Activities of Alin MITUȚA related to 2022/0047(COD)
Plenary speeches (1)
Data Act (debate)
Shadow reports (1)
REPORT on the proposal for a regulation of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)
Amendments (277)
Amendment 95 #
Proposal for a regulation
Citation 1
Citation 1
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 and Article 103 thereof,
Amendment 110 #
Proposal for a regulation
Recital 5
Recital 5
(5) This Regulation ensures that users of a connected product or related service in the Union can access, in a timely manner, the data generated by the use of that connected product or related service and that those users can use the data, including by sharing them with third parties of their choice, either directly or through data intermediation services. It imposes the obligation on the data holder to make data available to users and third parties nominated by the users in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and in a transparent manner. Private law rules are key in the overall framework of data sharing. Therefore, this Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair data access and use for micro, small or medium-sized enterprises within the meaning of Recommendation 2003/361/EC. This Regulation also ensures that data holders make available to public sector bodies of the Member States and to Union institutions, agencies or bodies, where there is an exceptional need, the data that are necessary for the performance of tasks carried out in the public interest. In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and data sharing mechanisms and services in the Union. This Regulation should not be interpreted as recognising or creating any legal basis for the data holder to hold, have access to or process data, or as conferring any new right on the data holder to use data generated by the use of a connected product or related service. Instead, it takes as its starting point the control that the data holder effectively enjoys, de facto or de jure, over data generated by connected products or related services.
Amendment 114 #
Proposal for a regulation
Recital 6
Recital 6
(6) Data generation is the result of the actions of at least two actors, the designer or manufacturer of a product, and where different from the manufacturer the provider of related services for the connected product and the user of that connected product. It gives rise to questions of fairness in the digital economy, because the data recorded by such connected products or related services are an important input for aftermarket, ancillary and other services. In order to realise the important economic benefits of data as a non-rival good for the economy and society, a general approach to assigning access and usage rights on data is preferable to awarding exclusive rights of access and use.
Amendment 116 #
Proposal for a regulation
Recital 21
Recital 21
(21) Products may be designed to make certain data directly available from an on- device data storage or from a remote server to which the data are communicated. Access to the on-device data storage may be enabled via cable-based or wireless local area networks connected to a publicly available electronic communications service or a mobile network. The server may be the manufacturer’s own local server capacity or that of a third party or a cloud service provider who functions as data holder. Data processors as defined in Regulation (EU) 2016/679 are by default not considered to act as data holders, unless specifically tasked by the data controller. They may be designed to permit the user or a third party to process the data on the product or on a computing instance of the manufacturer.
Amendment 118 #
Proposal for a regulation
Recital 5
Recital 5
(5) This Regulation ensures that users of a product or related service in the Union can access, in a timely manner, the data generated by the use of that product or related service and that those users can use the data, including by sharing them with third parties of their choice. It imposes the obligation on the data holder to make data available to users and third parties nominated by the users in certain circumstances. It also ensures that data holders make data available to data recipients in the Union under fair, reasonable and non-discriminatory terms and in a transparent manner. Private law rules are key in the overall framework of data sharing. Therefore, this Regulation adapts rules of contract law and prevents the exploitation of contractual imbalances that hinder fair data access and use for micro, small or medium-sized enterprises within the meaning of Recommendation 2003/361/EC. This Regulation also ensures that data holders make available to public sector bodies of the Member States and to Union institutions, agencies or bodies, where there is an exceptional need, the data that are necessary for the performance of tasks carried out in the public interest. In addition, this Regulation seeks to facilitate switching between data processing services and to enhance the interoperability of data and data sharing mechanisms and services in the Union. This Regulation should not be interpreted as recognising or creating any legal basis for the data holder to hold, have access to or process data, or as conferring any new right on the data holder to use data generated by the use of a product or related service. Instead, it takes as its starting point the control that the data holder effectively enjoys, de facto or de jure, over data generated by products or related services.
Amendment 119 #
Proposal for a regulation
Recital 10 a (new)
Recital 10 a (new)
(10 a) Data collected or generated by defence products or services or in the context of defence-related activities, including data collected or generated by dual-use products such as satellites, aircraft and drones when used in a defence context, should be excluded from the scope of this Regulation as the disclosure of such data would create strategic vulnerabilities for European security and defence.
Amendment 122 #
Proposal for a regulation
Recital 11
Recital 11
(11) Union law setting physical design and data requirements for connected products to be placed on the Union market should not be affecbe complemented by this Regulation.
Amendment 125 #
Proposal for a regulation
Recital 14
Recital 14
(14) Physical products that obtain, generate or collect, by means of their components, including sensors, or embedded operating systems, data concerning their performance, use or environment and that are able to communicate that data via a publiclyn available electronic communications service (often referred to as the Internet of Things) should be covered by this Regulation. Electronic communications services include land- based telephone networks, television cable networks, satellite-based networks and near-field communication networks. Such products may include vehicles, home equipment and consumer goods, medical and health devices or agricultural and industrial machinery. The data represent the digitalisation of user actions and events and should accordingly be accessible to the user, while information derived or inferred from this data, where lawfully held, should not be considered within scope of this Regulation. Such data are potentially valuable to the user and support innovation and the development of digital and other services protecting the environment, health and the circular economy, in particular though facilitating the maintenance and repair of the products in question.
Amendment 133 #
Proposal for a regulation
Recital 14 a (new)
Recital 14 a (new)
(14 a) The data represent the digitalisation of user actions and events. These data are potentially valuable to the user and should accordingly always be accessible to the user. Data generated by the use of a connected product or related service include data recorded intentionally by the user or as a by- product of the users’ actions and events. Such data can also be generated or recorded without any action by the user, such as when the product is in ‘standby mode’ or switched off, including diagnostics data and data captured by embedded applications of sensors. Such data should include data in the form and format in which they are generated by the product, and made available in a comprehensible, structured and machine- readable format, including the relevant metadata. This Regulation should cover only raw data, that is either collected or intended to be collected by the data holder. The data resulting from any software process that calculates derivative data shall be excluded from the scope, as such data and software process may be subject to intellectual property rights.
Amendment 137 #
Proposal for a regulation
Recital 15
Recital 15
(15) In contrast, certain products that are primarily designed to display or play content, or to record and transmit content, amongst others for the use by an online service should not be covered by this Reguand are often covered by intellectual property rights and electronic communications services legislation. Such products include, for example, personal computers, servers, tablets and smart phones, smart televisions, cameras, webcams, sound recording systems and text scanners. They require human input to produce various forms of content, such as text documents, sound files, video files, games, digital maps. All these connected products have also a strong element of collection of data on how the products operate, such as proximity sensors, accelerometer or gyroscope, the collection of these data being of potential value in improving the performance of the connected products or related services. These non-personal data referring to the functionality of connected products should be included in the scope of this Regulation and should exclude all content data regulated by Union and national law and data concerning intellectual property and electronic communications services.
Amendment 137 #
Proposal for a regulation
Recital 19 a (new)
Recital 19 a (new)
(19 a) Products that use Mobile Networks to transmit data often do not allow the user to access the data locally, and rely on related services. Manufacturers regularly shut down related services prematurely, rendering their products unusable. As the popularity of connected devices grows, this risks significantly increasing the amount of e-Waste we produce, in contradiction with the principles of the Circular Economy. Hence manufacturers should provide guarantees on the minimum duration of the provision of related services, and give users the means to switch to alternative services.
Amendment 137 #
Proposal for a regulation
Recital 24 a (new)
Recital 24 a (new)
(24 a) After the data has been made available to a user or data recipient according to the provisions of this Regulation, the data holder should not be liable for any direct or indirect damages arising from, relating to, or in connection with the processing of the data by the user or by the third party.
Amendment 141 #
Proposal for a regulation
Recital 26
Recital 26
(26) In contracts between a data holder and a consumer as a user of a product or related service generating data, Directive 93/13/EEC applies to the terms of the contract to ensure that a consumer is not subject to unfair contractual terms. For unfair contractual terms unilaterally imposed on a micro, small or medium- sized enterprise as defined in Article 2 of the Annex to Recommendation 2003/361/EC63 , this Regulation provides that such unfair terms should not be binding on that enterprise. _________________ 63 Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises
Amendment 144 #
Proposal for a regulation
Recital 28 a (new)
Recital 28 a (new)
(28 a) In some cases, when manufacturers are compelled to provide both raw and processed data to users, the combination of this data could be misused by a competitor in order to understand how data is processed by the manufacturer, and in a why that may reveal trade secrets of the manufacturer. Therefore care should be taken to ensure manufacturers can protect their trade secrets all while maximising the amount of data available to the user.
Amendment 145 #
Proposal for a regulation
Recital 16
Recital 16
(16) It is necessary to lay down rules applying to connected products that incorporate or are interconnected with a service in such a way that the absence of the service would prevent the product from performing its functions. Such related services can be part of the sale, rent or lease agreement, or such services are normally provided for products of the same type and the user could reasonably expect them to be provided given the nature of the product and taking into account any public statement made by or on behalf of the seller, renter, lessor or other persons in previous links of the chain of transactions, including the manufacturer. These related services may themselves generate data of value to the user independently of the data collection capabilities of the connected product with which they are interconnected. This Regulation should also apply to a related service that is not supplied by the seller, renter or lessor itself, but is supplied, under the sales, rental or lease contract, by a third party. In the event of doubt as to whether the supply of service forms part of the sale, rent or lease contract, this Regulation should apply.
Amendment 146 #
Proposal for a regulation
Recital 17
Recital 17
Amendment 154 #
Proposal for a regulation
Recital 18
Recital 18
(18) The user of a connected product should be understood as the legal or natural person, such as a business or, consumer, which has purchased, rented or leased the product the product, or to whom the owner of the connected product has transferred, on the basis of a rental or lease agreement, temporary rights to use the connected product or receive related services. Depending on the legal title under which he uses it, such a user bears the risks and enjoys the benefits of using the connected product and should enjoy also the access to the data it generates. The user should therefore have an active role in the data economy and be entitled to derive benefit from non-personal data generated by thate use of that connected product and any related service.
Amendment 159 #
Proposal for a regulation
Recital 19
Recital 19
(19) In practice, not all data generated by connected products or related services are easily accessible to their users, and there are often limited possibilities for the portability of data generated by products connected to the Internet of Things. Users are unable to obtain data necessary to make use of providers of repair and other services, and businesses are unable to launch innovative, more efficient and convenient services. In many sectors, manufacturers, who are also providing related services are often able to determine, through their control of the technical design of the connected product or related services, what data are generated and how they can be accessed, even though they have no legal right to the data. It is therefore necessary to ensure that products are designed and manufactured and related services are provided in such a manner that data generated by their use are always easily accessible to the usernd securely accessible in a format that allows the user to view, retrieve and process it, either directly on the connected product or, where not technically possible, on a separate device from the connected product. This Regulation should not be interpreted as an additional obligation for data holders to store data on-device or on a remote server, that are necessary for the immediate functioning of the connected product but the data holder does not intend to extract. Upon an explicit and voluntary agreement between the data holder and the user, such data could be collected and stored.
Amendment 160 #
Proposal for a regulation
Recital 58
Recital 58
(58) An exceptional need may also arise when a public sector body can demonstrate that the data are necessary either to prevent a public emergency, or to assist recovery from a public emergency, in circumstances that are reasonably proximate to the public emergency in question. Where the exceptional need is not justified by the need to respond to, prevent or assist recovery from a public emergency, the public sector body or the Union institution, agency or body should demonstrate that the lack of timely access to and the use of the data requested prevents it from effectively fulfilling a specific task in the public interest that has been explicitly provided in law. Such exceptional need may also occur in other situations, for example in relation to the timely compilation of official statistics when data is not otherwise available or when the burden on statistical respondents will be considerably reduced. At the same time, the public sector body or the Union institution, agency or body should, outside the case of responding to, preventing or assisting recovery from a public emergency, demonstrate that no alternative means for obtaining the data requested exists and that the data canHowever, when a public emergency is caused by and could reasonably be addressed by policy decisions of the requesting public sector body, then the request should not be obtained in a timely manner through the laying down of the necessary data provision obligations in new legislationdeemed an exceptional need.
Amendment 164 #
Proposal for a regulation
Recital 20
Recital 20
(20) In cases of co-ownership of the connected product and related services provided, where several persons or entities own a product or are party to a lease or rent agreement and benefit from access to a related service, reasonable efforts should be made in, the design of the connected product or related service or the relevant interface so thathall enable all persons canto have access to data they generate. Users of products that generate data typically require a user account to be set up. This allows for identification of the user by the manufacturer or related service provider as well as a means to communicate to exercise and process data access requests. For identification and authentication purposes, manufacturers and providers of related services should enable users to use European Digital Identity Wallets, issued pursuant to Regulation (EU) XXX/XXXX establishing a framework for a European Digital Identity. Manufacturers or designers of a product that is typically used by several persons should put in place the necessary mechanism that allow separate user accounts for individual persons, where relevant, or the possibility for several persons to use the same user account. Access should be granted to the user upon simple request mechanisms granting automatic execution, not requiring examination or clearance by the manufacturer or data holder. This means that data should only be made available when the user actually wants this. Where automated execution of the data access request is not possible, for instance, via a user account or accompanying mobile application provided with the product or service, the manufacturer should inform the user how the data may be accessed. User accounts should enable users to revoke consent for processing and data sharing, as well as request deletion of the data generated through the use of the connected product, particularly in cases when the users of the product intend to transfer the ownership of the product to another party.
Amendment 166 #
Proposal for a regulation
Recital 56
Recital 56
(56) In situations of exceptional need, it may be necessary for public sector bodies or Union institutions, agencies or bodies to use data held by an enterprise to respond to public emergencies or in other exceptional cases. Research-performing organisations and research-funding organisations could also be organised as public sector bodies or bodies governed by public law. To limit the burden on businesses, micro and small enterprises should be exempted from the obligation to provide public sector bodies and Union institutions, agencies or bodies data in situations of exceptional need.
Amendment 169 #
Proposal for a regulation
Recital 65 a (new)
Recital 65 a (new)
(65 a) Requests by public bodies that concern the personal data of citizens pose a disproportionate risk to citizens fundamental rights, therefore such requests should be prohibited.
Amendment 170 #
Proposal for a regulation
Recital 65 b (new)
Recital 65 b (new)
(65 b) Requests by public bodies that concern the personal data of citizens pose a disproportionate risk to citizens fundamental rights, therefore such requests should be subject to the consent of relevant Data Protection Authorities.
Amendment 170 #
Proposal for a regulation
Recital 57
Recital 57
(57) In case of public emergencies, such as public health emergencies, emergencies resulting from environmental degradation and major natural disasters including those aggravated by climate change, as well as human-induced major disasters, such as major cybersecurity incidents, the public interest resulting from the use of the data will outweigh the interests of the data holders to dispose freely of the data they hold. In such a case, data holders should be placed under an obligation to make the data available to public sector bodies or to Union institutions, agencies or bodies upon their request. The existence of a public emergency is determined according to the respective procedures in the Member States or of relevant international organisations. In the case of major cybersecurity incidents, this should not result in the duplication of requirements for firms such as those under Regulation XXXX/XXXX on Digital Operational Resilience for the financial sector and the Directive XXXX/XXXX on measures for a high common level of cybersecurity across the union, repealing Directive (EU) 2016/1148.
Amendment 171 #
Proposal for a regulation
Recital 65 c (new)
Recital 65 c (new)
(65 c) Requests by public bodies that concern the personal data of citizens pose a disproportionate risk to citizens human rights, therefore any personal data in those requests should be anonymised and public bodies or entities with which public bodies share data from the request should be prohibited from reversing anonymisation.
Amendment 172 #
Proposal for a regulation
Recital 21
Recital 21
(21) PConnected products may be designed to make certain data directly available from an on- device data storage or from a remote server to which the data are communicated. Access to the on-device data storage may be enabled via cable- based or wireless local area networks connected to a publicly available electronic communications service or a mobile network. The server may be the manufacturer’s own local server capacity or that of a third party or a cloud service provider who functions as data holder. TheyConnected products may be designed to permit the user or a third party to process the data on the product or on a computing instance of the manufacturer as well as enable the user to retrieve the data.
Amendment 174 #
Proposal for a regulation
Recital 69
Recital 69
(69) The ability for customers of data processing services, including cloud and edge services, to switch from one data processing servicecloud service provider to another, while maintaining a minimum functionality of service, is a key condition for a more competitive market with lower entry barriers for new service providers. Facilitating a multi-cloud approach for customers of cloud services also contributes to increase their digital operational resilience, as recognised for financial service institutions in the Digital Operational Resilience Act (DORA).
Amendment 174 #
Proposal for a regulation
Recital 58
Recital 58
(58) An exceptional need may also arise when a public sector body can demonstrate that the data are necessary either to prevent a public emergency, or to assist recovery from a public emergency, in circumstances that are reasonably proximate to the public emergency in question. Where the exceptional need is not justified by the need to respond to, prevent or assist recovery from a public emergency, the public sector body or the Union institution, agency or body should demonstrate that the lack of timely access to and the use of the data requested prevents it from effectively fulfilling a specific task in the public interest that has been explicitly provided in law. Such exceptional need may also occur in other situations, for example in relation to the timely compilation of official statistics when data is not otherwise available or when the burden on statistical respondents will be considerably reduced. At the same time, the public sector body or the Union institution, agency or body should, outside the case of responding to, preventing or assisting recovery from a public emergency, demonstrate that no alternative means for obtaining the data requested exists and that the data cannot be obtained in a timely manner through the laying down of the necessary data provision obligations in new legislation.
Amendment 175 #
Proposal for a regulation
Recital 22
Recital 22
(22) Virtual assistants play an increasing role in digitising consumer environments and serve as an easy-to-use interface to play content, obtain information, or activate physical objects connected to the Internet of Things. Virtual assistants can act as a single gateway in, for example, a smart home environment and record significant amounts of relevant data on how users interact with products connected to the Internet of Things, including those manufactured by other parties and can replace the use of manufacturer-provided interfaces such as touchscreens or smart phone apps. The user may wish to make available such data with third party manufacturers and enable novel smart home services. Such virtual assistants should be covered by the data access right provided for in this Regulation also regarding data recorded before the virtual assistant’s activation by the wake word and data generated when a user interacts with a product via a virtual assistant provided by an entity other than the manufacturer of the product. However, only the data stemming from the interaction between the user and product through the virtual assistant falls within the scope of this Regulation. Data produced by the virtual assistant unrelated to the use of a product is not the object of this Regulation.
Amendment 178 #
Proposal for a regulation
Recital 23
Recital 23
(23) Before concluding a contract for the purchase, rent, or lease of a product or the provision of a related service, clear and sufficient information should be provided to the user on how the data generated may be accesthe data holder shall provide to the user clear and sufficient information that would enable the user to effectively exercise its rights upon the data they generate through the use of connected products and related services. The data holder shall develop mechanisms to keep the user up to date when the information changes during the lifetime of the connected product or when the purpose for which the data will be used changes from the originally specified purposed. This obligation provides transparency over the data generated and enhances the easy and secure access for the user, as well as the right to retrieve, process and further harness the value of non-personal data. This obligation to provide information does not affect the obligation for the controller to provide information to the data subject pursuant to Article 12, 13 and 14 of Regulation (EU) 2016/679.
Amendment 178 #
Proposal for a regulation
Recital 69 a (new)
Recital 69 a (new)
(69a) Unnecessarily high data egress fees, or data transfer costs have the potential to restrict competition and cause lock-in effects for the customers of data processing services, by reducing incentives to choose a different or additional service provider. Therefore, the gradual withdrawal of the charges associated with switching data processing services shall specifically include withdrawing any “egress fees” charged by the data processing service to a customer.
Amendment 181 #
Proposal for a regulation
Recital 71
Recital 71
(71) Data processCloud computing services should cover services that allow on-demand and broad remote access to a scalable and elastic pool of shareable and distributed computing resources. Those computing resources include resources such as networks, servers or other virtual or physical infrastructure, operating systems, software, including software development tools, storage, applications and services. The deployment models of cloud computing should include private, community, public and hybrid cloud. The aforementioned service and deployment models have the same meaning as the terms of service and deployment models defined under ISO/IEC 17788:2014 standard. The capability of the customer of the data processing service to unilaterally self- provision computing capabilities, such as server time or network storage, without any human interaction by the service provider of cloud computing services could be described as on-demand administration. The term ‘broad remote access’ is used to describe that the computing capabilities are provided over the network and accessed through mechanisms promoting the use of heterogeneous thin or thick client platforms (from web browsers to mobile devices and workstations). The term ‘scalable’ refers to computing resources that are flexibly allocated by the data processprovider of cloud computing service providers, irrespective of the geographical location of the resources, in order to handle fluctuations in demand. The term ‘elastic pool’ is used to describe those computing resources that are provisioned and released according to demand in order to rapidly increase or decrease resources available depending on workload. The term ‘shareable’ is used to describe those computing resources that are provided to multiple users who share a common access to the service, but where the processing is carried out separately for each user, although the service is provided from the same electronic equipment. The term ‘distributed’ is used to describe those computing resources that are located on different networked computers or devices and which communicate and coordinate among themselves by message passing. The term ‘highly distributed’ is used to describe data processing services that involve data processing closer to where data are being generated or collected, for instance in a connected data processing device. Edge computing, which is a form of such highly distributed data processing, is expected to generate new business models and cloud service delivery models, which should be open and interoperable from the outset.
Amendment 184 #
Proposal for a regulation
Recital 24
Recital 24
(24) This Regulation imposes the obligation on data holders to make data available in certain circumstances. Insofar as personal data are processed, the data holder should be a controller under Regulation (EU) 2016/679. Where users are data subjects, data holders should be obliged to provide them access to their data and to make the data available to third parties of the user’s choice in accordance with this Regulation. However, this Regulation does not create a legal basis under Regulation (EU) 2016/679 for the data holder to provide access to personal data or make it available to a third party when requested by as user that is not a data subject and should not be understood as conferring any new right on the data holder to use data generated by the use of a connected product or related service. This applies in particular where the manufacturer is the data holder. In that caseWhen the manufacturer is also the party providing related services and qualifies as a data holder, the basis for the manufacturer to use non-personal data should be a contractual agreement between the manufacturer and the user. This agreement may be part of the sale, rent or lease agreement relating to the productIn such cases, the contract for purchase and provision of related services can be merged. Any contractual term in the agreement stipulating that the data holder may use the data generated by the user of a connected product or related service should be transparent to the user, including as regards the purpose for which the data holder intends to use the data. This Regulation should not prevent contractual conditions, whose effect is to exclude or limit the use of the data, or certain categories thereof, by the data holder. Where a data holder intends to share data with third parties for the fulfilment of the contractual obligations, it should inform the user of the nature and volume of the shared data and, where relevant, contractually bind the third party not to use the data for any other purposes. This Regulation should also not prevent sector- specific regulatory requirements under Union law, or national law compatible with Union law, which would exclude or limit the use of certain such data by the data holder on well- defined public policy grounds.
Amendment 184 #
Proposal for a regulation
Recital 72
Recital 72
(72) This Regulation aims to facilitate switching between data processing services, which encompasses all conditions and actions that are necessary for a customer to terminate a contractual agreement of a data processing service, to conclude one or multiple new contracts with different providers of data processing services, to port all its digital assets, including data, to the concerned other providers and to continue to use them in the new environment while benefitting from functional equivalence. It should be noted that the data processing services in scope are those where data processing, as defined under the Regulation, forms part of the core-business of a provider. Digital assets refer to elements in digital format for which the customer has the right of use, including data, applications, virtual machines and other manifestations of virtualisation technologies, such as containers. Functional equivalence means the maintenance of a minimum level of functionality of a service after switching, and should be deemed technically feasible whenever both the originating and the desSwitching is an operation consisting in three main successive steps: i) data extraction, i.e downloading data from a originating provider’s ecosystem; ii) transformation, when the data is structured in a way that matches the schema of the target location iii) load of the data in a new destination location. Obstacles of different natures may occur during the different steps of the switching process. Cloud service providers and clients have different levels of responsibilities, depending on the steps of the process referred to. Obstacles to switching are of different nature, depending on the step of the switching process it is referred to. Functional equivalence means a definition as agreed upon by a customer and provider of data processing services, or the maintenance of a minimum level of pre-defined functionality during the switching process, to such an extent that the service will deliver comparable minimum level functionality, such as the same output at the same performance and with the same level of security, operational resilience and quality of service as agreed at the time of termination of the contract, where both the original and destination service providers independently offer the same core functionation data processing services cover (in part or in whole) the same service type. Meta-data, generated by the customer’s use of a service, should also be portable pursuant to this Regulation’s provisions on switching. lity; Services can only be expected to facilitate functional equivalence for the functionalities that both the originating and destination service offer. The Regulation does not instance an obligation of facilitating functional equivalence for data processing services of the PaaS and/or SaaS delivery model. Meta-data, generated by the customer’s use of a service, should also be portable pursuant to this Regulation’s provisions on switching. Data processing services are used across sectors and vary in complexity and service type; this is an important consideration with regards to the porting process and the timeframes.
Amendment 189 #
Proposal for a regulation
Article 1 – paragraph 3 a (new)
Article 1 – paragraph 3 a (new)
3 a. This Regulation shall not affect the applicability of Union law aiming to ensure a high level of consumer protection, to protect their health, safety and economic interests, including Directive 2005/29/EC of the European Parliament and of the Council, Directive 2011/83/EU of the European Parliament and of the Council and Directive 93/13/EEC of the European Parliament and of the Council.
Amendment 190 #
Proposal for a regulation
Recital 74
Recital 74
(74) Data processProviders of cloud computing service providers should be required to remove all relevant obstacles, offer all assistance and support that is required to make the switching process successful, safe and effective and in line with the industry best practices, without requiring those data processing servicecloud computing providers to develop new categories of services within or on the basis of the IT-infrastructure of different data processing service providers to guarantee functional equivalence in an environment other than their own systems. Nevertheless, service providers are required to offer all assistance and support that is required to make the switching process effective. Providers of cloud computing services should support development of customer’s exit strategy relevant to the contracted services, including through providing information such as procedures for initiating switching from the cloud computing service, the machine-readable data formats that user’s data can be exported to, the tools, including at least one open standard data portability interface, foreseen to export data, information on known technical restrictions and limitations that could impact switching process, estimated time necessary to complete the switching process and additional services offered to facilitate the switching process, including the ability of the customer to test its switching process. Existing rights relating to the termination of contracts, including those introduced by Regulation (EU) 2016/679 and Directive (EU) 2019/770 of the European Parliament and of the Council67 should not be affected. Any mandatory period under this Regulation shall not affect the compliance with goals under sectoral legislation. _________________ 67 Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (OJ L 136, 22.5.2019, p. 1).
Amendment 192 #
Proposal for a regulation
Recital 75 a (new)
Recital 75 a (new)
(75a) In order to facilitate switching between cloud computing services, providers of destination cloud computing services should cooperate in good faith with the provider of source cloud computing services with a view to enable the timely transfer of necessary items such as data or applications.
Amendment 194 #
Proposal for a regulation
Recital 27
Recital 27
(27) The data holder may require appropriate user identification and authentication to verify the user’s entitlement to access the data. Where there is a legal obligation for identification and authentication, data holders should provide users the possibility to use European Digital Identity Wallets pursuant to Regulation (EU) XXX/XXXX establishing a framework for a European Digital Identity. In the case of personal data processed by a processor on behalf of the controller, the data holder should ensure that the access request is received and handled by the processor.
Amendment 194 #
Proposal for a regulation
Recital 75 b (new)
Recital 75 b (new)
(75b) Certain cloud computing services, such as cloud computing services, which have been custom built to facilitate a specific customer’s need, or cloud computing services that operate on a trial basis or only supply a testing and evaluation service for business product offerings, should be exempted from the obligations applicable to cloud computing service switching.
Amendment 195 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 a (new)
Article 2 – paragraph 1 – point 1 a (new)
(1 a) ‘personal data’ means personal data as defined in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 196 #
Proposal for a regulation
Recital 76
Recital 76
(76) Open interoperability specifications and standards developed in accordance with paragraph 3 and 4 of Annex II of Regulation (EU) 1025/2021 in the field of interoperability and portability enable a seamless multi-vendor cloud environment, which is a key requirement for open innovation in the European data economy. As market-driven processes have not demonstrated the capacity to establish technical specifications or standards that facilitate effective cloud computing service interoperability at the PaaS (platform-as-a- service) and SaaS (software-as-a-service) levels, the Commission should be able, on the basis of this Regulation and in accordance with Regulation (EU) No 1025/2012, to request European standardisation bodies to develop such standards, particularly forfor equivalent service types where such standards do not yet exist. In addition to this, the Commission will encourage parties in the market to develop relevant open interoperability specifications. TFollowing consultation with stakeholders and taking into account relevant international and European standards and self-regulating initiatives, the Commission, by way of delegated acts, can mandate the use of European standards for interoperability or open interoperability specifications for specific equivalent service types through a reference in a central Union standards repository for the interoperability of data processcloud computing services. European standards and open interoperability specifications will only be referenced if in compliance with the criteria specified in this Regulation, which have the same meaning as the requirements in paragraphs 3 and 4 of Annex II of Regulation (EU) No 1025/2021 and the interoperability facets defined under the ISO/IEC 19941:2017.
Amendment 197 #
Proposal for a regulation
Recital 27 a (new)
Recital 27 a (new)
Amendment 197 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 b (new)
Article 2 – paragraph 1 – point 1 b (new)
(1 b) ‘non-personal data’ means data other than personal data;
Amendment 198 #
Proposal for a regulation
Recital 79
Recital 79
(79) Standardisation and semantic interoperability should play a key role to provide technical solutions to ensure interoperability. In order to facilitate the conformity with the requirements for interoperability, it is necessary to provide for a presumption of conformity for interoperability solutions that meet harmonised standards or parts thereof in accordance with Regulation (EU) No 1025/2012 of the European Parliament and of the Council. The Commission should adopt common specifications in areas where no harmonised standards exist or where they are insufficient in order to further enhance interoperability for the common European data spaces, application programming interfaces, cloud switching as well as smart contracts. Additionally, common specifications in the different sectors could remain to be adopted, in accordance with Union or national sectoral law, based on the specific needs of those sectors. Reusable data structures and models (in form of core vocabularies), ontologies, metadata application profile, reference data in the form of core vocabulary, taxonomies, code lists, authority tables, thesauri should also be part of the technical specifications for semantic interoperability. Furthermore, following consultation with stakeholders and taking into account relevant international and European standards and self-regulating initiatives the Commission should be enabled to mandate the development of harmonised standards for the interoperability of data processcloud computing services.
Amendment 199 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 c (new)
Article 2 – paragraph 1 – point 1 c (new)
(1 c) ‘consent’ means consent as defined in Article 4, point (11), of Regulation (EU) 2016/679;
Amendment 200 #
Proposal for a regulation
Recital 28
Recital 28
(28) TWhen the user should be free to use the data for any lawful purpose. This includes providing the data the user has received exercising the right under this Regulationhas requested the data holder to make data available to a third party offering an aftermarket service that may be in competition with a service provided by the data holder, or to instruct the data holder to do so. Ties for the user's commercial purposes, the data holder should ensure that the data made available to the third party is as accurate, complete, reliable, relevant and up-to-date as the data the data holder itself may be able or entitled to access from the use of the product or related service. Any trade secrets or intellectual property rights should be respected in handling the data. It is important to preserve incentives to invest in connected products with functionalities based on the use of data from sensors built into that connected product. The aim of this Regulation should accordingly be understood as to foster the development of new, innovative products or related services, stimulate innovation on aftermarkets, but also stimulatefoster the development of entirely novel services making use of the data, including based on data from a variety of products or related services. At the same time, it aims to avoid undermining the investment incentives for the type of connected product from which the data are obtained, for instance, by the use of data to develop a competing connected product.
Amendment 201 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 d (new)
Article 2 – paragraph 1 – point 1 d (new)
(1 d) ‘data subject’ means data subject as referred to in Article 4, point (1), of Regulation (EU) 2016/679;
Amendment 202 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1 e (new)
Article 2 – paragraph 1 – point 1 e (new)
(1 e) 'Micro, small or medium enterprise', means a Micro, small or medium enterprise as defined in Article 2 of the Annex to Recommendation 2003/361/EC1a; _________________ 1a Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises
Amendment 207 #
Proposal for a regulation
Article 1 – paragraph 2 – point d
Article 1 – paragraph 2 – point d
(d) public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need to that data for the performance of a task carried out in the public interestresponse to or recovery from a public emergency and the data holders that provide those data in response to such request;
Amendment 210 #
Proposal for a regulation
Recital 29 a (new)
Recital 29 a (new)
(29 a) The data generated by the use of a connected product is a materialisation of the users’ actions and events. The user as a generator of data should have a central role in the data economy, have the right to control and decide how to harness the value of these data and be free to use the data for any lawful purpose. The user should have the right to share non- personal data with third parties for commercial purposes. Such data sharing, could be performed directly by the user, upon the request of the user by the data holder or through data intermediation services. Data intermediation services, as regulated by Regulation (EU) 2022/868 could facilitate a data economy by establishing commercial relationships between users, data holders and data recipients and may support users in exercising their right to use data, such as ensuring the proper anonymisation of data or aggregation of access to data from multiple individual users.
Amendment 211 #
Proposal for a regulation
Recital 29 b (new)
Recital 29 b (new)
(29 b) In order to facilitate the creation of fair and efficient data markets for non- personal data with an active involvement of users, data holders should not be able to monetise and share non-personal data from individual users, unless this is necessary for the fulfilment of contractual obligations to the user. Data holders, due to the investments in data collection and processing infrastructure should have the right to further manipulate, aggregate and enrich the data obtained from multiple users, and monetise aggregated data sets from multiple users.
Amendment 211 #
Proposal for a regulation
Article 1 – paragraph 4 a (new)
Article 1 – paragraph 4 a (new)
4 a. The obligations on 'data holders' laid down in Chapters II, V and VI in this Regulation shall not apply to public sector bodies.
Amendment 216 #
Proposal for a regulation
Article 1 – paragraph 4
Article 1 – paragraph 4
4. This Regulation shall not affect Union and national legal acts providing for the sharing, access and use of data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including Regulation (EU) 2021/784 of the European Parliament and of the Council72 and the [e-evidence proposals [COM(2018) 225 and 226] once adopted, and international cooperation in that area. This Regulation shall not affect the collection, sharing, access to and use of data under Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing and Regulation (EU) 2015/847 of the European Parliament and of the Council on information accompanying the transfer of funds. This Regulation shall not affect the competences of the Member States regarding activities concerning public security, defence, national security, customs and tax administration and the health and safety of citizens in accordance with Union law. This Regulation shall not affect data collected or generated by defence activities, products, or services or by products or services deployed and used for defence purposes, and it shall not affect product design data, insofar as the product manufacturer has demonstrated that such data is of no significant interest to the user. _________________ 72 Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79).
Amendment 221 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘public emergency’ means a legally declared state of emergency by the Union or a Member State due to an exceptional situation negativwhich adversely affectings the population of the Union, a Member State or part of it, with a risk of serious and lasting repercussions on living conditionshealth, safety or economic stability, or the substantial degradation of economic assets in the Union or the relevant Member State(s);
Amendment 226 #
Proposal for a regulation
Recital 35
Recital 35
(35) The third partyData holders and data recipients should also refrain from using the data to profile individuals unless these processing activities are strictly necessary to provide the service requested by the user. The requirement to delete data when no longer required for the purpose agreed with the user complements the right to erasure of the data subject pursuant to Article 17 of Regulation 2016/679. Where the third party is a provider of a data intermediation service within the meaning of [Data Governance Act], the safeguards for the data subject provided for by that Regulation apply. The third partydata recipient may use the data to develop a new and innovative connected product or related service but not to develop a competing product.
Amendment 230 #
Proposal for a regulation
Recital 36
Recital 36
(36) Start-ups, small and medium-sized enterprises and companies from traditional sectors with less-developed digital capabilities struggle to obtain access to relevant data. This Regulation aims to facilitate access to data for these entities, while ensuring that the corresponding obligations are scoped as proportionately as possible to avoid overreach. At the same time, a small number of very large companies have emerged with considerable economic power in the digital economy through theby either manufacturing of connected products and provision of related services in certain sectors or accumulation and aggregation of vast volumes of data and the technological infrastructure for monetising them. These companies include undertakings which hold a dominant position in certain sectors in manufacturing connected devices and providing related services and undertakings that provide core platform services controlling whole platform ecosystems in the digital economy and whom existing or new market operators are unable to challenge or contest. The [Regulation on contestable and fair markets in the digital sector (Digital Markets Act)](EU) 2022/1925 aims to redress these inefficiencies and imbalances by allowing the Commission to designate a provider as a “gatekeeper”, and imposes a number of obligations on such designated gatekeepers, including a prohibition to combine certain data without consent, and an obligation to ensure effective rights to data portability under Article 20 of Regulation (EU) 2016/679. Consistent with the [Regulation on contestable and fair markets in the digital sector (Digital Markets Act)](EU) 2022/1925, and given the unrivalled ability of these companies to acquire data, it would not be necessary to achieve the objective of this Regulation, and would thus be disproportionate in relation to data holders made subject to such obligations, to include such gatekeeper undertakings as beneficiaries of the data access right. This means that an undertaking providing core platform services that has been designated as a gatekeeper cannot request or be granted access to users’ data generated by the use of a product or related service or by a virtual assistant based on the provisions of Chapter II of this Regulation. An undertaking providing core platform services designated as a gatekeeper pursuant to Digital Markets Act should be understood to include all legal entities of a group of companies where one legal entity provides a core platform service. Furthermore, third parties to whom data are made available at the request of the user may not make the data available to a designated gatekeeper. For instance, the third party may not sub-contract the service provision to a gatekeeper. However, this does not prevent third parties from using data processing services offered by a designated gatekeeper. This exclusion of designated gatekeepers from the scope of the access right under this Regulation of undertakings manufacturing connected products or providing related services, which have been determined to have a dominant position on the market pursuant national or Union competition law and any designated gatekeepers does not prevent these companies from obtaining data through other lawful means.
Amendment 232 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that any transmissible data they generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the user and retrievable in a structured, commonly used, machine- readable format along with the relevant metadata as well as any data strictly necessary for the servicing and repairing of the product.. Where technically feasible, the user should be able to choose to access and retrieve such data directly from the device without recourse to related services.
Amendment 234 #
Proposal for a regulation
Recital 37
Recital 37
(37) Given the current state of technology, it is overly burdensome to impose further design obligations in relation to products manufactured or designed and related services provided by micro and small enterprisefor data holders that are micro and small enterprises to fulfill the obligations to make data available to data recipients. That is not the case, however, where a micro or small enterprise is sub-contracted to manufacture or design a productconnected product or provide a related service. In such situations, the enterprise, which has sub-contracted to the micro or small enterprise, is able to compensate the sub- contractor appropriately. A micro or small enterprise may nevertheless be subject to the requirements laid down by this Regulation as data holder, where it is not the manufacturer of the product or a provider of related services.
Amendment 235 #
1 a. Products that use cloud based related services for data processing shall be designed and manufactured in such a way that the user can freely switch between related services for data processing, and, where technically feasible, access data locally.
Amendment 236 #
Proposal for a regulation
Article 3 – paragraph 1 b (new)
Article 3 – paragraph 1 b (new)
Amendment 237 #
Proposal for a regulation
Article 3 – paragraph 2 – introductory part
Article 3 – paragraph 2 – introductory part
2. Before concluding a contract for the purchase, rent or lease of a product or arovision of related services, at least the following information shall be provided to the user, in a clear and comprehensible format:
Amendment 239 #
Proposal for a regulation
Recital 38
Recital 38
(38) This Regulation contains general access rules, whenever a data holder is obliged by law to make data available to a data recipient. Such access should be based on fair, reasonable, non-discriminatory and transparent conditions to ensure consistency of data sharing practices in the internal market, including across sectors, and to encourage and promote fair data sharing practices even in areas where no such right to data access is provided. These general access rules do not apply to obligations to make data available under Regulation (EU) 2016/679. Voluntary data sharing remains unaffected by these rules. The Commission should develop a framework aimed at preventing and mitigating distortions on the data market.
Amendment 239 #
Proposal for a regulation
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) the nature and average volume of the data likely to be generated by the use of the product or related servicetransmitted to the provider of related services from the product, and the modalities for the user to access or retrieve such data, including the period for which it shall be stored;
Amendment 242 #
Proposal for a regulation
Recital 39
Recital 39
(39) Based on the principle of contractual freedom, the parties should remain free to negotiate the precise conditions for making data available in their contracts, within the framework of the general access rules for making data available. Where no international or Union standards on the cybersecurity of data sharing exist, parties are encouraged to indicate any technical and organisational aspects in the terms of the contract, including in relation to data security.
Amendment 246 #
Proposal for a regulation
Article 3 – paragraph 2 – point d
Article 3 – paragraph 2 – point d
(d) whether the manufacturer supplying the product or the service provider providing the related service intends to use the data itself or allow a third party to use the data and, if so, the purposes for which those data will be used;
Amendment 250 #
Proposal for a regulation
Recital 42
Recital 42
(42) In order to incentivise the continued investment in generating valuable data, including investments in relevant technical tools, this Regulation contains the principle that the data holder may request reasonable compensation when legally obliged to make data available to the data recipient. These provisions should not be understood as paying for the data itself, but in the case of micro, small or medium-sized enterprises, for the costs incurred and investment required for making the data available. The Commission should develop guidance detailing what qualifies as a reasonable compensation in the data economy.
Amendment 252 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘public emergency’ means an exceptional situation such as public health emergencies, emergencies resulting from natural disasters, as well as human- induced major disasters, such as major cybersecurity incidents, negatively affecting the population of the Union, a Member State or part of it, with a risk of serious and lasting repercussions on living conditions or economic stability, or the substantial degradation of economic assets in the Union or the relevant Member State(s) and which is determined according to the respective procedures under Union or national law;
Amendment 254 #
Proposal for a regulation
Article 2 – paragraph 1 – point 12
Article 2 – paragraph 1 – point 12
(12) ‘data process'cloud computing service’ means a digital service other than an online content service as defined in Article 2(5) of Regulation (EU) 2017/1128, provided to a customer, which enables on-demand administration and broad remoservice enabling ubiquitous, scalable, elastic and on-demand network access to a shared pool of configurable computing resources of a centralised, distributed or highly distributed nature provided to a customer that can be rapidly provisioned and released with minimal management effort or service provider inte raccess to a scalable and elastic pool of shareable computing resources of a centralised, distributed or highly distributed nature;tion; (This amendment applies throughout the text [cloud computing service] shall replace [data processing service]. Adopting it will necessitate corresponding changes throughout.)
Amendment 255 #
Proposal for a regulation
Article 3 – paragraph 2 a (new)
Article 3 – paragraph 2 a (new)
2 a. The data holder shall not use data shared for the profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679, unless it is strictly necessary to provide the specific service explicitly requested by the user.
Amendment 256 #
Proposal for a regulation
Article 2 – paragraph 1 – point 14
Article 2 – paragraph 1 – point 14
(14) ‘functional equivalence’ means the maintenance of a minimum level of functionality in the environment of a new data processing service after the switching process, to such an extent that, in response to an input action by the user on core elements of the service, the destination service will deliver the same output at the same performance and with the same level of security, operational resilience and quality of service as the originating service at the time of termination of the contract, , insofar as the originating and the destination data processing services cover (in part or in whole) the same service type;
Amendment 261 #
Proposal for a regulation
Article 2 – paragraph 1 – point 13 a (new)
Article 2 – paragraph 1 – point 13 a (new)
(13a) ‘cloud computing service data portability’ means the ability of the cloud service to move and suitably adapt its data between the customer’s cloud services, including in different deployment models;
Amendment 263 #
Proposal for a regulation
Article 2 – paragraph 1 – point 13 b (new)
Article 2 – paragraph 1 – point 13 b (new)
(13b) 'cloud computing service switching’ means the process where a cloud service customer suitably changes from using one cloud computing service to using a second equivalent or other service offered by a different provider of cloud computing services, involving the provider of source cloud computing services, the customer and the provider of destination cloud computing services.
Amendment 263 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely, safely, and, where relevant and appropriate, directly accessible to the user, in a structured, commonly used and machine-readable format.
Amendment 266 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
3. Trade secrets shall only be disclosed provided that all specific necessary measures are taken to preserve the confidentiality of trade secrets in particular with respect to third parties. The data holder and the user can agree measures to preserve the confidentiality of the shared data, in particular in relation to third parties. The data holder shall identify the data which are protected as trade secrets, and, in the event that this classification is contested by a third-party or user, shall be obliged to produce evidence proving that the data in question are trade secrets.
Amendment 266 #
Proposal for a regulation
Article 2 – paragraph 1 – point 14
Article 2 – paragraph 1 – point 14
(14) ‘functional equivalence’ means a definition as agreed upon by a customer and provider of data processing services, or the maintenance of a minimum level of pre-defined functionality in the environment of a new data processing service after the switching process, to such an extent that, in response to an input action by the user on core elements of the service, the desduring the switching process, to such an extent that the service will deliver comparable minimum level functionation service will deliverlity, such as the same output at the same performance and with the same level of security, operational resilience and quality of service as the originating service at the time of termination of the contractagreed at the time of termination of the contract, where both the original and destination service providers independently offer the same core functionality;
Amendment 267 #
Proposal for a regulation
Recital 50
Recital 50
(50) Parties to dDispute settlement proceedings are an alternative mean for dispute resolution and should not be prevented parties from exercising their fundamental rights to an effective remedy and to a fair trial. Therefore, the decision to submit a dispute to a dispute settlement body should not deprive those parties of their right to seek redress before a court or a tribunal of a Member State.
Amendment 269 #
Proposal for a regulation
Recital 50 a (new)
Recital 50 a (new)
(50 a) In order to avoid misuse of the new data access rights, the data holder may apply protective measures in relation to the data made available to the data recipient to prevent unauthorised access and ensure compliance with the framework of data access pursuant to this Regulation. However, those technical measures should not hinder the effective access and use of data for the data recipient. In the case of abusive practices such as misleading the data holder with inaccurate information or developing a competing connected product, the data holder can, resort to remedies such as requesting the deletion of data and the end of production of connected products based on the data received.
Amendment 270 #
Proposal for a regulation
Article 4 – paragraph 3 a (new)
Article 4 – paragraph 3 a (new)
Amendment 271 #
Proposal for a regulation
Article 4 – paragraph 3 b (new)
Article 4 – paragraph 3 b (new)
3 b. Where data is processed and stored remotely by a related service, the related service shall make available all processed data as well as any raw data that does not risk disclosing trade secrets. Where technically feasible the user shall be able to deactivate remote data processing and retrieve all raw data either directly from the device or, where that is not possible, through the related service.
Amendment 271 #
Proposal for a regulation
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) the nature and volumtype of the data likely to be generated by the use of the product or related service;
Amendment 272 #
Proposal for a regulation
Article 2 – paragraph 1 – point 20 a (new)
Article 2 – paragraph 1 – point 20 a (new)
(20a) ‘Switching’ shall be understood as the process enabling, for any client of a cloud service provider, to extract, transform and load their data to another provider(s). By extension, switching also applies to configurations where data transfers occur when clients of cloud service providers are using several providers simultaneously.
Amendment 272 #
Proposal for a regulation
Article 3 – paragraph 2 – point c
Article 3 – paragraph 2 – point c
(c) how the user may access, retrieve, and request the deletion of those data;
Amendment 282 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Where data cannot be directly accessed by the user from the product, the data holder shall make available to the user the data generated by its use of a product or related service without undue delay, free of charge, easily, securely, in as structured, commonly used and machine-readable format and, where applicable, continuously and in real-time. This shall be done on the basis of a simple request through electronic means where technically feasible.
Amendment 285 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. Upon explicit request by a user, or by a party acting on behalf of a user, the data holder shall make available the data generated by the use of a product or related service to a third party, without undue delay, free of charge to the user, retrievable in a structured, commonly used, machine-readable format, of the same quality as is available to the data holder and, where applicable, continuously and in real-time.
Amendment 287 #
Proposal for a regulation
Recital 57
Recital 57
(57) In case of public emergencies, such as public health emergencies, emergencies resulting from environmental degradation and major natural disasters including those aggravated by climate change, as well as human-induced major disasters, such as major cybersecurity incidents, the public interest resulting from the use of the data will outweigh the interests of the data holders to dispose freely of the data they hold. In such a case, data holders should be placed under an obligation to make the data available to public sector bodies or to Union institutions, agencies or bodies upon their request. The existence of a public emergency is determinshould be determined and declared according to the respective procedures in the Member States or of relevant international organisations. In cases of major cybersecurity incidents, this Regulation should be complementary but not create a duplication of requirements deriving from Directive (EU) XXXX/XXXX on measures for a high common level of cybersecurity across the union [NIS2] and Regulation (EU) XXX/XXXX on Digital Operational Resilience for financial entities [DORA].
Amendment 290 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
3. The user or third party shall not be required to provide any information beyond what is strictly necessary to verify the quality as user or as third party pursuant to paragraph 1. The data holder shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and the maintenance of the data infrastructure. Where possible, users shall be able to use products anonymously.
Amendment 296 #
Proposal for a regulation
Recital 58
Recital 58
(58) An exceptional need may alsowould arise when a public sector body can demonstrate that the data are necessary either to prevent a public emergency, or to assist recovery from a public emergency, in circumstances that are reasonably proximate to the public emergency in question. Where the exceptional need is not justified by the need to respond to, prevent or assist recovery from a public emergency, the public sector body or the Union institution, agency or body should demonstrate that the lack of timely access to and the use of the data requested prevents it from effectively fulfilling a specific task in the public interest that has been explicitly provided in law. Such exceptional need may also occur in other situations, for example in relation to the timely compilation of official statistics when data is not otherwise available or when the burden on statistical respondents will be considerably reduced. At the same time, the public sector body or the Union institution, agency or body should, outside the case of responding to, preventing or assisting recovery from a public emergency, demonstrate that noit has exhausted all other alternative means for obtaining the data requested exists and that the data cannot be obtained in a timely manner through the laying down of the necessary data provision obligations in new legislation.
Amendment 296 #
Proposal for a regulation
Article 3 – paragraph 2 – point a a (new)
Article 3 – paragraph 2 – point a a (new)
(aa) How long time the data holder shall store such data and thus make it available for the data user.
Amendment 299 #
Proposal for a regulation
Article 5 – paragraph 6 a (new)
Article 5 – paragraph 6 a (new)
6 a. The data holder shall not make the usability of the product or related service dependent on the user allowing it to process data not required for the functionality of the product or provision of the related service.
Amendment 300 #
Proposal for a regulation
Recital 59
Recital 59
(59) This Regulation should not apply to, nor pre-empt, voluntary arrangements for the exchange of non-personal data between private and public entities. Obligations placed on data holders to provide data that are motivated by needs of a non-exceptional nature, notably where the range of data and of data holders is known and where data use can take place on a regular basis, as in the case of reporting obligations and internal market obligations, should not be affected by this Regulation. Requirements to access data to verify compliance with applicable rules, including in cases where public sector bodies assign the task of the verification of compliance to entities other than public sector bodies, should also not be affected by this Regulation.
Amendment 303 #
Proposal for a regulation
Recital 60
Recital 60
(60) For the exercise of their tasks in the areas of prevention, investigation, detection or prosecution of criminal and administrative offences, the execution of criminal and administrative penalties, as well as the collection of data for taxation or customs purposes, public sector bodies and Union institutions, agencies and bodies should rely on their powers under sectoral legislation. This Regulation accordingly does not affect instruments for the sharing, access and use of data in those areas. This Regulation should not apply to connected products and related services provided for public security, defence and national security.
Amendment 304 #
Proposal for a regulation
Recital 61
Recital 61
(61) A proportionate, limited and predictable framework at Union level is necessary for the making available of data by data holders, in cases of exceptional needs, to public -sector bodies and to Union institution, agencies or bodies both to ensure legal certainty and, to minimise the administrative burdens placed on businesses and to avoid misuse of data. To this end, data requests by public sector bodies and by Union institution, agencies and bodies to data holders should be transparent, limited in time, and proportionate in terms of their scope of content and their granularity. The purpose of the request and the intended use of the data requested should be specific and clearly explained, while allowing appropriate flexibility for the requesting entity to perform its tasks in the public interest. The request should also respect the legitimate interests of the businesses to whom the request is made. In order to ensure a higher degree of coordination and avoid additional burden on private companies, Member States should designate one competent authority to act as a single point of contact between public entities requesting access to data and private entities providing access to these data. The competent authority should receive the requests from the public sector bodies or Union institutions, agencies or bodies, analyse whether the requests comply with the requirements set by this Regulation and further direct them to the data holders for execution. The burden on data holders should be minimised by obliging requesting entities to respect the once-only principle, which prevents the same data from being requested more than once by more than one public sector body or Union institution, agency or body where those data are needed to respond to a public emergency. To ensure transparency, data requests made by public sector bodies and by Union institutions, agencies or bodies should be made public without undue delay by the entity requesting the datacompetent authority and online public availability of all requests justified by a public emergency should be ensured.
Amendment 305 #
Proposal for a regulation
Article 5 – paragraph 5
Article 5 – paragraph 5
5. The data holder shall not use any non-personal data generated by the use of the product or related service to derive insights about the economic situation, assets and production methods of or use by the third party that could undermine the commercial position of the third party on the markets in which the third party is active, unless the third party has consented to such use and has the technical possibility to withdraw that consent at any time.
Amendment 309 #
Proposal for a regulation
Recital 62
Recital 62
(62) The objective of the obligation to provide the data is to ensure that public sector bodies and Union institutions, agencies or bodies have the necessary knowledge to respond to, prevent or recover from public emergencies or to maintain the capacity to fulfil specific tasks explicitly provided by law. The data obtained by those entities may be commercially sensitive. Therefore, Directive (EU) 2019/1024 of the European Parliament and of the Council65 should not apply to data made available under this Regulation and should not be considered as open data available for reuse by third parties. This however should not affect the applicability of Directive (EU) 2019/1024 to the reuse of official statistics for the production of which data obtained pursuant to this Regulation was used, provided the reuse does not include the underlying data. In addition, it should not affect the possibility of sharing the data for conducting research or for the compilation of official statistics, provided the conditions laid down in this Regulation are met. Public sector bodies should also be allowed to exchange data obtained pursuant to this Regulation with other public sector bodies to address the exceptional needs for which the data has been requested only with the prior explicit consent of the data holder. _________________ 65 Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (OJ L 172, 26.6.2019, p. 56).
Amendment 311 #
Proposal for a regulation
Article 6 – paragraph 2 – point a a (new)
Article 6 – paragraph 2 – point a a (new)
(a a) make the exercise of the rights or choices of users unduly difficult including by offering choices to the users in a non- neutral manner or through the use of Dark Patterns as defined in recital 67 of Regulation (EU) 2022/2065.
Amendment 312 #
Proposal for a regulation
Recital 63
Recital 63
(63) Data holders should have the possibility to either ask for a modification of the request made by a public sector body or Union institution, agency and body or its cancellation in a period of 5 or 15 working days depending on the nature of the exceptional need invoked in the requestwithout undue delay, but no longer than 5 working days. In case of requests motivated by a public emergency, justified reason not to make the data available should exist if it can be shown that the data is unavailable, the request does not meet the criteria laid down in Chapter V of this Regulation or the request is similar or identical to a previously submitted request for the same purpose by another public sector body or by another Union institution, agency or body and the data holder has not been notified regarding the destruction of such data. A data holder rejecting the request or seeking its modification should communicate the underlying justification for refusing the request to the public sector body or to the Union institution, agency or body requesting the datacompetent authority. In case the sui generis database rights under Directive 96/6/EC of the European Parliament and of the Council66 apply in relation to the requested datasets, data holders should exercise their rights in a way that does not prevent the public sector body and Union institutions, agencies or bodies from obtaining the data, or from sharing it, in accordance with this Regulation. _________________ 66 Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases (OJ L 77, 27.3.1996, p. 20).
Amendment 316 #
Proposal for a regulation
Recital 64
Recital 64
(64) Where it is strictly necessary to include personal data in the data made available to a public sector body or to a Union institution, agency or body the applicable rules on personal data protection should be complied with and the making available of the data and their subsequent use should and be accompanied by safeguards for the rights and interests of individuals concerned by those data. The body requesting the data should demonstrate the strict necessity and the specific and limited purposes for processing. The data holder should take reasonable effortPrior to making the data available, the data holder should apply all necessary means to anonymise the data or, where such anonymisation proves impossible, the data holder should apply technological means such as pseudonymisation and aggregation, prior to making the data available.
Amendment 318 #
Proposal for a regulation
Recital 65
Recital 65
(65) Data made available to public sector bodies and to Union institutions, agencies and bodies on the basis of exceptional need should only be used for the purpose for which they were requested, unless the data holder that made the data available has expresslicitly agreed for the data to be used for other purposes. The data should be destroyedpublic sector bodies and Union institutions, agencies and bodies should take all necessary legal, technical and organisational measures to ensure the integrity and security of the data and should destroy the data once it is no longer necessary for the purpose stated in the request, unless agreed otherwise, and the data holder should be informed thereof.
Amendment 318 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. The obligations of this Chapter concerning business to business data sharing shall not apply to data generated by the use of products manufactured or related services provided by enterprises that qualify as micro or small enterprises, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro or small enterprise.
Amendment 322 #
Proposal for a regulation
Recital 66
Recital 66
(66) When reusing data provided by data holders, public sector bodies and Union institutions, agencies or bodies should respect both existing applicable legislation and contractual obligations to which the data holder is subject. Where the disclosure of trade secrets of the data holder to public sector bodies or to Union institutions, agencies or bodies is strictly necessary to fulfil the purpose for which the data has been requested, confidentiality of such disclosure shouldall be ensured to the data holder.
Amendment 325 #
Proposal for a regulation
Recital 67
Recital 67
(67) When the safeguarding of a significant public goodinterest is at stake, such as is the case of responding to public emergencies, the public sector body or the Union institution, agency or body should not be expected to compensate enterprises for the data obtained. Public emergencies are rare, temporary events and not all such emergencies require the use of data held by enterprises. The business activities of the data holders are therefore not likely to be negatively affected as a consequence of the public sector bodies or Union institutions, agencies or bodies having recourse to this Regulation. However, as cases of an exceptional need other than responding to a public emergency might be more frequent, including cases of prevention of or recovery from a public emergency, data holders should in such cases be entitled to a reasonable compensation which should not exceed the technical and organisational costs incurred in complying with the request and the reasonable margin required for making the data available to the public sector body or to the Union institution, agency or body. The compensation should not be understood as constituting payment for the data itself and as being compulsory.
Amendment 325 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
2. Where the data recipient is a micro, small or medium enterprise, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, any compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request. Article 8(3) shall apply accordingly.
Amendment 326 #
Proposal for a regulation
Recital 68
Recital 68
(68) The public sector body or Union institution, agency or body may share the data it has obtained pursuant to the request with other entities or persons when this is needed to carry out scientific research activities or analytical activities it cannot perform itself. Data holders should be notified regarding such data sharings, providing the data holder with all necessary information regarding the identity of the data recipient and the activities that will be carried out by the data recipient. The data holder should have the right to object to the sharing of data by a public sector body or a Union institution, agency or body to the competent authority, when such data sharing does not meet the requirements of this Regulation. Such data may also be shared under the same circumstances with the national statistical institutes and Eurostat for the compilation of official statistics. Such research activities should however be compatible with the purpose for which the data was requested and the data holder should be informed about the further sharing of the data it had provided. Individuals conducting research or research organisations with whom these data may be shared should act either on a not-for- profit basis or in the context of a public- interest mission recognised by the State. Organisations upon which commercial undertakings have a decisive influence allowing such undertakings to exercise control because of structural situations, which could result in preferential access to the results of the research, should not be considered research organisations for the purposes of this Regulation.
Amendment 328 #
Proposal for a regulation
Article 10 – paragraph 1 a (new)
Article 10 – paragraph 1 a (new)
1 a. When the Data holder is not a micro, small or medium enterprise, the Burden of proof shall be reversed in dispute settlements. The Data Holder shall be responsible for proving before the dispute settlement body that the terms are reasonable and non-discriminatory.
Amendment 331 #
Proposal for a regulation
Article 6 – paragraph 2 a (new)
Article 6 – paragraph 2 a (new)
2 a. The third party shall implement adequate organizational, technical and cybersecurity measures to preserve the integrity of the data and to ensure its protection against unauthorised disclosure.
Amendment 332 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. The data holder may apply appropriate technical protection measures, including smart contracts, to prevent unauthorised access to the data and to ensure compliance with Articles 5, 6, 9 and 10, as well as with the agreed contractual terms for making data available. Such technical protection measures shall not be used as a means to hinder the user’s right to access data, obtain a copy or effectively provide data to third parties pursuant to Article 5 or any right of a third party under Union law or national legislation implementing Union law as referred to in Article 8(1).
Amendment 334 #
Proposal for a regulation
Article 7 – paragraph 2 a (new)
Article 7 – paragraph 2 a (new)
2 a. The data holder shall not be liable towards the user for any direct or indirect damages arising from, relating to, or in connection with the processing of the data by the user after the data has been made available.
Amendment 342 #
Proposal for a regulation
Article 13 – paragraph 1
Article 13 – paragraph 1
Amendment 348 #
Proposal for a regulation
Article 13 – paragraph 3 – point c a (new)
Article 13 – paragraph 3 – point c a (new)
(c a) impose the unilateral choice of the competent jurisdiction or the payment of the costs related to the procedure
Amendment 349 #
Proposal for a regulation
Article 13 – paragraph 3 – point c b (new)
Article 13 – paragraph 3 – point c b (new)
(c b) enable the party that unilaterally imposed the contract to reduce its liability for infringement or breaches of its confidentiality duties.
Amendment 352 #
Proposal for a regulation
Recital 89
Recital 89
(89) In order to allow the economic actors to adapt to the new rules laid out in this Regulation, they should apply from a year after18 months after entry into force of the Regulation. The obligations related to the design of the connected products and provision of the related services placed on the market within the last five years from the entry into force of theis Regulation, should apply retroactively, only when the manufacturer or provider of related service is able to remotely deploy mechanisms to ensure the fulfilment of the requirements pursuant to Article 3(1) and only when the deployment of such mechanisms would not place a disproportionate burden on the manufacturer or provider of related services.
Amendment 353 #
Proposal for a regulation
Article 13 – paragraph 8 a (new)
Article 13 – paragraph 8 a (new)
8 a. This article shall apply to all new contracts following the entering into force of this Regulation. Businesses shall be given a 5-year grace period following the entering into force of this regulation to review existing contractual obligations that are subject to the data act.
Amendment 355 #
Proposal for a regulation
Article 11 – paragraph 2 – point b a (new)
Article 11 – paragraph 2 – point b a (new)
(b a) inform the user of the unauthorised use or disclosure of the data and measures taken to put an end to the unauthorised use or disclosure of the data.
Amendment 356 #
Proposal for a regulation
Article 1 – paragraph 1
Article 1 – paragraph 1
1. This Regulation lays down harmonised rules on making data generated by the use of a connected product or related service available to the user of that connected product or related service, on the making data available by a user to a data recipient or by the data holders to data recipients, and on the making data available by data holders to public sector bodies or Union institutions, agencies or bodies, where there is an exceptional need, for the performance of a task carried out in the public interest:
Amendment 357 #
Proposal for a regulation
Article 12 – paragraph 1 a (new)
Article 12 – paragraph 1 a (new)
1 a. The data holder shall not be liable for any direct or indirect damages arising from, relating to, or in connection with the processing of the data by the data recipient after the data has been made available.
Amendment 360 #
Proposal for a regulation
Article 1 – paragraph 1 a (new)
Article 1 – paragraph 1 a (new)
1 a. Where this Regulation refers to connected products that are primarily designed to display or play content, or to record and transmit content, amongst others for the use by an online service, the data generated by them shall be covered by this Regulation, insofar it does not overlap with the scope of the national and Union law referring to electronic communications services.
Amendment 364 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
3. A data holder shall not discriminate between comparable categories of data recipients, including partner enterprises or linked enterprises, as defined in Article 3 of the Annex to Recommendation 2003/361/EC, of the data holder, when making data available. Where a data recipient considershas a reasonable doubt that the conditions under which data has been made available to it to be discriminatory, it shall be for the data holder and the data recipient to demonstrate thatwhether there has been no discrimination.
Amendment 365 #
Proposal for a regulation
Article 1 – paragraph 2 – point a
Article 1 – paragraph 2 – point a
(a) manufacturers of connected products and suppliproviders of related services placed on the market in the Union and the users of such products or services, irrespective of their place of establishment;
Amendment 367 #
Proposal for a regulation
Article 15 – paragraph 1 – point a
Article 15 – paragraph 1 – point a
(a) where the data requested is necessary to respond urgently to a public emergency that cannot be reasonably addressed by policy measures;
Amendment 367 #
Proposal for a regulation
Article 14 – paragraph 2 a (new)
Article 14 – paragraph 2 a (new)
2 a. This Chapter is without prejudice to Regulation (EU) 2016/679 and Regulation (EU) 2018/1725.
Amendment 369 #
Proposal for a regulation
Article 1 – paragraph 2 – point b a (new)
Article 1 – paragraph 2 – point b a (new)
Amendment 370 #
Proposal for a regulation
Article 1 – paragraph 2 – point d
Article 1 – paragraph 2 – point d
(d) public sector bodies and Union institutions, agencies or bodies that request data holders to make data available where there is an exceptional need to that data for the performance of a task carried out in the public interestrevention, response or recovery from a public emergency and the data holders that provide those data in response to such request;
Amendment 372 #
Proposal for a regulation
Article 15 – paragraph 1 – point c
Article 15 – paragraph 1 – point c
Amendment 373 #
Proposal for a regulation
Article 15 – paragraph 1 – point a
Article 15 – paragraph 1 – point a
(a) where the data requested is strictly necessary to respond to a public emergency;
Amendment 374 #
Proposal for a regulation
Article 1 – paragraph 2 – point e
Article 1 – paragraph 2 – point e
(e) providers of data processing services offer, irrespective of their place of establishment, providing such services to customers in the Union.
Amendment 379 #
Proposal for a regulation
Article 15 – paragraph 1 – point c – point 1
Article 15 – paragraph 1 – point c – point 1
(1) the public sector body or Union institution, agency or body has been unable to obtain such data by alternative means, including by purchasing the data on the market at market rates or by relying on existing obligations to make data available, and the adoption of new legislative measures cannot ensure the timely availability of the data; or.
Amendment 380 #
Proposal for a regulation
Article 9 – paragraph 4 a (new)
Article 9 – paragraph 4 a (new)
4a. The data holder should be allowed to charge the data user for a value-added data service irrespective of article 4.1.
Amendment 381 #
Proposal for a regulation
Article 17 – paragraph 1 – point c a (new)
Article 17 – paragraph 1 – point c a (new)
(c a) where the request concerns personal data, forward their request to, and obtain the approval of the relevant Data Protection Authority following the procedure in Article 17a;
Amendment 382 #
Proposal for a regulation
Article 1 – paragraph 4
Article 1 – paragraph 4
4. This Regulation shall not apply to, nor pre-empt, voluntary arrangements for the exchange of non-personal data between private and public entities. It shall not affect Union and national legal acts providing for the sharing, access and use of data for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including Regulation (EU) 2021/784 of the European Parliament and of the Council72 and the [e- evidence proposals [COM(2018) 225 and 226] once adopted, and international cooperation in that area. This Regulation shall not affect the collection, sharing, access to and use of data under Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering and terrorist financing and Regulation (EU) 2015/847 of the European Parliament and of the Council on information accompanying the transfer of funds. This Regulation shall not affect the competences of the Member States regarding activities concerning public security, defence, national security, customs and tax administration and the health and safety of citizens in accordance with Union law. This Regulation shall not apply to the data generated by connected products and related services provided for public security, defence and national security. _________________ 72 Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79).
Amendment 386 #
Proposal for a regulation
Article 17 – paragraph 2 – point d
Article 17 – paragraph 2 – point d
(d) concern, insofar as possible,be limited to non- personal data;
Amendment 392 #
Proposal for a regulation
Article 2 – paragraph 1 – point 1
Article 2 – paragraph 1 – point 1
(1) ‘data’ means any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audio-visual recording;, that is generated by the use of a connected product and can be transmitted via electronic communications services.
Amendment 392 #
Proposal for a regulation
Article 17 – paragraph 1 – point c
Article 17 – paragraph 1 – point c
(c) explain the purpose of the request, the intended use of the data requested, and the duration of that use, and which third parties the data may be disclosed to;
Amendment 393 #
Proposal for a regulation
Article 17 – paragraph 4 – subparagraph 2
Article 17 – paragraph 4 – subparagraph 2
Where a public sector body or a Union institution, agency or body transmits or makes data available under this paragraph, it shall: i. notify the data holder from whom the data was received.; ii. ensure that the entity to which the data is transmitted makes no attempts to reverse the anonymisation of the data;
Amendment 394 #
Proposal for a regulation
Article 17 – paragraph 1 – point e a (new)
Article 17 – paragraph 1 – point e a (new)
(e a) where the request is made by a public sector body to a data holder established in another Member State, confirm that the public sector body has notified the competent authority of that Member State in conformity with Article 22(3);
Amendment 395 #
Proposal for a regulation
Article 17 a (new)
Article 17 a (new)
Article 17 a Procedure for Requests involving personal data 1. Where requests for data concern the personal data of European Citizens, the public body requesting the data shall seek approval from the responsible Data Protection Authority. 2. The Data Protection Authority shall assess in an expedited manner if the request meets the requirements of necessity, and if it is proportional to the exceptional need of the public body. The Data Protection Authority shall render any of the following binding decisions: (a). Rejection of the public body’s request. (b). Partial Rejection of public body’s request. (c). Approval of the public body’s request with binding safeguards. (d). Approval of the public body’s request with guidelines. (e). Approval of the public body’s request in full. 3. The assessments of the Data Protection Authority shall be published and made public. 4. If the assessment approves the public bodies requests, the data subjects concerned by the request shall be notified.
Amendment 396 #
Proposal for a regulation
Article 17 – paragraph 1 – point e b (new)
Article 17 – paragraph 1 – point e b (new)
(e b) where the data requested concerns personal data, consult the competent supervisory authority under Article 51 of Regulation (EU)2016/679 or under Article 52 under Regulation (EU) 2018/1725, abide by its recommendations, and confirm the conformity of the request with Regulation (EU)2016/679 or Regulation (EU) 2018/1725.
Amendment 400 #
Proposal for a regulation
Article 17 – paragraph 4 – subparagraph 1
Article 17 – paragraph 4 – subparagraph 1
Paragraph 3 does not preclude a public sector body or a Union institution, agency or body to exchange data obtained pursuant to this Chapter with another public sector body, Union institution, agency or body, in view of completing the tasks in Article 15 or to make the data available to a third party in cases where it has outsourced, by means of a publicly available agreement, technical inspections or other functions to this third party. The obligations on public sector bodies, Union institutions, agencies or bodies pursuant to Article 19 applylso apply to such third parties.
Amendment 401 #
Proposal for a regulation
Article 18 – paragraph 5
Article 18 – paragraph 5
5. Where compliance with the request to make data available to a public sector body or a Union institution, agency or body requires the disclosure of personal data, the data holder shall take reasonable efforts to pseudonymise the data, insofar as the request can be fulfilled with pseudonymisedanonymise the data.
Amendment 401 #
Proposal for a regulation
Article 17 – paragraph 4 a (new)
Article 17 – paragraph 4 a (new)
4 a. The third party shall not use the data it receives from a public sector body or a Union institution, agency or body to develop a product or a related service that competes with the product or related service from which the data originate.
Amendment 404 #
Proposal for a regulation
Article 19 – paragraph 1 – point a a (new)
Article 19 – paragraph 1 – point a a (new)
(a a) not combine or process data in any way that would revert the anonymisation of that data;
Amendment 407 #
Proposal for a regulation
Article 18 – paragraph 5
Article 18 – paragraph 5
5. Where compliance with the request to make data available to a public sector body or a Union institution, agency or body requires the disclosure of personal data, the applicable rules on personal data protection shall be fully complied with. The data holder shall take reasonable efforts to pseudonymise the datapersonal data made available, insofar as the request can be fulfilled with pseudonymised data.
Amendment 411 #
Proposal for a regulation
Article 18 – paragraph 6 a (new)
Article 18 – paragraph 6 a (new)
6 a. A data holder complying with a request to make data available pursuant to this article shall not be liable for any direct or indirect damages arising from, relating to, or in connection with the processing or the unauthorised disclosure of the data by the public sector body or a Union institution, agency or body, after the data has been made available.
Amendment 416 #
Proposal for a regulation
Article 19 – paragraph 1 – point b
Article 19 – paragraph 1 – point b
(b) implement, insofar as the processing of personal data is necessary, technical, cybersecurity, and organisational measures that safeguard the rights and freedoms of data subjects;
Amendment 417 #
Proposal for a regulation
Article 19 – paragraph 1 – point b a (new)
Article 19 – paragraph 1 – point b a (new)
(b a) implement adequate administrative, technical and cybersecurity measures to prevent the unauthorised disclosure of the data;
Amendment 418 #
Proposal for a regulation
Article 2 – paragraph 1 – point 2
Article 2 – paragraph 1 – point 2
(2) ‘connected product’ means a tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or environment, and that is able to communicate data via a publicly availablen electronic communications service and whose primary function is not the storing and processing of data;
Amendment 418 #
Proposal for a regulation
Article 19 – paragraph 1 – point b b (new)
Article 19 – paragraph 1 – point b b (new)
(b b) inform without undue delay the data holder when a security incident has occurred that is affecting the confidentiality,integrity, or availability of the data it holds that was provided by the data holder;
Amendment 420 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
2. Disclosure of trade secrets or alleged trade secrets to a public sector body or to a Union institution, agency or body shall only be required to the extent that it is strictly necessary to achieve the purpose of the request. In such a case, the public sector body or the Union institution, agency or body shall take appropriate technical, cybersecurity, and organizational measures to preserve the confidentiality of those trade secrets and to ensure the security of the data and the prevention of its unauthorised disclosure.
Amendment 424 #
Proposal for a regulation
Article 2 – paragraph 1 – point 3
Article 2 – paragraph 1 – point 3
(3) ‘related service’ means a digital service, including software, which is incorporated in orbut excluding electronic communications services, which is inter-connected with a product in such a way that its absence would prevent the product from performing one or more of its functions;
Amendment 429 #
Proposal for a regulation
Article 2 – paragraph 1 – point 5
Article 2 – paragraph 1 – point 5
(5) ‘user’ means a natural or legal person that owns, rents or leases a a product and receives a related service from a data holder or a lawful user to whom the owner of the connected product has transferred, pursuant to a rental or lease agreement, the right to use the connected product or receives a related services from a data holder;
Amendment 429 #
Proposal for a regulation
Article 21 – paragraph 1
Article 21 – paragraph 1
1. A public sector body or a Union institution, agency or body shall be entitled to share data received under this Chapter with individuals or organisations or national statistical institutes and Eurostat in view of carrying out scientific research or analytics compatible withfor the purpose for which the data was requested, or to national statistical institutes and Eurostat for the compilation of official statistics.
Amendment 430 #
Proposal for a regulation
Article 21 – paragraph 4
Article 21 – paragraph 4
4. Where a public sector body or a Union institution, agency or body transmits or makes data available under paragraph 1, it shall notify the data holder from whom the data was received, providing all necessary information regarding the identity of the data recipient and the activities to be carried out by the data recipient, and shall ensure all organizational,technical, and cybersecurity measures to preserve the integrity of the data and to prevent its unauthorised disclosure.
Amendment 438 #
Proposal for a regulation
Article 2 – paragraph 1 – point 6
Article 2 – paragraph 1 – point 6
(6) ‘data holder’ means a legal or natural person, other than the user, who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case ofto make available non-personal data and through control of the technical design of thegenerated by the use of a connected product andor a related services, the ability, to make available certain and who has the control over these data;
Amendment 439 #
1. The rights of the customer and the obligations of the provider of a data processing service in relation to switching between providers of such services shall be clearly set out in a written contract. Without prejudice to Directive (EU) 2019/770, that contract shall be clear and transparent to the customer and shall include at least the following:
Amendment 446 #
Proposal for a regulation
Article 2 – paragraph 1 – point 7
Article 2 – paragraph 1 – point 7
(7) ‘data recipient’ means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a connected product or related service, to whom the data holduser makes the data available either directly, or through data intermediation services, or the data holder, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation implementing Union law;
Amendment 451 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
1. Providers of data processing services that concern scalable and elastic computing resources limited to infrastructural elements such as servers, networks and the virtual resources necessary for operating the infrastructure, but that do not provide access to the operating services, software and applications that are stored, otherwise processed, or deployed on those infrastructural elements, shall ensure that the customer, after switching to a service covering the same service type offered by a different provider of data processing services, enjoys functional equivalence in the use of the new service. This provision applies to the original provider only insofar as the measures are related to the services,contractual agreements or commercial practices of the original provider.
Amendment 454 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘public emergency’ means an exceptional situation negativ legally declared state of emergency by the Union or a Member State for an exceptional and immediate situation caused by natural or man-made disasters, adversely affecting the population of the Union, a Member State or part of it, with a risk of seriousignificant and lasting repercussions on living conditionsthe health, safety or economic stability of citizen, or the substantial degradation of economic assets in the Union or the relevant Member State(s);
Amendment 456 #
Proposal for a regulation
Article 28 – paragraph 4
Article 28 – paragraph 4
4. The Commission mayshall, in accordance with Article 10 of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised standards that satisfy the essential requirements under paragraph 1 of this Article
Amendment 457 #
Proposal for a regulation
Article 28 – paragraph 5
Article 28 – paragraph 5
5. The Commission shallmay, by way of implementing acts, adopt common specifications, where harmonised standards referred to in paragraph 4 of this Article do not exist or in case it considers that the relevant harmonised standards are insufficient to ensure conformity with the essential requirements in paragraph 1 of this Article, where necessary, with respect to any or all of the requirements laid down in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). Common specifications shall be developed in an open, transparent, technology-neutral manner, in consultation with industry and relevant stakeholders.
Amendment 458 #
Proposal for a regulation
Article 29 – paragraph 4
Article 29 – paragraph 4
4. The Commission mayshall, in accordance with Article 10 of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft European standards applicable to specific service types of data processing services.
Amendment 460 #
Proposal for a regulation
Article 30 – paragraph 5
Article 30 – paragraph 5
5. The Commission mayshall, in accordance with Article 10 of Regulation (EU) No 1025/2012, request one or more European standardisation organisations to draft harmonised standards that satisfy the essential the requirements under paragraph 1 of this Article.
Amendment 461 #
Proposal for a regulation
Article 30 – paragraph 6
Article 30 – paragraph 6
6. Where harmonised standards referred to in paragraph 4 of this Article do not exist or where the Commission considers that the relevant harmonised standards are insufficient to ensure conformity with the essential requirements in paragraph 1 of this Article in a cross- border context, the Commission may, by way of implementing acts, adopt common specifications in respect of the essential requirements set out in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2). Common specifications shall be developed in an open, transparent, technology-neutral manner, in consultation with industry and relevant stakeholders.
Amendment 470 #
Proposal for a regulation
Article 23 – paragraph 1 – introductory part
Article 23 – paragraph 1 – introductory part
1. Providers of a data processcloud computing service shall take the measures provided for in Articles 24, 25 and 26 to ensure that customers of their service canable customers switching to another data processcloud computing service, covering the sameequivalent service type, which is provided by a different service provider of cloud computing services. In particular, providers of data processa cloud computing service shall removnot impose commercial, technical, contractual and organisational obstacles, which inhibit customers from:
Amendment 473 #
Proposal for a regulation
Article 23 – paragraph 1 – point a
Article 23 – paragraph 1 – point a
(a) terminating, after a maximum notice period of 30 calendar days or after a notice period agreed in the contractual agreement between the customer and the provider of cloud computing services, the contractual agreement of the service;
Amendment 474 #
Proposal for a regulation
Article 2 – paragraph 1 – point 17
Article 2 – paragraph 1 – point 17
(17) ‘electronic ledger’ means an electronic ledger within the meaning of Article 3, point (53), of Regulation (EU) No 910/2014XXX/XXXX [establishing a European Digital Identity framework];
Amendment 479 #
Proposal for a regulation
Article 23 – paragraph 1 – point b
Article 23 – paragraph 1 – point b
(b) concluding new contractual agreements with a different provider of data processcloud computing services covering the sameequivalent service type;
Amendment 480 #
Proposal for a regulation
Article 23 – paragraph 1 – point c
Article 23 – paragraph 1 – point c
(c) porting ithe customer's data, applications and other digital assets to another provider of data processing services; and receiving its data, applications, depending on the service type, and other digital assets from the cloud computing provider;
Amendment 486 #
Proposal for a regulation
Article 23 – paragraph 1 – point d
Article 23 – paragraph 1 – point d
(d) maintaining functional equivalence of the service in the IT-environment of the different provider or providers of data processing servicecloud computing providers covering the same service type, in accordance with Article 26. , without requiring those cloud computing providers to develop or copy new categories of services within or on the basis of the IT-infrastructure of different cloud computing providers to guarantee functional equivalence in an environment other than their own systems.
Amendment 488 #
Proposal for a regulation
Article 3 – title
Article 3 – title
3 Obligation of the manufacturer or a provider of related services to make data generated by the use of connected products or related services accessible to the user
Amendment 488 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
Amendment 489 #
Proposal for a regulation
Article 35 – paragraph 1
Article 35 – paragraph 1
In order not to hinder the exercise of the right of users to access and use such data in accordance with Article 4 of this Regulation or of the right to share such data with third parties in accordance with Article 5 of this Regulation, the sui generis right provided for in Article 7 of Directive 96/9/EC does not apply to databases containing data obtained from or generated by the use of a product or a related service when this right is invoked to deny or obstruct the sharing of data with a user or data recipient in accordance with Article 4 and 5.
Amendment 490 #
Proposal for a regulation
Article 3 – paragraph 1
Article 3 – paragraph 1
1. Products shall be designed and manufactured, and related services shall be provided, in such a manner that data generated by their use are, by default, easily, securely and, where relevant and appropriate, directly accessible to the userthat the data holder can readily obtain from the product on to an existing interface, or data that are collected or aimed to be collected by the data holder, are by default, easily, securely and, where relevant and appropriate, directly accessible to the user in a structured, commonly used and machine- readable format along with the relevant metadata, on a free of charge basis and retrievable by the user. Where technically feasible, the user should be able to access and retrieve such data directly from the device, without recourse to related services.
Amendment 490 #
Proposal for a regulation
Article 23 – paragraph 2
Article 23 – paragraph 2
2. Paragraph 1 shall only apply to obstacles that are related to the services, contractual agreements or commercial practices provided by the original providerprovider of source cloud computing services.
Amendment 496 #
Proposal for a regulation
Article 24 – paragraph 1 – introductory part
Article 24 – paragraph 1 – introductory part
1. The rights of the customer and the obligations of the provider of a data processcloud computing service in relation to switching between providers of such services shall be clearly set out in a written contract. Without prejudice to Directive (EU) 2019/770, that contrace provider of cloud computing services shall ensure that contractual agreement shall include at least the following:
Amendment 499 #
Proposal for a regulation
Article 3 – paragraph 1 a (new)
Article 3 – paragraph 1 a (new)
1 a. Before concluding a contract for the purchase, rent or lease of a connected product, the manufacturer shall provide to the user, in the form of a standardised label at least the following information: (a) the nature, format and estimated volume of data that the connected product is capable of generating; (b) the means by which the connected product can transmit data, including whether the data will be stored on-device or on a remote server; (c) whether the seller, renter or lessor is the data holder and, if not, the identity of the data holder, such as its trading name, the geographical address at which it is established and where applicable the legal entity identifier; (d) how the user of the connected product can access, retrieve or request erasure of the generated data from the connected product; (e) the on-device storage capacity, including the duration for which data collected by the connected product can be stored on it; (f) the period for which the device is guaranteed to receive functionality updates according to the Regulation (EU) XXX/XXXX [Cyber resilience Act].
Amendment 501 #
Proposal for a regulation
Article 24 – paragraph 1 – point a – introductory part
Article 24 – paragraph 1 – point a – introductory part
(a) clauses allowing the customer, upon request, to switch to a data processing service offered by another provider of data processing service or to port all data, applications and digital assets generated directly or indirectly by the customer to an on-premise system, in particular the establishment of a mandatory maximum transition period of 30 calendar days, to be initiated after the maximum notice period referred to in Article 23, during which the data processing service provider shall:
Amendment 512 #
Proposal for a regulation
Article 3 – paragraph 2 – introductory part
Article 3 – paragraph 2 – introductory part
2. Before concluding a contract for the purchase, rent or lease of a product orrovision of a related service, at least the following information shall be provided to the user, in a simple manner, clear and comprehensible format:
Amendment 512 #
Proposal for a regulation
Article 24 – paragraph 1 – point a – point 1
Article 24 – paragraph 1 – point a – point 1
(1) assist and, where technically feasible, complethrough and facilitate the switching process;
Amendment 514 #
Proposal for a regulation
Article 3 – paragraph 2 – point a
Article 3 – paragraph 2 – point a
(a) the nature an, format, frequency and estimated volume of the data likely to be generated by the use of the connected product orand related service;
Amendment 514 #
Proposal for a regulation
Article 24 – paragraph 1 – point a – point 2
Article 24 – paragraph 1 – point a – point 2
(2) ensure fullact with due care to maintain business continuity and security of the service and, taking into account the advancement in the switching process, ensure, to the greatest extent possible, continuity in the provision of the respectivelevant functions or services within the provider of source cloud computing services’ infrastructure capacity and according to the contractual obligations.
Amendment 518 #
Proposal for a regulation
Article 3 – paragraph 2 – point b
Article 3 – paragraph 2 – point b
(b) whether the data is likely towill be generated continuously and in real-time;
Amendment 518 #
Proposal for a regulation
Article 24 – paragraph 1 – point a – point 2 a (new)
Article 24 – paragraph 1 – point a – point 2 a (new)
(2 a) provide clear information concerning known risks to continuity in the provision of the respective functions or services from the side of provider of source cloud computing services during the switching process.
Amendment 520 #
Proposal for a regulation
Article 3 – paragraph 2 – point b a (new)
Article 3 – paragraph 2 – point b a (new)
(b a) whether the data will be stored on- device or on a remote server;
Amendment 522 #
Proposal for a regulation
Article 24 – paragraph 1 – point a – point 2 b (new)
Article 24 – paragraph 1 – point a – point 2 b (new)
(2 b) obligation to complete the switching process within the period which may not exceed 6 months. The customer shall retain the right to extend this period, if needed, prior to or during the switching process;
Amendment 523 #
Proposal for a regulation
Article 3 – paragraph 2 – point c
Article 3 – paragraph 2 – point c
(c) how the user may access, retrieve and request de erasure of those data;
Amendment 527 #
Proposal for a regulation
Article 24 – paragraph 1 – point b
Article 24 – paragraph 1 – point b
(b) an exhaustive specification of all data and application categories exportable during the switching process, including, at minimum, all data imported by the customer at the inception of the service agreement and all data and metadata related to the customer's services and created by the customer and by the use of the service during the period the service was provided, including, but not limited to, configuration parameters, security settings, access rights and access logs to the service; being understood that cloud service providers shall not be required to disclose trade secrets or other proprietary information.
Amendment 534 #
Proposal for a regulation
Article 24 – paragraph 1 – point b a (new)
Article 24 – paragraph 1 – point b a (new)
(b a) support for development of the customer’s exit strategy relevant to the contracted services, including through providing information such as procedures for initiating switching from the cloud computing service, the machine-readable data formats that user’s data can be exported to, the tools, including at least one open standard data portability interface, foreseen to export data, known technical restrictions and limitations that could impact switching process, estimated time necessary to complete the switching process, costs indication related to the data transfers and additional services offered to facilitate the switching process, including the ability of the customer to test its switching process.
Amendment 536 #
Proposal for a regulation
Article 3 – paragraph 2 – point d
Article 3 – paragraph 2 – point d
(d) whether the manufacturer supplying the product or the service provider providing the related service intends to use the data itself or allow a third party to use the data and, if so, the purposes for which those data will be used;
Amendment 536 #
Proposal for a regulation
Article 24 – paragraph 1 – point c
Article 24 – paragraph 1 – point c
(c) a minimum period for data retrieval of at least 30 calendar days, starting after the termination of the transition period that was agreed between the customer and the service provider of cloud computing services, in accordance with paragraph 1, point (a) and paragraph 2.
Amendment 540 #
Proposal for a regulation
Article 3 – paragraph 2 – point e
Article 3 – paragraph 2 – point e
(e) whether the seller, renter or lessorprovider of the related service is the only data holder and, if not, the identity of the other data holders, such as its trading name and, the geographical address at which it is established; and where applicable the legal entity identifier;
Amendment 545 #
Proposal for a regulation
Article 3 – paragraph 2 – point f a (new)
Article 3 – paragraph 2 – point f a (new)
(f a) where relevant, the type of data likely to be generated by the use of the connected product or related service that may contain or contains any trade secrets or may reveal or reveals any other relevant information concerning intellectual property rights and thus requires prior explicit written consent of the data holder before providing access to, using or sharing it;
Amendment 547 #
Proposal for a regulation
Article 3 – paragraph 2 – point g
Article 3 – paragraph 2 – point g
(g) how the user may request that the data are shared with a third-party and withdraw the consent for data sharing;
Amendment 547 #
Proposal for a regulation
Article 24 – paragraph 2 a (new)
Article 24 – paragraph 2 a (new)
2 a. Following a successful switch to another provider or back on-premises by the customer, the provider of the cloud computing service should be required to permanently delete the user data, unless otherwise expressly agreed.
Amendment 548 #
Proposal for a regulation
Article 24 a (new)
Article 24 a (new)
Amendment 553 #
Proposal for a regulation
Article 25 – paragraph 1
Article 25 – paragraph 1
1. From [date X+3yrs, the date of entry into force of this Regulation] onwards, providers of data processcloud computing services shall not impose any charges on the customers who are consumers for the switching process.
Amendment 557 #
Proposal for a regulation
Article 4 – paragraph 1
Article 4 – paragraph 1
1. Where data cannot be directly accessed by the user from the product, the data holder shall make available to the user the data generated by its use of a product or related service without undue delay, free of charge and, where applicable, continuously and in real-time. This shall be done on the basis of a simple request through electronic means where technically feasiblin a structured, commonly used and machine- readable format, free of charge and, where technically feasible, continuously and in real-time.
Amendment 565 #
Proposal for a regulation
Article 25 – paragraph 2
Article 25 – paragraph 2
2. From [date X, the date of entry into force of the Data Act] until [date X+3yrsis Regulation], providers of data processcloud computing services mayshall impose reduced charges on theall customers for the switching process.
Amendment 567 #
Proposal for a regulation
Article 4 – paragraph 2
Article 4 – paragraph 2
2. The data holder shall not require the user to provide any information beyond what is strictly necessary to verify the quality as a user pursuant to paragraph 1. The data holder shall not keep any information on the user’'s access to the data requested beyond what is necessary for the sound execution of the user’s access request and for the security and the maintenance of the data infrastructure. Where identification is legally required, data holders shall enable the possibility for users to identify and authenticate through the European Digital Identity Wallets, pursuant to Regulation (EU) XXX/XXXX [European Digital Identity framework].
Amendment 570 #
Proposal for a regulation
Article 25 – paragraph 3
Article 25 – paragraph 3
3. The charges referred to in paragraph 2 shall not exceed the costs incurred by the provider of data processcloud computing services that are directly linked to the switching process and shall be associated with mandatory operations that the provider of cloud computing processing services must perform as part of the switching process concerned.
Amendment 573 #
Proposal for a regulation
Article 25 – paragraph 4
Article 25 – paragraph 4
4. The Commission is empowered to adopt delegated acts in accordance with Article 38 to supplement this Regulation in order to introduce a monitoring mechanism for the Commission to monitor switching charges imposed by data processproviders of cloud computing service providers on the market to ensure that the withdrawal of switching charges as described in paragraph 1 of this Article will be attained in accordance with the deadline provided in the same paragraph.
Amendment 575 #
Proposal for a regulation
Article 26 – title
Article 26 – title
Technical aspects of switching and interoperability
Amendment 579 #
Proposal for a regulation
Article 26 – paragraph 1
Article 26 – paragraph 1
1. Providers of data processcloud computing services that concern scalable and elastic computing resources limited to infrastructural elements such as servers, networks and the virtual resources necessary for operating the infrastructure, but that do not provide access to the operating services, software and applications that are stored, otherwise processed, or deployed on those infrastructural elements, shall ensureto the extend possible support that the customer, after switching to a service covering the same service type offered by a different provider of data processcloud computing services, enjoysis well equipped to achieve functional equivalence in the use of the new service.
Amendment 583 #
Proposal for a regulation
Article 26 – paragraph 2
Article 26 – paragraph 2
2. For data processing services other than those covered by paragraph 1, providers of data processProviders of cloud computing services, including providers of destination cloud computing services shall make open interfaces publicly available and free of charge for the purpose of portability and interoperability.
Amendment 584 #
Proposal for a regulation
Article 4 – paragraph 3
Article 4 – paragraph 3
3. Trade secrets shall only be disclosed provided that all specifiche data holder can take all necessary measures are taken, in advance to preserve the confidentiality of its trade secrets, in particular wisofar this is not hampering the respect to third partiesights of the users or third parties to access data. The data holder and the user can agree on measures to preserve the confidentiality of the shared data, in particular in relation to third parties.
Amendment 585 #
Proposal for a regulation
Article 4 – paragraph 3 a (new)
Article 4 – paragraph 3 a (new)
3 a. The user shall have the right to either directly share, through a data holder or through providers of data intermediation services as set in the Regulation (EU) 2022/868, their non- personal data to any data recipient for commercial purposes. The data sharing between a user and a data recipient shall be done through contractual agreements, the provisions of Chapter IV on fair, reasonable and non-discriminatory terms shall apply mutatis mutandis to the contractual agreements between users and data recipients.
Amendment 586 #
Proposal for a regulation
Article 4 – paragraph 3 b (new)
Article 4 – paragraph 3 b (new)
3 b. Data holders shall not make available non-personal data transmitted to them from the connected product of the individual user, to third parties for commercial or non-commercial purposes other than the fulfilment of their obligations to the user. Where relevant, data holders shall contractually bind third parties not to monetise or further share data received from them.
Amendment 587 #
Proposal for a regulation
Article 26 – paragraph 3
Article 26 – paragraph 3
3. For data processing services other than those covered by paragraph 1, providers of data processing services shallAll providers of cloud computing services shall, where technically feasible, ensure compatibility with open interoperability specifications or European standards for interoperability that are identified in accordance with Article 29(5) of this Regulation.
Amendment 589 #
Proposal for a regulation
Article 26 – paragraph 4
Article 26 – paragraph 4
4. Where the open interoperability specifications or European standards referred to in paragraph 3 do not exist for the equivalent service type concerned, the provider of data processcloud computing services shall, at the request of the customer, export where technically feasible, all data generated or co-generated, including the relevant data formats and data structures, and metadata in a structured, commonly used and machine- readable format as indicated to the customer in accordance with Article 24 (1 ab), unless other format is accepted by the customer.
Amendment 594 #
Proposal for a regulation
Article 26 – paragraph 4 a (new)
Article 26 – paragraph 4 a (new)
4 a. Where the open interoperability specifications or European standards referred to in paragraph 3 do not exist for the service type concerned, the provider of data processing services shall make APIs available for the purpose of interoperability. These APIs shall ensure, where technically feasible, that third-party services can enjoy the same functional equivalence as first-party services.
Amendment 597 #
Proposal for a regulation
Article 26 – paragraph 4 b (new)
Article 26 – paragraph 4 b (new)
4 b. The requirements set out in this chapter shall not require a provider of cloud computing services to: a) develop new technologies or services; b) disclose or transfer proprietary or confidential data or technology that is protected as a trade secret or by other property rights, to the customer or to another provider of cloud computing services;or c) engage in, facilitate or enable anti- competitive behaviour.
Amendment 598 #
Proposal for a regulation
Article 26 a (new)
Article 26 a (new)
Article 26 a Withdrawal of interoperability charges 1. From [date X] onwards, providers of data processing services shall not impose charges for the interoperability process in excess of the costs incurred by the provider of data processing services that are directly linked to the interoperability process concerned. 2. The Commission is empowered to adopt delegated acts in accordance with Article 38 to supplement this Regulation in order to introduce a monitoring mechanism for the Commission to monitor interoperability charges imposed by data processing service providers on the market to ensure that the limitation of interoperability charges as described in paragraph 1 of this Article will be attained in accordance with the deadline provided in the same paragraph.
Amendment 599 #
Proposal for a regulation
Article 26 b (new)
Article 26 b (new)
Article 26 b Exemptions for certain cloud computing services The obligations set out in this Chapter shall not apply to: a) cloud computing services, which have been custom-built to facilitate a specific customer’s need; b) cloud computing services that operate on a trial basis or only supply a testing and evaluation service for business product offerings.
Amendment 602 #
Proposal for a regulation
Article 5 – title
Article 5 – title
5 Right of the user to share data with third parties
Amendment 608 #
Proposal for a regulation
Article 27 – paragraph 3 – subparagraph 1 – point c a (new)
Article 27 – paragraph 3 – subparagraph 1 – point c a (new)
(c a) or where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection according to Article 45 of the Regulation (EU) 2016/679.
Amendment 610 #
Proposal for a regulation
Article 5 – paragraph 1
Article 5 – paragraph 1
1. Upon request by a user, or by a party acting on behalf of a user, the data holder shall make available the data generated by the use of a connected product or related service to a third party, in accordance with Articles 8 and 9, without undue delay, free of charge to the user, of the same quality as is available to the data holder and, where applicaeasily, securely, in a structured, commonly used and machine- readable format and, where technically feasible, continuously and in real-time.
Amendment 613 #
Proposal for a regulation
Article 28 – paragraph 1 – subparagraph 1 – introductory part
Article 28 – paragraph 1 – subparagraph 1 – introductory part
Amendment 616 #
Proposal for a regulation
Article 5 – paragraph 2 – introductory part
Article 5 – paragraph 2 – introductory part
2. Any undertaking manufacturing connected products or providing related services which has been determined to have a dominant position on the market pursuant to national or Union competition law and any undertaking providing core platform services for which one or more of such services have been designated as a gatekeeper, pursuant to Article […] of [Regulation XXX on contestable and fair markets in the digital sector (Digital Markets Act)73 ], shall not be an eligible third party under this Article and therefore shall not: _________________ 73 OJ […].
Amendment 625 #
Proposal for a regulation
Article 5 – paragraph 3
Article 5 – paragraph 3
3. The user or third party shall not be required to provide any information beyond what is strictly necessary to verify the quality as user or as third party pursuant to paragraph 1. The data holder shall not keep any information on the third party’s access to the data requested beyond what is necessary for the sound execution of the third party’s access request and for the security and the maintenance of the data infrastructure. Where identification is not legally required, users should be able to use products anonymously.
Amendment 625 #
Proposal for a regulation
Article 28 – paragraph 3
Article 28 – paragraph 3
Amendment 629 #
Proposal for a regulation
Article 29 – title
Article 29 – title
Interoperability and portability for data processing services
Amendment 630 #
Proposal for a regulation
Article 29 – paragraph 1 – introductory part
Article 29 – paragraph 1 – introductory part
1. Open interoperability and portability specifications and European standards for the interoperability of data processing services shall:
Amendment 634 #
Proposal for a regulation
Article 29 – paragraph 1 – point a
Article 29 – paragraph 1 – point a
(a) be performance oriented towards achieving interoperability and portability between different data processing services that cover the same service type;
Amendment 636 #
Proposal for a regulation
Article 29 – paragraph 1 – point b
Article 29 – paragraph 1 – point b
(b) enhance interoperability and portability of digital assets between different data processing services that cover the same service type;
Amendment 643 #
Proposal for a regulation
Article 29 – paragraph 2 – introductory part
Article 29 – paragraph 2 – introductory part
2. Open interoperability specifications and European standards for the interoperability and portability of data processing services shall address:
Amendment 647 #
Proposal for a regulation
Article 29 – paragraph 5
Article 29 – paragraph 5
5. For the purposes of Article 26(3) of this Regulation, the Commission shall be empowered to adopt delegated acts, in accordance with Article 38, to publish the reference of open interoperability specifications and European standards for the interoperability and portability of data processing services in central Union standards repository for the interoperability and portability of data processing services, where these satisfy the criteria specified in paragraph 1 and 2 of this Article.
Amendment 652 #
Proposal for a regulation
Article 6 – paragraph 2 – point b
Article 6 – paragraph 2 – point b
(b) use the data it receives for purposes of direct marketing or advertising, credit scoring, including for the profiling of natural persons within the meaning of Article 4(4) of Regulation (EU) 2016/679, unless it is necessary to provide the service requested by the user, and with the user’s explicit consent;
Amendment 665 #
Proposal for a regulation
Article 6 – paragraph 2 – point d
Article 6 – paragraph 2 – point d
(d) make the data available it receives to an undertaking manufacturing connected products or providing related services which has been determined to have a dominant position on the market pursuant to national or Union competition law and to an undertaking providing core platform services for which one or more of such services have been designated as a gatekeeper pursuant to Article […] of [Regulation on contestable and fair markets in the digital sector (Digital Markets Act)];
Amendment 680 #
Proposal for a regulation
Article 7 – paragraph 1
Article 7 – paragraph 1
1. The obligations pursuant to Articles 4, 5, and 6 of this Chapter shall not apply to data generated by the use of connected products manufactured ord related services provided by enterprises that qualify as micro or small enterprises, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro or small enterprise.
Amendment 684 #
Proposal for a regulation
Article 7 – paragraph 2
Article 7 – paragraph 2
2. Where this Regulation refers to products or related services, such reference shall also be understood to include virtual assistants, insofar as they are used to access or control a product or related serviceconnected product.
Amendment 695 #
6 a. Data holders and data recipients shall take all necessary legal, organisational and technical measures to ensure the cybersecurity of the data transfers and security and integrity of the data.
Amendment 703 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
2. Where the data recipient is a micro, small or medium enterprise, as defined in Article 2 of the Annex to Recommendation 2003/361/EC, provided those enterprises do not have partner enterprises or linked enterprises as defined in Article 3 of the Annex to Recommendation 2003/361/EC which do not qualify as a micro, small or medium enterprise, any compensation agreed shall not exceed the costs directly related to making the data available to the data recipient and which are attributable to the request. Article 8(3) shall apply accordingly.
Amendment 713 #
Proposal for a regulation
Article 9 – paragraph 4 a (new)
Article 9 – paragraph 4 a (new)
4 a. The Commission shall develop guidelines to determine what are the criteria for a reasonable compensation according to paragraph 1, set between data holders and data recipients.
Amendment 716 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
1. DUsers, data holders and data recipients shall have access to dispute settlement bodies, certified in accordance with paragraph 2 of this Article, to settle disputes in relation to the determination of fair, reasonable and non-discriminatory terms for and the transparent manner of making data available in accordance with Articles 8 and 9.
Amendment 722 #
Proposal for a regulation
Article 11 – paragraph 1
Article 11 – paragraph 1
1. The data holder may apply appropriate technical protection measures, including smart contracts, to prevent unauthorised access to the data and to ensure compliance with Articles 5, 6, 9 and 10, as well as with the agreed contractual terms for making data available. Such technical protection measures shall not be used as a means to hinder the user’s right todiscriminate between data recipients or to hinder the user’s right to access data, retrieve the data or effectively provide data to third parties pursuant to Article 4 and 5 or any right of a third party under Union law or national legislation implementing Union law as referred to in Article 8(1).
Amendment 726 #
Proposal for a regulation
Article 11 – paragraph 1 a (new)
Article 11 – paragraph 1 a (new)
1 a. Where the data recipient has acted in violation of Article 6(2)(a) and 6(2)(b), users shall have the same rights as data holders under paragraph 2 of this Article. Paragraph 3 shall apply mutatis mutandis.
Amendment 728 #
Proposal for a regulation
Article 11 – paragraph 2 – introductory part
Article 11 – paragraph 2 – introductory part
2. A data recipient that has, for the purposes of obtaining non-personal data, provided inaccurate or false information to the data holder, deployed deceptive or coercive means or abused evident gaps in the technical infrastructure of the data holder designed to protect the data, has used the data made available for unauthorised purposes or has disclosed those data to another party without the data holder’s authorisation, shall without undue delay, unless the data holder or the user instruct otherwise:
Amendment 743 #
Proposal for a regulation
Article 13 – paragraph 2
Article 13 – paragraph 2
2. A contractual term is unfair if it is of such a nature that its use grossly deviates from good commercial practice in data access and use, contrary to good faith and fair dealing and creates a significant imbalance between the rights and obligations of the parties to the contract.
Amendment 751 #
Proposal for a regulation
Article 13 – paragraph 8 a (new)
Article 13 – paragraph 8 a (new)
8 a. Within 12 months from the entry into force of this Regulation, the Commission shall by means of implementing acts further develop guidelines on the reasonable prices for the compensation for data sharing and measures to prevent and mitigate data market distortion practices provided in Chapters III and IV.
Amendment 771 #
Proposal for a regulation
Article 15 – paragraph 1 – introductory part
Article 15 – paragraph 1 – introductory part
An exceptional need to use data within the meaning of this Chapter shall be limited in time and scope and deemed to exist in any ofonly in the following circumstances:
Amendment 777 #
Proposal for a regulation
Article 15 – paragraph 1 – point a
Article 15 – paragraph 1 – point a
(a) where the data requested is strictly necessary to respond to a public emergency;
Amendment 781 #
Proposal for a regulation
Article 15 – paragraph 1 – point b
Article 15 – paragraph 1 – point b
(b) where the data request is limited in time and scope andstrictly necessary to prevent a public emergency or to assist the recovery from a public emergency; and only if all of the following conditions are fulfilled:
Amendment 782 #
Proposal for a regulation
Article 15 – paragraph 1 – point b – point i (new)
Article 15 – paragraph 1 – point b – point i (new)
i) the public sector body or Union institution, agency or body has exhausted all other means to obtain such data, including by purchasing the data on the market at market rates or by relying on existing obligations to make data available, and the adoption of new legislative measures cannot ensure the timely availability of the data; or
Amendment 783 #
Proposal for a regulation
Article 15 – paragraph 1 – point b – point ii (new)
Article 15 – paragraph 1 – point b – point ii (new)
ii) obtaining the data in line with the procedure laid down in this Chapter would substantively reduce the administrative burden for data holders or other enterprises.
Amendment 785 #
Proposal for a regulation
Article 15 – paragraph 1 – point c
Article 15 – paragraph 1 – point c
Amendment 809 #
Proposal for a regulation
Article 17 – paragraph 1 – introductory part
Article 17 – paragraph 1 – introductory part
1. WherIn the requestings for data pursuant to Article 14(1), a public sector body or a Union institution, agency or body shall:
Amendment 813 #
Proposal for a regulation
Article 17 – paragraph 1 – point b
Article 17 – paragraph 1 – point b
(b) demonstrate the exceptional need for which the data are requested, laying down the circumstance justifying the request and demonstrating that all the conditions mentioned in Article 15 are met;
Amendment 817 #
Proposal for a regulation
Article 17 – paragraph 1 – point c a (new)
Article 17 – paragraph 1 – point c a (new)
(c a) justify the choice of data holder;
Amendment 818 #
Proposal for a regulation
Article 17 – paragraph 1 – point c b (new)
Article 17 – paragraph 1 – point c b (new)
(c b) mention the other public sector bodies, Union institutions, agencies or bodies, including where applicable third parties to which the data obtained will be made available to;
Amendment 822 #
Proposal for a regulation
Article 17 – paragraph 1 – point e
Article 17 – paragraph 1 – point e
(e) specify tha reasonable deadline by which the data are to be made available or within which the data holder may request the public sector body, Union institution, agency or body to modify or withdraw the request.;
Amendment 827 #
Proposal for a regulation
Article 17 – paragraph 1 – point e a (new)
Article 17 – paragraph 1 – point e a (new)
Amendment 831 #
Proposal for a regulation
Article 17 – paragraph 1 – point e b (new)
Article 17 – paragraph 1 – point e b (new)
(e b) where known at the moment of the request, specify for how long data will be stored and when data will be deleted.
Amendment 838 #
Proposal for a regulation
Article 17 – paragraph 2 – point b
Article 17 – paragraph 2 – point b
(b) be justified and proportionate to the exceptional need, in terms of the granularity and volume of the data requested and frequency of access of the data requested, and be limited to data necessary to carry out the task;
Amendment 840 #
Proposal for a regulation
Article 17 – paragraph 2 – point b a (new)
Article 17 – paragraph 2 – point b a (new)
(b a) mention the purpose of this processing;
Amendment 851 #
Proposal for a regulation
Article 17 – paragraph 2 – point d a (new)
Article 17 – paragraph 2 – point d a (new)
(d a) be sent to the competent authority referred to in paragraph 2a of this Article and Article 31;
Amendment 853 #
Proposal for a regulation
Article 17 – paragraph 2 a (new)
Article 17 – paragraph 2 a (new)
2 a. A public sector body or a Union institution, agency or body requesting access to the data shall send the request to the competent authority referred to in Article 31. The competent authority shall coordinate the requests by: (a) analysing whether the request meets the requirements laid down in this Chapter; (b) determine whether a data holder has not received similar requests to make data available by more public sector bodies or Union institutions, agencies or bodies; (c) sending the requests to the data holder for the execution; (d) ensuring the online public availability of requests for access to data made by public sector bodies.
Amendment 855 #
Proposal for a regulation
Article 17 – paragraph 4 – subparagraph 1
Article 17 – paragraph 4 – subparagraph 1
Amendment 859 #
Proposal for a regulation
Article 17 – paragraph 4 – subparagraph 2
Article 17 – paragraph 4 – subparagraph 2
Amendment 866 #
Proposal for a regulation
Article 17 – paragraph 4 a (new)
Article 17 – paragraph 4 a (new)
4 a. The third party shall not use the data it receives from a public sector body or a Union institution, agency or body to develop a product or a service that competes with the product or service from which the accessed data originate or share the data with another third party for that purpose.
Amendment 874 #
Proposal for a regulation
Article 18 – paragraph 2 – introductory part
Article 18 – paragraph 2 – introductory part
2. Without prejudice to specific needs regarding the availability of data defined in sectoral legislation, the data holder may decline or seek the modification of the request, withiout undue delay, but no longer than 5 working days following the receipt of a request for the data necessary to respond to a public emergency and within 15 working days in other cases of exceptional need, on either of the following grounds:
Amendment 880 #
Proposal for a regulation
Article 18 – paragraph 2 – point b a (new)
Article 18 – paragraph 2 – point b a (new)
(b a) a similar request for the same purpose has been previously submitted by another public sector body or Union institution, agency or body and the data holder has not been notified of the destruction of the data pursuant to Article 19(1)(c).
Amendment 881 #
Proposal for a regulation
Article 18 – paragraph 3
Article 18 – paragraph 3
3. In case of a request for data necessary to respond to a public emergencyfor an exceptional need pursuant to Article 15, the data holder may also decline or seek modification of the request if the data holder already provided the requested data in response to previously submitted request for the same purpose by another public sector body or Union institution agency or body and the data holder has not been notified of the destruction of the data pursuant to Article 19(1), point (c).
Amendment 885 #
Proposal for a regulation
Article 18 – paragraph 5
Article 18 – paragraph 5
5. Where compliance with the request to make data available to a public sector body or a Union institution, agency or body requires the disclosure of personal data, the data holder shall take reasonable efforts to pseudonymise the data, insofar as the request can be fulfilled with pseudall necessary measures to irreversibly anonymised the data.
Amendment 902 #
Proposal for a regulation
Article 19 – paragraph 1 – point b a (new)
Article 19 – paragraph 1 – point b a (new)
(b a) take all necessary legal, technical and organisational measures to ensure the integrity and security of the data received;
Amendment 904 #
Proposal for a regulation
Article 19 – paragraph 1 – point c
Article 19 – paragraph 1 – point c
(c) destroy the data as soon as, without undue delay, the data theyat are no longer necessary for the stated purpose and inform the data holder that the data have been destroyed.;
Amendment 907 #
Proposal for a regulation
Article 19 – paragraph 1 – point c a (new)
Article 19 – paragraph 1 – point c a (new)
(c a) notify the data holder, without undue delay, of any cybersecurity threat, vulnerability or incident that has compromised the security and integrity of the data that has been transferred to them, without prejudice to the reporting obligations under Regulation (EU) XXX/XXXX [EUIBA] and Directive (EU) XXX/XXXX [NIS2].
Amendment 914 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
2. Disclosure of trade secrets or alleged trade secrets to a public sector body or to a Union institution, agency or body shall only be required to the extent that it is strictly necessary to achieve the purpose of the request. In such a case, the public sector body or the Union institution, agency or body shall take appropriate the legal, technical and organisational measures needed to preserve the confidentiality of those trade secrets.
Amendment 925 #
Proposal for a regulation
Article 20 – paragraph 2
Article 20 – paragraph 2
2. Where tThe data holder claimsshall be entitled to reasonable compensation for making data available in compliance with a request made pursuant to Article 15, points (b) or (c), s. Such compensation shall not exceed the technical and organisational costs incurred to comply with the request including, where necessary, the costs of anonymisation and of technical adaptation, plus a fair and reasonable margin. Upon request of the public sector body or the Union institution, agency or body requesting the data, the data holder shall provide information on the basis for the calculation of the costs and the reasonable margin.
Amendment 933 #
Proposal for a regulation
Article 21 – title
Article 21 – title
21 Contribution of research organisations or statistical bodies in the context of exceptional needs
Amendment 941 #
Proposal for a regulation
Article 21 – paragraph 2
Article 21 – paragraph 2
2. Individuals or organisations receiving the data pursuant to paragraph 1 shall act exclusively on a not-for-profit basis or in the context of a public-interest mission recognised in Union or Member State law. They shall not include organisations upon which commercial undertakings have a decisive influence or which could result in preferential access to the results of the research.
Amendment 943 #
Proposal for a regulation
Article 21 – paragraph 4
Article 21 – paragraph 4
4. Where a public sector body or a Union institution, agency or body intends to transmits or makes data available under paragraph 1, it shall notify the data holder from whom the data was received. and provide all necessary information regarding the identity of the data recipient and the activities that will be carried out by the data recipient based on the data received pursuant to paragraph 1. Data holders shall have the right to object to the sharing of data by a public sector body or a Union institution, agency or body under paragraph 1, to the competent authority, when such data sharing does not meet the requirements of this Chapter.
Amendment 949 #
Proposal for a regulation
Article 22 – paragraph 4
Article 22 – paragraph 4
4. After having been notifiedreceived the request in accordance with paragraph 3, the relevant competent authority shall advisend the requesting public sector body of the need, if any, to to the coomperate with public sector bodiestent authority of the Member State in which the data holder is established, with the aim of ensuring cooperation among authorities and reducing the administrative burden on the data holder in complying with the request. The requesting public sector body shall take the advice of the relevant competent authority into account.
Amendment 950 #
Proposal for a regulation
Article 22 – paragraph 3
Article 22 – paragraph 3
3. Where a public sector body intends to request data from a data holder established in another Member State, it shall first notify and send the request to the competent authority of that Member State as referred to in Article 31, of that intention. This requirement shall also apply to requests by Union institutions, agencies and bodies.
Amendment 1005 #
Proposal for a regulation
Article 27 – paragraph 1
Article 27 – paragraph 1
1. Providers of data processing services shall take all reasonablenecessary technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3.
Amendment 1092 #
Proposal for a regulation
Article 30 – paragraph 6
Article 30 – paragraph 6
6. Where harmonised standards referred to in paragraph 4 of this Article do not exist or w, the Commission shall issue a standardisation request in accordance with Article 10 of Regulation 1025/2012. Where the Commission considers that the relevant harmonised standards are insufficient to ensure conformity with the essential requirements in paragraph 1 of this Article in a cross- border context, the Commission may, by way of implementing acts, adopt common specifications in respect of the essential requirements set out in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 39(2).
Amendment 1115 #
Proposal for a regulation
Article 31 – paragraph 3 – point g
Article 31 – paragraph 3 – point g
(g) ensuring the online public availability of requests for access to data made by public sector bodies in the case of public emergencies undercoordinating requests made by public sector bodies to private sector to access data, according to Chapter V;.
Amendment 1128 #
Proposal for a regulation
Article 32 – paragraph 2
Article 32 – paragraph 2
2. The competent authority with which the complaint has been lodged shall inform the complainant in accordance with national law of the progress of the proceedings and of the decision taken.
Amendment 1162 #
Proposal for a regulation
Article 42 – paragraph 2
Article 42 – paragraph 2
It shall apply from [128 months after the date of entry into force of this Regulation].
Amendment 1163 #
Proposal for a regulation
Article 42 – paragraph 2 a (new)
Article 42 – paragraph 2 a (new)
The obligation resulting from Article 3(1) shall apply retroactively to connected products placed on the market within 5 years prior to the entry into force of this Regulation, only when the manufacturer or provider of related service is able to remotely deploy mechanisms to ensure the fulfilment of the requirements pursuant to Article 3(1) and only when the deployment of such mechanisms would not place a disproportionate burden on the manufacturer or provider of related services.