12 Amendments of Ivo HRISTOV related to 2020/0340(COD)
Amendment 137 #
Proposal for a regulation
Recital 6
Recital 6
(6) There are techniques enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression and randomisation. Application of these privacy-enhancing technologies, together with comprehensive data protection approaches should ensure the safe re-use of personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place and supervised by the public sector. While increased safeguards and requirements apply to the use of personal data, the same level of protection should be given to personal data which has been anonymised or pseudonymised as it will always be vulnerable to re-identification. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39 ). In general, insofar as personal data are concerned, the processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 of Regulation (EU) 2016/679. _________________ 39Commission Regulation (EU) 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Amendment 159 #
Proposal for a regulation
Recital 14
Recital 14
(14) Companies and data subjects should be able to trust that the re-use of certain categories of protected data, which are held by the public sector, will take place in a manner that respects their rights and interests. Additional safeguards should thus be put in place for situations in which the re-use of such public sector data is taking place on the basis of a processing of the data outside the public sector. Highlighted in this regard is the need of prior consultation and negotiation with social partners, if data management and processing using artificial intelligence tools relate to the sphere of work. Such an additional safeguard could be found in the requirement that public sector bodies should take fully into account the rights and interests of natural and legal persons (in particular the protection of personal data, commercially sensitive data and the protection of intellectual property rights) in case such data is transferred to third countries.
Amendment 177 #
Proposal for a regulation
Recital 19
Recital 19
(19) In order to build trust in re-use mechanisms, it may be necessary to attach stricter conditions for certain types of non- personal data that have been identified as highly sensitive, as regards the transfer to third countries, if such transfer could jeopardise public policy objectives, in line with international commitments. For example, in the health domain, certain datasets held by actors in the public health system, such as public hospitals, could be identified as highly sensitive health data, including real world data, such as electronic health records, insurance claims data and data from patient registries. In order to ensure harmonised practices across the Union, such types of highly sensitive non-personal public data should be defined by Union law, for example in the context of the European Health Data Space or other sectoral legislation. Regarding the processing of data for health research purposes, the provisions of GDPR under Article 9 on the processing of special categories of data should apply. The conditions attached to the transfer of such data to third countries should be laid down in delegated acts. Conditions should be proportionate, non-discriminatory and necessary to protect legitimate public policy objectives identified, such as the protection of public health, public order, safety, the environment, public morals, consumer protection, privacy and personal data protection. The conditions should correspond to the risks identified in relation to the sensitivity of such data, including in terms of the risk of the re- identification of individuals. These conditions could include terms applicable for the transfer or technical arrangements, such as the requirement of using a secure processing environment, limitations as regards the re-use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or who can access the data in the third country. In exceptional cases they could also include restrictions on transfer of the data to third countries to protect the public interest.
Amendment 229 #
Proposal for a regulation
Recital 33
Recital 33
(33) The competent authorities under Regulation 2018/679 designated to monitor compliance of data sharing services with the requirements in this Regulation should be chosen on the basis of their capacity and expertise regarding horizontal or sectoral data sharing, and they should be independent as well as transparent and impartial in the exercise of their tasks. Member States should notify the Commission of the identity of the designated competent authorities.
Amendment 232 #
Proposal for a regulation
Recital 35
Recital 35
(35) There is a strong potential in the use of data made available voluntarily by data subjects based on their consent or, where it concerns non-personal data, made available by legal persons, for purposes of general interest. Such purposes would include healthcare, combating climate change, improving mobility, facilitating the establishment of official statistics or improving the provision of public services. Support to scientific research, including for example technological development and demonstration, fundamental research, applied research and privately funded research, should be considered as well purposes of general interest. This Regulation aims at contributing to the emergence of pools of data made available on the basis of data altruism that have a sufficient size in order to enable data analytics and machine learning, including across borders in the Union. The Regulation should ensure a high level of protection against misleading practices regarding initiatives by the industry which are presented as public purpose research aiming to promote "ethical" behaviour.
Amendment 348 #
Proposal for a regulation
Article 3 – paragraph 3
Article 3 – paragraph 3
(3) The provisions of this Chapter do not create any obligation on public sector bodies to allow re-use of data nor do they release public sector bodies from their confidentiality obligations. This Chapter is without prejudice to Union and national law or international agreements to which the Union or Member States are parties on the protection of categories of data provided in paragraph 1. This Chapter is without prejudice to Union and national law on access to documents, in particular with regard to register data, and to obligations of public sector bodies under Union and national law to allow the re-use of data.
Amendment 368 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
(3) Public sector bodies may impose an obligation to re-use only pre-processed data where such pre-processing aims to anonymize or pseudonymise personal data or delete commercially confidential information, including trade secrets. In the area of research, it must be ensured that the results of data processing remain traceable and reproducible even after anonymisation has taken place.
Amendment 374 #
Proposal for a regulation
Article 5 – paragraph 4 – point a
Article 5 – paragraph 4 – point a
(a) to access and re-use the data within a secure processing environment, including techniques for pseudonymisation, anonymisation, generalisation, suppression and randomisation of personal data, provided and controlled by the public sector ;
Amendment 434 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
(1) Member States shall designate one or more competent bodies under Regulation 2018/679, which may be sectoral, to support the public sector bodies which grant access to the re-use of the categories of data referred to in Article 3 (1) in the exercise of that task.
Amendment 533 #
Proposal for a regulation
Article 12 – paragraph 2
Article 12 – paragraph 2
(2) The designated competent authorities under Regulation 2018/679” shall comply with Article 23”..
Amendment 628 #
Proposal for a regulation
Article 20 – paragraph 1
Article 20 – paragraph 1
(1) Each Member State shall designate one or more competent authorities under Regulation 2018/679 responsible for the register of recognised data altruism organisations and for the monitoring of compliance with the requirements of this Chapter. The designated competent authorities shall meet the requirements of Article 23.
Amendment 651 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
(3) Where personal data are provided, the European data altruism consent form shall ensure that data subjects are able to give consent to and withdraw consent from a specific data processing operation in compliance with the requirements of Regulation (EU) 2016/679. Data subjects shall be informed of the purposes of any subsequent use before they give their consent.