the performance of a contract, a customer may withdraw the permission it has granted to make customer data available to a data user according to the contractual obligations to which it is subject.
Amendment 366
Proposal for a regulation
Article 6 – paragraph 1
1. A data user shall only be eligible to access customer data pursuant to Article 5(1) if that data user is subject to prior authorisation by a competent authority as a financial institution provide financial information services within the Union if that data user is a financial institution or a legal person established in the Union that has been authorised as financial information service provider pursuant to Article 14.
Amendment 373
Proposal for a regulation
Article 6 – paragraph 3
Amendment 379
Proposal for a regulation
Article 6 – paragraph 4 – point e
(e) not process customer data for advertising purposes, except for direct marketing in accordance with Union and national law;
Amendment 384
Proposal for a regulation
Article 6 – paragraph 4 – point e a (new)
(e a) not transfer customer data to any third party, including in an outsourcing scheme, without the customer’s explicit permission;
Amendment 385
Proposal for a regulation
Article 6 – paragraph 4 – point e b (new)
(e b) not make the data it receives available to an undertaking designated as a gatekeeper pursuant to Article 3 of Regulation (EU) 2022/1925;
Amendment 418
Proposal for a regulation
Article 8 – paragraph 2 – point a – introductory part
(a) provide the customer with an overview of each ongoing permission given to data users at any time, including:
Amendment 422
Proposal for a regulation
Article 8 – paragraph 2 – point a – point v a (new)
(v a) the date on which the customer has granted access to a data user;
Amendment 423
Proposal for a regulation
Article 8 – paragraph 2 – point a – point v b (new)
(v b) the storage location of data being shared.
Amendment 424
Proposal for a regulation
Article 8 – paragraph 2 – point b
(b) allow the customer to withdraw a permission given to a data user at any time, and free of charge;
Amendment 493
Proposal for a regulation
Article 10 – paragraph 4
4. A financial data sharing scheme set up in accordance with this Article shall be notified to the competent authority of establishment of the three most significant data holders which are members of that scheme at the time of establishment of the scheme. Where the three most significant data holders are established in different Member States, or where there is more than one competent aEuropean Banking Authority, the European Insurance and Occupational Pensions Authority inand the Member State of establishment of the three most significant data holders, the scheme shall be notified to all of these authorities which shall agree among themselves which authority shall carry out the assessment referred to in paragraph 6European Securities and Markets Authority.
Amendment 494
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 1
Within 1 month of receipt of the notification pursuant to paragraph 4, the three European Supervisory Authorities shall assess whether the financial data sharing scheme’s governance modalities and characteristics are in compliance with paragraph 1. When assessing the compliance of the financial data sharing scheme with paragraph 1, the competent authority may consult other competent authorities.
Amendment 497
Proposal for a regulation
Article 10 – paragraph 6 – subparagraph 2
Upon completion of this assessment, the competent authority shall inform EBA of a notified financial data sharing scheme that satisfies the provisions of paragraph 1. A scheme notified to EBA in accordance with this paragraph shall be recognised in all the Member States for the purpose of accessing data pursuant to Article 5(1) and shall not require further notification in any other Member Statenotified financial data sharing scheme shall be made available on the register defined in Article 15.
Amendment 525
Proposal for a regulation
Article 13
Amendment 530
Proposal for a regulation
Article 14 – paragraph 2